
Unnamed

#2653468 ·published 2014-03-10 20:59 UTC
Executing: C:\Program Files\Windows NT\Accessories\wordpad.exe
QuerySystemInformation(SystemBasicInformation) [c:\program files\windows nt\accessories\wordpad.exe]
QuerySystemInformation(SystemProcessorInformation) [c:\program files\windows nt\accessories\wordpad.exe]
QueryProcessInformation(C:\Program Files\Windows NT\Accessories\wordpad.exe, ProcessImageInformation) [c:\program files\windows nt\accessories\wordpad.exe]
CreateThread() [c:\program files\windows nt\accessories\wordpad.exe]
ResumeThread(4104) [c:\program files\windows nt\accessories\wordpad.exe]
VirtualAllocEx(C:\Program Files\Windows NT\Accessories\wordpad.exe, MEM_COMMIT, PAGE_READWRITE, RegionSize=0x0000000000001000) [c:\program files\windows nt\accessories\wordpad.exe]
VirtualQueryEx(C:\Program Files\Windows NT\Accessories\wordpad.exe, MemoryBasicInformation, BaseAddress=0x00000000FF5C6110) [c:\program files\windows nt\accessories\wordpad.exe]
VirtualQueryEx(C:\Program Files\Windows NT\Accessories\wordpad.exe, MemoryRegionInformation, BaseAddress=0x00000000FF5C6110) [c:\program files\windows nt\accessories\wordpad.exe]
VirtualQueryEx(C:\Program Files\Windows NT\Accessories\wordpad.exe, MemoryMappedFilenameInformation, BaseAddress=0x00000000FF5C6110) [c:\program files\windows nt\accessories\wordpad.exe]
QueryProcessInformation(C:\Program Files\Windows NT\Accessories\wordpad.exe, ProcessCookie) [c:\program files\windows nt\accessories\wordpad.exe]
VirtualQueryEx(C:\Program Files\Windows NT\Accessories\wordpad.exe, MemoryRegionInformation, BaseAddress=0x00000000001B0000) [c:\program files\windows nt\accessories\wordpad.exe]
VirtualAllocEx(C:\Program Files\Windows NT\Accessories\wordpad.exe, MEM_COMMIT, PAGE_READWRITE, RegionSize=0x0000000000003000) [c:\program files\windows nt\accessories\wordpad.exe]
LoadLibrary(CRYPTBASE.dll) [c:\program files\windows nt\accessories\wordpad.exe]
VirtualAllocEx(C:\Program Files\Windows NT\Accessories\wordpad.exe, MEM_COMMIT, PAGE_READWRITE, RegionSize=0x0000000000006000) [c:\program files\windows nt\accessories\wordpad.exe]
VirtualAllocEx(C:\Program Files\Windows NT\Accessories\wordpad.exe, MEM_COMMIT, PAGE_READWRITE, RegionSize=0x0000000000002000) [c:\program files\windows nt\accessories\wordpad.exe]
OpenProcess(C:\Program Files\Windows NT\Accessories\wordpad.exe, PROCESS_QUERY_INFORMATION) [c:\program files\windows nt\accessories\wordpad.exe]
QueryProcessInformation(C:\Program Files\Windows NT\Accessories\wordpad.exe, ProcessSessionInformation) [c:\program files\windows nt\accessories\wordpad.exe]
OpenProcessToken(C:\Program Files\Windows NT\Accessories\wordpad.exe, TOKEN_QUERY, TOKEN_READ) [c:\program files\windows nt\accessories\wordpad.exe]
QueryProcessInformation(C:\Program Files\Windows NT\Accessories\wordpad.exe, ProcessBasicInformation) [c:\program files\windows nt\accessories\wordpad.exe]
VirtualAllocEx(C:\Program Files\Windows NT\Accessories\wordpad.exe, MEM_RESERVE, PAGE_READWRITE, RegionSize=0x0000000000180000) [c:\program files\windows nt\accessories\wordpad.exe]
LoadLibrary(uxtheme.dll) [c:\program files\windows nt\accessories\wordpad.exe]
IsDebuggerPresent() [c:\program files\windows nt\accessories\wordpad.exe]
FreeLibrary(C:\Windows\system32\uxtheme.dll) [c:\program files\windows nt\accessories\wordpad.exe]
GetModuleHandle(user32.dll) [c:\program files\windows nt\accessories\wordpad.exe]
VirtualAllocEx(C:\Program Files\Windows NT\Accessories\wordpad.exe, MEM_COMMIT, PAGE_READWRITE, RegionSize=0x0000000000004000) [c:\program files\windows nt\accessories\wordpad.exe]
VirtualAllocEx(C:\Program Files\Windows NT\Accessories\wordpad.exe, MEM_COMMIT, PAGE_READWRITE, RegionSize=0x0000000000037000) [c:\program files\windows nt\accessories\wordpad.exe]
LoadLibrary(CLBCatQ.DLL) [c:\program files\windows nt\accessories\wordpad.exe]
QueryProcessInformation(C:\Program Files\Windows NT\Accessories\wordpad.exe, ProcessWow64Information) [c:\program files\windows nt\accessories\wordpad.exe]
VirtualAllocEx(C:\Program Files\Windows NT\Accessories\wordpad.exe, MEM_COMMIT, PAGE_READWRITE, RegionSize=0x0000000000009000) [c:\program files\windows nt\accessories\wordpad.exe]
LoadLibrary(msxml3.dll) [c:\program files\windows nt\accessories\wordpad.exe]
VirtualAllocEx(C:\Program Files\Windows NT\Accessories\wordpad.exe, MEM_COMMIT, PAGE_READWRITE, RegionSize=0x0000000000011000) [c:\program files\windows nt\accessories\wordpad.exe]
VirtualAllocEx(C:\Program Files\Windows NT\Accessories\wordpad.exe, MEM_RESERVE, PAGE_READWRITE, RegionSize=0x0000000000130000) [c:\program files\windows nt\accessories\wordpad.exe]
VirtualAllocEx(C:\Program Files\Windows NT\Accessories\wordpad.exe, MEM_RESERVE, PAGE_READWRITE, RegionSize=0x0000000000210000) [c:\program files\windows nt\accessories\wordpad.exe]
VirtualAllocEx(C:\Program Files\Windows NT\Accessories\wordpad.exe, MEM_RESERVE, PAGE_READWRITE, RegionSize=0x0000000000270000) [c:\program files\windows nt\accessories\wordpad.exe]
VirtualAllocEx(C:\Program Files\Windows NT\Accessories\wordpad.exe, MEM_RESERVE, PAGE_READWRITE, RegionSize=0x00000000000F0000) [c:\program files\windows nt\accessories\wordpad.exe]
VirtualAllocEx(C:\Program Files\Windows NT\Accessories\wordpad.exe, MEM_RESERVE, PAGE_READWRITE, RegionSize=0x00000000001C0000) [c:\program files\windows nt\accessories\wordpad.exe]
VirtualAllocEx(C:\Program Files\Windows NT\Accessories\wordpad.exe, MEM_RESERVE, PAGE_READWRITE, RegionSize=0x00000000000E0000) [c:\program files\windows nt\accessories\wordpad.exe]
VirtualAllocEx(C:\Program Files\Windows NT\Accessories\wordpad.exe, MEM_RESERVE, PAGE_READWRITE, RegionSize=0x00000000001F0000) [c:\program files\windows nt\accessories\wordpad.exe]
LdrFindEntryForAddress(0x000007FEFD120000) [c:\program files\windows nt\accessories\wordpad.exe]
VirtualQueryEx(C:\Program Files\Windows NT\Accessories\wordpad.exe, MemoryRegionInformation, BaseAddress=0x0000000002830000) [c:\program files\windows nt\accessories\wordpad.exe]
VirtualAllocEx(C:\Program Files\Windows NT\Accessories\wordpad.exe, MEM_RESERVE, PAGE_READWRITE, RegionSize=0x0000000000400000) [c:\program files\windows nt\accessories\wordpad.exe]
VirtualAllocEx(C:\Program Files\Windows NT\Accessories\wordpad.exe, MEM_COMMIT, PAGE_READWRITE, RegionSize=0x0000000000010000) [c:\program files\windows nt\accessories\wordpad.exe]
VirtualAllocEx(C:\Program Files\Windows NT\Accessories\wordpad.exe, MEM_RESERVE, PAGE_NOACCESS, RegionSize=0x0000000000020000) [c:\program files\windows nt\accessories\wordpad.exe]
VirtualAllocEx(C:\Program Files\Windows NT\Accessories\wordpad.exe, MEM_COMMIT, PAGE_READWRITE, RegionSize=0x0000000000005000) [c:\program files\windows nt\accessories\wordpad.exe]
QueryProcessInformation(C:\Program Files\Windows NT\Accessories\wordpad.exe, ProcessDefaultHardErrorMode) [c:\program files\windows nt\accessories\wordpad.exe]
FindWindow(WordPadClass, null) [c:\program files\windows nt\accessories\wordpad.exe]
RegOpenKeyEx(\HKCU\S-1-5-21-1941945027-3115137342-1228438717-1001\software\Microsoft\Windows\CurrentVersion\Applets\Wordpad\Options, KEY_ENUMERATE_SUB_KEYS, KEY_READ, KEY_NOTIFY, KEY_QUERY_VALUE, KEY_WRITE, READ_CONTROL) [c:\program files\windows nt\accessories\wordpad.exe]
RegCloseKey(\HKCU\S-1-5-21-1941945027-3115137342-1228438717-1001\Software\Microsoft\Windows\CurrentVersion\Applets\Wordpad\Options) [c:\program files\windows nt\accessories\wordpad.exe]
RegCloseKey(\HKCU\S-1-5-21-1941945027-3115137342-1228438717-1001\software\Microsoft\Windows\CurrentVersion\Applets\Wordpad) [c:\program files\windows nt\accessories\wordpad.exe]
RegOpenKeyEx(\HKLM\Software\Microsoft\Windows\CurrentVersion\Wordpad\COMChecks, KEY_ENUMERATE_SUB_KEYS, KEY_READ, KEY_NOTIFY, KEY_QUERY_VALUE, KEY_WRITE, READ_CONTROL) [c:\program files\windows nt\accessories\wordpad.exe]
RegCloseKey(\HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Wordpad\COMChecks) [c:\program files\windows nt\accessories\wordpad.exe]
VirtualAllocEx(C:\Program Files\Windows NT\Accessories\wordpad.exe, MEM_RESERVE, PAGE_READWRITE, RegionSize=0x0000000000150000) [c:\program files\windows nt\accessories\wordpad.exe]
LoadLibrary(MSFTEDIT.DLL) [c:\program files\windows nt\accessories\wordpad.exe]
VirtualAllocEx(C:\Program Files\Windows NT\Accessories\wordpad.exe, MEM_RESERVE, PAGE_READWRITE, RegionSize=0x000000000003FFF0) [c:\program files\windows nt\accessories\wordpad.exe]
ResumeThread(5772) [c:\program files\windows nt\accessories\wordpad.exe]
SuspendThread(5772) [c:\program files\windows nt\accessories\wordpad.exe]
VirtualAllocEx(C:\Program Files\Windows NT\Accessories\wordpad.exe, MEM_RESERVE, PAGE_READWRITE, RegionSize=0x0000000000030000) [c:\program files\windows nt\accessories\wordpad.exe]
VirtualAllocEx(C:\Program Files\Windows NT\Accessories\wordpad.exe, MEM_COMMIT MEM_RESERVE MEM_TOP_DOWN, PAGE_READWRITE, RegionSize=0x0000000000010000) [c:\program files\windows nt\accessories\wordpad.exe]
LoadLibrary(WINSPOOL.DRV) [c:\program files\windows nt\accessories\wordpad.exe]
VirtualAllocEx(C:\Program Files\Windows NT\Accessories\wordpad.exe, MEM_COMMIT MEM_RESERVE MEM_TOP_DOWN, PAGE_READWRITE, RegionSize=0x0000000000102000) [c:\program files\windows nt\accessories\wordpad.exe]
OpenFile(C:\Windows\system32\UIRibbon.dll.2.config) [c:\program files\windows nt\accessories\wordpad.exe]
VirtualAllocEx(C:\Program Files\Windows NT\Accessories\wordpad.exe, MEM_RESERVE, PAGE_NOACCESS, RegionSize=0x0000000000010000) [c:\program files\windows nt\accessories\wordpad.exe]
GetModuleHandle(advapi32.dll) [c:\program files\windows nt\accessories\wordpad.exe]
LoadLibrary(UIRibbon.dll) [c:\program files\windows nt\accessories\wordpad.exe]
LoadLibrary(gdiplus.dll) [c:\program files\windows nt\accessories\wordpad.exe]
OpenProcessToken(C:\Program Files\Windows NT\Accessories\wordpad.exe, TOKEN_ADJUST_PRIVILEGES, TOKEN_QUERY, TOKEN_READ, TOKEN_WRITE) [c:\program files\windows nt\accessories\wordpad.exe]
QuerySystemInformation(123) [c:\program files\windows nt\accessories\wordpad.exe]
QueryProcessInformation(C:\Program Files\Windows NT\Accessories\wordpad.exe, ProcessQuotaLimits) [c:\program files\windows nt\accessories\wordpad.exe]
QueryProcessInformation(C:\Program Files\Windows NT\Accessories\wordpad.exe, ProcessVmCounters) [c:\program files\windows nt\accessories\wordpad.exe]
ResumeThread(2128) [c:\program files\windows nt\accessories\wordpad.exe]
SystemParametersInfo(SPI_GETNONCLIENTMETRICS, 504) [c:\program files\windows nt\accessories\wordpad.exe]
OpenFile(C:\Windows\system32\spool\DRIVERS\x64\3\hp1100su.dll.2.config) [c:\program files\windows nt\accessories\wordpad.exe]
SystemParametersInfo(SPI_GETHIGHCONTRAST, 16) [c:\program files\windows nt\accessories\wordpad.exe]
VirtualQueryEx(C:\Program Files\Windows NT\Accessories\wordpad.exe, MemoryWorkingSetExInformation, BaseAddress=0x0000000000000000) [c:\program files\windows nt\accessories\wordpad.exe]
OpenFile(C:\Windows\system32\spool\DRIVERS\x64\3\HP1100GC.dll.2.config) [c:\program files\windows nt\accessories\wordpad.exe]
VirtualAllocEx(C:\Program Files\Windows NT\Accessories\wordpad.exe, MEM_RESERVE, PAGE_READWRITE, RegionSize=0x0000000000200000) [c:\program files\windows nt\accessories\wordpad.exe]
VirtualAllocEx(C:\Program Files\Windows NT\Accessories\wordpad.exe, MEM_RESERVE, PAGE_READWRITE, RegionSize=0x0000000000100000) [c:\program files\windows nt\accessories\wordpad.exe]
VirtualAllocEx(C:\Program Files\Windows NT\Accessories\wordpad.exe, MEM_COMMIT, PAGE_READWRITE, RegionSize=0x0000000000038000) [c:\program files\windows nt\accessories\wordpad.exe]
VirtualAllocEx(C:\Program Files\Windows NT\Accessories\wordpad.exe, MEM_RESERVE, PAGE_READWRITE, RegionSize=0x0000000000080000) [c:\program files\windows nt\accessories\wordpad.exe]
LoadLibrary(hp1100su.dll) [c:\program files\windows nt\accessories\wordpad.exe]
LoadLibrary(HP1100GC.dll) [c:\program files\windows nt\accessories\wordpad.exe]
LoadLibrary(MSIMG32.dll) [c:\program files\windows nt\accessories\wordpad.exe]
VirtualAllocEx(C:\Program Files\Windows NT\Accessories\wordpad.exe, MEM_RESERVE, PAGE_READWRITE, RegionSize=0x0000000000101CC8) [c:\program files\windows nt\accessories\wordpad.exe]
VirtualAllocEx(C:\Program Files\Windows NT\Accessories\wordpad.exe, MEM_COMMIT, PAGE_READWRITE, RegionSize=0x0000000000001CC8) [c:\program files\windows nt\accessories\wordpad.exe]
GetModuleHandle(C:\Program Files\Windows NT\Accessories\wordpad.exe) [c:\program files\windows nt\accessories\wordpad.exe]
OpenFile(C:\Windows\system32\spool\DRIVERS\x64\3\HP1100SD.DLL.2.config) [c:\program files\windows nt\accessories\wordpad.exe]
VirtualAllocEx(C:\Program Files\Windows NT\Accessories\wordpad.exe, MEM_RESERVE, PAGE_READWRITE, RegionSize=0x0000000000140000) [c:\program files\windows nt\accessories\wordpad.exe]
LoadLibrary(HP1100SD.DLL) [c:\program files\windows nt\accessories\wordpad.exe]
FreeLibrary(C:\Windows\system32\spool\DRIVERS\x64\3\HP1100SD.DLL) [c:\program files\windows nt\accessories\wordpad.exe]
OpenProcessToken(C:\Program Files\Windows NT\Accessories\wordpad.exe, TOKEN_DUPLICATE, TOKEN_QUERY, TOKEN_READ) [c:\program files\windows nt\accessories\wordpad.exe]
LoadLibrary(dwmapi.dll) [c:\program files\windows nt\accessories\wordpad.exe]
VirtualAllocEx(C:\Program Files\Windows NT\Accessories\wordpad.exe, MEM_RESERVE, PAGE_READWRITE, RegionSize=0x0000000000060000) [c:\program files\windows nt\accessories\wordpad.exe]
VirtualAllocEx(C:\Program Files\Windows NT\Accessories\wordpad.exe, MEM_RESERVE, PAGE_READWRITE, RegionSize=0x00000000001001E2) [c:\program files\windows nt\accessories\wordpad.exe]
VirtualAllocEx(C:\Program Files\Windows NT\Accessories\wordpad.exe, MEM_COMMIT, PAGE_READWRITE, RegionSize=0x00000000000001E2) [c:\program files\windows nt\accessories\wordpad.exe]
GetSystemDefaultLangID() [c:\program files\windows nt\accessories\wordpad.exe]
RegOpenKeyEx(\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback, KEY_READ, KEY_QUERY_VALUE) [c:\program files\windows nt\accessories\wordpad.exe]
RegCloseKey(\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback) [c:\program files\windows nt\accessories\wordpad.exe]
GetKeyboardLayoutList() [c:\program files\windows nt\accessories\wordpad.exe]
OpenFile(C:\Windows\system32\uxtheme.dll.config) [c:\program files\windows nt\accessories\wordpad.exe]
CreateDC(winspool,HP LaserJet Professional P1606dn,IP_192.168.1.152,000000000052BE40) [c:\program files\windows nt\accessories\wordpad.exe]
VirtualAllocEx(C:\Program Files\Windows NT\Accessories\wordpad.exe, MEM_RESERVE, PAGE_READWRITE, RegionSize=0x0000000000160000) [c:\program files\windows nt\accessories\wordpad.exe]
VirtualAllocEx(C:\Program Files\Windows NT\Accessories\wordpad.exe, MEM_COMMIT, PAGE_READWRITE, RegionSize=0x0000000000008000) [c:\program files\windows nt\accessories\wordpad.exe]
OpenMutex(CicLoadWinStaWinSta0) [c:\program files\windows nt\accessories\wordpad.exe]
OpenMutex(Local\MSCTF.CtfMonitorInstMutexDefault1) [c:\program files\windows nt\accessories\wordpad.exe]
LoadLibrary(oleacc.dll) [c:\program files\windows nt\accessories\wordpad.exe]
GetModuleHandle(KERNEL32.DLL) [c:\program files\windows nt\accessories\wordpad.exe]
GetModuleHandle(NTDLL.DLL) [c:\program files\windows nt\accessories\wordpad.exe]
GetModuleHandle(ole32.dll) [c:\program files\windows nt\accessories\wordpad.exe]
RegOpenKeyEx(\HKCR\CLSID\{B5F8350B-0548-48B1-A6EE-88BD00B4A5E7}, KEY_ENUMERATE_SUB_KEYS, KEY_READ, KEY_NOTIFY, KEY_QUERY_VALUE, KEY_WRITE, READ_CONTROL) [c:\program files\windows nt\accessories\wordpad.exe]
RegCloseKey(\HKLM\SOFTWARE\Classes\CLSID\{B5F8350B-0548-48B1-A6EE-88BD00B4A5E7}) [c:\program files\windows nt\accessories\wordpad.exe]
VirtualAllocEx(C:\Program Files\Windows NT\Accessories\wordpad.exe, MEM_COMMIT, PAGE_READWRITE, RegionSize=0x000000000000003C) [c:\program files\windows nt\accessories\wordpad.exe]
LoadLibrary(msls31.dll) [c:\program files\windows nt\accessories\wordpad.exe]
SystemParametersInfo(SPI_GETWHEELSCROLLLINES, 0) [c:\program files\windows nt\accessories\wordpad.exe]
SystemParametersInfo(SPI_GETWHEELSCROLLCHARS, 0) [c:\program files\windows nt\accessories\wordpad.exe]
SystemParametersInfo(SPI_GETDRAGFULLWINDOWS, 4) [c:\program files\windows nt\accessories\wordpad.exe]
SystemParametersInfo(SPI_GETUIEFFECTS, 0) [c:\program files\windows nt\accessories\wordpad.exe]
SystemParametersInfo(SPI_GETCLIENTAREAANIMATION, 0) [c:\program files\windows nt\accessories\wordpad.exe]
SystemParametersInfo(SPI_GETMENUDROPALIGNMENT, 0) [c:\program files\windows nt\accessories\wordpad.exe]
VirtualAllocEx(C:\Program Files\Windows NT\Accessories\wordpad.exe, MEM_RESERVE, PAGE_READWRITE, RegionSize=0x00000000001D0000) [c:\program files\windows nt\accessories\wordpad.exe]
SystemParametersInfo(SPI_GETFLATMENU, 0) [c:\program files\windows nt\accessories\wordpad.exe]
VirtualAllocEx(C:\Program Files\Windows NT\Accessories\wordpad.exe, MEM_COMMIT, PAGE_READWRITE, RegionSize=0x0000000000000032) [c:\program files\windows nt\accessories\wordpad.exe]
LoadLibrary(UIRibbonRes.dll) [c:\program files\windows nt\accessories\wordpad.exe]
CheckRemoteDebuggerPresent() [c:\program files\windows nt\accessories\wordpad.exe]
OutputDebugString(Error - ) [c:\program files\windows nt\accessories\wordpad.exe]
OutputDebugString(RtlWerpReportException failed with status code :-1073741823. Will try to launch the process directly) [c:\program files\windows nt\accessories\wordpad.exe]
OutputDebugString(
) [c:\program files\windows nt\accessories\wordpad.exe]
CreateProcess(C:\Windows\system32\WerFault.exe, C:\Windows\system32\WerFault.exe -u -p 796 -s 496, C:\Windows\system32) [c:\program files\windows nt\accessories\wordpad.exe]
OpenFile(C:\Windows\system32) [c:\program files\windows nt\accessories\wordpad.exe]
GetFileAttributes(C:\Windows\system32) [c:\program files\windows nt\accessories\wordpad.exe]
OpenFile(C:\Windows\system32\WerFault.exe) [c:\program files\windows nt\accessories\wordpad.exe]
GetFileAttributes(C:\PROGRA~1\MICROS~2\Office15\OUTLOOK.EXE) [c:\program files\windows nt\accessories\wordpad.exe]
ReadProcessMemory(C:\Windows\System32\WerFault.exe, BaseAddress=0x000007FFFFFD8010, BufferSize=0x0000000000000008) [c:\program files\windows nt\accessories\wordpad.exe]
OpenFile(C:\delete\SandboxiePortable\App\Sandboxie\Manifest1.txt) [c:\program files\windows nt\accessories\wordpad.exe]
OpenFile(C:\delete\SandboxiePortable\App\Sandboxie\Manifest2.txt) [c:\program files\windows nt\accessories\wordpad.exe]
LoadLibrary(apphelp.dll) [c:\program files\windows nt\accessories\wordpad.exe]
VirtualAllocEx(C:\Windows\System32\WerFault.exe, MEM_COMMIT, PAGE_READWRITE, RegionSize=0x0000000000000058) [c:\program files\windows nt\accessories\wordpad.exe]
WriteProcessMemory(C:\Windows\System32\WerFault.exe, BaseAddress=0x0000000000060000, BufferSize=0x0000000000000020) [c:\program files\windows nt\accessories\wordpad.exe]
WriteProcessMemory(C:\Windows\System32\WerFault.exe, BaseAddress=0x0000000000060020, BufferSize=0x0000000000000034) [c:\program files\windows nt\accessories\wordpad.exe]
WriteProcessMemory(C:\Windows\System32\WerFault.exe, BaseAddress=0x000007FFFFFD8368, BufferSize=0x0000000000000008) [c:\program files\windows nt\accessories\wordpad.exe]
ResumeThread(4336) [c:\program files\windows nt\accessories\wordpad.exe]
Executing: C:\Windows\System32\WerFault.exe
QuerySystemInformation(SystemBasicInformation) [c:\windows\system32\werfault.exe]
QuerySystemInformation(SystemProcessorInformation) [c:\windows\system32\werfault.exe]
QueryProcessInformation(C:\Windows\System32\WerFault.exe, ProcessImageInformation) [c:\windows\system32\werfault.exe]
CreateThread() [c:\windows\system32\werfault.exe]
ResumeThread(5584) [c:\windows\system32\werfault.exe]
VirtualQueryEx(C:\Windows\System32\WerFault.exe, MemoryBasicInformation, BaseAddress=0x00000000FFAC4978) [c:\windows\system32\werfault.exe]
VirtualQueryEx(C:\Windows\System32\WerFault.exe, MemoryRegionInformation, BaseAddress=0x00000000FFAC4978) [c:\windows\system32\werfault.exe]
VirtualQueryEx(C:\Windows\System32\WerFault.exe, MemoryMappedFilenameInformation, BaseAddress=0x00000000FFAC4978) [c:\windows\system32\werfault.exe]
QueryProcessInformation(C:\Windows\System32\WerFault.exe, ProcessCookie) [c:\windows\system32\werfault.exe]
VirtualAllocEx(C:\Windows\System32\WerFault.exe, MEM_COMMIT, PAGE_READWRITE, RegionSize=0x0000000000001000) [c:\windows\system32\werfault.exe]
QueryProcessInformation(C:\Windows\System32\WerFault.exe, ProcessDefaultHardErrorMode) [c:\windows\system32\werfault.exe]
OpenProcess(C:\Program Files\Windows NT\Accessories\wordpad.exe, PROCESS_ALL_ACCESS) [c:\windows\system32\werfault.exe]
RegOpenKeyEx(\HKLM\Software\Microsoft\Windows\Windows Error Reporting, KEY_READ, KEY_QUERY_VALUE, KEY_WOW64_64KEY) [c:\windows\system32\werfault.exe]
RegCloseKey(\HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting) [c:\windows\system32\werfault.exe]
RegOpenKeyEx(\HKCU\Software\Microsoft\Windows\Windows Error Reporting, KEY_READ, KEY_QUERY_VALUE, KEY_WOW64_64KEY) [c:\windows\system32\werfault.exe]
RegCloseKey(\HKCU\S-1-5-21-1941945027-3115137342-1228438717-1001\Software\Microsoft\Windows\Windows Error Reporting) [c:\windows\system32\werfault.exe]
QueryProcessInformation(C:\Program Files\Windows NT\Accessories\wordpad.exe, ProcessWow64Information) [c:\windows\system32\werfault.exe]
QueryFullProcessImageName(C:\Program Files\Windows NT\Accessories\wordpad.exe) [c:\windows\system32\werfault.exe]
QueryProcessInformation(C:\Program Files\Windows NT\Accessories\wordpad.exe, ProcessBasicInformation) [c:\windows\system32\werfault.exe]
VirtualAllocEx(C:\Windows\System32\WerFault.exe, MEM_RESERVE, PAGE_READWRITE, RegionSize=0x0000000000130000) [c:\windows\system32\werfault.exe]
VirtualAllocEx(C:\Windows\System32\WerFault.exe, MEM_COMMIT, PAGE_READWRITE, RegionSize=0x0000000000002000) [c:\windows\system32\werfault.exe]
LoadLibrary(uxtheme.dll) [c:\windows\system32\werfault.exe]
IsDebuggerPresent() [c:\windows\system32\werfault.exe]
FreeLibrary(C:\Windows\system32\uxtheme.dll) [c:\windows\system32\werfault.exe]
GetModuleHandle(user32.dll) [c:\windows\system32\werfault.exe]
VirtualAllocEx(C:\Windows\System32\WerFault.exe, MEM_COMMIT, PAGE_READWRITE, RegionSize=0x0000000000004000) [c:\windows\system32\werfault.exe]
VirtualAllocEx(C:\Windows\System32\WerFault.exe, MEM_COMMIT, PAGE_READWRITE, RegionSize=0x0000000000037000) [c:\windows\system32\werfault.exe]
OpenProcess(C:\Program Files\Windows NT\Accessories\wordpad.exe, PROCESS_QUERY_INFORMATION) [c:\windows\system32\werfault.exe]
OpenProcessToken(C:\Program Files\Windows NT\Accessories\wordpad.exe, TOKEN_DUPLICATE) [c:\windows\system32\werfault.exe]
QueryProcessInformation(C:\Program Files\Windows NT\Accessories\wordpad.exe, ProcessImageInformation) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000000000028D270, BufferSize=0x0000000000000010) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000000000028DF70, BufferSize=0x0000000000000098) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000000000028DA80, BufferSize=0x00000000000004D0) [c:\windows\system32\werfault.exe]
QueryProcessInformation(C:\Program Files\Windows NT\Accessories\wordpad.exe, ProcessDefaultHardErrorMode) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FFFFFDC000, BufferSize=0x0000000000001818) [c:\windows\system32\werfault.exe]
QueryProcessInformation(C:\Windows\System32\WerFault.exe, ProcessWow64Information) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FFFFFDE000, BufferSize=0x0000000000000380) [c:\windows\system32\werfault.exe]
VirtualAllocEx(C:\Windows\System32\WerFault.exe, MEM_COMMIT, PAGE_READWRITE, RegionSize=0x000000000000025A) [c:\windows\system32\werfault.exe]
SuspendThread(5772) [c:\windows\system32\werfault.exe]
SuspendThread(2128) [c:\windows\system32\werfault.exe]
LoadLibrary(psapi.dll) [c:\windows\system32\werfault.exe]
QueryProcessInformation(C:\Program Files\Windows NT\Accessories\wordpad.exe, ProcessTimes) [c:\windows\system32\werfault.exe]
CreateToolhelp32Snapshot(796, TH32CS_SNAPALL) [c:\windows\system32\werfault.exe]
VirtualAllocEx(C:\Windows\System32\WerFault.exe, MEM_COMMIT, PAGE_READWRITE, RegionSize=0x0000000000010001) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x0000000077382650, BufferSize=0x0000000000000008) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x0000000000482C00, BufferSize=0x0000000000000008) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x0000000000482CF0, BufferSize=0x0000000000000008) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x0000000000483070, BufferSize=0x0000000000000008) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004831E0, BufferSize=0x0000000000000008) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C0700, BufferSize=0x0000000000000008) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C0840, BufferSize=0x0000000000000008) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C0CD0, BufferSize=0x0000000000000008) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C0A50, BufferSize=0x0000000000000008) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C0B90, BufferSize=0x0000000000000008) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C1820, BufferSize=0x0000000000000008) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C1910, BufferSize=0x0000000000000008) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C1A50, BufferSize=0x0000000000000008) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C1E50, BufferSize=0x0000000000000008) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C1B40, BufferSize=0x0000000000000008) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C1C30, BufferSize=0x0000000000000008) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C39C0, BufferSize=0x0000000000000008) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C3AE0, BufferSize=0x0000000000000008) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C3BD0, BufferSize=0x0000000000000008) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C3CC0, BufferSize=0x0000000000000008) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C3DB0, BufferSize=0x0000000000000008) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C3EA0, BufferSize=0x0000000000000008) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C3F90, BufferSize=0x0000000000000008) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C4080, BufferSize=0x0000000000000008) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C4170, BufferSize=0x0000000000000008) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C4260, BufferSize=0x0000000000000008) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C4350, BufferSize=0x0000000000000008) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C4440, BufferSize=0x0000000000000008) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C4530, BufferSize=0x0000000000000008) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C4620, BufferSize=0x0000000000000008) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C4710, BufferSize=0x0000000000000008) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C4800, BufferSize=0x0000000000000008) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C48F0, BufferSize=0x0000000000000008) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C49E0, BufferSize=0x0000000000000008) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C4AD0, BufferSize=0x0000000000000008) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C4BC0, BufferSize=0x0000000000000008) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C4CB0, BufferSize=0x0000000000000008) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C4DA0, BufferSize=0x0000000000000008) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C4F80, BufferSize=0x0000000000000008) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C5160, BufferSize=0x0000000000000008) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C5250, BufferSize=0x0000000000000008) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C5340, BufferSize=0x0000000000000008) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C5430, BufferSize=0x0000000000000008) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C5520, BufferSize=0x0000000000000008) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C5610, BufferSize=0x0000000000000008) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C57F0, BufferSize=0x0000000000000008) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C58E0, BufferSize=0x0000000000000008) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000000000051F140, BufferSize=0x0000000000000008) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000000000051F230, BufferSize=0x0000000000000008) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000000000051F320, BufferSize=0x0000000000000008) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000000000051F500, BufferSize=0x0000000000000008) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000000000051F5F0, BufferSize=0x0000000000000008) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000000000051F6E0, BufferSize=0x0000000000000008) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000000000051F7D0, BufferSize=0x0000000000000008) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000000000051F8C0, BufferSize=0x0000000000000008) [c:\windows\system32\werfault.exe]
VirtualAllocEx(C:\Windows\System32\WerFault.exe, MEM_COMMIT, PAGE_READWRITE, RegionSize=0x0000000000002F48) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x0000000000482C00, BufferSize=0x00000000000000E0) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004829EA, BufferSize=0x0000000000000066) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x0000000000482CF0, BufferSize=0x00000000000000E0) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x0000000000482B70, BufferSize=0x000000000000003A) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x0000000000483070, BufferSize=0x00000000000000E0) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x0000000000483020, BufferSize=0x0000000000000040) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004831E0, BufferSize=0x00000000000000E0) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x0000000000483190, BufferSize=0x0000000000000044) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C0700, BufferSize=0x00000000000000E0) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C06B0, BufferSize=0x0000000000000040) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C0840, BufferSize=0x00000000000000E0) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C07F0, BufferSize=0x000000000000003C) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C0CD0, BufferSize=0x00000000000000E0) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C0C80, BufferSize=0x000000000000003E) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C0A50, BufferSize=0x00000000000000E0) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C0E80, BufferSize=0x000000000000003C) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C0B90, BufferSize=0x00000000000000E0) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C0B40, BufferSize=0x000000000000003A) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C1820, BufferSize=0x00000000000000E0) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C17D0, BufferSize=0x000000000000003C) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C1910, BufferSize=0x00000000000000E0) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004BE330, BufferSize=0x0000000000000036) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C1A50, BufferSize=0x00000000000000E0) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C1A00, BufferSize=0x000000000000003A) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C1E50, BufferSize=0x00000000000000E0) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C1E00, BufferSize=0x000000000000003C) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C1B40, BufferSize=0x00000000000000E0) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C1F40, BufferSize=0x000000000000003A) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C1C30, BufferSize=0x00000000000000E0) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C1FC0, BufferSize=0x0000000000000040) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C39C0, BufferSize=0x00000000000000E0) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C2010, BufferSize=0x000000000000003C) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C3AE0, BufferSize=0x00000000000000E0) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C2060, BufferSize=0x0000000000000040) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C3BD0, BufferSize=0x00000000000000E0) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C20B0, BufferSize=0x000000000000003E) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C3CC0, BufferSize=0x00000000000000E0) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C38A0, BufferSize=0x00000000000000F8) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C3DB0, BufferSize=0x00000000000000E0) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C2100, BufferSize=0x000000000000003E) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C3EA0, BufferSize=0x00000000000000E0) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C2150, BufferSize=0x000000000000003E) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C3F90, BufferSize=0x00000000000000E0) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C21A0, BufferSize=0x000000000000003A) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C4080, BufferSize=0x00000000000000E0) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C21F0, BufferSize=0x000000000000003C) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C4170, BufferSize=0x00000000000000E0) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C1D20, BufferSize=0x0000000000000072) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C4260, BufferSize=0x00000000000000E0) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C62B0, BufferSize=0x0000000000000076) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C4350, BufferSize=0x00000000000000E0) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C6330, BufferSize=0x0000000000000078) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C4440, BufferSize=0x00000000000000E0) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C63C0, BufferSize=0x0000000000000074) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C4530, BufferSize=0x00000000000000E0) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C6440, BufferSize=0x0000000000000076) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C4620, BufferSize=0x00000000000000E0) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C2240, BufferSize=0x000000000000003E) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C4710, BufferSize=0x00000000000000E0) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C64C0, BufferSize=0x0000000000000078) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C4800, BufferSize=0x00000000000000E0) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C2290, BufferSize=0x0000000000000040) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C48F0, BufferSize=0x00000000000000E0) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C22E0, BufferSize=0x0000000000000040) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C49E0, BufferSize=0x00000000000000E0) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C2330, BufferSize=0x000000000000003E) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C4AD0, BufferSize=0x00000000000000E0) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C2380, BufferSize=0x000000000000003E) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C4BC0, BufferSize=0x00000000000000E0) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C23D0, BufferSize=0x000000000000003A) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C4CB0, BufferSize=0x00000000000000E0) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C2420, BufferSize=0x000000000000003A) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C4DA0, BufferSize=0x00000000000000E0) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C2510, BufferSize=0x000000000000003E) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C4F80, BufferSize=0x00000000000000E0) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C25B0, BufferSize=0x0000000000000042) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C5160, BufferSize=0x00000000000000E0) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C26A0, BufferSize=0x000000000000003E) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C5250, BufferSize=0x00000000000000E0) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C26F0, BufferSize=0x000000000000003E) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C5340, BufferSize=0x00000000000000E0) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C2790, BufferSize=0x000000000000003C) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C5430, BufferSize=0x00000000000000E0) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C28D0, BufferSize=0x0000000000000040) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C5520, BufferSize=0x00000000000000E0) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C2970, BufferSize=0x0000000000000040) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C5610, BufferSize=0x00000000000000E0) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C2A10, BufferSize=0x0000000000000040) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C57F0, BufferSize=0x00000000000000E0) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C5700, BufferSize=0x00000000000000E6) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C58E0, BufferSize=0x00000000000000E0) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x0000000000521140, BufferSize=0x0000000000000068) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000000000051F140, BufferSize=0x00000000000000E0) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000005211C0, BufferSize=0x0000000000000068) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000000000051F230, BufferSize=0x00000000000000E0) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C2AB0, BufferSize=0x000000000000003E) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000000000051F320, BufferSize=0x00000000000000E0) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C2B50, BufferSize=0x000000000000003C) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000000000051F500, BufferSize=0x00000000000000E0) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x0000000000521340, BufferSize=0x0000000000000068) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000000000051F5F0, BufferSize=0x00000000000000E0) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C2E20, BufferSize=0x000000000000003C) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000000000051F6E0, BufferSize=0x00000000000000E0) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000005368E0, BufferSize=0x000000000000003C) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000000000051F7D0, BufferSize=0x00000000000000E0) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x0000000000536B10, BufferSize=0x0000000000000046) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000000000051F8C0, BufferSize=0x00000000000000E0) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x0000000000536BB0, BufferSize=0x000000000000003E) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FFFFFDE018, BufferSize=0x0000000000000008) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x0000000077382660, BufferSize=0x0000000000000008) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004829EA, BufferSize=0x0000000000000068) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000FF540000, BufferSize=0x0000000000000200) [c:\windows\system32\werfault.exe]
LoadLibrary(VERSION.dll) [c:\windows\system32\werfault.exe]
VirtualQueryEx(C:\Windows\System32\WerFault.exe, MemoryRegionInformation, BaseAddress=0x0000000001C60000) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x0000000000482B70, BufferSize=0x000000000000003C) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x0000000077250000, BufferSize=0x0000000000000200) [c:\windows\system32\werfault.exe]
LdrFindEntryForAddress(0x0000000077250000) [c:\windows\system32\werfault.exe]
FreeLibrary(C:\Windows\SYSTEM32\ntdll.dll) [c:\windows\system32\werfault.exe]
FreeLibrary(C:\Windows\system32\psapi.dll) [c:\windows\system32\werfault.exe]
CreateMutex(Local\WERReportingForProcess796) [c:\windows\system32\werfault.exe]
QuerySystemInformation(123) [c:\windows\system32\werfault.exe]
QueryProcessInformation(C:\Windows\System32\WerFault.exe, ProcessQuotaLimits) [c:\windows\system32\werfault.exe]
QueryProcessInformation(C:\Windows\System32\WerFault.exe, ProcessVmCounters) [c:\windows\system32\werfault.exe]
ResumeThread(5652) [c:\windows\system32\werfault.exe]
SwitchDesktop(Unknown) [c:\windows\system32\werfault.exe]
LdrFindEntryForAddress(0x000007FEF5AE0000) [c:\windows\system32\werfault.exe]
VirtualQueryEx(C:\Windows\System32\WerFault.exe, MemoryRegionInformation, BaseAddress=0x0000000001CD0000) [c:\windows\system32\werfault.exe]
QueryProcessInformation(C:\Windows\System32\WerFault.exe, ProcessBasicInformation) [c:\windows\system32\werfault.exe]
VirtualAllocEx(C:\Windows\System32\WerFault.exe, MEM_COMMIT, PAGE_READWRITE, RegionSize=0x00000000000008D0) [c:\windows\system32\werfault.exe]
OpenProcessToken(C:\Windows\System32\WerFault.exe, TOKEN_DUPLICATE, TOKEN_QUERY, TOKEN_READ) [c:\windows\system32\werfault.exe]
VirtualAllocEx(C:\Windows\System32\WerFault.exe, MEM_COMMIT, PAGE_READWRITE, RegionSize=0x0000000000003000) [c:\windows\system32\werfault.exe]
VirtualAllocEx(C:\Windows\System32\WerFault.exe, MEM_COMMIT, PAGE_READWRITE, RegionSize=0x0000000000005000) [c:\windows\system32\werfault.exe]
RegOpenKeyEx(\HKCU\Software\Microsoft\Windows\Windows Error Reporting\Plugins\FDR\CurrentSession, KEY_READ, KEY_QUERY_VALUE, KEY_WOW64_64KEY) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004835E0, BufferSize=0x00000000000000E0) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x0000000000483020, BufferSize=0x0000000000000042) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x0000000000483190, BufferSize=0x0000000000000046) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x0000000000400000, BufferSize=0x0000000000000052) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C06B0, BufferSize=0x0000000000000042) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C07F0, BufferSize=0x000000000000003E) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C0C80, BufferSize=0x0000000000000040) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C0E80, BufferSize=0x000000000000003E) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C0B40, BufferSize=0x000000000000003C) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C17D0, BufferSize=0x000000000000003E) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004BE330, BufferSize=0x0000000000000038) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C1A00, BufferSize=0x000000000000003C) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C1E00, BufferSize=0x000000000000003E) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C1F40, BufferSize=0x000000000000003C) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C1FC0, BufferSize=0x0000000000000042) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C2010, BufferSize=0x000000000000003E) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C2060, BufferSize=0x0000000000000042) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C20B0, BufferSize=0x0000000000000040) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C38A0, BufferSize=0x00000000000000FA) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C2100, BufferSize=0x0000000000000040) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C2150, BufferSize=0x0000000000000040) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C21A0, BufferSize=0x000000000000003C) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C21F0, BufferSize=0x000000000000003E) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C1D20, BufferSize=0x0000000000000074) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C62B0, BufferSize=0x0000000000000078) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C6330, BufferSize=0x000000000000007A) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C63C0, BufferSize=0x0000000000000076) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C6440, BufferSize=0x0000000000000078) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C2240, BufferSize=0x0000000000000040) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C64C0, BufferSize=0x000000000000007A) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C2290, BufferSize=0x0000000000000042) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C22E0, BufferSize=0x0000000000000042) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C2330, BufferSize=0x0000000000000040) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C2380, BufferSize=0x0000000000000040) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C23D0, BufferSize=0x000000000000003C) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C2420, BufferSize=0x000000000000003C) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C2510, BufferSize=0x0000000000000040) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C25B0, BufferSize=0x0000000000000044) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C26A0, BufferSize=0x0000000000000040) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C26F0, BufferSize=0x0000000000000040) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C2790, BufferSize=0x000000000000003E) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C28D0, BufferSize=0x0000000000000042) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C2970, BufferSize=0x0000000000000042) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C2A10, BufferSize=0x0000000000000042) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C5700, BufferSize=0x00000000000000E8) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x0000000000521140, BufferSize=0x000000000000006A) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000005211C0, BufferSize=0x000000000000006A) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C2AB0, BufferSize=0x0000000000000040) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C2B50, BufferSize=0x000000000000003E) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x0000000000521340, BufferSize=0x000000000000006A) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C2E20, BufferSize=0x000000000000003E) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000005368E0, BufferSize=0x000000000000003E) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x0000000000536B10, BufferSize=0x0000000000000048) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x0000000000536BB0, BufferSize=0x0000000000000040) [c:\windows\system32\werfault.exe]
RegCreateKeyEx(\HKLM\Software\Microsoft\Windows\Windows Error Reporting\Debug, KEY_CREATE_SUB_KEY, KEY_READ, KEY_SET_VALUE, KEY_WRITE, READ_CONTROL) [c:\windows\system32\werfault.exe]
RegSetValueEx(\HKLM\software\microsoft\Windows\Windows Error Reporting\Debug, ExceptionRecord, REG_BINARY) [c:\windows\system32\werfault.exe]
RegCloseKey(\HKLM\software\microsoft\Windows\Windows Error Reporting\Debug) [c:\windows\system32\werfault.exe]
RegOpenKeyEx(\HKLM\Software\Microsoft\Windows\Windows Error Reporting\Debug, KEY_ENUMERATE_SUB_KEYS, KEY_READ, KEY_NOTIFY, KEY_QUERY_VALUE, KEY_WOW64_64KEY, KEY_WRITE, READ_CONTROL) [c:\windows\system32\werfault.exe]
OpenProcessToken(C:\Program Files\Windows NT\Accessories\wordpad.exe, TOKEN_ASSIGN_PRIMARY, TOKEN_DUPLICATE, TOKEN_QUERY, TOKEN_READ) [c:\windows\system32\werfault.exe]
VirtualAllocEx(C:\Windows\System32\WerFault.exe, MEM_RESERVE, PAGE_READWRITE, RegionSize=0x00000000000B0000) [c:\windows\system32\werfault.exe]
LoadLibrary(dbgeng.dll) [c:\windows\system32\werfault.exe]
LoadLibrary(dbghelp.dll) [c:\windows\system32\werfault.exe]
GetModuleHandle(dbgeng.dll) [c:\windows\system32\werfault.exe]
RegOpenKeyEx(\HKCU\Software\Microsoft\Windiff, KEY_ENUMERATE_SUB_KEYS, KEY_READ, KEY_NOTIFY, KEY_QUERY_VALUE, KEY_WRITE, READ_CONTROL) [c:\windows\system32\werfault.exe]
OpenFile(C:\Windows\System32\winxp\triage.ini) [c:\windows\system32\werfault.exe]
RegOpenKeyEx(\HKLM\Software\Microsoft\Windows NT\CurrentVersion, KEY_ENUMERATE_SUB_KEYS, KEY_READ, KEY_NOTIFY, KEY_QUERY_VALUE, KEY_WRITE, READ_CONTROL) [c:\windows\system32\werfault.exe]
RegCloseKey(\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion) [c:\windows\system32\werfault.exe]
FreeLibrary(C:\Windows\system32\kernel32.dll) [c:\windows\system32\werfault.exe]
OpenProcessToken(C:\Windows\System32\WerFault.exe, TOKEN_ADJUST_PRIVILEGES, TOKEN_WRITE) [c:\windows\system32\werfault.exe]
AdjustTokenPrivileges(SeDebugPrivilege: Enable) [c:\windows\system32\werfault.exe]
QuerySystemInformation(SystemProcessInformation) [c:\windows\system32\werfault.exe]
VirtualAllocEx(C:\Windows\System32\WerFault.exe, MEM_COMMIT, PAGE_READWRITE, RegionSize=0x0000000000006000) [c:\windows\system32\werfault.exe]
VirtualAllocEx(C:\Windows\System32\WerFault.exe, MEM_COMMIT, PAGE_READWRITE, RegionSize=0x0000000000008000) [c:\windows\system32\werfault.exe]
VirtualAllocEx(C:\Windows\System32\WerFault.exe, MEM_COMMIT, PAGE_READWRITE, RegionSize=0x000000000000A000) [c:\windows\system32\werfault.exe]
VirtualAllocEx(C:\Windows\System32\WerFault.exe, MEM_COMMIT, PAGE_READWRITE, RegionSize=0x000000000000C000) [c:\windows\system32\werfault.exe]
VirtualAllocEx(C:\Windows\System32\WerFault.exe, MEM_COMMIT, PAGE_READWRITE, RegionSize=0x000000000000E000) [c:\windows\system32\werfault.exe]
VirtualAllocEx(C:\Windows\System32\WerFault.exe, MEM_COMMIT, PAGE_READWRITE, RegionSize=0x0000000000010000) [c:\windows\system32\werfault.exe]
VirtualAllocEx(C:\Windows\System32\WerFault.exe, MEM_COMMIT, PAGE_READWRITE, RegionSize=0x0000000000012000) [c:\windows\system32\werfault.exe]
VirtualAllocEx(C:\Windows\System32\WerFault.exe, MEM_COMMIT, PAGE_READWRITE, RegionSize=0x0000000000014000) [c:\windows\system32\werfault.exe]
VirtualAllocEx(C:\Windows\System32\WerFault.exe, MEM_COMMIT, PAGE_READWRITE, RegionSize=0x0000000000016000) [c:\windows\system32\werfault.exe]
VirtualAllocEx(C:\Windows\System32\WerFault.exe, MEM_COMMIT, PAGE_READWRITE, RegionSize=0x000000000001B000) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x0000000000482C00, BufferSize=0x0000000000000088) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000FF540000, BufferSize=0x0000000000000040) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000FF5400F0, BufferSize=0x0000000000000004) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000FF5400F0, BufferSize=0x00000000000000F8) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000FF5400F0, BufferSize=0x0000000000000108) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x0000000000482CF0, BufferSize=0x0000000000000088) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x0000000077250000, BufferSize=0x0000000000000040) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000772500E0, BufferSize=0x0000000000000004) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000772500E0, BufferSize=0x00000000000000F8) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000772500E0, BufferSize=0x0000000000000108) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x0000000000483070, BufferSize=0x0000000000000088) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x0000000077030000, BufferSize=0x0000000000000040) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000770300E8, BufferSize=0x0000000000000004) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000770300E8, BufferSize=0x00000000000000F8) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000770300E8, BufferSize=0x0000000000000108) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004831E0, BufferSize=0x0000000000000088) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFD120000, BufferSize=0x0000000000000040) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFD1200E8, BufferSize=0x0000000000000004) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFD1200E8, BufferSize=0x00000000000000F8) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFD1200E8, BufferSize=0x0000000000000108) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C0700, BufferSize=0x0000000000000088) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFF480000, BufferSize=0x0000000000000040) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFF4800E0, BufferSize=0x0000000000000004) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFF4800E0, BufferSize=0x00000000000000F8) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFF4800E0, BufferSize=0x0000000000000108) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C0840, BufferSize=0x0000000000000088) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFE9A0000, BufferSize=0x0000000000000040) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFE9A00E8, BufferSize=0x0000000000000004) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFE9A00E8, BufferSize=0x00000000000000F8) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFE9A00E8, BufferSize=0x0000000000000108) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C0CD0, BufferSize=0x0000000000000088) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFE830000, BufferSize=0x0000000000000040) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFE8300E8, BufferSize=0x0000000000000004) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFE8300E8, BufferSize=0x00000000000000F8) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFE8300E8, BufferSize=0x0000000000000108) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C0A50, BufferSize=0x0000000000000088) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFED50000, BufferSize=0x0000000000000040) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFED500F0, BufferSize=0x0000000000000004) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFED500F0, BufferSize=0x00000000000000F8) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFED500F0, BufferSize=0x0000000000000108) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C0B90, BufferSize=0x0000000000000088) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFE850000, BufferSize=0x0000000000000040) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFE8500F0, BufferSize=0x0000000000000004) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFE8500F0, BufferSize=0x00000000000000F8) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFE8500F0, BufferSize=0x0000000000000108) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C1820, BufferSize=0x0000000000000088) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x0000000077150000, BufferSize=0x0000000000000040) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000771500F8, BufferSize=0x0000000000000004) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000771500F8, BufferSize=0x00000000000000F8) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000771500F8, BufferSize=0x0000000000000108) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C1910, BufferSize=0x0000000000000088) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFE820000, BufferSize=0x0000000000000040) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFE8200E0, BufferSize=0x0000000000000004) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFE8200E0, BufferSize=0x00000000000000F8) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFE8200E0, BufferSize=0x0000000000000108) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C1A50, BufferSize=0x0000000000000088) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFE8D0000, BufferSize=0x0000000000000040) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFE8D00E0, BufferSize=0x0000000000000004) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFE8D00E0, BufferSize=0x00000000000000F8) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFE8D00E0, BufferSize=0x0000000000000108) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C1E50, BufferSize=0x0000000000000088) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEF3DC0000, BufferSize=0x0000000000000040) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEF3DC00F0, BufferSize=0x0000000000000004) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEF3DC00F0, BufferSize=0x00000000000000F8) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEF3DC00F0, BufferSize=0x0000000000000108) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C1B40, BufferSize=0x0000000000000088) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFF270000, BufferSize=0x0000000000000040) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFF2700F0, BufferSize=0x0000000000000004) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFF2700F0, BufferSize=0x00000000000000F8) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFF2700F0, BufferSize=0x0000000000000108) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C1C30, BufferSize=0x0000000000000088) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFF190000, BufferSize=0x0000000000000040) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFF1900E8, BufferSize=0x0000000000000004) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFF1900E8, BufferSize=0x00000000000000F8) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFF1900E8, BufferSize=0x0000000000000108) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C39C0, BufferSize=0x0000000000000088) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEF56D0000, BufferSize=0x0000000000000040) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEF56D00F0, BufferSize=0x0000000000000004) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEF56D00F0, BufferSize=0x00000000000000F8) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEF56D00F0, BufferSize=0x0000000000000108) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C3AE0, BufferSize=0x0000000000000088) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFECB0000, BufferSize=0x0000000000000040) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFECB00E8, BufferSize=0x0000000000000004) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFECB00E8, BufferSize=0x00000000000000F8) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFECB00E8, BufferSize=0x0000000000000108) [c:\windows\system32\werfault.exe]
VirtualAllocEx(C:\Windows\System32\WerFault.exe, MEM_RESERVE, PAGE_READWRITE, RegionSize=0x0000000000100000) [c:\windows\system32\werfault.exe]
VirtualAllocEx(C:\Windows\System32\WerFault.exe, MEM_COMMIT, PAGE_READWRITE, RegionSize=0x0000000000007000) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C3BD0, BufferSize=0x0000000000000088) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFD970000, BufferSize=0x0000000000000040) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFD9700F8, BufferSize=0x0000000000000004) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFD9700F8, BufferSize=0x00000000000000F8) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFD9700F8, BufferSize=0x0000000000000108) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C3CC0, BufferSize=0x0000000000000088) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFBAD0000, BufferSize=0x0000000000000040) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFBAD00E8, BufferSize=0x0000000000000004) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFBAD00E8, BufferSize=0x00000000000000F8) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFBAD00E8, BufferSize=0x0000000000000108) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C3DB0, BufferSize=0x0000000000000088) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFD9F0000, BufferSize=0x0000000000000040) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFD9F00F0, BufferSize=0x0000000000000004) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFD9F00F0, BufferSize=0x00000000000000F8) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFD9F00F0, BufferSize=0x0000000000000108) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C3EA0, BufferSize=0x0000000000000088) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFB7A0000, BufferSize=0x0000000000000040) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFB7A0100, BufferSize=0x0000000000000004) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFB7A0100, BufferSize=0x00000000000000F8) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFB7A0100, BufferSize=0x0000000000000108) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C3F90, BufferSize=0x0000000000000070) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C4000, BufferSize=0x0000000000000018) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFB320000, BufferSize=0x0000000000000040) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFB3200F0, BufferSize=0x0000000000000004) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFB3200F0, BufferSize=0x00000000000000F8) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFB3200F0, BufferSize=0x0000000000000108) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C4080, BufferSize=0x0000000000000088) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFEB50000, BufferSize=0x0000000000000040) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFEB500F8, BufferSize=0x0000000000000004) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFEB500F8, BufferSize=0x00000000000000F8) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFEB500F8, BufferSize=0x0000000000000108) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C4170, BufferSize=0x0000000000000088) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFD3C0000, BufferSize=0x0000000000000040) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFD3C00C8, BufferSize=0x0000000000000004) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFD3C00C8, BufferSize=0x00000000000000F8) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFD3C00C8, BufferSize=0x0000000000000108) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C4260, BufferSize=0x0000000000000088) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFD410000, BufferSize=0x0000000000000040) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFD4100C8, BufferSize=0x0000000000000004) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFD4100C8, BufferSize=0x00000000000000F8) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFD4100C8, BufferSize=0x0000000000000108) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C4350, BufferSize=0x0000000000000088) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFD1A0000, BufferSize=0x0000000000000040) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFD1A00C8, BufferSize=0x0000000000000004) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFD1A00C8, BufferSize=0x00000000000000F8) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFD1A00C8, BufferSize=0x0000000000000108) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C4440, BufferSize=0x0000000000000088) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFD420000, BufferSize=0x0000000000000040) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFD4200C8, BufferSize=0x0000000000000004) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFD4200C8, BufferSize=0x00000000000000F8) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFD4200C8, BufferSize=0x0000000000000108) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C4530, BufferSize=0x0000000000000088) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFD0B0000, BufferSize=0x0000000000000040) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFD0B00C8, BufferSize=0x0000000000000004) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFD0B00C8, BufferSize=0x00000000000000F8) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFD0B00C8, BufferSize=0x0000000000000108) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C4620, BufferSize=0x0000000000000088) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFC160000, BufferSize=0x0000000000000040) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFC1600E0, BufferSize=0x0000000000000004) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFC1600E0, BufferSize=0x00000000000000F8) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFC1600E0, BufferSize=0x0000000000000108) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C4710, BufferSize=0x0000000000000088) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFD190000, BufferSize=0x0000000000000040) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFD1900C8, BufferSize=0x0000000000000004) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFD1900C8, BufferSize=0x00000000000000F8) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFD1900C8, BufferSize=0x0000000000000108) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C4800, BufferSize=0x0000000000000088) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x0000000077410000, BufferSize=0x0000000000000040) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000774100B8, BufferSize=0x0000000000000004) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000774100B8, BufferSize=0x00000000000000F8) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000774100B8, BufferSize=0x0000000000000108) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C48F0, BufferSize=0x0000000000000088) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFD430000, BufferSize=0x0000000000000040) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFD4300F8, BufferSize=0x0000000000000004) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFD4300F8, BufferSize=0x00000000000000F8) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFD4300F8, BufferSize=0x0000000000000108) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C49E0, BufferSize=0x0000000000000088) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFEE80000, BufferSize=0x0000000000000040) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFEE80100, BufferSize=0x0000000000000004) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFEE80100, BufferSize=0x00000000000000F8) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFEE80100, BufferSize=0x0000000000000108) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C4AD0, BufferSize=0x0000000000000088) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFAD90000, BufferSize=0x0000000000000040) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFAD900F0, BufferSize=0x0000000000000004) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFAD900F0, BufferSize=0x00000000000000F8) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFAD900F0, BufferSize=0x0000000000000108) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C4BC0, BufferSize=0x0000000000000088) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFD940000, BufferSize=0x0000000000000040) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFD9400F0, BufferSize=0x0000000000000004) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFD9400F0, BufferSize=0x00000000000000F8) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFD9400F0, BufferSize=0x0000000000000108) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C4CB0, BufferSize=0x0000000000000088) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFEA40000, BufferSize=0x0000000000000040) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFEA400F0, BufferSize=0x0000000000000004) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFEA400F0, BufferSize=0x00000000000000F8) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFEA400F0, BufferSize=0x0000000000000108) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C4DA0, BufferSize=0x0000000000000088) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x0000000067D40000, BufferSize=0x0000000000000040) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x0000000067D400B8, BufferSize=0x0000000000000004) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x0000000067D400B8, BufferSize=0x00000000000000F8) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x0000000067D400B8, BufferSize=0x0000000000000108) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C4F80, BufferSize=0x0000000000000080) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C5000, BufferSize=0x0000000000000008) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFCEF0000, BufferSize=0x0000000000000040) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFCEF00F0, BufferSize=0x0000000000000004) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFCEF00F0, BufferSize=0x00000000000000F8) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFCEF00F0, BufferSize=0x0000000000000108) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C5160, BufferSize=0x0000000000000088) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFB730000, BufferSize=0x0000000000000040) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFB7300F0, BufferSize=0x0000000000000004) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFB7300F0, BufferSize=0x00000000000000F8) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFB7300F0, BufferSize=0x0000000000000108) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C5250, BufferSize=0x0000000000000088) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFE780000, BufferSize=0x0000000000000040) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFE7800E8, BufferSize=0x0000000000000004) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFE7800E8, BufferSize=0x00000000000000F8) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFE7800E8, BufferSize=0x0000000000000108) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C5340, BufferSize=0x0000000000000088) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEF72B0000, BufferSize=0x0000000000000040) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEF72B0100, BufferSize=0x0000000000000004) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEF72B0100, BufferSize=0x00000000000000F8) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEF72B0100, BufferSize=0x0000000000000108) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C5430, BufferSize=0x0000000000000088) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEF5F60000, BufferSize=0x0000000000000040) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEF5F600F8, BufferSize=0x0000000000000004) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEF5F600F8, BufferSize=0x00000000000000F8) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEF5F600F8, BufferSize=0x0000000000000108) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C5520, BufferSize=0x0000000000000088) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEF6FC0000, BufferSize=0x0000000000000040) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEF6FC00F0, BufferSize=0x0000000000000004) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEF6FC00F0, BufferSize=0x00000000000000F8) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEF6FC00F0, BufferSize=0x0000000000000108) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C5610, BufferSize=0x0000000000000088) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEF35A0000, BufferSize=0x0000000000000040) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEF35A00E8, BufferSize=0x0000000000000004) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEF35A00E8, BufferSize=0x00000000000000F8) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEF35A00E8, BufferSize=0x0000000000000108) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C57F0, BufferSize=0x0000000000000088) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFB3E0000, BufferSize=0x0000000000000040) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFB3E00E8, BufferSize=0x0000000000000004) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFB3E00E8, BufferSize=0x00000000000000F8) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFB3E00E8, BufferSize=0x0000000000000108) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000004C58E0, BufferSize=0x0000000000000088) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x0000000180000000, BufferSize=0x0000000000000040) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x0000000180000108, BufferSize=0x0000000000000004) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x0000000180000108, BufferSize=0x00000000000000F8) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x0000000180000108, BufferSize=0x0000000000000108) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000000000051F140, BufferSize=0x0000000000000088) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x0000000002F70000, BufferSize=0x0000000000000040) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x0000000002F700F8, BufferSize=0x0000000000000004) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x0000000002F700F8, BufferSize=0x00000000000000F8) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x0000000002F700F8, BufferSize=0x0000000000000108) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000000000051F230, BufferSize=0x0000000000000088) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEF7070000, BufferSize=0x0000000000000040) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEF70700E0, BufferSize=0x0000000000000004) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEF70700E0, BufferSize=0x00000000000000F8) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEF70700E0, BufferSize=0x0000000000000108) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000000000051F320, BufferSize=0x0000000000000088) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFB380000, BufferSize=0x0000000000000040) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFB3800E0, BufferSize=0x0000000000000004) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFB3800E0, BufferSize=0x00000000000000F8) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFB3800E0, BufferSize=0x0000000000000108) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000000000051F500, BufferSize=0x0000000000000088) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000023B0000, BufferSize=0x0000000000000040) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000023B00F8, BufferSize=0x0000000000000004) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000023B00F8, BufferSize=0x00000000000000F8) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000023B00F8, BufferSize=0x0000000000000108) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000000000051F5F0, BufferSize=0x0000000000000088) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEF6AB0000, BufferSize=0x0000000000000040) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEF6AB00E0, BufferSize=0x0000000000000004) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEF6AB00E0, BufferSize=0x00000000000000F8) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEF6AB00E0, BufferSize=0x0000000000000108) [c:\windows\system32\werfault.exe]
VirtualAllocEx(C:\Windows\System32\WerFault.exe, MEM_RESERVE, PAGE_READWRITE, RegionSize=0x0000000000200000) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000000000051F6E0, BufferSize=0x0000000000000088) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEF6F50000, BufferSize=0x0000000000000040) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEF6F500F0, BufferSize=0x0000000000000004) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEF6F500F0, BufferSize=0x00000000000000F8) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEF6F500F0, BufferSize=0x0000000000000108) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000000000051F7D0, BufferSize=0x0000000000000088) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000000005D730000, BufferSize=0x0000000000000040) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000000005D7300B8, BufferSize=0x0000000000000004) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000000005D7300B8, BufferSize=0x00000000000000F8) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000000005D7300B8, BufferSize=0x0000000000000108) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000000000051F8C0, BufferSize=0x0000000000000088) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFCE90000, BufferSize=0x0000000000000040) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFCE900F0, BufferSize=0x0000000000000004) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFCE900F0, BufferSize=0x00000000000000F8) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FEFCE900F0, BufferSize=0x0000000000000108) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000000007738B628, BufferSize=0x0000000000000004) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000773822B4, BufferSize=0x0000000000000004) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x0000000077382350, BufferSize=0x0000000000000008) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000000000052A430, BufferSize=0x0000000000000008) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000000000052A430, BufferSize=0x0000000000000068) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000000000052A498, BufferSize=0x0000000000000068) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000000000052A500, BufferSize=0x0000000000000068) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000000000052A568, BufferSize=0x0000000000000068) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FFFFFDC000, BufferSize=0x0000000000000008) [c:\windows\system32\werfault.exe]
SearchPath(C:\Windows\System32\WINXP;C:\Windows\System32\winext;C:\Windows\System32\winext\arcade;C:\Windows\System32\pri;C:\Windows\System32;C:\Windows\System32\winext\arcade;C:\Program Files (x86)\RSA SecurID Token Common;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files (x86)\Intel\OpenCL SDK\2.0\bin\x86;C:\Program Files (x86)\Intel\OpenCL SDK\2.0\bin\x64;C:\Program Files (x86)\Sudowin\Clients\Console;C:\Program Files (x86)\Sudowin\Clients\Console;C:\Progr, dbghelp, .dll) [c:\windows\system32\werfault.exe]
SearchPath(C:\Windows\System32\WINXP;C:\Windows\System32\winext;C:\Windows\System32\winext\arcade;C:\Windows\System32\pri;C:\Windows\System32;C:\Windows\System32\winext\arcade;C:\Program Files (x86)\RSA SecurID Token Common;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files (x86)\Intel\OpenCL SDK\2.0\bin\x86;C:\Program Files (x86)\Intel\OpenCL SDK\2.0\bin\x64;C:\Program Files (x86)\Sudowin\Clients\Console;C:\Program Files (x86)\Sudowin\Clients\Console;C:\Progr, ext, .dll) [c:\windows\system32\werfault.exe]
LdrFindEntryForAddress(0x000007FEFD120000) [c:\windows\system32\werfault.exe]
VirtualQueryEx(C:\Windows\System32\WerFault.exe, MemoryRegionInformation, BaseAddress=0x0000000002540000) [c:\windows\system32\werfault.exe]
SearchPath(C:\Windows\System32\WINXP;C:\Windows\System32\winext;C:\Windows\System32\winext\arcade;C:\Windows\System32\pri;C:\Windows\System32;C:\Windows\System32\winext\arcade;C:\Program Files (x86)\RSA SecurID Token Common;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files (x86)\Intel\OpenCL SDK\2.0\bin\x86;C:\Program Files (x86)\Intel\OpenCL SDK\2.0\bin\x64;C:\Program Files (x86)\Sudowin\Clients\Console;C:\Program Files (x86)\Sudowin\Clients\Console;C:\Progr, exts, .dll) [c:\windows\system32\werfault.exe]
SearchPath(C:\Windows\System32\WINXP;C:\Windows\System32\winext;C:\Windows\System32\winext\arcade;C:\Windows\System32\pri;C:\Windows\System32;C:\Windows\System32\winext\arcade;C:\Program Files (x86)\RSA SecurID Token Common;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files (x86)\Intel\OpenCL SDK\2.0\bin\x86;C:\Program Files (x86)\Intel\OpenCL SDK\2.0\bin\x64;C:\Program Files (x86)\Sudowin\Clients\Console;C:\Program Files (x86)\Sudowin\Clients\Console;C:\Progr, uext, .dll) [c:\windows\system32\werfault.exe]
SearchPath(C:\Windows\System32\WINXP;C:\Windows\System32\winext;C:\Windows\System32\winext\arcade;C:\Windows\System32\pri;C:\Windows\System32;C:\Windows\System32\winext\arcade;C:\Program Files (x86)\RSA SecurID Token Common;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files (x86)\Intel\OpenCL SDK\2.0\bin\x86;C:\Program Files (x86)\Intel\OpenCL SDK\2.0\bin\x64;C:\Program Files (x86)\Sudowin\Clients\Console;C:\Program Files (x86)\Sudowin\Clients\Console;C:\Progr, ntsdexts, .dll) [c:\windows\system32\werfault.exe]
SuspendThread(5608) [c:\windows\system32\werfault.exe]
ResumeThread(5608) [c:\windows\system32\werfault.exe]
ResumeThread(2128) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000774002C0, BufferSize=0x0000000000000040) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FFFFFDC008, BufferSize=0x0000000000000008) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000007FFFFFDC010, BufferSize=0x0000000000000008) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x0000000077250000, BufferSize=0x0000000000000002) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000772501E8, BufferSize=0x0000000000000118) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x0000000077356270, BufferSize=0x0000000000000028) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000000007735126C, BufferSize=0x000000000000001C) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000773512A8, BufferSize=0x0000000000000022) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x0000000077351288, BufferSize=0x000000000000001C) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x0000000077356270, BufferSize=0x0000000000000D90) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x0000000077357000, BufferSize=0x0000000000001000) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x0000000077358000, BufferSize=0x0000000000001000) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x0000000077359000, BufferSize=0x0000000000001000) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000000007735A000, BufferSize=0x0000000000001000) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000000007735B000, BufferSize=0x0000000000001000) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000000007735C000, BufferSize=0x0000000000001000) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000000007735D000, BufferSize=0x0000000000001000) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000000007735E000, BufferSize=0x0000000000001000) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000000007735F000, BufferSize=0x0000000000001000) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x0000000077360000, BufferSize=0x0000000000001000) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x0000000077361000, BufferSize=0x0000000000001000) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x0000000077362000, BufferSize=0x0000000000001000) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x0000000077363000, BufferSize=0x0000000000001000) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x0000000077364000, BufferSize=0x0000000000001000) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x0000000077365000, BufferSize=0x000000000000040C) [c:\windows\system32\werfault.exe]
VirtualAllocEx(C:\Windows\System32\WerFault.exe, MEM_COMMIT, PAGE_READWRITE, RegionSize=0x00000000000B6000) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x0000000077382510, BufferSize=0x0000000000000010) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000000000028CE08, BufferSize=0x0000000000000008) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000000000028CE10, BufferSize=0x0000000000000020) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000000000028CE10, BufferSize=0x0000000000000008) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x000000000028CE18, BufferSize=0x0000000000000020) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000774002EA, BufferSize=0x0000000000000001) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Program Files\Windows NT\Accessories\wordpad.exe, BaseAddress=0x00000000774002EA, BufferSize=0x0000000000000002) [c:\windows\system32\werfault.exe]
VirtualAllocEx(C:\Windows\System32\WerFault.exe, MEM_COMMIT, PAGE_READWRITE, RegionSize=0x0000000000009000) [c:\windows\system32\werfault.exe]
VirtualAllocEx(C:\Windows\System32\WerFault.exe, MEM_COMMIT, PAGE_READWRITE, RegionSize=0x000000000000F000) [c:\windows\system32\werfault.exe]
VirtualAllocEx(C:\Windows\System32\WerFault.exe, MEM_COMMIT, PAGE_READWRITE, RegionSize=0x0000000000015000) [c:\windows\system32\werfault.exe]
VirtualAllocEx(C:\Windows\System32\WerFault.exe, MEM_COMMIT, PAGE_READWRITE, RegionSize=0x000000000003C000) [c:\windows\system32\werfault.exe]
VirtualAllocEx(C:\Windows\System32\WerFault.exe, MEM_COMMIT, PAGE_READWRITE, RegionSize=0x000000000000B000) [c:\windows\system32\werfault.exe]
VirtualAllocEx(C:\Windows\System32\WerFault.exe, MEM_COMMIT, PAGE_READWRITE, RegionSize=0x0000000000053000) [c:\windows\system32\werfault.exe]
VirtualAllocEx(C:\Windows\System32\WerFault.exe, MEM_COMMIT, PAGE_READWRITE, RegionSize=0x0000000000032000) [c:\windows\system32\werfault.exe]
VirtualAllocEx(C:\Windows\System32\WerFault.exe, MEM_COMMIT, PAGE_READWRITE, RegionSize=0x000000000001C000) [c:\windows\system32\werfault.exe]
VirtualAllocEx(C:\Windows\System32\WerFault.exe, MEM_COMMIT, PAGE_READWRITE, RegionSize=0x0000000000038000) [c:\windows\system32\werfault.exe]
VirtualAllocEx(C:\Windows\System32\WerFault.exe, MEM_COMMIT, PAGE_READWRITE, RegionSize=0x0000000000064000) [c:\windows\system32\werfault.exe]
VirtualAllocEx(C:\Windows\System32\WerFault.exe, MEM_COMMIT, PAGE_READWRITE, RegionSize=0x000000000002D000) [c:\windows\system32\werfault.exe]
VirtualAllocEx(C:\Windows\System32\WerFault.exe, MEM_COMMIT, PAGE_READWRITE, RegionSize=0x00000000000C6000) [c:\windows\system32\werfault.exe]
FreeLibrary(C:\Windows\System32\dbghelp.dll) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Windows\System32\WerFault.exe, BaseAddress=0x000000000012D378, BufferSize=0x0000000000000010) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Windows\System32\WerFault.exe, BaseAddress=0x000000000012EE80, BufferSize=0x0000000000000098) [c:\windows\system32\werfault.exe]
CreateMutex(Global\?a) [c:\windows\system32\werfault.exe]
LdrFindEntryForAddress(0x000007FEF6B60000) [c:\windows\system32\werfault.exe]
VirtualQueryEx(C:\Windows\System32\WerFault.exe, MemoryRegionInformation, BaseAddress=0x0000000001D60000) [c:\windows\system32\werfault.exe]
OpenProcessToken(C:\Windows\System32\WerFault.exe, TOKEN_QUERY, TOKEN_READ) [c:\windows\system32\werfault.exe]
RegOpenKeyEx(\HKLM\Software\Policies\Microsoft\Windows\Windows Error Reporting, KEY_ENUMERATE_SUB_KEYS, KEY_READ, KEY_NOTIFY, KEY_QUERY_VALUE, KEY_WOW64_64KEY, KEY_WRITE, READ_CONTROL) [c:\windows\system32\werfault.exe]
RegOpenKeyEx(\HKLM\Software\Microsoft\Windows\Windows Error Reporting, KEY_ENUMERATE_SUB_KEYS, KEY_READ, KEY_NOTIFY, KEY_QUERY_VALUE, KEY_WOW64_64KEY, KEY_WRITE, READ_CONTROL) [c:\windows\system32\werfault.exe]
RegOpenKeyEx(\HKLM\software\microsoft\Windows\Windows Error Reporting\Consent, KEY_ENUMERATE_SUB_KEYS, KEY_READ, KEY_NOTIFY, KEY_QUERY_VALUE, KEY_WOW64_64KEY, KEY_WRITE, READ_CONTROL) [c:\windows\system32\werfault.exe]
RegCloseKey(\HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Consent) [c:\windows\system32\werfault.exe]
RegOpenKeyEx(\HKLM\software\microsoft\Windows\Windows Error Reporting\ExcludedApplications, KEY_ENUMERATE_SUB_KEYS, KEY_READ, KEY_NOTIFY, KEY_QUERY_VALUE, KEY_WOW64_64KEY, KEY_WRITE, READ_CONTROL) [c:\windows\system32\werfault.exe]
RegOpenKeyEx(\HKLM\software\microsoft\Windows\Windows Error Reporting\DebugApplications, KEY_ENUMERATE_SUB_KEYS, KEY_READ, KEY_NOTIFY, KEY_QUERY_VALUE, KEY_WOW64_64KEY, KEY_WRITE, READ_CONTROL) [c:\windows\system32\werfault.exe]
RegOpenKeyEx(\HKCU\Software\Policies\Microsoft\Windows\Windows Error Reporting, KEY_ENUMERATE_SUB_KEYS, KEY_READ, KEY_NOTIFY, KEY_QUERY_VALUE, KEY_WOW64_64KEY, KEY_WRITE, READ_CONTROL) [c:\windows\system32\werfault.exe]
RegOpenKeyEx(\HKCU\Software\Microsoft\Windows\Windows Error Reporting, KEY_ENUMERATE_SUB_KEYS, KEY_READ, KEY_NOTIFY, KEY_QUERY_VALUE, KEY_WOW64_64KEY, KEY_WRITE, READ_CONTROL) [c:\windows\system32\werfault.exe]
RegOpenKeyEx(\HKCU\S-1-5-21-1941945027-3115137342-1228438717-1001\Software\Microsoft\Windows\Windows Error Reporting\Consent, KEY_ENUMERATE_SUB_KEYS, KEY_READ, KEY_NOTIFY, KEY_QUERY_VALUE, KEY_WOW64_64KEY, KEY_WRITE, READ_CONTROL) [c:\windows\system32\werfault.exe]
RegCloseKey(\HKCU\S-1-5-21-1941945027-3115137342-1228438717-1001\Software\Microsoft\Windows\Windows Error Reporting\Consent) [c:\windows\system32\werfault.exe]
RegOpenKeyEx(\HKCU\S-1-5-21-1941945027-3115137342-1228438717-1001\Software\Microsoft\Windows\Windows Error Reporting\ExcludedApplications, KEY_ENUMERATE_SUB_KEYS, KEY_READ, KEY_NOTIFY, KEY_QUERY_VALUE, KEY_WOW64_64KEY, KEY_WRITE, READ_CONTROL) [c:\windows\system32\werfault.exe]
RegOpenKeyEx(\HKCU\S-1-5-21-1941945027-3115137342-1228438717-1001\Software\Microsoft\Windows\Windows Error Reporting\DebugApplications, KEY_ENUMERATE_SUB_KEYS, KEY_READ, KEY_NOTIFY, KEY_QUERY_VALUE, KEY_WOW64_64KEY, KEY_WRITE, READ_CONTROL) [c:\windows\system32\werfault.exe]
RegOpenKeyEx(\HKLM\SOFTWARE\Microsoft\Reliability Analysis\RAC, KEY_READ, KEY_QUERY_VALUE, KEY_WOW64_64KEY) [c:\windows\system32\werfault.exe]
RegCloseKey(\HKLM\SOFTWARE\Microsoft\Reliability Analysis\RAC) [c:\windows\system32\werfault.exe]
QuerySystemInformation(SystemTimeOfDayInformation) [c:\windows\system32\werfault.exe]
GetFileAttributes(C:\Program Files\Windows NT\Accessories\wordpad.exe) [c:\windows\system32\werfault.exe]
LoadLibrary(SensApi.dll) [c:\windows\system32\werfault.exe]
VirtualAllocEx(C:\Windows\System32\WerFault.exe, MEM_COMMIT MEM_RESERVE MEM_TOP_DOWN, PAGE_READWRITE, RegionSize=0x0000000000102000) [c:\windows\system32\werfault.exe]
OpenFile(C:\Windows\System32\werui.dll.2.config) [c:\windows\system32\werfault.exe]
LoadLibrary(werui.dll) [c:\windows\system32\werfault.exe]
LdrFindEntryForAddress(0x000007FEF5B70000) [c:\windows\system32\werfault.exe]
VirtualQueryEx(C:\Windows\System32\WerFault.exe, MemoryRegionInformation, BaseAddress=0x0000000002610000) [c:\windows\system32\werfault.exe]
OpenProcess(C:\Program Files\Windows NT\Accessories\wordpad.exe, PROCESS_QUERY_LIMITED_INFORMATION) [c:\windows\system32\werfault.exe]
QueryProcessInformation(C:\Program Files\Windows NT\Accessories\wordpad.exe, ProcessConsoleHostProcess) [c:\windows\system32\werfault.exe]
LoadLibrary(CRYPTBASE.dll) [c:\windows\system32\werfault.exe]
LoadLibrary(shell32.dll) [c:\windows\system32\werfault.exe]
OpenProcess(C:\Windows\System32\WerFault.exe, PROCESS_QUERY_INFORMATION) [c:\windows\system32\werfault.exe]
QueryProcessInformation(C:\Windows\System32\WerFault.exe, ProcessSessionInformation) [c:\windows\system32\werfault.exe]
SystemParametersInfo(SPI_GETCURSORSHADOW, 0) [c:\windows\system32\werfault.exe]
SystemParametersInfo(SPI_GETHOTTRACKING, 0) [c:\windows\system32\werfault.exe]
ResumeThread(3912) [c:\windows\system32\werfault.exe]
VirtualAllocEx(C:\Windows\System32\WerFault.exe, MEM_RESERVE, PAGE_READWRITE, RegionSize=0x000000000003FFF0) [c:\windows\system32\werfault.exe]
GetModuleHandle(advapi32.dll) [c:\windows\system32\werfault.exe]
VirtualAllocEx(C:\Windows\System32\WerFault.exe, MEM_COMMIT MEM_RESERVE MEM_TOP_DOWN, PAGE_READWRITE, RegionSize=0x0000000000010000) [c:\windows\system32\werfault.exe]
LoadLibrary(DUser.dll) [c:\windows\system32\werfault.exe]
ResumeThread(5940) [c:\windows\system32\werfault.exe]
GetForegroundWindow() [c:\windows\system32\werfault.exe]
LoadLibrary(dwmapi.dll) [c:\windows\system32\werfault.exe]
LoadLibrary(PROPSYS.dll) [c:\windows\system32\werfault.exe]
FindWindow(Shell_TrayWnd, null) [c:\windows\system32\werfault.exe]
OpenFile(C:\Windows\System32\WerFault.exe) [c:\windows\system32\werfault.exe]
GetFileAttributes(C:\Windows\System32\WerFault.exe) [c:\windows\system32\werfault.exe]
FreeLibrary(C:\Windows\System32\WerFault.exe) [c:\windows\system32\werfault.exe]
VirtualAllocEx(C:\Windows\System32\WerFault.exe, MEM_RESERVE, PAGE_READWRITE, RegionSize=0x0000000000140000) [c:\windows\system32\werfault.exe]
RegOpenKeyEx(\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink, KEY_ENUMERATE_SUB_KEYS, KEY_READ, KEY_QUERY_VALUE, KEY_WOW64_64KEY) [c:\windows\system32\werfault.exe]
RegEnumValue(\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink) [c:\windows\system32\werfault.exe]
RegCloseKey(\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink) [c:\windows\system32\werfault.exe]
RegOpenKeyEx(\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0, KEY_READ, KEY_QUERY_VALUE, KEY_WOW64_64KEY) [c:\windows\system32\werfault.exe]
RegCloseKey(\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0) [c:\windows\system32\werfault.exe]
OpenFile(C:\Windows\Fonts\staticcache.dat) [c:\windows\system32\werfault.exe]
RegOpenKeyEx(\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback, KEY_READ, KEY_QUERY_VALUE, KEY_WOW64_64KEY) [c:\windows\system32\werfault.exe]
RegCloseKey(\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback) [c:\windows\system32\werfault.exe]
RegOpenKeyEx(\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback, KEY_ENUMERATE_SUB_KEYS, KEY_READ, KEY_QUERY_VALUE, KEY_WOW64_64KEY) [c:\windows\system32\werfault.exe]
RegEnumKeyEx(\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback) [c:\windows\system32\werfault.exe]
RegOpenKeyEx(\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Segoe UI, KEY_READ, KEY_QUERY_VALUE, KEY_WOW64_64KEY) [c:\windows\system32\werfault.exe]
SystemParametersInfo(SPI_GETANIMATION, 8) [c:\windows\system32\werfault.exe]
VirtualAllocEx(C:\Windows\System32\WerFault.exe, MEM_COMMIT, PAGE_READWRITE, RegionSize=0x0000000000011000) [c:\windows\system32\werfault.exe]
VirtualAllocEx(C:\Windows\System32\WerFault.exe, MEM_RESERVE, PAGE_READWRITE, RegionSize=0x00000000000FFFF0) [c:\windows\system32\werfault.exe]
LoadLibrary(xmllite.dll) [c:\windows\system32\werfault.exe]
VirtualQueryEx(C:\Windows\System32\WerFault.exe, MemoryBasicInformation, BaseAddress=0x000000000274E588) [c:\windows\system32\werfault.exe]
VirtualQueryEx(C:\Windows\System32\WerFault.exe, MemoryBasicInformation, BaseAddress=0x000000000274E508) [c:\windows\system32\werfault.exe]
VirtualQueryEx(C:\Windows\System32\WerFault.exe, MemoryBasicInformation, BaseAddress=0x000000000274E458) [c:\windows\system32\werfault.exe]
VirtualQueryEx(C:\Windows\System32\WerFault.exe, MemoryBasicInformation, BaseAddress=0x000000000274E3D8) [c:\windows\system32\werfault.exe]
LdrFindEntryForAddress(0x000007FEFB1C0000) [c:\windows\system32\werfault.exe]
VirtualQueryEx(C:\Windows\System32\WerFault.exe, MemoryRegionInformation, BaseAddress=0x0000000003D29468) [c:\windows\system32\werfault.exe]
VirtualAllocEx(C:\Windows\System32\WerFault.exe, MEM_COMMIT, PAGE_EXECUTE_READWRITE, RegionSize=0x0000000000001000) [c:\windows\system32\werfault.exe]
GetWindowTextLength() [c:\windows\system32\werfault.exe]
LdrFindEntryForAddress(0x000007FEFBAD0000) [c:\windows\system32\werfault.exe]
VirtualQueryEx(C:\Windows\System32\WerFault.exe, MemoryRegionInformation, BaseAddress=0x00000000026A0000) [c:\windows\system32\werfault.exe]
VirtualQueryEx(C:\Windows\System32\WerFault.exe, MemoryRegionInformation, BaseAddress=0x00000000054759A0) [c:\windows\system32\werfault.exe]
SystemParametersInfo(SPI_GETNONCLIENTMETRICS, 504) [c:\windows\system32\werfault.exe]
SetTimer(0x0000000000000000, Elapse=0x00001388) [c:\windows\system32\werfault.exe]
FreeLibrary(C:\Windows\system32\xmllite.dll) [c:\windows\system32\werfault.exe]
SetTimer(0x00000000001214FA, Elapse=0x0000001E) [c:\windows\system32\werfault.exe]
RegOpenKeyEx(\HKLM\Software\Microsoft\Windows\Windows Error Reporting\Debug, KEY_READ, KEY_QUERY_VALUE, KEY_WOW64_64KEY) [c:\windows\system32\werfault.exe]
RegCreateKeyEx(\HKCU\Software\Microsoft\Windows\Windows Error Reporting\Debug\UIHandles, KEY_CREATE_SUB_KEY, KEY_READ, KEY_SET_VALUE, KEY_WOW64_64KEY, KEY_WRITE, READ_CONTROL) [c:\windows\system32\werfault.exe]
RegSetValueEx(\HKCU\S-1-5-21-1941945027-3115137342-1228438717-1001\software\Microsoft\Windows\Windows Error Reporting\Debug\UIHandles, CheckingForSolutionDialog, REG_QWORD) [c:\windows\system32\werfault.exe]
RegCloseKey(\HKCU\S-1-5-21-1941945027-3115137342-1228438717-1001\software\Microsoft\Windows\Windows Error Reporting\Debug\UIHandles) [c:\windows\system32\werfault.exe]
RegCreateKeyEx(\HKLM\Software\Microsoft\Windows\Windows Error Reporting\Debug\UIHandles, KEY_CREATE_SUB_KEY, KEY_READ, KEY_SET_VALUE, KEY_WOW64_64KEY, KEY_WRITE, READ_CONTROL) [c:\windows\system32\werfault.exe]
RegSetValueEx(\HKLM\software\microsoft\Windows\Windows Error Reporting\Debug\UIHandles, CheckingForSolutionDialog, REG_QWORD) [c:\windows\system32\werfault.exe]
GetFileAttributes(C:\Users\admin\AppData\Local\Temp\) [c:\windows\system32\werfault.exe]
RegCloseKey(\HKLM\software\microsoft\Windows\Windows Error Reporting\Debug\UIHandles) [c:\windows\system32\werfault.exe]
DeleteFile(C:\Users\admin\AppData\Local\Temp\WERE85.tmp) [c:\windows\system32\werfault.exe]
DeleteFile(C:\Users\admin\AppData\Local\Temp\WERE85.tmp.WERInternalMetadata.xml) [c:\windows\system32\werfault.exe]
CreateFile(C:\Users\admin\AppData\Local\Temp\WERE85.tmp.WERInternalMetadata.xml) [c:\windows\system32\werfault.exe]
GetFileAttributes(C:\Users\admin\AppData\Local\Temp\WERE85.tmp.WERInternalMetadata.xml) [c:\windows\system32\werfault.exe]
RegOpenKeyEx(\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion, KEY_READ, KEY_QUERY_VALUE, KEY_WOW64_64KEY) [c:\windows\system32\werfault.exe]
OpenProcess(C:\Windows\explorer.exe, PROCESS_QUERY_INFORMATION, PROCESS_VM_READ) [c:\windows\system32\werfault.exe]
QueryProcessInformation(C:\Windows\explorer.exe, ProcessBasicInformation) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Windows\explorer.exe, BaseAddress=0x000007FFFFFD5000, BufferSize=0x0000000000000380) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Windows\explorer.exe, BaseAddress=0x0000000000261F10, BufferSize=0x0000000000000400) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\Windows\explorer.exe, BaseAddress=0x0000000000262878, BufferSize=0x000000000000002E) [c:\windows\system32\werfault.exe]
QueryFullProcessImageName(C:\Windows\explorer.exe) [c:\windows\system32\werfault.exe]
RegOpenKeyEx(\HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation, KEY_READ, KEY_QUERY_VALUE) [c:\windows\system32\werfault.exe]
RegCloseKey(\HKLM\SYSTEM\ControlSet002\Control\SystemInformation) [c:\windows\system32\werfault.exe]
OpenFile(C:\Users\admin\AppData\Local\Temp\WERE85.tmp.WERInternalMetadata.xml) [c:\windows\system32\werfault.exe]
ResumeThread(4264) [c:\windows\system32\werfault.exe]
RegOpenKeyEx(\HKLM\SYSTEM\CurrentControlSet\Control\Windows, KEY_READ, KEY_QUERY_VALUE, KEY_WOW64_64KEY) [c:\windows\system32\werfault.exe]
RegCloseKey(\HKLM\SYSTEM\ControlSet002\Control\Windows) [c:\windows\system32\werfault.exe]
RegOpenKeyEx(\HKLM\Software\Microsoft\Windows\CurrentVersion\CEIPRole\RolesInWER, KEY_ENUMERATE_SUB_KEYS, KEY_READ, KEY_NOTIFY, KEY_QUERY_VALUE, KEY_WOW64_64KEY, KEY_WRITE, READ_CONTROL) [c:\windows\system32\werfault.exe]
LoadLibrary(WINHTTP.dll) [c:\windows\system32\werfault.exe]
LoadLibrary(webio.dll) [c:\windows\system32\werfault.exe]
VirtualAllocEx(C:\Windows\System32\WerFault.exe, MEM_RESERVE, PAGE_READWRITE, RegionSize=0x00000000001F0000) [c:\windows\system32\werfault.exe]
LoadLibrary(WS2_32.dll) [c:\windows\system32\werfault.exe]
LoadLibrary(NSI.dll) [c:\windows\system32\werfault.exe]
GetModuleHandle(kernel32.dll) [c:\windows\system32\werfault.exe]
GetModuleHandle(ntdll.dll) [c:\windows\system32\werfault.exe]
ResumeThread(3324) [c:\windows\system32\werfault.exe]
GetModuleHandle(verifier.dll) [c:\windows\system32\werfault.exe]
LoadLibrary(SspiCli.dll) [c:\windows\system32\werfault.exe]
LoadLibrary(cryptsp.dll) [c:\windows\system32\werfault.exe]
LoadLibrary(credssp.dll) [c:\windows\system32\werfault.exe]
LoadLibrary(mswsock.dll) [c:\windows\system32\werfault.exe]
VirtualAllocEx(C:\Windows\System32\WerFault.exe, MEM_RESERVE, PAGE_READWRITE, RegionSize=0x0000000000180000) [c:\windows\system32\werfault.exe]
LoadLibrary(wshtcpip.dll) [c:\windows\system32\werfault.exe]
LoadLibrary(wship6.dll) [c:\windows\system32\werfault.exe]
LoadLibrary(IPHLPAPI.DLL) [c:\windows\system32\werfault.exe]
LoadLibrary(WINNSI.DLL) [c:\windows\system32\werfault.exe]
OpenFile(\\.\Nsi) [c:\windows\system32\werfault.exe]
LoadLibrary(dhcpcsvc6.DLL) [c:\windows\system32\werfault.exe]
LoadLibrary(dhcpcsvc.DLL) [c:\windows\system32\werfault.exe]
OpenProcessToken(C:\Windows\System32\WerFault.exe, TOKEN_EXECUTE, TOKEN_QUERY, TOKEN_READ, TOKEN_WRITE, READ_CONTROL) [c:\windows\system32\werfault.exe]
LoadLibrary(CFGMGR32.dll) [c:\windows\system32\werfault.exe]
RegOpenKeyEx(\HKLM\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}, KEY_ENUMERATE_SUB_KEYS, KEY_READ, KEY_NOTIFY, KEY_QUERY_VALUE, KEY_WRITE, READ_CONTROL) [c:\windows\system32\werfault.exe]
OpenSCManager(LocalMachine, ServicesActiveDatabase, SC_MANAGER_CONNECT) [c:\windows\system32\werfault.exe]
OpenService(WinHttpAutoProxySvc, SC_MANAGER_ENUMERATE_SERVICE, SC_MANAGER_QUERY_LOCK_STATUS) [c:\windows\system32\werfault.exe]
ResumeThread(5520) [c:\windows\system32\werfault.exe]
StartService() [c:\windows\system32\werfault.exe]
Sleep(0) [c:\windows\system32\werfault.exe]
QueueUserAPC(0) [c:\windows\system32\werfault.exe]
LoadLibrary(DNSAPI.dll) [c:\windows\system32\werfault.exe]
VirtualAllocEx(C:\Windows\System32\WerFault.exe, MEM_RESERVE, PAGE_READWRITE, RegionSize=0x0000000000030000) [c:\windows\system32\werfault.exe]
LoadLibrary(NLAapi.dll) [c:\windows\system32\werfault.exe]
VirtualAllocEx(C:\Windows\System32\WerFault.exe, MEM_RESERVE, PAGE_READWRITE, RegionSize=0x0000000000080000) [c:\windows\system32\werfault.exe]
LoadLibrary(napinsp.dll) [c:\windows\system32\werfault.exe]
LoadLibrary(pnrpnsp.dll) [c:\windows\system32\werfault.exe]
LoadLibrary(winrnr.dll) [c:\windows\system32\werfault.exe]
LoadLibrary(rasadhlp.dll) [c:\windows\system32\werfault.exe]
LoadLibrary(fwpuclnt.dll) [c:\windows\system32\werfault.exe]
bind(port=0) [c:\windows\system32\werfault.exe]
GetModuleHandle(schannel) [c:\windows\system32\werfault.exe]
LoadLibrary(schannel.DLL) [c:\windows\system32\werfault.exe]
LoadLibrary(CRYPT32.dll) [c:\windows\system32\werfault.exe]
LoadLibrary(MSASN1.dll) [c:\windows\system32\werfault.exe]
RegCreateKeyEx(\HKLM\System\CurrentControlSet\Control\SecurityProviders\Schannel, KEY_ENUMERATE_SUB_KEYS, KEY_READ, KEY_NOTIFY, KEY_QUERY_VALUE, KEY_WRITE, READ_CONTROL) [c:\windows\system32\werfault.exe]
RegCloseKey(\HKLM\SYSTEM\ControlSet002\Control\SecurityProviders\SCHANNEL) [c:\windows\system32\werfault.exe]
LoadLibrary(secur32.dll) [c:\windows\system32\werfault.exe]
GetProcessImageFileName(C:\Windows\System32\WerFault.exe) [c:\windows\system32\werfault.exe]
LoadLibrary(ncrypt.dll) [c:\windows\system32\werfault.exe]
LoadLibrary(bcrypt.dll) [c:\windows\system32\werfault.exe]
LoadLibrary(bcryptprimitives.dll) [c:\windows\system32\werfault.exe]
LdrFindEntryForAddress(0x000007FEFD250000) [c:\windows\system32\werfault.exe]
VirtualQueryEx(C:\Windows\System32\WerFault.exe, MemoryRegionInformation, BaseAddress=0x0000000005216910) [c:\windows\system32\werfault.exe]
CreateProcess(null, "C:\delete\SandboxiePortable\App\Sandboxie\SandboxieCrypto.exe", null) [c:\windows\system32\werfault.exe]
OpenFile(C:\Windows\system32) [c:\windows\system32\werfault.exe]
GetFileAttributes(C:\delete\SandboxiePortable\App\Sandboxie\SandboxieCrypto.exe) [c:\windows\system32\werfault.exe]
OpenFile(C:\delete\SandboxiePortable\App\Sandboxie\SandboxieCrypto.exe) [c:\windows\system32\werfault.exe]
GetFileAttributes(C:\PROGRA~1\MICROS~2\Office15\OUTLOOK.EXE) [c:\windows\system32\werfault.exe]
ReadProcessMemory(C:\delete\SandboxiePortable\App\Sandboxie\SandboxieCrypto.exe, BaseAddress=0x000007FFFFFD5010, BufferSize=0x0000000000000008) [c:\windows\system32\werfault.exe]
OpenFile(C:\delete\SandboxiePortable\App\Sandboxie\Manifest1.txt) [c:\windows\system32\werfault.exe]
OpenFile(C:\delete\SandboxiePortable\App\Sandboxie\Manifest2.txt) [c:\windows\system32\werfault.exe]
WriteProcessMemory(C:\delete\SandboxiePortable\App\Sandboxie\SandboxieCrypto.exe, BaseAddress=0x0000000000010008, BufferSize=0x0000000000000004) [c:\windows\system32\werfault.exe]
LoadLibrary(apphelp.dll) [c:\windows\system32\werfault.exe]
VirtualAllocEx(C:\delete\SandboxiePortable\App\Sandboxie\SandboxieCrypto.exe, MEM_COMMIT, PAGE_READWRITE, RegionSize=0x0000000000000058) [c:\windows\system32\werfault.exe]
WriteProcessMemory(C:\delete\SandboxiePortable\App\Sandboxie\SandboxieCrypto.exe, BaseAddress=0x0000000000060000, BufferSize=0x0000000000000020) [c:\windows\system32\werfault.exe]
WriteProcessMemory(C:\delete\SandboxiePortable\App\Sandboxie\SandboxieCrypto.exe, BaseAddress=0x0000000000060020, BufferSize=0x0000000000000034) [c:\windows\system32\werfault.exe]
WriteProcessMemory(C:\delete\SandboxiePortable\App\Sandboxie\SandboxieCrypto.exe, BaseAddress=0x000007FFFFFD5368, BufferSize=0x0000000000000008) [c:\windows\system32\werfault.exe]
ResumeThread(1312) [c:\windows\system32\werfault.exe]
Sleep(500) [c:\windows\system32\werfault.exe]
LoadLibrary(USERENV.dll) [c:\windows\system32\werfault.exe]
LoadLibrary(profapi.dll) [c:\windows\system32\werfault.exe]
FindNextFile() [c:\windows\system32\werfault.exe]
QuerySystemInformation(SystemKernelDebuggerInformation) [c:\windows\system32\werfault.exe]
OpenFile(C:\Windows\system32\rsaenh.dll) [c:\windows\system32\werfault.exe]
LoadLibrary(rsaenh.dll) [c:\windows\system32\werfault.exe]
RegOpenKeyEx(\HKLM\Software\Microsoft\Windows\Windows Error Reporting\Debug\DataRequest, KEY_ENUMERATE_SUB_KEYS, KEY_READ, KEY_NOTIFY, KEY_QUERY_VALUE, KEY_WOW64_64KEY, KEY_WRITE, READ_CONTROL) [c:\windows\system32\werfault.exe]
GetFileAttributes(C:\Users\admin\AppData\Local\Microsoft\Windows\WER\ReportArchive) [c:\windows\system32\werfault.exe]
FindFirstFile(C:\Users\admin\AppData\Local\Microsoft\Windows\WER\ReportArchive\*_*_*_*) [c:\windows\system32\werfault.exe]
CreateDirectory(C:\Users\admin\AppData\Local\Microsoft\Windows\WER\ReportArchive\AppCrash_wordpad.exe_68904fd2507d3f7533a388b8e2a6936ab7f5ed8_14933ab3) [c:\windows\system32\werfault.exe]
CreateFile(C:\Users\admin\AppData\Local\Microsoft\Windows\WER\ReportArchive\AppCrash_wordpad.exe_68904fd2507d3f7533a388b8e2a6936ab7f5ed8_14933ab3\Report.wer) [c:\windows\system32\werfault.exe]
ResumeThread(5732) [c:\windows\system32\werfault.exe]
FreeLibrary(C:\Windows\system32\USER32.dll) [c:\windows\system32\werfault.exe]
FreeLibrary(C:\Windows\System32\DUser.dll) [c:\windows\system32\werfault.exe]
FreeLibrary(C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll) [c:\windows\system32\werfault.exe]
GetFileAttributes(C:\Users\admin\AppData\Local\Microsoft\Windows\WER\ReportArchive\AppCrash_wordpad.exe_68904fd2507d3f7533a388b8e2a6936ab7f5ed8_14933ab3) [c:\windows\system32\werfault.exe]
RegCreateKeyEx(\HKCU\Software\Microsoft\Windows\Windows Error Reporting\Debug, KEY_CREATE_SUB_KEY, KEY_READ, KEY_SET_VALUE, KEY_WOW64_64KEY, KEY_WRITE, READ_CONTROL) [c:\windows\system32\werfault.exe]
RegSetValueEx(\HKCU\S-1-5-21-1941945027-3115137342-1228438717-1001\software\Microsoft\Windows\Windows Error Reporting\Debug, StoreLocation, REG_SZ, C:\Users\admin\AppData\Local\Microsoft\Windows\WER\ReportArchive\AppCrash_wordpad.exe_68904fd2507d3f7533a388b8e2a6936ab7f5ed8_14933ab3) [c:\windows\system32\werfault.exe]
RegCloseKey(\HKCU\S-1-5-21-1941945027-3115137342-1228438717-1001\software\Microsoft\Windows\Windows Error Reporting\Debug) [c:\windows\system32\werfault.exe]
RegCreateKeyEx(\HKLM\Software\Microsoft\Windows\Windows Error Reporting\Debug, KEY_CREATE_SUB_KEY, KEY_READ, KEY_SET_VALUE, KEY_WOW64_64KEY, KEY_WRITE, READ_CONTROL) [c:\windows\system32\werfault.exe]
RegSetValueEx(\HKLM\software\microsoft\Windows\Windows Error Reporting\Debug, StoreLocation, REG_SZ, C:\Users\admin\AppData\Local\Microsoft\Windows\WER\ReportArchive\AppCrash_wordpad.exe_68904fd2507d3f7533a388b8e2a6936ab7f5ed8_14933ab3) [c:\windows\system32\werfault.exe]
RegOpenKeyEx(\HKLM\Software\Microsoft\Windows\Windows Error Reporting\LocalDumps, KEY_READ, KEY_QUERY_VALUE, KEY_WOW64_64KEY) [c:\windows\system32\werfault.exe]
ResumeThread(5772) [c:\windows\system32\werfault.exe]
VirtualAllocEx(C:\Windows\System32\WerFault.exe, MEM_COMMIT, PAGE_READWRITE, RegionSize=0x000000000000D000) [c:\windows\system32\werfault.exe]
ExitProcess(0) [c:\windows\system32\werfault.exe]
FreeLibrary(C:\Windows\system32\bcryptprimitives.dll) [c:\windows\system32\werfault.exe]
FreeLibrary(C:\Windows\System32\secur32.dll) [c:\windows\system32\werfault.exe]
FreeLibrary(C:\Windows\System32\PROPSYS.dll) [c:\windows\system32\werfault.exe]
TerminateProcess() [c:\windows\system32\werfault.exe]