search

volatilityfoundation / volatility3

Volatility 3.0 development
http://volatilityfoundation.org/
Other
2.52k stars 435 forks source link

Attribute error using windows.dumpfiles with pid #520

Closed KDPryor closed 8 months ago

KDPryor commented 3 years ago

Hi all, Trying to use dumpfiles on a Windows 10 memory image and get the following when running the command:

Traceback (most recent call last): File "/usr/local/bin/vol", line 11, in <module> load_entry_point('volatility3==1.0.1', 'console_scripts', 'vol')() File "/usr/local/lib/python3.6/dist-packages/volatility3-1.0.1-py3.6.egg/volatility3/cli/__init__.py", line 618, in main CommandLine().run() File "/usr/local/lib/python3.6/dist-packages/volatility3-1.0.1-py3.6.egg/volatility3/cli/__init__.py", line 326, in run renderers[args.renderer]().render(constructed.run()) File "/usr/local/lib/python3.6/dist-packages/volatility3-1.0.1-py3.6.egg/volatility3/cli/text_renderer.py", line 178, in render grid.populate(visitor, outfd) File "/usr/local/lib/python3.6/dist-packages/volatility3-1.0.1-py3.6.egg/volatility3/framework/renderers/__init__.py", line 211, in populate for (level, item) in self._generator: File "/usr/local/lib/python3.6/dist-packages/volatility3-1.0.1-py3.6.egg/volatility3/framework/plugins/windows/dumpfiles.py", line 208, in _generator for vad in proc.get_vad_root().traverse(): File "/usr/local/lib/python3.6/dist-packages/volatility3-1.0.1-py3.6.egg/volatility3/framework/symbols/windows/extensions/__init__.py", line 105, in traverse for vad_node in self.get_left_child().dereference().traverse(visited, depth + 1): File "/usr/local/lib/python3.6/dist-packages/volatility3-1.0.1-py3.6.egg/volatility3/framework/symbols/windows/extensions/__init__.py", line 105, in traverse for vad_node in self.get_left_child().dereference().traverse(visited, depth + 1): File "/usr/local/lib/python3.6/dist-packages/volatility3-1.0.1-py3.6.egg/volatility3/framework/symbols/windows/extensions/__init__.py", line 105, in traverse for vad_node in self.get_left_child().dereference().traverse(visited, depth + 1): [Previous line repeated 1 more time] File "/usr/local/lib/python3.6/dist-packages/volatility3-1.0.1-py3.6.egg/volatility3/framework/symbols/windows/extensions/__init__.py", line 111, in traverse for vad_node in self.get_right_child().dereference().traverse(visited, depth + 1): File "/usr/local/lib/python3.6/dist-packages/volatility3-1.0.1-py3.6.egg/volatility3/framework/symbols/windows/extensions/__init__.py", line 111, in traverse for vad_node in self.get_right_child().dereference().traverse(visited, depth + 1): File "/usr/local/lib/python3.6/dist-packages/volatility3-1.0.1-py3.6.egg/volatility3/framework/symbols/windows/extensions/__init__.py", line 111, in traverse for vad_node in self.get_right_child().dereference().traverse(visited, depth + 1): File "/usr/local/lib/python3.6/dist-packages/volatility3-1.0.1-py3.6.egg/volatility3/framework/symbols/windows/extensions/__init__.py", line 105, in traverse for vad_node in self.get_left_child().dereference().traverse(visited, depth + 1): File "/usr/local/lib/python3.6/dist-packages/volatility3-1.0.1-py3.6.egg/volatility3/framework/interfaces/objects.py", line 123, in __getattr__ raise AttributeError AttributeError

Context Volatility Version: Vol 1.0.1 Operating System: Linux Mint Python Version: 3.6.9 Suspected Operating System: Windows 10 Home 64 bit Command: vol -f 20210430-Win10Home-20H2-64bit-memdump.mem windows.dumpfiles --pid 6988

ikelos commented 3 years ago

Hmmm, that shouldn't raise an attribute error, but if an exception's throw in the traverse method, I think it reports that back as an attribute error. One for @iMHLv2 I think... 5:S

iMHLv2 commented 3 years ago

Hi @KDPryor - could you run -vvvv windows.vadinfo --pid 6988 and paste the full output? This is likely to ultimately result in a similar error, but unlike dumpfiles, it will print memory ranges leading up to the error, so we can see how many there are and how those addresses look right before the problem.

KDPryor commented 3 years ago

Thanks @iMHLv2 Also, I just downloaded 1.2.1 and noticed that dumpfiles isn't included. Here's the output:

`Volatility 3 Framework 1.0.1

PID Process Offset Start VPN End VPN Tag Protection CommitCharge PrivateMemory Parent File File output

6988 OneDrive.exe 0xbf0f6d868640 0x6f5a0000 0x6f5d0fff Vad PAGE_EXECUTE_WRITECOPY 3 0 0x0 \Windows\SysWOW64\DataExchange.dll Disabled 6988 OneDrive.exe 0xbf0f6d968680 0x81c0000 0x82bffff VadS PAGE_READWRITE 4 1 0xffffbf0f6d868640 N/A Disabled 6988 OneDrive.exe 0xbf0f6ccd9650 0x7040000 0x7040fff Vad PAGE_READONLY 0 0 0xffffbf0f6d968680 N/A Disabled 6988 OneDrive.exe 0xbf0f6ca59b90 0x49c0000 0x4abffff VadS PAGE_READWRITE 255 1 0xffffbf0f6ccd9650 N/A Disabled 6988 OneDrive.exe 0xbf0f6d71ee60 0x4740000 0x4743fff Vad PAGE_READONLY 0 0 0xffffbf0f6ca59b90 N/A Disabled 6988 OneDrive.exe 0xbf0f6b7f19d0 0x4400000 0x45fffff VadS PAGE_READWRITE 80 1 0xffffbf0f6d71ee60 N/A Disabled 6988 OneDrive.exe 0xbf0f6d720a80 0x43b0000 0x43b0fff Vad PAGE_READONLY 0 0 0xffffbf0f6b7f19d0 N/A Disabled 6988 OneDrive.exe 0xbf0f6d71f7c0 0x3b0000 0x43affff Vad PAGE_NOACCESS 24 0 0xffffbf0f6d720a80 N/A Disabled 6988 OneDrive.exe 0xbf0f6d71f5e0 0x1c0000 0x3a1fff Vad PAGE_EXECUTE_WRITECOPY 5 0 0xffffbf0f6d71f7c0 \Users\John Doe\AppData\Local\Microsoft\OneDrive\OneDrive.exe Disabled 6988 OneDrive.exe 0xbf0f6d720760 0x43d0000 0x43dffff Vad PAGE_READWRITE 0 0 0xffffbf0f6d720a80 N/A Disabled 6988 OneDrive.exe 0xbf0f6d7203a0 0x43c0000 0x43c0fff Vad PAGE_READONLY 0 0 0xffffbf0f6d720760 N/A Disabled 6988 OneDrive.exe 0xbf0f6d721200 0x43e0000 0x43fcfff Vad PAGE_READONLY 0 0 0xffffbf0f6d720760 N/A Disabled 6988 OneDrive.exe 0xbf0f6b7f1a70 0x4640000 0x473ffff VadS PAGE_READWRITE 166 1 0xffffbf0f6b7f19d0 N/A Disabled 6988 OneDrive.exe 0xbf0f6b7f1a20 0x4600000 0x463ffff VadS PAGE_READWRITE 13 1 0xffffbf0f6b7f1a70 N/A Disabled 6988 OneDrive.exe 0xbf0f6c576aa0 0x47c0000 0x47cdfff VadS PAGE_READWRITE 3 1 0xffffbf0f6d71ee60 N/A Disabled 6988 OneDrive.exe 0xbf0f6b7f1250 0x4760000 0x4761fff VadS PAGE_READWRITE 2 1 0xffffbf0f6c576aa0 N/A Disabled 6988 OneDrive.exe 0xbf0f6d721340 0x4750000 0x4752fff Vad PAGE_READONLY 0 0 0xffffbf0f6b7f1250 N/A Disabled 6988 OneDrive.exe 0xbf0f6d7209e0 0x4770000 0x4770fff Vad PAGE_READONLY 0 0 0xffffbf0f6b7f1250 N/A Disabled 6988 OneDrive.exe 0xbf0f6d95bbb0 0x4780000 0x47bffff VadS PAGE_READWRITE 11 1 0xffffbf0f6d7209e0 N/A Disabled 6988 OneDrive.exe 0xbf0f6ca50630 0x47e0000 0x47effff VadS PAGE_READWRITE 10 1 0xffffbf0f6c576aa0 N/A Disabled 6988 OneDrive.exe 0xbf0f6d7224c0 0x47d0000 0x47d0fff Vad PAGE_READONLY 0 0 0xffffbf0f6ca50630 N/A Disabled 6988 OneDrive.exe 0xbf0f6d720300 0x47f0000 0x48b8fff Vad PAGE_READONLY 0 0 0xffffbf0f6ca50630 \Windows\System32\locale.nls Disabled 6988 OneDrive.exe 0xbf0f6d95ca10 0x48c0000 0x49bffff VadS PAGE_READWRITE 4 1 0xffffbf0f6d720300 N/A Disabled 6988 OneDrive.exe 0xbf0f6cc66ec0 0x6560000 0x656ffff VadS PAGE_READWRITE 15 1 0xffffbf0f6ca59b90 N/A Disabled 6988 OneDrive.exe 0xbf0f6d721840 0x4d60000 0x4f5ffff Vad PAGE_READONLY 0 0 0xffffbf0f6cc66ec0 N/A Disabled 6988 OneDrive.exe 0xbf0f6d721b60 0x4d40000 0x4d40fff Vad PAGE_READONLY 0 0 0xffffbf0f6d721840 N/A Disabled 6988 OneDrive.exe 0xbf0f6d721e80 0x4d50000 0x4d50fff Vad PAGE_READONLY 0 0 0xffffbf0f6d721b60 N/A Disabled 6988 OneDrive.exe 0xbf0f6d723460 0x6510000 0x6510fff Vad PAGE_READWRITE 0 0 0xffffbf0f6d721840 N/A Disabled 6988 OneDrive.exe 0xbf0f6d7229c0 0x4f70000 0x50f0fff Vad PAGE_READONLY 0 0 0xffffbf0f6d723460 N/A Disabled 6988 OneDrive.exe 0xbf0f6d722740 0x4f60000 0x4f67fff Vad PAGE_READONLY 0 0 0xffffbf0f6d7229c0 N/A Disabled 6988 OneDrive.exe 0xbf0f6d721a20 0x5100000 0x6500fff Vad PAGE_READONLY 0 0 0xffffbf0f6d7229c0 N/A Disabled 6988 OneDrive.exe 0xbf0f6cc690d0 0x6540000 0x6540fff VadS PAGE_READWRITE 1 1 0xffffbf0f6d723460 N/A Disabled 6988 OneDrive.exe 0xbf0f6cc69030 0x6520000 0x6539fff VadS PAGE_READWRITE 2 1 0xffffbf0f6cc690d0 N/A Disabled 6988 OneDrive.exe 0xbf0f6cc694e0 0x6550000 0x6550fff VadS PAGE_READWRITE 1 1 0xffffbf0f6cc690d0 N/A Disabled 6988 OneDrive.exe 0xbf0f6cc69b70 0x6940000 0x6a3ffff VadS PAGE_READWRITE 6 1 0xffffbf0f6cc66ec0 N/A Disabled 6988 OneDrive.exe 0xbf0f6ccd9f10 0x65d0000 0x65d0fff Vad PAGE_READONLY 0 0 0xffffbf0f6cc69b70 N/A Disabled 6988 OneDrive.exe 0xbf0f6d72a3a0 0x65b0000 0x65b0fff Vad PAGE_READONLY 0 0 0xffffbf0f6ccd9f10 N/A Disabled 6988 OneDrive.exe 0xbf0f6cc69580 0x6570000 0x65affff VadS PAGE_READWRITE 11 1 0xffffbf0f6d72a3a0 N/A Disabled 6988 OneDrive.exe 0xbf0f6d72dc80 0x65c0000 0x65c0fff Vad PAGE_READONLY 0 0 0xffffbf0f6d72a3a0 N/A Disabled 6988 OneDrive.exe 0xbf0f6cc67e60 0x65f0000 0x65fffff VadS PAGE_READWRITE 7 1 0xffffbf0f6ccd9f10 N/A Disabled 6988 OneDrive.exe 0xbf0f6ccd96f0 0x65e0000 0x65e0fff Vad PAGE_READONLY 0 0 0xffffbf0f6cc67e60 N/A Disabled 6988 OneDrive.exe 0xbf0f6d7238c0 0x6600000 0x6937fff Vad PAGE_READONLY 0 0 0xffffbf0f6cc67e60 \Windows\Globalization\Sorting\SortDefault.nls Disabled 6988 OneDrive.exe 0xbf0f6cc70060 0x6e40000 0x6f3ffff VadS PAGE_READWRITE 3 1 0xffffbf0f6cc69b70 N/A Disabled 6988 OneDrive.exe 0xbf0f6cc6fe30 0x6e00000 0x6e3ffff VadS PAGE_READWRITE 11 1 0xffffbf0f6cc70060 N/A Disabled 6988 OneDrive.exe 0xbf0f6d966ba0 0x6f40000 0x703ffff VadS PAGE_READWRITE 91 1 0xffffbf0f6cc70060 N/A Disabled 6988 OneDrive.exe 0xbf0f6d967b40 0x78a0000 0x78a0fff VadS PAGE_READWRITE 1 1 0xffffbf0f6ccd9650 N/A Disabled 6988 OneDrive.exe 0xbf0f6d967190 0x7170000 0x717ffff VadS PAGE_READWRITE 1 1 0xffffbf0f6d967b40 N/A Disabled 6988 OneDrive.exe 0xbf0f6cce3330 0x70a0000 0x70a0fff Vad PAGE_READONLY 0 0 0xffffbf0f6d967190 N/A Disabled 6988 OneDrive.exe 0xbf0f6ccdb770 0x7070000 0x7070fff Vad PAGE_READONLY 0 0 0xffffbf0f6cce3330 N/A Disabled 6988 OneDrive.exe 0xbf0f6ccdb6d0 0x7060000 0x7060fff Vad PAGE_READONLY 0 0 0xffffbf0f6ccdb770 N/A Disabled 6988 OneDrive.exe 0xbf0f6ccd9790 0x7050000 0x7050fff Vad PAGE_READONLY 0 0 0xffffbf0f6ccdb6d0 N/A Disabled 6988 OneDrive.exe 0xbf0f6ccdcb70 0x7090000 0x7090fff Vad PAGE_READONLY 0 0 0xffffbf0f6ccdb770 N/A Disabled 6988 OneDrive.exe 0xbf0f6ccda5f0 0x7080000 0x7080fff Vad PAGE_READONLY 0 0 0xffffbf0f6ccdcb70 N/A Disabled 6988 OneDrive.exe 0xbf0f6d8663e0 0x70e0000 0x70e1fff Vad PAGE_READONLY 0 0 0xffffbf0f6cce3330 N/A Disabled 6988 OneDrive.exe 0xbf0f6d9670f0 0x70c0000 0x70cdfff VadS PAGE_READWRITE 2 1 0xffffbf0f6d8663e0 N/A Disabled 6988 OneDrive.exe 0xbf0f6d864180 0x70b0000 0x70b1fff Vad PAGE_READONLY 0 0 0xffffbf0f6d9670f0 N/A Disabled 6988 OneDrive.exe 0xbf0f6d8660c0 0x70d0000 0x70d3fff Vad PAGE_READONLY 0 0 0xffffbf0f6d9670f0 N/A Disabled 6988 OneDrive.exe 0xbf0f6d967370 0x7130000 0x7130fff VadS PAGE_READWRITE 1 1 0xffffbf0f6d8663e0 N/A Disabled 6988 OneDrive.exe 0xbf0f6d9675a0 0x70f0000 0x712ffff VadS PAGE_READWRITE 11 1 0xffffbf0f6d967370 N/A Disabled 6988 OneDrive.exe 0xbf0f6d9675f0 0x7140000 0x715dfff VadS PAGE_READWRITE 8 1 0xffffbf0f6d967370 N/A Disabled 6988 OneDrive.exe 0xbf0f6d967cd0 0x7160000 0x7160fff VadS PAGE_READWRITE 1 1 0xffffbf0f6d9675f0 N/A Disabled 6988 OneDrive.exe 0xbf0f6d866520 0x7800000 0x7833fff Vad PAGE_READONLY 0 0 0xffffbf0f6d967190 \Users\John Doe\AppData\Local\Microsoft\OneDrive\21.062.0328.0001\FileSync.LocalizedResources.dll Disabled 6988 OneDrive.exe 0xbf0f6d865da0 0x7380000 0x7461fff Vad PAGE_READONLY 0 0 0xffffbf0f6d866520 N/A Disabled 6988 OneDrive.exe 0xbf0f6d9673c0 0x7280000 0x737ffff VadS PAGE_READWRITE 3 1 0xffffbf0f6d865da0 N/A Disabled 6988 OneDrive.exe 0xbf0f6d966e20 0x7180000 0x727ffff VadS PAGE_READWRITE 254 1 0xffffbf0f6d9673c0 N/A Disabled 6988 OneDrive.exe 0xbf0f6d9677d0 0x74b0000 0x75affff VadS PAGE_READWRITE 3 1 0xffffbf0f6d865da0 N/A Disabled 6988 OneDrive.exe 0xbf0f6d967780 0x7470000 0x74affff VadS PAGE_READWRITE 11 1 0xffffbf0f6d9677d0 N/A Disabled 6988 OneDrive.exe 0xbf0f6d865580 0x75b0000 0x77f5fff Vad PAGE_EXECUTE_WRITECOPY 0 0 0xffffbf0f6d9677d0 \Users\John Doe\AppData\Local\Microsoft\OneDrive\21.062.0328.0001\FileSync.Resources.dll Disabled 6988 OneDrive.exe 0xbf0f6d967dc0 0x7880000 0x7880fff VadS PAGE_READWRITE 1 1 0xffffbf0f6d866520 N/A Disabled 6988 OneDrive.exe 0xbf0f6d865ee0 0x7840000 0x7873fff Vad PAGE_EXECUTE_WRITECOPY 0 0 0xffffbf0f6d967dc0 \Users\John Doe\AppData\Local\Microsoft\OneDrive\21.062.0328.0001\FileSync.LocalizedResources.dll Disabled 6988 OneDrive.exe 0xbf0f6d967a50 0x7890000 0x7890fff VadS PAGE_READWRITE 1 1 0xffffbf0f6d967dc0 N/A Disabled 6988 OneDrive.exe 0xbf0f6d968180 0x7e00000 0x7efffff VadS PAGE_READWRITE 3 1 0xffffbf0f6d967b40 N/A Disabled 6988 OneDrive.exe 0xbf0f6d967d20 0x7a60000 0x7a6ffff VadS PAGE_EXECUTE_READWRITE 16 1 0xffffbf0f6d968180 N/A Disabled 6988 OneDrive.exe 0xbf0f6d8665c0 0x78e0000 0x7913fff Vad PAGE_READONLY 0 0 0xffffbf0f6d967d20 \Users\John Doe\AppData\Local\Microsoft\OneDrive\21.062.0328.0001\en\FileSync.LocalizedResources.dll.mui Disabled 6988 OneDrive.exe 0xbf0f6d967af0 0x78c0000 0x78c0fff VadS PAGE_READWRITE 1 1 0xffffbf0f6d8665c0 N/A Disabled 6988 OneDrive.exe 0xbf0f6d967aa0 0x78b0000 0x78b0fff VadS PAGE_READWRITE 1 1 0xffffbf0f6d967af0 N/A Disabled 6988 OneDrive.exe 0xbf0f6d967b90 0x78d0000 0x78d0fff VadS PAGE_READWRITE 1 1 0xffffbf0f6d967af0 N/A Disabled 6988 OneDrive.exe 0xbf0f6d8677e0 0x7920000 0x7a5efff Vad PAGE_READONLY 0 0 0xffffbf0f6d8665c0 \Windows\System32\en-US\KernelBase.dll.mui Disabled 6988 OneDrive.exe 0xbf0f6d967eb0 0x7c80000 0x7cbffff VadS PAGE_READWRITE 11 1 0xffffbf0f6d967d20 N/A Disabled 6988 OneDrive.exe 0xbf0f6d9678c0 0x7a80000 0x7c7ffff VadS PAGE_READWRITE 453 1 0xffffbf0f6d967eb0 N/A Disabled 6988 OneDrive.exe 0xbf0f6d968130 0x7a70000 0x7a7dfff VadS PAGE_READWRITE 1 1 0xffffbf0f6d9678c0 N/A Disabled 6988 OneDrive.exe 0xbf0f6d9680e0 0x7dc0000 0x7dfffff VadS PAGE_READWRITE 11 1 0xffffbf0f6d967eb0 N/A Disabled 6988 OneDrive.exe 0xbf0f6d967fa0 0x7cc0000 0x7dbffff VadS PAGE_READWRITE 3 1 0xffffbf0f6d9680e0 N/A Disabled 6988 OneDrive.exe 0xbf0f6d968400 0x8040000 0x807ffff VadS PAGE_READWRITE 11 1 0xffffbf0f6d968180 N/A Disabled 6988 OneDrive.exe 0xbf0f6d9683b0 0x7f40000 0x803ffff VadS PAGE_READWRITE 3 1 0xffffbf0f6d968400 N/A Disabled 6988 OneDrive.exe 0xbf0f6d9681d0 0x7f00000 0x7f3ffff VadS PAGE_READWRITE 11 1 0xffffbf0f6d9683b0 N/A Disabled 6988 OneDrive.exe 0xbf0f6d968900 0x8180000 0x81bffff VadS PAGE_READWRITE 11 1 0xffffbf0f6d968400 N/A Disabled 6988 OneDrive.exe 0xbf0f6d968630 0x8080000 0x817ffff VadS PAGE_READWRITE 4 1 0xffffbf0f6d968900 N/A Disabled 6988 OneDrive.exe 0xbf0f6d96aac0 0xa560000 0xa5affff VadS PAGE_READWRITE 3 1 0xffffbf0f6d968680 N/A Disabled 6988 OneDrive.exe 0xbf0f6d868140 0x9200000 0x9201fff Vad PAGE_READONLY 0 0 0xffffbf0f6d96aac0 N/A Disabled 6988 OneDrive.exe 0xbf0f6d86fe40 0x8930000 0x893ffff Vad PAGE_READONLY 0 0 0xffffbf0f6d868140 N/A Disabled 6988 OneDrive.exe 0xbf0f6d968450 0x8460000 0x846ffff VadS PAGE_READWRITE 15 1 0xffffbf0f6d86fe40 N/A Disabled 6988 OneDrive.exe 0xbf0f6d968590 0x83e0000 0x841ffff VadS PAGE_READWRITE 11 1 0xffffbf0f6d968450 N/A Disabled 6988 OneDrive.exe 0xbf0f6d9686d0 0x82d0000 0x82ddfff VadS PAGE_READWRITE 1 1 0xffffbf0f6d968590 N/A Disabled 6988 OneDrive.exe 0xbf0f6d867920 0x82c0000 0x82c0fff Vad PAGE_READONLY 0 0 0xffffbf0f6d9686d0 \Windows\SysWOW64\msxml6r.dll Disabled 6988 OneDrive.exe 0xbf0f6d968540 0x82e0000 0x83dffff VadS PAGE_READWRITE 19 1 0xffffbf0f6d9686d0 N/A Disabled 6988 OneDrive.exe 0xbf0f6d9685e0 0x8420000 0x845ffff VadS PAGE_READWRITE 11 1 0xffffbf0f6d968590 N/A Disabled 6988 OneDrive.exe 0xbf0f6d9687c0 0x86b0000 0x87affff VadS PAGE_READWRITE 5 1 0xffffbf0f6d968450 N/A Disabled 6988 OneDrive.exe 0xbf0f6d9689a0 0x8570000 0x866ffff VadS PAGE_READWRITE 5 1 0xffffbf0f6d9687c0 N/A Disabled 6988 OneDrive.exe 0xbf0f6d968b30 0x8470000 0x856ffff VadS PAGE_READWRITE 5 1 0xffffbf0f6d9689a0 N/A Disabled 6988 OneDrive.exe 0xbf0f6d968220 0x8670000 0x86affff VadS PAGE_READWRITE 11 1 0xffffbf0f6d9689a0 N/A Disabled 6988 OneDrive.exe 0xbf0f6d968860 0x87f0000 0x882ffff VadS PAGE_READWRITE 11 1 0xffffbf0f6d9687c0 N/A Disabled 6988 OneDrive.exe 0xbf0f6d865620 0x87b0000 0x87e3fff Vad PAGE_READONLY 0 0 0xffffbf0f6d968860 \Users\John Doe\AppData\Local\Microsoft\OneDrive\21.062.0328.0001\en\FileSync.LocalizedResources.dll.mui Disabled 6988 OneDrive.exe 0xbf0f6d9688b0 0x8830000 0x892ffff VadS PAGE_READWRITE 3 1 0xffffbf0f6d968860 N/A Disabled 6988 OneDrive.exe 0xbf0f6d96c050 0x8b90000 0x8baffff VadS PAGE_READWRITE 5 1 0xffffbf0f6d86fe40 N/A Disabled 6988 OneDrive.exe 0xbf0f6d968a40 0x8ac0000 0x8acdfff VadS PAGE_READWRITE 1 1 0xffffbf0f6d96c050 N/A Disabled 6988 OneDrive.exe 0xbf0f6d9689f0 0x89a0000 0x89bffff VadS PAGE_READWRITE 17 1 0xffffbf0f6d968a40 N/A Disabled 6988 OneDrive.exe 0xbf0f6d8705c0 0x8940000 0x8992fff Vad PAGE_READONLY 0 0 0xffffbf0f6d9689f0 \Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\~FontCache-System.dat Disabled 6988 OneDrive.exe 0xbf0f6d968b80 0x89c0000 0x8abffff VadS PAGE_READWRITE 256 1 0xffffbf0f6d9689f0 N/A Disabled 6988 OneDrive.exe 0xbf0f6d96b4c0 0x8b30000 0x8b4ffff VadS PAGE_READWRITE 3 1 0xffffbf0f6d968a40 N/A Disabled 6988 OneDrive.exe 0xbf0f6d96b740 0x8af0000 0x8b0ffff VadS PAGE_READWRITE 4 1 0xffffbf0f6d96b4c0 N/A Disabled 6988 OneDrive.exe 0xbf0f6d96b1f0 0x8ad0000 0x8aeffff VadS PAGE_READWRITE 5 1 0xffffbf0f6d96b740 N/A Disabled 6988 OneDrive.exe 0xbf0f6d96b9c0 0x8b10000 0x8b2ffff VadS PAGE_READWRITE 10 1 0xffffbf0f6d96b740 N/A Disabled 6988 OneDrive.exe 0xbf0f6d96be70 0x8b70000 0x8b8ffff VadS PAGE_READWRITE 6 1 0xffffbf0f6d96b4c0 N/A Disabled 6988 OneDrive.exe 0xbf0f6d96b510 0x8b50000 0x8b6ffff VadS PAGE_READWRITE 10 1 0xffffbf0f6d96be70 N/A Disabled 6988 OneDrive.exe 0xbf0f6d969580 0x8fc0000 0x90bffff VadS PAGE_READWRITE 231 1 0xffffbf0f6d96c050 N/A Disabled 6988 OneDrive.exe 0xbf0f6d9690d0 0x8d40000 0x8d7ffff VadS PAGE_READWRITE 11 1 0xffffbf0f6d969580 N/A Disabled 6988 OneDrive.exe 0xbf0f6d867380 0x8cf0000 0x8d36fff Vad PAGE_WRITECOPY 71 0 0xffffbf0f6d9690d0 N/A Disabled 6988 OneDrive.exe 0xbf0f6d969530 0x8d80000 0x8e7ffff VadS PAGE_READWRITE 8 1 0xffffbf0f6d9690d0 N/A Disabled 6988 OneDrive.exe 0xbf0f6d968c70 0x9100000 0x91fffff VadS PAGE_READWRITE 3 1 0xffffbf0f6d969580 N/A Disabled 6988 OneDrive.exe 0xbf0f6d968db0 0x90c0000 0x90fffff VadS PAGE_READWRITE 11 1 0xffffbf0f6d968c70 N/A Disabled 6988 OneDrive.exe 0xbf0f6d969ad0 0xa000000 0xa00ffff VadS PAGE_READWRITE 1 1 0xffffbf0f6d868140 N/A Disabled 6988 OneDrive.exe 0xbf0f6d8681e0 0x9df0000 0x9dfffff Vad PAGE_READONLY 0 0 0xffffbf0f6d969ad0 N/A Disabled 6988 OneDrive.exe 0xbf0f6d868dc0 0x9bf0000 0x9bfdfff Vad PAGE_READONLY 0 0 0xffffbf0f6d8681e0 \Windows\SysWOW64\ieframe.dll Disabled 6988 OneDrive.exe 0xbf0f6d9692b0 0x92a0000 0x9a9ffff VadS PAGE_NOACCESS 1 1 0xffffbf0f6d868dc0 N/A Disabled 6988 OneDrive.exe 0xbf0f6d868d20 0x9290000 0x9290fff Vad PAGE_READWRITE 0 0 0xffffbf0f6d9692b0 N/A Disabled 6988 OneDrive.exe 0xbf0f6d9691c0 0x9210000 0x928ffff VadS PAGE_READWRITE 1 1 0xffffbf0f6d868d20 N/A Disabled 6988 OneDrive.exe 0xbf0f6d8686e0 0x9aa0000 0x9aa0fff Vad PAGE_READWRITE 0 0 0xffffbf0f6d9692b0 N/A Disabled 6988 OneDrive.exe 0xbf0f6d867ba0 0x9db0000 0x9db0fff Vad PAGE_READWRITE 0 0 0xffffbf0f6d868dc0 N/A Disabled 6988 OneDrive.exe 0xbf0f6d867b00 0x9c00000 0x9daafff Vad PAGE_READONLY 0 0 0xffffbf0f6d867ba0 \Windows\System32\en-US\ieframe.dll.mui Disabled 6988 OneDrive.exe 0xbf0f6d867d80 0x9dd0000 0x9dd0fff Vad PAGE_READONLY 0 0 0xffffbf0f6d867ba0 N/A Disabled 6988 OneDrive.exe 0xbf0f6d867c40 0x9dc0000 0x9dc0fff Vad PAGE_READONLY 0 0 0xffffbf0f6d867d80 N/A Disabled 6988 OneDrive.exe 0xbf0f6d867e20 0x9de0000 0x9de0fff Vad PAGE_READWRITE 0 0 0xffffbf0f6d867d80 N/A Disabled 6988 OneDrive.exe 0xbf0f6d86d3c0 0x9f60000 0x9f62fff Vad PAGE_READONLY 0 0 0xffffbf0f6d8681e0 \Windows\System32\en-US\mswsock.dll.mui Disabled 6988 OneDrive.exe 0xbf0f6d969760 0x9e20000 0x9f1ffff VadS PAGE_READWRITE 42 1 0xffffbf0f6d86d3c0 N/A Disabled 6988 OneDrive.exe 0xbf0f6d86a120 0x9e10000 0x9e1ffff Vad PAGE_READONLY 0 0 0xffffbf0f6d969760 N/A Disabled 6988 OneDrive.exe 0xbf0f6d8694a0 0x9e00000 0x9e00fff Vad PAGE_READWRITE 0 0 0xffffbf0f6d86a120 N/A Disabled 6988 OneDrive.exe 0xbf0f6d969b70 0x9f30000 0x9f3ffff VadS PAGE_READWRITE 15 1 0xffffbf0f6d969760 N/A Disabled 6988 OneDrive.exe 0xbf0f6d86d1e0 0x9f20000 0x9f20fff Vad PAGE_READWRITE 0 0 0xffffbf0f6d969b70 N/A Disabled 6988 OneDrive.exe 0xbf0f6d969e40 0x9f40000 0x9f5ffff VadS PAGE_READWRITE 16 1 0xffffbf0f6d969b70 N/A Disabled 6988 OneDrive.exe 0xbf0f6d86f1c0 0x9fd0000 0x9fddfff Vad PAGE_READONLY 0 0 0xffffbf0f6d86d3c0 \Windows\SysWOW64\en-US\urlmon.dll.mui Disabled 6988 OneDrive.exe 0xbf0f6d86e360 0x9fc0000 0x9fc0fff Vad PAGE_READWRITE 0 0 0xffffbf0f6d86f1c0 N/A Disabled 6988 OneDrive.exe 0xbf0f6d86d780 0x9f70000 0x9f79fff Vad PAGE_READONLY 0 0 0xffffbf0f6d86e360 \Windows\System32\en-US\crypt32.dll.mui Disabled 6988 OneDrive.exe 0xbf0f6d864e00 0x9fe0000 0x9fe1fff Vad PAGE_READONLY 0 0 0xffffbf0f6d86f1c0 N/A Disabled 6988 OneDrive.exe 0xbf0f6d86ea40 0x9ff0000 0x9ff0fff Vad PAGE_READWRITE 0 0 0xffffbf0f6d864e00 N/A Disabled 6988 OneDrive.exe 0xbf0f6d96afc0 0xa2e0000 0xa32ffff VadS PAGE_READWRITE 3 1 0xffffbf0f6d969ad0 N/A Disabled 6988 OneDrive.exe 0xbf0f6d96b060 0xa250000 0xa29ffff VadS PAGE_READWRITE 3 1 0xffffbf0f6d96afc0 N/A Disabled 6988 OneDrive.exe 0xbf0f6d96af70 0xa210000 0xa24ffff VadS PAGE_READWRITE 11 1 0xffffbf0f6d96b060 N/A Disabled 6988 OneDrive.exe 0xbf0f6d9696c0 0xa010000 0xa10ffff VadS PAGE_READWRITE 226 1 0xffffbf0f6d96af70 N/A Disabled 6988 OneDrive.exe 0xbf0f6d96aa20 0xa2a0000 0xa2dffff VadS PAGE_READWRITE 11 1 0xffffbf0f6d96b060 N/A Disabled 6988 OneDrive.exe 0xbf0f6d96b100 0xa400000 0xa4fffff VadS PAGE_READWRITE 6 1 0xffffbf0f6d96afc0 N/A Disabled 6988 OneDrive.exe 0xbf0f6d96b380 0xa370000 0xa3bffff VadS PAGE_READWRITE 3 1 0xffffbf0f6d96b100 N/A Disabled 6988 OneDrive.exe 0xbf0f6d96ae30 0xa330000 0xa36ffff VadS PAGE_READWRITE 11 1 0xffffbf0f6d96b380 N/A Disabled 6988 OneDrive.exe 0xbf0f6d96b2e0 0xa3c0000 0xa3fffff VadS PAGE_READWRITE 11 1 0xffffbf0f6d96b380 N/A Disabled 6988 OneDrive.exe 0xbf0f6d96b290 0xa520000 0xa55ffff VadS PAGE_READWRITE 11 1 0xffffbf0f6d96b100 N/A Disabled 6988 OneDrive.exe 0xbf0f6d96b330 0xa500000 0xa51ffff VadS PAGE_READWRITE 15 1 0xffffbf0f6d96b290 N/A Disabled 6988 OneDrive.exe 0xbf0f6d86eea0 0x6c670000 0x6c8e2fff Vad PAGE_EXECUTE_WRITECOPY 7 0 0xffffbf0f6d96aac0 \Windows\SysWOW64\UIAutomationCore.dll Disabled 6988 OneDrive.exe 0xbf0f6d96c7d0 0xeb70000 0xeb8ffff VadS PAGE_READWRITE 1 1 0xffffbf0f6d86eea0 N/A Disabled 6988 OneDrive.exe 0xbf0f6d96b7e0 0xcc00000 0xcc1ffff VadS PAGE_READWRITE 9 1 0xffffbf0f6d96c7d0 N/A Disabled 6988 OneDrive.exe 0xbf0f6d86e040 0xaa40000 0xaa40fff Vad PAGE_READWRITE 0 0 0xffffbf0f6d96b7e0 N/A Disabled 6988 OneDrive.exe 0xbf0f6d96ac00 0xa750000 0xa76ffff VadS PAGE_READWRITE 8 1 0xffffbf0f6d86e040 N/A Disabled 6988 OneDrive.exe 0xbf0f6d96ab60 0xa610000 0xa70ffff VadS PAGE_READWRITE 4 1 0xffffbf0f6d96ac00 N/A Disabled 6988 OneDrive.exe 0xbf0f6d96ab10 0xa5d0000 0xa60ffff VadS PAGE_READWRITE 11 1 0xffffbf0f6d96ab60 N/A Disabled 6988 OneDrive.exe 0xbf0f6d96ad90 0xa5b0000 0xa5cffff VadS PAGE_READWRITE 19 1 0xffffbf0f6d96ab10 N/A Disabled 6988 OneDrive.exe 0xbf0f6d96ade0 0xa730000 0xa74ffff VadS PAGE_READWRITE 10 1 0xffffbf0f6d96ab60 N/A Disabled 6988 OneDrive.exe 0xbf0f6d96abb0 0xa710000 0xa72ffff VadS PAGE_READWRITE 32 1 0xffffbf0f6d96ade0 N/A Disabled 6988 OneDrive.exe 0xbf0f6d96ae80 0xa900000 0xa93ffff VadS PAGE_READWRITE 11 1 0xffffbf0f6d96ac00 N/A Disabled 6988 OneDrive.exe 0xbf0f6d96acf0 0xa7c0000 0xa7fffff VadS PAGE_READWRITE 11 1 0xffffbf0f6d96ae80 N/A Disabled 6988 OneDrive.exe 0xbf0f6d86e2c0 0xa770000 0xa7b5fff Vad PAGE_READONLY 0 0 0xffffbf0f6d96acf0 \Windows\System32\en-US\mshtml.dll.mui Disabled 6988 OneDrive.exe 0xbf0f6d96ad40 0xa800000 0xa8fffff VadS PAGE_READWRITE 3 1 0xffffbf0f6d96acf0 N/A Disabled 6988 OneDrive.exe 0xbf0f6d96aed0 0xa940000 0xaa3ffff VadS PAGE_READWRITE 4 1 0xffffbf0f6d96ae80 N/A Disabled 6988 OneDrive.exe 0xbf0f6d96bba0 0xaac0000 0xcabffff VadS PAGE_READWRITE 8 1 0xffffbf0f6d86e040 N/A Disabled 6988 OneDrive.exe 0xbf0f6d96bb50 0xaa90000 0xaa90fff VadS PAGE_READWRITE 1 1 0xffffbf0f6d96bba0 N/A Disabled 6988 OneDrive.exe 0xbf0f6d86f080 0xaa60000 0xaa7afff Vad PAGE_READONLY 0 0 0xffffbf0f6d96bb50 \Users\John Doe\AppData\Local\Microsoft\Windows\Caches{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000007.db Disabled 6988 OneDrive.exe 0xbf0f6d86e680 0xaa50000 0xaa50fff Vad PAGE_READWRITE 0 0 0xffffbf0f6d86f080 N/A Disabled 6988 OneDrive.exe 0xbf0f6d86ef40 0xaa80000 0xaa80fff Vad PAGE_READWRITE 0 0 0xffffbf0f6d86f080 N/A Disabled 6988 OneDrive.exe 0xbf0f6d96b790 0xaab0000 0xaab0fff VadS PAGE_READWRITE 1 1 0xffffbf0f6d96bb50 N/A Disabled 6988 OneDrive.exe 0xbf0f6d96b600 0xaaa0000 0xaaa0fff VadS PAGE_READWRITE 1 1 0xffffbf0f6d96b790 N/A Disabled 6988 OneDrive.exe 0xbf0f6d96b970 0xcb00000 0xcbfffff VadS PAGE_READWRITE 3 1 0xffffbf0f6d96bba0 N/A Disabled 6988 OneDrive.exe 0xbf0f6d96b920 0xcac0000 0xcafffff VadS PAGE_READWRITE 11 1 0xffffbf0f6d96b970 N/A Disabled 6988 OneDrive.exe 0xbf0f6d96c320 0xe950000 0xe96ffff VadS PAGE_READWRITE 11 1 0xffffbf0f6d96b7e0 N/A Disabled 6988 OneDrive.exe 0xbf0f6d96bd30 0xccb0000 0xcccffff VadS PAGE_READWRITE 30 1 0xffffbf0f6d96c320 N/A Disabled 6988 OneDrive.exe 0xbf0f6d96b6f0 0xcc70000 0xcc8ffff VadS PAGE_READWRITE 2 1 0xffffbf0f6d96bd30 N/A Disabled 6988 OneDrive.exe 0xbf0f6d96bc40 0xcc30000 0xcc4ffff VadS PAGE_READWRITE 4 1 0xffffbf0f6d96b6f0 N/A Disabled 6988 OneDrive.exe 0xbf0f6d8700c0 0xcc20000 0xcc20fff Vad PAGE_READONLY 0 0 0xffffbf0f6d96bc40 N/A Disabled 6988 OneDrive.exe 0xbf0f6d96b650 0xcc50000 0xcc6ffff VadS PAGE_READWRITE 1 1 0xffffbf0f6d96bc40 N/A Disabled 6988 OneDrive.exe 0xbf0f6d96ba10 0xcc90000 0xccaffff VadS PAGE_READWRITE 13 1 0xffffbf0f6d96b6f0 N/A Disabled 6988 OneDrive.exe 0xbf0f6d96bf60 0xe8d0000 0xe8effff VadS PAGE_READWRITE 5 1 0xffffbf0f6d96bd30 N/A Disabled 6988 OneDrive.exe 0xbf0f6d86fee0 0xdcd0000 0xe4cffff Vad PAGE_READONLY 0 0 0xffffbf0f6d96bf60 \Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\~FontCache-S-1-5-21-3061953532-2461696977-1363062292-1001.dat Disabled 6988 OneDrive.exe 0xbf0f6d86fa80 0xccd0000 0xdccffff Vad PAGE_READONLY 0 0 0xffffbf0f6d86fee0 \Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\~FontCache-FontFace.dat Disabled 6988 OneDrive.exe 0xbf0f6d963180 0xe4d0000 0xe8cffff VadS PAGE_READWRITE 181 1 0xffffbf0f6d86fee0 N/A Disabled 6988 OneDrive.exe 0xbf0f6d96c780 0xe910000 0xe92ffff VadS PAGE_READWRITE 12 1 0xffffbf0f6d96bf60 N/A Disabled 6988 OneDrive.exe 0xbf0f6d96bfb0 0xe8f0000 0xe90ffff VadS PAGE_READWRITE 9 1 0xffffbf0f6d96c780 N/A Disabled 6988 OneDrive.exe 0xbf0f6d96c410 0xe930000 0xe94ffff VadS PAGE_READWRITE 18 1 0xffffbf0f6d96c780 N/A Disabled 6988 OneDrive.exe 0xbf0f6d96c500 0xea50000 0xea6ffff VadS PAGE_READWRITE 0 1 0xffffbf0f6d96c320 N/A Disabled 6988 OneDrive.exe 0xbf0f6d96c0a0 0xe9d0000 0xe9effff VadS PAGE_READWRITE 15 1 0xffffbf0f6d96c500 N/A Disabled 6988 OneDrive.exe 0xbf0f6d96c460 0xe990000 0xe9affff VadS PAGE_READWRITE 11 1 0xffffbf0f6d96c0a0 N/A Disabled 6988 OneDrive.exe 0xbf0f6d96c6e0 0xe970000 0xe98ffff VadS PAGE_READWRITE 6 1 0xffffbf0f6d96c460 N/A Disabled 6988 OneDrive.exe 0xbf0f6d96c0f0 0xea10000 0xea2ffff VadS PAGE_READWRITE 2 1 0xffffbf0f6d96c0a0 N/A Disabled 6988 OneDrive.exe 0xbf0f6d96c4b0 0xe9f0000 0xea0ffff VadS PAGE_READWRITE 10 1 0xffffbf0f6d96c0f0 N/A Disabled 6988 OneDrive.exe 0xbf0f6d96c190 0xea30000 0xea4ffff VadS PAGE_READWRITE 10 1 0xffffbf0f6d96c0f0 N/A Disabled 6988 OneDrive.exe 0xbf0f6d96c730 0xead0000 0xeaeffff VadS PAGE_READWRITE 15 1 0xffffbf0f6d96c500 N/A Disabled 6988 OneDrive.exe 0xbf0f6d96c5f0 0xea90000 0xeaaffff VadS PAGE_READWRITE 10 1 0xffffbf0f6d96c730 N/A Disabled 6988 OneDrive.exe 0xbf0f6d96c1e0 0xea70000 0xea8ffff VadS PAGE_READWRITE 12 1 0xffffbf0f6d96c5f0 N/A Disabled 6988 OneDrive.exe 0xbf0f6d96bec0 0xeab0000 0xeacffff VadS PAGE_READWRITE 9 1 0xffffbf0f6d96c5f0 N/A Disabled 6988 OneDrive.exe 0xbf0f6d96c690 0xeb10000 0xeb2ffff VadS PAGE_READWRITE 9 1 0xffffbf0f6d96c730 N/A Disabled 6988 OneDrive.exe 0xbf0f6d96c550 0xeaf0000 0xeb0ffff VadS PAGE_READWRITE 13 1 0xffffbf0f6d96c690 N/A Disabled 6988 OneDrive.exe 0xbf0f6d96c370 0xeb30000 0xeb4ffff VadS PAGE_READWRITE 1 1 0xffffbf0f6d96c690 N/A Disabled 6988 OneDrive.exe 0xbf0f6d96c8c0 0xef30000 0xef4ffff VadS PAGE_READWRITE 11 1 0xffffbf0f6d96c7d0 N/A Disabled 6988 OneDrive.exe 0xbf0f6d96c3c0 0xec50000 0xee4ffff VadS PAGE_READWRITE 139 1 0xffffbf0f6d96c8c0 N/A Disabled 6988 OneDrive.exe 0xbf0f6d96c230 0xebd0000 0xebeffff VadS PAGE_READWRITE 12 1 0xffffbf0f6d96c3c0 N/A Disabled 6988 OneDrive.exe 0xbf0f6d96bf10 0xeb90000 0xebaffff VadS PAGE_READWRITE 15 1 0xffffbf0f6d96c230 N/A Disabled 6988 OneDrive.exe 0xbf0f6d96be20 0xebb0000 0xebcffff VadS PAGE_READWRITE 24 1 0xffffbf0f6d96bf10 N/A Disabled 6988 OneDrive.exe 0xbf0f6d96c2d0 0xec10000 0xec2ffff VadS PAGE_READWRITE 14 1 0xffffbf0f6d96c230 N/A Disabled 6988 OneDrive.exe 0xbf0f6d96c280 0xebf0000 0xec0ffff VadS PAGE_READWRITE 14 1 0xffffbf0f6d96c2d0 N/A Disabled 6988 OneDrive.exe 0xbf0f6d96c640 0xec30000 0xec4ffff VadS PAGE_READWRITE 8 1 0xffffbf0f6d96c2d0 N/A Disabled 6988 OneDrive.exe 0xbf0f6d96ccd0 0xeeb0000 0xeecffff VadS PAGE_READWRITE 9 1 0xffffbf0f6d96c3c0 N/A Disabled 6988 OneDrive.exe 0xbf0f6d96cf00 0xee70000 0xee8ffff VadS PAGE_READWRITE 6 1 0xffffbf0f6d96ccd0 N/A Disabled 6988 OneDrive.exe 0xbf0f6d96d130 0xee50000 0xee6ffff VadS PAGE_READWRITE 13 1 0xffffbf0f6d96cf00 N/A Disabled 6988 OneDrive.exe 0xbf0f6d96c870 0xee90000 0xeeaffff VadS PAGE_READWRITE 5 1 0xffffbf0f6d96cf00 N/A Disabled 6988 OneDrive.exe 0xbf0f6d96c910 0xeef0000 0xef0ffff VadS PAGE_READWRITE 6 1 0xffffbf0f6d96ccd0 N/A Disabled 6988 OneDrive.exe 0xbf0f6d96cf50 0xef10000 0xef2ffff VadS PAGE_READWRITE 9 1 0xffffbf0f6d96c910 N/A Disabled 6988 OneDrive.exe 0xbf0f6d96cdc0 0xf120000 0xf13ffff VadS PAGE_READWRITE 3 1 0xffffbf0f6d96c8c0 N/A Disabled 6988 OneDrive.exe 0xbf0f6d96cd20 0xf0a0000 0xf0bffff VadS PAGE_READWRITE 4 1 0xffffbf0f6d96cdc0 N/A Disabled 6988 OneDrive.exe 0xbf0f6d96c820 0xef90000 0xf09ffff VadS PAGE_READWRITE 252 1 0xffffbf0f6d96cd20 N/A Disabled 6988 OneDrive.exe 0xbf0f6d96cb90 0xef50000 0xef6ffff VadS PAGE_READWRITE 10 1 0xffffbf0f6d96c820 N/A Disabled 6988 OneDrive.exe 0xbf0f6d96d180 0xf0e0000 0xf0fffff VadS PAGE_READWRITE 9 1 0xffffbf0f6d96cd20 N/A Disabled 6988 OneDrive.exe 0xbf0f6d96cd70 0xf0c0000 0xf0dffff VadS PAGE_READWRITE 10 1 0xffffbf0f6d96d180 N/A Disabled 6988 OneDrive.exe 0xbf0f6d96cc30 0xf100000 0xf11ffff VadS PAGE_READWRITE 10 1 0xffffbf0f6d96d180 N/A Disabled 6988 OneDrive.exe 0xbf0f6d8703e0 0xf220000 0xf227fff Vad PAGE_READONLY 0 0 0xffffbf0f6d96cdc0 \Windows\SysWOW64\en-US\jscript9.dll.mui Disabled 6988 OneDrive.exe 0xbf0f6d96ce10 0xf1a0000 0xf1bffff VadS PAGE_READWRITE 6 1 0xffffbf0f6d8703e0 N/A Disabled 6988 OneDrive.exe 0xbf0f6d96d1d0 0xf160000 0xf17ffff VadS PAGE_READWRITE 6 1 0xffffbf0f6d96ce10 N/A Disabled 6988 OneDrive.exe 0xbf0f6d96cbe0 0xf140000 0xf15ffff VadS PAGE_READWRITE 7 1 0xffffbf0f6d96d1d0 N/A Disabled 6988 OneDrive.exe 0xbf0f6d96c960 0xf180000 0xf19ffff VadS PAGE_READWRITE 8 1 0xffffbf0f6d96d1d0 N/A Disabled 6988 OneDrive.exe 0xbf0f6d96ceb0 0xf1e0000 0xf1fffff VadS PAGE_READWRITE 7 1 0xffffbf0f6d96ce10 N/A Disabled 6988 OneDrive.exe 0xbf0f6d96d090 0xf1c0000 0xf1dffff VadS PAGE_READWRITE 6 1 0xffffbf0f6d96ceb0 N/A Disabled 6988 OneDrive.exe 0xbf0f6d86f940 0x6c450000 0x6c4e1fff Vad PAGE_EXECUTE_WRITECOPY 3 0 0xffffbf0f6d8703e0 \Windows\SysWOW64\Windows.Web.dll Disabled 6988 OneDrive.exe 0xbf0f6d870200 0xf230000 0xf231fff Vad PAGE_READONLY 0 0 0xffffbf0f6d86f940 \Windows\System32\en-US\Windows.Security.Authentication.Web.Core.dll.mui Disabled 6988 OneDrive.exe 0xbf0f6d8702a0 0x6c530000 0x6c56cfff Vad PAGE_EXECUTE_WRITECOPY 3 0 0xffffbf0f6d86f940 \Windows\SysWOW64\OneCoreCommonProxyStub.dll Disabled 6988 OneDrive.exe 0xbf0f6d870340 0x6c4f0000 0x6c526fff Vad PAGE_EXECUTE_WRITECOPY 2 0 0xffffbf0f6d8702a0 \Windows\SysWOW64\vaultcli.dll Disabled 6988 OneDrive.exe 0xbf0f6d86f4e0 0x6c570000 0x6c668fff Vad PAGE_EXECUTE_WRITECOPY 3 0 0xffffbf0f6d8702a0 \Windows\SysWOW64\Windows.Security.Authentication.Web.Core.dll Disabled 6988 OneDrive.exe 0xbf0f6d86dbe0 0x6dac0000 0x6dadefff Vad PAGE_EXECUTE_WRITECOPY 7 0 0xffffbf0f6d86eea0 \Windows\SysWOW64\ncryptsslp.dll Disabled 6988 OneDrive.exe 0xbf0f6d86e720 0x6cef0000 0x6d0fbfff Vad PAGE_EXECUTE_WRITECOPY 10 0 0xffffbf0f6d86dbe0 \Windows\SysWOW64\DWrite.dll Disabled 6988 OneDrive.exe 0xbf0f6d86ed60 0x6c8f0000 0x6c91bfff Vad PAGE_EXECUTE_WRITECOPY 5 0 0xffffbf0f6d86e720 \Windows\SysWOW64\DXCore.dll Disabled 6988 OneDrive.exe 0xbf0f6d86e540 0x6c920000 0x6cee1fff Vad PAGE_EXECUTE_WRITECOPY 25 0 0xffffbf0f6d86ed60 \Windows\SysWOW64\d3d10warp.dll Disabled 6988 OneDrive.exe 0xbf0f6d86de60 0x6d6c0000 0x6d6cdfff Vad PAGE_EXECUTE_WRITECOPY 3 0 0xffffbf0f6d86e720 \Windows\SysWOW64\msimtf.dll Disabled 6988 OneDrive.exe 0xbf0f6d86e5e0 0x6d100000 0x6d614fff Vad PAGE_EXECUTE_WRITECOPY 5 0 0xffffbf0f6d86de60 \Windows\SysWOW64\d2d1.dll Disabled 6988 OneDrive.exe 0xbf0f6d86e400 0x6d620000 0x6d6befff Vad PAGE_EXECUTE_WRITECOPY 3 0 0xffffbf0f6d86e5e0 \Windows\SysWOW64\apphelp.dll Disabled 6988 OneDrive.exe 0xbf0f6d86f120 0x6d6d0000 0x6da87fff Vad PAGE_EXECUTE_WRITECOPY 19 0 0xffffbf0f6d86de60 \Windows\SysWOW64\jscript9.dll Disabled 6988 OneDrive.exe 0xbf0f6d863dc0 0x6da90000 0x6dab4fff Vad PAGE_EXECUTE_WRITECOPY 3 0 0xffffbf0f6d86f120 \Windows\SysWOW64\srpapi.dll Disabled 6988 OneDrive.exe 0xbf0f6d8685a0 0x6ef40000 0x6ef47fff Vad PAGE_EXECUTE_WRITECOPY 2 0 0xffffbf0f6d86dbe0 \Windows\SysWOW64\winnsi.dll Disabled 6988 OneDrive.exe 0xbf0f6d86cec0 0x6db20000 0x6db97fff Vad PAGE_EXECUTE_WRITECOPY 4 0 0xffffbf0f6d8685a0 \Windows\SysWOW64\schannel.dll Disabled 6988 OneDrive.exe 0xbf0f6d86d5a0 0x6dae0000 0x6db05fff Vad PAGE_EXECUTE_WRITECOPY 3 0 0xffffbf0f6d86cec0 \Windows\SysWOW64\cryptnet.dll Disabled 6988 OneDrive.exe 0xbf0f6d86d0a0 0x6db10000 0x6db1ffff Vad PAGE_EXECUTE_WRITECOPY 3 0 0xffffbf0f6d86d5a0 \Windows\SysWOW64\mskeyprotect.dll Disabled 6988 OneDrive.exe 0xbf0f6d869680 0x6dc40000 0x6ee92fff Vad PAGE_EXECUTE_WRITECOPY 303 0 0xffffbf0f6d86cec0 \Windows\SysWOW64\mshtml.dll Disabled 6988 OneDrive.exe 0xbf0f6d86dc80 0x6dc00000 0x6dc07fff Vad PAGE_EXECUTE_WRITECOPY 3 0 0xffffbf0f6d869680 \Windows\SysWOW64\rasadhlp.dll Disabled 6988 OneDrive.exe 0xbf0f6d86db40 0x6dba0000 0x6dbf7fff Vad PAGE_EXECUTE_WRITECOPY 3 0 0xffffbf0f6d86dc80 \Windows\SysWOW64\FWPUCLNT.DLL Disabled 6988 OneDrive.exe 0xbf0f6d86a1c0 0x6dc10000 0x6dc3efff Vad PAGE_EXECUTE_WRITECOPY 5 0 0xffffbf0f6d86dc80 \Windows\SysWOW64\MicrosoftAccountTokenProvider.dll Disabled 6988 OneDrive.exe 0xbf0f6d86a080 0x6eea0000 0x6eea7fff Vad PAGE_EXECUTE_WRITECOPY 3 0 0xffffbf0f6d869680 \Windows\SysWOW64\dpapi.dll Disabled 6988 OneDrive.exe 0xbf0f6d868820 0x6eeb0000 0x6ef37fff Vad PAGE_EXECUTE_WRITECOPY 3 0 0xffffbf0f6d86a080 \Windows\SysWOW64\sxs.dll Disabled 6988 OneDrive.exe 0xbf0f6d867f60 0x6f020000 0x6f048fff Vad PAGE_EXECUTE_WRITECOPY 4 0 0xffffbf0f6d8685a0 \Windows\SysWOW64\ntmarta.dll Disabled 6988 OneDrive.exe 0xbf0f6d8683c0 0x6efa0000 0x6eff1fff Vad PAGE_EXECUTE_WRITECOPY 4 0 0xffffbf0f6d867f60 \Windows\SysWOW64\mswsock.dll Disabled 6988 OneDrive.exe 0xbf0f6d868780 0x6ef50000 0x6ef92fff Vad PAGE_EXECUTE_WRITECOPY 4 0 0xffffbf0f6d8683c0 \Windows\SysWOW64\msIso.dll Disabled 6988 OneDrive.exe 0xbf0f6d868280 0x6f000000 0x6f011fff Vad PAGE_EXECUTE_WRITECOPY 3 0 0xffffbf0f6d8683c0 \Windows\SysWOW64\OnDemandConnRouteHelper.dll Disabled 6988 OneDrive.exe 0xbf0f6d8680a0 0x6f2d0000 0x6f36afff Vad PAGE_EXECUTE_WRITECOPY 4 0 0xffffbf0f6d867f60 \Windows\SysWOW64\CoreMessaging.dll Disabled 6988 OneDrive.exe 0xbf0f6d868500 0x6f050000 0x6f2cdfff Vad PAGE_EXECUTE_WRITECOPY 5 0 0xffffbf0f6d8680a0 \Windows\SysWOW64\CoreUIComponents.dll Disabled 6988 OneDrive.exe 0xbf0f6d868320 0x6f370000 0x6f428fff Vad PAGE_EXECUTE_WRITECOPY 4 0 0xffffbf0f6d8680a0 \Windows\SysWOW64\TextInputFramework.dll Disabled 6988 OneDrive.exe 0xbf0f6d868b40 0x6f430000 0x6f593fff Vad PAGE_EXECUTE_WRITECOPY 10 0 0xffffbf0f6d868320 \Windows\SysWOW64\dcomp.dll Disabled 6988 OneDrive.exe 0xbf0f6ccd93d0 0x71820000 0x71c5dfff Vad PAGE_EXECUTE_WRITECOPY 10 0 0xffffbf0f6d868640 \Users\John Doe\AppData\Local\Microsoft\OneDrive\21.062.0328.0001\Qt5Widgets.dll Disabled 6988 OneDrive.exe 0xbf0f6d866840 0x70530000 0x70653fff Vad PAGE_EXECUTE_WRITECOPY 5 0 0xffffbf0f6ccd93d0 \Users\John Doe\AppData\Local\Microsoft\OneDrive\21.062.0328.0001\platforms\qwindows.dll Disabled 6988 OneDrive.exe 0xbf0f6d866f20 0x6fda0000 0x6fe5efff Vad PAGE_EXECUTE_WRITECOPY 4 0 0xffffbf0f6d866840 \Windows\SysWOW64\Windows.Services.TargetedContent.dll Disabled 6988 OneDrive.exe 0xbf0f6d8668e0 0x6f5f0000 0x6fc1afff Vad PAGE_EXECUTE_WRITECOPY 14 0 0xffffbf0f6d866f20 \Windows\SysWOW64\ieframe.dll Disabled 6988 OneDrive.exe 0xbf0f6d868460 0x6f5e0000 0x6f5effff Vad PAGE_EXECUTE_WRITECOPY 3 0 0xffffbf0f6d8668e0 \Windows\SysWOW64\wkscli.dll Disabled 6988 OneDrive.exe 0xbf0f6d868aa0 0x6fc20000 0x6fc84fff Vad PAGE_EXECUTE_WRITECOPY 4 0 0xffffbf0f6d8668e0 \Windows\SysWOW64\msvcp110_win.dll Disabled 6988 OneDrive.exe 0xbf0f6d867a60 0x6fc90000 0x6fd91fff Vad PAGE_EXECUTE_WRITECOPY 8 0 0xffffbf0f6d868aa0 \Windows\SysWOW64\dsreg.dll Disabled 6988 OneDrive.exe 0xbf0f6d866660 0x70070000 0x70076fff Vad PAGE_EXECUTE_WRITECOPY 2 0 0xffffbf0f6d866f20 \Windows\SysWOW64\FamilySafetyExt.dll Disabled 6988 OneDrive.exe 0xbf0f6d8667a0 0x6fe80000 0x6ff05fff Vad PAGE_EXECUTE_WRITECOPY 6 0 0xffffbf0f6d866660 \Windows\SysWOW64\wlidprov.dll Disabled 6988 OneDrive.exe 0xbf0f6d866e80 0x6fe60000 0x6fe74fff Vad PAGE_EXECUTE_WRITECOPY 3 0 0xffffbf0f6d8667a0 \Windows\SysWOW64\samcli.dll Disabled 6988 OneDrive.exe 0xbf0f6d867240 0x6ff10000 0x70064fff Vad PAGE_EXECUTE_WRITECOPY 64 0 0xffffbf0f6d8667a0 \Windows\SysWOW64\Wpc.dll Disabled 6988 OneDrive.exe 0xbf0f6d867880 0x70210000 0x703ecfff Vad PAGE_EXECUTE_WRITECOPY 8 0 0xffffbf0f6d866660 \Windows\SysWOW64\msxml6.dll Disabled 6988 OneDrive.exe 0xbf0f6d867740 0x70080000 0x7020efff Vad PAGE_EXECUTE_WRITECOPY 5 0 0xffffbf0f6d867880 \Windows\SysWOW64\twinapi.appcore.dll Disabled 6988 OneDrive.exe 0xbf0f6d866a20 0x704d0000 0x704dcfff Vad PAGE_EXECUTE_WRITECOPY 3 0 0xffffbf0f6d867880 \Windows\SysWOW64\umpdc.dll Disabled 6988 OneDrive.exe 0xbf0f6d867420 0x703f0000 0x704cafff Vad PAGE_EXECUTE_WRITECOPY 4 0 0xffffbf0f6d866a20 \Windows\SysWOW64\WinTypes.dll Disabled 6988 OneDrive.exe 0xbf0f6d866700 0x704e0000 0x70523fff Vad PAGE_EXECUTE_WRITECOPY 3 0 0xffffbf0f6d866a20 \Windows\SysWOW64\powrprof.dll Disabled 6988 OneDrive.exe 0xbf0f6d8635a0 0x70b30000 0x70b57fff Vad PAGE_EXECUTE_WRITECOPY 2 0 0xffffbf0f6d866840 \Windows\SysWOW64\ntasn1.dll Disabled 6988 OneDrive.exe 0xbf0f6d866480 0x70a40000 0x70a4cfff Vad PAGE_EXECUTE_WRITECOPY 4 0 0xffffbf0f6d8635a0 \Windows\SysWOW64\atlthunk.dll Disabled 6988 OneDrive.exe 0xbf0f6d865e40 0x70660000 0x709fffff Vad PAGE_EXECUTE_WRITECOPY 10 0 0xffffbf0f6d866480 \Windows\SysWOW64\OneCoreUAPCommonProxyStub.dll Disabled 6988 OneDrive.exe 0xbf0f6d865a80 0x70a00000 0x70a33fff Vad PAGE_EXECUTE_WRITECOPY 6 0 0xffffbf0f6d865e40 \Windows\SysWOW64\mlang.dll Disabled 6988 OneDrive.exe 0xbf0f6d865940 0x70ab0000 0x70ab7fff Vad PAGE_EXECUTE_WRITECOPY 2 0 0xffffbf0f6d866480 \Windows\SysWOW64\fltLib.dll Disabled 6988 OneDrive.exe 0xbf0f6d865760 0x70a50000 0x70aaefff Vad PAGE_EXECUTE_WRITECOPY 7 0 0xffffbf0f6d865940 \Users\John Doe\AppData\Local\Microsoft\OneDrive\21.062.0328.0001\FileSyncFALWB.dll Disabled 6988 OneDrive.exe 0xbf0f6d865300 0x70ae0000 0x70aedfff Vad PAGE_EXECUTE_WRITECOPY 2 0 0xffffbf0f6d865940 \Windows\SysWOW64\msasn1.dll Disabled 6988 OneDrive.exe 0xbf0f6d8658a0 0x70ac0000 0x70adbfff Vad PAGE_EXECUTE_WRITECOPY 3 0 0xffffbf0f6d865300 \Windows\SysWOW64\cldapi.dll Disabled 6988 OneDrive.exe 0xbf0f6d863d20 0x70af0000 0x70b2ffff Vad PAGE_EXECUTE_WRITECOPY 5 0 0xffffbf0f6d865300 \Windows\SysWOW64\wscapi.dll Disabled 6988 OneDrive.exe 0xbf0f6ccdca30 0x70d40000 0x70d58fff Vad PAGE_EXECUTE_WRITECOPY 3 0 0xffffbf0f6d8635a0 \Windows\SysWOW64\mpr.dll Disabled 6988 OneDrive.exe 0xbf0f6cce7c50 0x70c20000 0x70cb1fff Vad PAGE_EXECUTE_WRITECOPY 4 0 0xffffbf0f6ccdca30 \Windows\SysWOW64\dnsapi.dll Disabled 6988 OneDrive.exe 0xbf0f6ccf8410 0x70b80000 0x70b8afff Vad PAGE_EXECUTE_WRITECOPY 2 0 0xffffbf0f6cce7c50 \Windows\SysWOW64\netutils.dll Disabled 6988 OneDrive.exe 0xbf0f6af54880 0x70b60000 0x70b7cfff Vad PAGE_EXECUTE_WRITECOPY 11 0 0xffffbf0f6ccf8410 \Windows\SysWOW64\srvcli.dll Disabled 6988 OneDrive.exe 0xbf0f6cce6e90 0x70b90000 0x70c16fff Vad PAGE_EXECUTE_WRITECOPY 5 0 0xffffbf0f6ccf8410 \Users\John Doe\AppData\Local\Microsoft\OneDrive\21.062.0328.0001\libssl-1_1.dll Disabled 6988 OneDrive.exe 0xbf0f6ccdc350 0x70cf0000 0x70d17fff Vad PAGE_EXECUTE_WRITECOPY 4 0 0xffffbf0f6cce7c50 \Windows\SysWOW64\winmm.dll Disabled 6988 OneDrive.exe 0xbf0f6cce33d0 0x70cc0000 0x70ce0fff Vad PAGE_EXECUTE_WRITECOPY 3 0 0xffffbf0f6ccdc350 \Windows\SysWOW64\sspicli.dll Disabled 6988 OneDrive.exe 0xbf0f6ccdc210 0x70d20000 0x70d32fff Vad PAGE_EXECUTE_WRITECOPY 3 0 0xffffbf0f6ccdc350 \Windows\SysWOW64\netapi32.dll Disabled 6988 OneDrive.exe 0xbf0f6ccdb8b0 0x711f0000 0x712e8fff Vad PAGE_EXECUTE_WRITECOPY 6 0 0xffffbf0f6ccdca30 \Users\John Doe\AppData\Local\Microsoft\OneDrive\21.062.0328.0001\Qt5Network.dll Disabled 6988 OneDrive.exe 0xbf0f6ccda690 0x70e30000 0x70e93fff Vad PAGE_EXECUTE_WRITECOPY 3 0 0xffffbf0f6ccdb8b0 \Users\John Doe\AppData\Local\Microsoft\OneDrive\21.062.0328.0001\Qt5QmlModels.dll Disabled 6988 OneDrive.exe 0xbf0f6ccdcc10 0x70d60000 0x70e21fff Vad PAGE_EXECUTE_WRITECOPY 6 0 0xffffbf0f6ccda690 \Windows\SysWOW64\dxgi.dll Disabled 6988 OneDrive.exe 0xbf0f6ccda550 0x70ea0000 0x7107ffff Vad PAGE_EXECUTE_WRITECOPY 6 0 0xffffbf0f6ccda690 \Windows\SysWOW64\d3d11.dll Disabled 6988 OneDrive.exe 0xbf0f6ccdc0d0 0x71080000 0x711e4fff Vad PAGE_EXECUTE_WRITECOPY 11 0 0xffffbf0f6ccda550 \Users\John Doe\AppData\Local\Microsoft\OneDrive\21.062.0328.0001\adal.dll Disabled 6988 OneDrive.exe 0xbf0f6ccdb450 0x71320000 0x7132cfff Vad PAGE_EXECUTE_WRITECOPY 3 0 0xffffbf0f6ccdb8b0 \Windows\SysWOW64\credui.dll Disabled 6988 OneDrive.exe 0xbf0f6ccdb630 0x712f0000 0x71310fff Vad PAGE_EXECUTE_WRITECOPY 3 0 0xffffbf0f6ccdb450 \Windows\SysWOW64\ncrypt.dll Disabled 6988 OneDrive.exe 0xbf0f6ccdb4f0 0x71560000 0x71592fff Vad PAGE_EXECUTE_WRITECOPY 2 0 0xffffbf0f6ccdb450 \Users\John Doe\AppData\Local\Microsoft\OneDrive\21.062.0328.0001\Qt5WinExtras.dll Disabled 6988 OneDrive.exe 0xbf0f6ccdb590 0x71330000 0x7155afff Vad PAGE_EXECUTE_WRITECOPY 10 0 0xffffbf0f6ccdb4f0 \Windows\SysWOW64\iertutil.dll Disabled 6988 OneDrive.exe 0xbf0f6ccdb1d0 0x715a0000 0x71816fff Vad PAGE_EXECUTE_WRITECOPY 7 0 0xffffbf0f6ccdb4f0 \Users\John Doe\AppData\Local\Microsoft\OneDrive\21.062.0328.0001\libcrypto-1_1.dll Disabled 6988 OneDrive.exe 0xbf0f6d7244a0 0x749b0000 0x749e1fff Vad PAGE_EXECUTE_WRITECOPY 3 0 0xffffbf0f6ccd93d0 \Windows\SysWOW64\IPHLPAPI.DLL Disabled 6988 OneDrive.exe 0xbf0f6ccd9dd0 0x730f0000 0x7319dfff Vad PAGE_EXECUTE_WRITECOPY 5 0 0xffffbf0f6d7244a0 \Windows\SysWOW64\wer.dll Disabled 6988 OneDrive.exe 0xbf0f6ccd95b0 0x72240000 0x7274ffff Vad PAGE_EXECUTE_WRITECOPY 8 0 0xffffbf0f6ccd9dd0 \Users\John Doe\AppData\Local\Microsoft\OneDrive\21.062.0328.0001\Qt5Core.dll Disabled 6988 OneDrive.exe 0xbf0f6ccda050 0x71c60000 0x721bbfff Vad PAGE_EXECUTE_WRITECOPY 14 0 0xffffbf0f6ccd95b0 \Users\John Doe\AppData\Local\Microsoft\OneDrive\21.062.0328.0001\Qt5Gui.dll Disabled 6988 OneDrive.exe 0xbf0f6ccd9a10 0x721c0000 0x72239fff Vad PAGE_EXECUTE_WRITECOPY 5 0 0xffffbf0f6ccda050 \Users\John Doe\AppData\Local\Microsoft\OneDrive\21.062.0328.0001\WnsClientApi.dll Disabled 6988 OneDrive.exe 0xbf0f6ccd91f0 0x72d70000 0x72e32fff Vad PAGE_EXECUTE_WRITECOPY 3 0 0xffffbf0f6ccd95b0 \Windows\SysWOW64\propsys.dll Disabled 6988 OneDrive.exe 0xbf0f6ccda4b0 0x72a10000 0x72d6afff Vad PAGE_EXECUTE_WRITECOPY 14 0 0xffffbf0f6ccd91f0 \Users\John Doe\AppData\Local\Microsoft\OneDrive\21.062.0328.0001\Qt5Quick.dll Disabled 6988 OneDrive.exe 0xbf0f6ccd9ab0 0x72750000 0x72a0efff Vad PAGE_EXECUTE_WRITECOPY 10 0 0xffffbf0f6ccda4b0 \Users\John Doe\AppData\Local\Microsoft\OneDrive\21.062.0328.0001\Qt5Qml.dll Disabled 6988 OneDrive.exe 0xbf0f6ccd9e70 0x72ff0000 0x730b9fff Vad PAGE_EXECUTE_WRITECOPY 4 0 0xffffbf0f6ccd91f0 \Windows\SysWOW64\winhttp.dll Disabled 6988 OneDrive.exe 0xbf0f6ccda2d0 0x72e40000 0x72fe8fff Vad PAGE_EXECUTE_WRITECOPY 14 0 0xffffbf0f6ccd9e70 \Windows\SysWOW64\urlmon.dll Disabled 6988 OneDrive.exe 0xbf0f6ccd98d0 0x730c0000 0x730eafff Vad PAGE_EXECUTE_WRITECOPY 2 0 0xffffbf0f6ccd9e70 \Windows\SysWOW64\xmllite.dll Disabled 6988 OneDrive.exe 0xbf0f6d73e120 0x73aa0000 0x74297fff Vad PAGE_EXECUTE_WRITECOPY 53 0 0xffffbf0f6ccd9dd0 \Users\John Doe\AppData\Local\Microsoft\OneDrive\21.062.0328.0001\SyncEngine.dll Disabled 6988 OneDrive.exe 0xbf0f6ccda230 0x73550000 0x7375ffff Vad PAGE_EXECUTE_WRITECOPY 5 0 0xffffbf0f6d73e120 \Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.844_none_11adecdf30011423\comctl32.dll Disabled 6988 OneDrive.exe 0xbf0f6ccd9d30 0x731d0000 0x73339fff Vad PAGE_EXECUTE_WRITECOPY 4 0 0xffffbf0f6ccda230 \Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.928_none_429ce31a8a8fefd2\GdiPlus.dll Disabled 6988 OneDrive.exe 0xbf0f6ccd9510 0x731a0000 0x731c5fff Vad PAGE_EXECUTE_WRITECOPY 5 0 0xffffbf0f6ccd9d30 \Windows\SysWOW64\dwmapi.dll Disabled 6988 OneDrive.exe 0xbf0f6ccda370 0x73340000 0x7354ffff Vad PAGE_EXECUTE_WRITECOPY 7 0 0xffffbf0f6ccd9d30 \Users\John Doe\AppData\Local\Microsoft\OneDrive\21.062.0328.0001\FileSyncViews.dll Disabled 6988 OneDrive.exe 0xbf0f6d73ee40 0x73760000 0x73769fff Vad PAGE_EXECUTE_WRITECOPY 3 0 0xffffbf0f6ccda230 \Windows\SysWOW64\secur32.dll Disabled 6988 OneDrive.exe 0xbf0f6ccd9330 0x73770000 0x73a95fff Vad PAGE_EXECUTE_WRITECOPY 27 0 0xffffbf0f6d73ee40 \Users\John Doe\AppData\Local\Microsoft\OneDrive\21.062.0328.0001\FileSyncSessions.dll Disabled 6988 OneDrive.exe 0xbf0f6d72ec20 0x748a0000 0x748abfff Vad PAGE_EXECUTE_WRITECOPY 2 0 0xffffbf0f6d73e120 \Windows\SysWOW64\diagnosticdataquery.dll Disabled 6988 OneDrive.exe 0xbf0f6d7376e0 0x74340000 0x74379fff Vad PAGE_EXECUTE_WRITECOPY 4 0 0xffffbf0f6d72ec20 \Users\John Doe\AppData\Local\Microsoft\OneDrive\21.062.0328.0001\Telemetry.dll Disabled 6988 OneDrive.exe 0xbf0f6d737960 0x742a0000 0x7433ffff Vad PAGE_EXECUTE_WRITECOPY 9 0 0xffffbf0f6d7376e0 \Users\John Doe\AppData\Local\Microsoft\OneDrive\21.062.0328.0001\LogUploader.dll Disabled 6988 OneDrive.exe 0xbf0f6d733cc0 0x743e0000 0x74889fff Vad PAGE_EXECUTE_WRITECOPY 67 0 0xffffbf0f6d7376e0 \Users\John Doe\AppData\Local\Microsoft\OneDrive\21.062.0328.0001\FileSyncClient.dll Disabled 6988 OneDrive.exe 0xbf0f6d733d60 0x74380000 0x743ddfff Vad PAGE_EXECUTE_WRITECOPY 5 0 0xffffbf0f6d733cc0 \Users\John Doe\AppData\Local\Microsoft\OneDrive\21.062.0328.0001\UpdateRingSettings.dll Disabled 6988 OneDrive.exe 0xbf0f6d731d80 0x74890000 0x7489dfff Vad PAGE_EXECUTE_WRITECOPY 2 0 0xffffbf0f6d733cc0 \Windows\SysWOW64\Windows.System.Diagnostics.Telemetry.PlatformTelemetryClient.dll Disabled 6988 OneDrive.exe 0xbf0f6d72cce0 0x748c0000 0x748f0fff Vad PAGE_EXECUTE_WRITECOPY 3 0 0xffffbf0f6d72ec20 \Windows\SysWOW64\netprofm.dll Disabled 6988 OneDrive.exe 0xbf0f6d72d3c0 0x748b0000 0x748b9fff Vad PAGE_EXECUTE_WRITECOPY 2 0 0xffffbf0f6d72cce0 \Windows\SysWOW64\npmproxy.dll Disabled 6988 OneDrive.exe 0xbf0f6d72cc40 0x74900000 0x7498efff Vad PAGE_EXECUTE_WRITECOPY 3 0 0xffffbf0f6d72cce0 \Windows\SysWOW64\Windows.Networking.Connectivity.dll Disabled 6988 OneDrive.exe 0xbf0f6d72b480 0x74990000 0x749a5fff Vad PAGE_EXECUTE_WRITECOPY 3 0 0xffffbf0f6d72cc40 \Windows\SysWOW64\dhcpcsvc.dll Disabled 6988 OneDrive.exe 0xbf0f6d721980 0x75960000 0x75a60fff Vad PAGE_EXECUTE_WRITECOPY 6 0 0xffffbf0f6d7244a0 \Windows\SysWOW64\crypt32.dll Disabled 6988 OneDrive.exe 0xbf0f6d7230a0 0x74be0000 0x74bf3fff Vad PAGE_EXECUTE_WRITECOPY 2 0 0xffffbf0f6d721980 \Users\John Doe\AppData\Local\Microsoft\OneDrive\21.062.0328.0001\vcruntime140.dll Disabled 6988 OneDrive.exe 0xbf0f6be41bd0 0x74b80000 0x74baefff Vad PAGE_EXECUTE_WRITECOPY 3 0 0xffffbf0f6d7230a0 \Windows\SysWOW64\rsaenh.dll Disabled 6988 OneDrive.exe 0xbf0f6d724b80 0x749f0000 0x74b59fff Vad PAGE_EXECUTE_WRITECOPY 20 0 0xffffbf0f6be41bd0 \Users\John Doe\AppData\Local\Microsoft\OneDrive\21.062.0328.0001\OneDriveTelemetryExperimental.dll Disabled 6988 OneDrive.exe 0xbf0f6d724a40 0x74b60000 0x74b77fff Vad PAGE_EXECUTE_WRITECOPY 3 0 0xffffbf0f6d724b80 \Windows\SysWOW64\profapi.dll Disabled 6988 OneDrive.exe 0xbf0f6d723500 0x74bb0000 0x74bc2fff Vad PAGE_EXECUTE_WRITECOPY 3 0 0xffffbf0f6be41bd0 \Windows\SysWOW64\cryptsp.dll Disabled 6988 OneDrive.exe 0xbf0f6d723280 0x74bd0000 0x74bd9fff Vad PAGE_EXECUTE_WRITECOPY 3 0 0xffffbf0f6d723500 \Windows\SysWOW64\cryptbase.dll Disabled 6988 OneDrive.exe 0xbf0f6d723d20 0x75420000 0x75493fff Vad PAGE_EXECUTE_WRITECOPY 5 0 0xffffbf0f6d7230a0 \Windows\SysWOW64\uxtheme.dll Disabled 6988 OneDrive.exe 0xbf0f6d7233c0 0x74cc0000 0x74ddffff Vad PAGE_EXECUTE_WRITECOPY 3 0 0xffffbf0f6d723d20 \Users\John Doe\AppData\Local\Microsoft\OneDrive\21.062.0328.0001\ucrtbase.dll Disabled 6988 OneDrive.exe 0xbf0f6d722f60 0x74c00000 0x74c6cfff Vad PAGE_EXECUTE_WRITECOPY 4 0 0xffffbf0f6d7233c0 \Users\John Doe\AppData\Local\Microsoft\OneDrive\21.062.0328.0001\msvcp140.dll Disabled 6988 OneDrive.exe 0xbf0f6d723dc0 0x74c70000 0x74cbdfff Vad PAGE_EXECUTE_WRITECOPY 4 0 0xffffbf0f6d722f60 \Users\John Doe\AppData\Local\Microsoft\OneDrive\21.062.0328.0001\LoggingPlatform.dll Disabled 6988 OneDrive.exe 0xbf0f6d722ce0 0x74de0000 0x74e03fff Vad PAGE_EXECUTE_WRITECOPY 3 0 0xffffbf0f6d7233c0 \Windows\SysWOW64\wldp.dll Disabled 6988 OneDrive.exe 0xbf0f6d723a00 0x74e10000 0x75418fff Vad PAGE_EXECUTE_WRITECOPY 8 0 0xffffbf0f6d722ce0 \Windows\SysWOW64\windows.storage.dll Disabled 6988 OneDrive.exe 0xbf0f6d722600 0x754b0000 0x754befff Vad PAGE_EXECUTE_WRITECOPY 3 0 0xffffbf0f6d723d20 \Windows\SysWOW64\wtsapi32.dll Disabled 6988 OneDrive.exe 0xbf0f6d721ca0 0x754a0000 0x754aefff Vad PAGE_EXECUTE_WRITECOPY 3 0 0xffffbf0f6d722600 \Windows\SysWOW64\kernel.appcore.dll Disabled 6988 OneDrive.exe 0xbf0f6d7226a0 0x75920000 0x75944fff Vad PAGE_EXECUTE_WRITECOPY 3 0 0xffffbf0f6d722600 \Windows\SysWOW64\userenv.dll Disabled 6988 OneDrive.exe 0xbf0f6d721660 0x754c0000 0x75919fff Vad PAGE_EXECUTE_WRITECOPY 6 0 0xffffbf0f6d7226a0 \Windows\SysWOW64\wininet.dll Disabled 6988 OneDrive.exe 0xbf0f6d721ac0 0x75950000 0x75957fff Vad PAGE_EXECUTE_WRITECOPY 2 0 0xffffbf0f6d7226a0 \Windows\SysWOW64\version.dll Disabled 6988 OneDrive.exe 0xbf0f6d720620 0x76a00000 0x76aeffff Vad PAGE_EXECUTE_WRITECOPY 5 0 0xffffbf0f6d721980 \Windows\SysWOW64\kernel32.dll Disabled 6988 OneDrive.exe 0xbf0f6d7208a0 0x75e20000 0x75e9afff Vad PAGE_EXECUTE_WRITECOPY 5 0 0xffffbf0f6d720620 \Windows\SysWOW64\msvcp_win.dll Disabled 6988 OneDrive.exe 0xbf0f6d720d00 0x75be0000 0x75c9ffff Vad PAGE_EXECUTE_WRITECOPY 3 0 0xffffbf0f6d7208a0 \Windows\SysWOW64\rpcrt4.dll Disabled 6988 OneDrive.exe 0xbf0f6d720ee0 0x75b30000 0x75b47fff Vad PAGE_EXECUTE_WRITECOPY 2 0 0xffffbf0f6d720d00 \Windows\SysWOW64\win32u.dll Disabled 6988 OneDrive.exe 0xbf0f6d7210c0 0x75a70000 0x75b2efff Vad PAGE_EXECUTE_WRITECOPY 7 0 0xffffbf0f6d720ee0 \Windows\SysWOW64\msvcrt.dll Disabled 6988 OneDrive.exe 0xbf0f6d720c60 0x75b60000 0x75bd9fff Vad PAGE_EXECUTE_WRITECOPY 6 0 0xffffbf0f6d720ee0 \Windows\SysWOW64\advapi32.dll Disabled 6988 OneDrive.exe 0xbf0f6d724d60 0x75b50000 0x75b56fff Vad PAGE_EXECUTE_WRITECOPY 2 0 0xffffbf0f6d720c60 \Windows\SysWOW64\nsi.dll Disabled 6988 OneDrive.exe 0xbf0f6d722240 0x75d00000 0x75de2fff Vad PAGE_EXECUTE_WRITECOPY 4 0 0xffffbf0f6d720d00 \Windows\SysWOW64\ole32.dll Disabled 6988 OneDrive.exe 0xbf0f6d721f20 0x75ca0000 0x75cfcfff Vad PAGE_EXECUTE_WRITECOPY 2 0 0xffffbf0f6d722240 \Windows\SysWOW64\bcryptprimitives.dll Disabled 6988 OneDrive.exe 0xbf0f6d722920 0x75df0000 0x75e14fff Vad PAGE_EXECUTE_WRITECOPY 3 0 0xffffbf0f6d722240 \Windows\SysWOW64\imm32.dll Disabled 6988 OneDrive.exe 0xbf0f6d721160 0x76200000 0x76274fff Vad PAGE_EXECUTE_WRITECOPY 5 0 0xffffbf0f6d7208a0 \Windows\SysWOW64\sechost.dll Disabled 6988 OneDrive.exe 0xbf0f6d721020 0x75f80000 0x76115fff Vad PAGE_EXECUTE_WRITECOPY 6 0 0xffffbf0f6d721160 \Windows\SysWOW64\user32.dll Disabled 6988 OneDrive.exe 0xbf0f6d722100 0x75ee0000 0x75f75fff Vad PAGE_EXECUTE_WRITECOPY 4 0 0xffffbf0f6d721020 \Windows\SysWOW64\oleaut32.dll Disabled 6988 OneDrive.exe 0xbf0f6d86e0e0 0x75ea0000 0x75edafff Vad PAGE_EXECUTE_WRITECOPY 3 0 0xffffbf0f6d722100 \Windows\SysWOW64\cfgmgr32.dll Disabled 6988 OneDrive.exe 0xbf0f6d866160 0x76120000 0x761f2fff Vad PAGE_EXECUTE_WRITECOPY 5 0 0xffffbf0f6d721020 \Windows\SysWOW64\msctf.dll Disabled 6988 OneDrive.exe 0xbf0f6d722420 0x763a0000 0x763e4fff Vad PAGE_EXECUTE_WRITECOPY 3 0 0xffffbf0f6d721160 \Windows\SysWOW64\shlwapi.dll Disabled 6988 OneDrive.exe 0xbf0f6d720940 0x76280000 0x7639ffff Vad PAGE_EXECUTE_WRITECOPY 3 0 0xffffbf0f6d722420 \Windows\SysWOW64\ucrtbase.dll Disabled 6988 OneDrive.exe 0xbf0f6d723140 0x76490000 0x764f2fff Vad PAGE_EXECUTE_WRITECOPY 3 0 0xffffbf0f6d722420 \Windows\SysWOW64\ws2_32.dll Disabled 6988 OneDrive.exe 0xbf0f6d8679c0 0x76480000 0x76486fff Vad PAGE_EXECUTE_WRITECOPY 2 0 0xffffbf0f6d723140 \Windows\SysWOW64\normaliz.dll Disabled 6988 OneDrive.exe 0xbf0f6d721c00 0x76970000 0x769f6fff Vad PAGE_EXECUTE_WRITECOPY 3 0 0xffffbf0f6d723140 \Windows\SysWOW64\SHCore.dll Disabled 6988 OneDrive.exe 0xbf0f6b7f1160 0x7ffe8000 0x7ffe8fff VadS PAGE_READONLY 1 1 0xffffbf0f6d720620 N/A Disabled 6988 OneDrive.exe 0xbf0f6d7206c0 0x77430000 0x77643fff Vad PAGE_EXECUTE_WRITECOPY 6 0 0xffffbf0f6b7f1160 \Windows\SysWOW64\KernelBase.dll Disabled 6988 OneDrive.exe 0xbf0f6d720800 0x76b70000 0x76c4bfff Vad PAGE_EXECUTE_WRITECOPY 5 0 0xffffbf0f6d7206c0 \Windows\SysWOW64\gdi32full.dll Disabled 6988 OneDrive.exe 0xbf0f6d72a760 0x76af0000 0x76b6dfff Vad PAGE_EXECUTE_WRITECOPY 6 0 0xffffbf0f6d720800 \Windows\SysWOW64\clbcatq.dll Disabled 6988 OneDrive.exe 0xbf0f6d7212a0 0x76e20000 0x773d2fff Vad PAGE_EXECUTE_WRITECOPY 11 0 0xffffbf0f6d720800 \Windows\SysWOW64\shell32.dll Disabled 6988 OneDrive.exe 0xbf0f6d737820 0x773e0000 0x77426fff Vad PAGE_EXECUTE_WRITECOPY 3 0 0xffffbf0f6d7212a0 \Windows\SysWOW64\wintrust.dll Disabled 6988 OneDrive.exe 0xbf0f6d7215c0 0x77aa0000 0x77aa9fff Vad PAGE_EXECUTE_WRITECOPY 2 0 0xffffbf0f6d7206c0 \Windows\System32\wow64cpu.dll Disabled 6988 OneDrive.exe 0xbf0f6d7218e0 0x777e0000 0x77a61fff Vad PAGE_EXECUTE_WRITECOPY 6 0 0xffffbf0f6d7215c0 \Windows\SysWOW64\combase.dll Disabled 6988 OneDrive.exe 0xbf0f6cac8a10 0x776b0000 0x776c8fff Vad PAGE_EXECUTE_WRITECOPY 3 0 0xffffbf0f6d7218e0 \Windows\SysWOW64\bcrypt.dll Disabled 6988 OneDrive.exe 0xbf0f6d720440 0x77a70000 0x77a92fff Vad PAGE_EXECUTE_WRITECOPY 3 0 0xffffbf0f6d7218e0 \Windows\SysWOW64\gdi32.dll Disabled 6988 OneDrive.exe 0xbf0f6d71f720 0x77ab0000 0x77c52fff Vad PAGE_EXECUTE_WRITECOPY 9 0 0xffffbf0f6d7215c0 \Windows\SysWOW64\ntdll.dll Disabled 6988 OneDrive.exe 0xbf0f6b7f1570 0x7ffe0000 0x7ffe0fff VadS PAGE_READONLY 1 1 0xffffbf0f6d71f720 N/A Disabled 6988 OneDrive.exe 0xbf0f6d71f860 0xff640000 0xff662fff Vad PAGE_READONLY 0 0 0xffffbf0f6b7f1160 N/A Disabled 6988 OneDrive.exe 0xbf0f6ca58bf0 0xff5e0000 0xff5e1fff VadS PAGE_READWRITE 1 1 0xffffbf0f6d71f860 N/A Disabled 6988 OneDrive.exe 0xbf0f6ca592d0 0xff5c0000 0xff5d0fff VadS PAGE_READWRITE 1 1 0xffffbf0f6ca58bf0 N/A Disabled 6988 OneDrive.exe 0xbf0f6d720bc0 0xff4c0000 0xff5bffff Vad PAGE_READONLY 0 0 0xffffbf0f6ca592d0 N/A Disabled 6988 OneDrive.exe 0xbf0f6b7f2330 0xff620000 0xff621fff VadS PAGE_READWRITE 1 1 0xffffbf0f6ca58bf0 N/A Disabled 6988 OneDrive.exe 0xbf0f6ca4f820 0xff5f0000 0xff610fff VadS PAGE_READWRITE 1 1 0xffffbf0f6b7f2330 N/A Disabled 6988 OneDrive.exe 0xbf0f6d71f0e0 0xff630000 0xff630fff Vad PAGE_READONLY 0 0 0xffffbf0f6b7f2330 N/A Disabled 6988 OneDrive.exe 0xbf0f6d71f040 0x7df5aa700000 0x7ff5aa6fffff Vad PAGE_NOACCESS 732 0 0xffffbf0f6d71f860 N/A Disabled 6988 OneDrive.exe 0xbf0f6b7f1390 0xffff0000 0xffffffff VadS PAGE_READONLY 2147483647 1 0xffffbf0f6d71f040 N/A Disabled 6988 OneDrive.exe 0xbf0f6d721520 0x7ffd89530000 0x7ffd895b2fff Vad PAGE_EXECUTE_WRITECOPY 5 0 0xffffbf0f6d71f040 \Windows\System32\wow64win.dll Disabled 6988 OneDrive.exe 0xbf0f6d720580 0x7ffd88110000 0x7ffd88168fff Vad PAGE_EXECUTE_WRITECOPY 5 0 0xffffbf0f6d721520 \Windows\System32\wow64.dll Disabled 6988 OneDrive.exe 0xbf0f6d71ef00 0x7ffd89810000 0x7ffd89a04fff Vad PAGE_EXECUTE_WRITECOPY 17 0 0xffffbf0f6d721520 \Windows\System32\ntdll.dll Disabled`

iMHLv2 commented 2 years ago

Hi @KDPryor - sorry for the delay. Those are interesting results, because vadinfo didn't have an issue parsing the VADs for pid 6988, but dumpfiles does (and dumpfiles just internally calls the same methods as vadinfo). Is the memory sample sharable, by any chance? Also, 1.2.1 should still have the dumpfiles plugin - we haven't removed it!

github-actions[bot] commented 10 months ago

This issue is stale because it has been open for 200 days with no activity.

github-actions[bot] commented 8 months ago

This issue was closed because it has been inactive for 60 days since being marked as stale.