```text
f4.1858: Log file opened: 5.0.20r106931 g_hStartupLog=0000000000000084 g_uNtVerCombined=0xa0295a00
f4.1858: \SystemRoot\System32\ntdll.dll:
f4.1858: CreationTime: 2016-05-24T11:23:17.033864600Z
f4.1858: LastWriteTime: 2016-04-23T05:24:28.464629900Z
f4.1858: ChangeTime: 2016-05-24T12:41:34.595936100Z
f4.1858: FileAttributes: 0x20
f4.1858: Size: 0x1bc248
f4.1858: NT Headers: 0xe0
f4.1858: Timestamp: 0x571af2eb
f4.1858: Machine: 0x8664 - amd64
f4.1858: Timestamp: 0x571af2eb
f4.1858: Image Version: 10.0
f4.1858: SizeOfImage: 0x1c1000 (1839104)
f4.1858: Resource Dir: 0x159000 LB 0x66218
f4.1858: ProductName: Microsoft® Windows® Operating System
f4.1858: ProductVersion: 10.0.10586.306
f4.1858: FileVersion: 10.0.10586.306 (th2_release_sec.160422-1850)
f4.1858: FileDescription: NT Layer DLL
f4.1858: \SystemRoot\System32\kernel32.dll:
f4.1858: CreationTime: 2015-10-30T07:17:46.221743200Z
f4.1858: LastWriteTime: 2015-10-30T07:17:46.221743200Z
f4.1858: ChangeTime: 2016-05-24T13:37:16.549608400Z
f4.1858: FileAttributes: 0x20
f4.1858: Size: 0xac430
f4.1858: NT Headers: 0xf0
f4.1858: Timestamp: 0x5632d5aa
f4.1858: Machine: 0x8664 - amd64
f4.1858: Timestamp: 0x5632d5aa
f4.1858: Image Version: 10.0
f4.1858: SizeOfImage: 0xad000 (708608)
f4.1858: Resource Dir: 0xab000 LB 0x528
f4.1858: ProductName: Microsoft® Windows® Operating System
f4.1858: ProductVersion: 10.0.10586.0
f4.1858: FileVersion: 10.0.10586.0 (th2_release.151029-1700)
f4.1858: FileDescription: Windows NT BASE API Client DLL
f4.1858: \SystemRoot\System32\KernelBase.dll:
f4.1858: CreationTime: 2016-05-24T11:24:05.220372200Z
f4.1858: LastWriteTime: 2016-04-23T05:24:41.063286800Z
f4.1858: ChangeTime: 2016-05-24T12:41:33.611507200Z
f4.1858: FileAttributes: 0x20
f4.1858: Size: 0x1e7a10
f4.1858: NT Headers: 0xf0
f4.1858: Timestamp: 0x571af331
f4.1858: Machine: 0x8664 - amd64
f4.1858: Timestamp: 0x571af331
f4.1858: Image Version: 10.0
f4.1858: SizeOfImage: 0x1e8000 (1998848)
f4.1858: Resource Dir: 0x1d1000 LB 0x548
f4.1858: ProductName: Microsoft® Windows® Operating System
f4.1858: ProductVersion: 10.0.10586.306
f4.1858: FileVersion: 10.0.10586.306 (th2_release_sec.160422-1850)
f4.1858: FileDescription: Windows NT BASE API Client DLL
f4.1858: \SystemRoot\System32\apisetschema.dll:
f4.1858: CreationTime: 2015-10-30T07:17:57.502957900Z
f4.1858: LastWriteTime: 2015-10-30T07:17:57.502957900Z
f4.1858: ChangeTime: 2016-05-24T13:37:15.315173200Z
f4.1858: FileAttributes: 0x20
f4.1858: Size: 0x16d60
f4.1858: NT Headers: 0xc8
f4.1858: Timestamp: 0x5632d94c
f4.1858: Machine: 0x8664 - amd64
f4.1858: Timestamp: 0x5632d94c
f4.1858: Image Version: 10.0
f4.1858: SizeOfImage: 0x18000 (98304)
f4.1858: Resource Dir: 0x17000 LB 0x400
f4.1858: ProductName: Microsoft® Windows® Operating System
f4.1858: ProductVersion: 10.0.10586.0
f4.1858: FileVersion: 10.0.10586.0 (th2_release.151029-1700)
f4.1858: FileDescription: ApiSet Schema DLL
f4.1858: NtOpenDirectoryObject failed on \Driver: 0xc0000022
f4.1858: supR3HardenedWinFindAdversaries: 0x0
f4.1858: supR3HardenedWinInitAppBin(0x0): '\Device\HarddiskVolume4\Program Files\Oracle\VirtualBox'
f4.1858: Calling main()
f4.1858: SUPR3HardenedMain: pszProgName=VirtualBox fFlags=0x2
f4.1858: supR3HardenedWinInitAppBin(0x2): '\Device\HarddiskVolume4\Program Files\Oracle\VirtualBox'
f4.1858: SUPR3HardenedMain: Respawn #1
f4.1858: System32: \Device\HarddiskVolume4\Windows\System32
f4.1858: WinSxS: \Device\HarddiskVolume4\Windows\WinSxS
f4.1858: KnownDllPath: C:\WINDOWS\system32
f4.1858: '\Device\HarddiskVolume4\Program Files\Oracle\VirtualBox\VirtualBox.exe' has no imports
f4.1858: supHardenedWinVerifyImageByHandle: -> 0 (\Device\HarddiskVolume4\Program Files\Oracle\VirtualBox\VirtualBox.exe)
f4.1858: supR3HardNtEnableThreadCreation:
f4.1858: supR3HardNtDisableThreadCreation: pvLdrInitThunk=00007ffd6f9f6d50 pvNtTerminateThread=00007ffd6fa25b30
f4.1858: supR3HardenedWinDoReSpawn(1): New child 173c.100 [kernel32].
f4.1858: supR3HardNtChildGatherData: PebBaseAddress=00000000003e8000 cbPeb=0x388
f4.1858: supR3HardNtPuChFindNtdll: uNtDllParentAddr=00007ffd6f980000 uNtDllChildAddr=00007ffd6f980000
f4.1858: supR3HardenedWinSetupChildInit: uLdrInitThunk=00007ffd6f9f6d50
f4.1858: supR3HardenedWinSetupChildInit: Start child.
f4.1858: supR3HardNtChildWaitFor: Found expected request 0 (PurifyChildAndCloseHandles) after 0 ms.
f4.1858: supR3HardNtChildPurify: Startup delay kludge #1/0: 259 ms, 29 sleeps
f4.1858: supHardNtVpScanVirtualMemory: enmKind=CHILD_PURIFICATION
f4.1858: *0000000000000000-fffffffffffeffff 0x0001/0x0000 0x0000000
f4.1858: *0000000000010000-fffffffffffeffff 0x0004/0x0004 0x0020000
f4.1858: *0000000000030000-000000000001afff 0x0002/0x0002 0x0040000
f4.1858: 0000000000045000-0000000000039fff 0x0001/0x0000 0x0000000
f4.1858: *0000000000050000-fffffffffff54fff 0x0000/0x0004 0x0020000
f4.1858: 000000000014b000-0000000000147fff 0x0104/0x0004 0x0020000
f4.1858: 000000000014e000-000000000014bfff 0x0004/0x0004 0x0020000
f4.1858: *0000000000150000-000000000014bfff 0x0002/0x0002 0x0040000
f4.1858: 0000000000154000-0000000000147fff 0x0001/0x0000 0x0000000
f4.1858: *0000000000160000-000000000015dfff 0x0004/0x0004 0x0020000
f4.1858: 0000000000162000-00000000000c3fff 0x0001/0x0000 0x0000000
f4.1858: *0000000000200000-0000000000017fff 0x0000/0x0004 0x0020000
f4.1858: 00000000003e8000-00000000003e4fff 0x0004/0x0004 0x0020000
f4.1858: 00000000003eb000-00000000003d5fff 0x0000/0x0004 0x0020000
f4.1858: 0000000000400000-ffffffff8081ffff 0x0001/0x0000 0x0000000
f4.1858: *000000007ffe0000-000000007ffdefff 0x0002/0x0002 0x0020000
f4.1858: 000000007ffe1000-000000007ffd1fff 0x0000/0x0002 0x0020000
f4.1858: 000000007fff0000-ffff800936d2ffff 0x0001/0x0000 0x0000000
f4.1858: *00007ff7c92b0000-00007ff7c92aefff 0x0040/0x0040 0x0020000 !!
f4.1858: supHardNtVpFreeOrReplacePrivateExecMemory: Freeing exec mem at 00007ff7c92b0000 (LB 0x1000, 00007ff7c92b0000 LB 0x1000)
f4.1858: supHardNtVpFreeOrReplacePrivateExecMemory: Free attempt #1 succeeded: 0x0 [00007ff7c92b0000/00007ff7c92b0000 LB 0/0x1000]
f4.1858: supHardNtVpFreeOrReplacePrivateExecMemory: QVM after free 0: [0000000000000000]/00007ff7c92b0000 LB 0x10000 s=0x10000 ap=0x0 rp=0x00400100000001
f4.1858: 00007ff7c92b1000-00007ff7c92a1fff 0x0001/0x0000 0x0000000
f4.1858: *00007ff7c92c0000-00007ff7c929cfff 0x0002/0x0002 0x0040000
f4.1858: 00007ff7c92e3000-00007ff7c9275fff 0x0001/0x0000 0x0000000
f4.1858: *00007ff7c9350000-00007ff7c9350fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume4\PROGRA~1\Oracle\VIRTUA~1\VIRTUA~1.EXE
f4.1858: 00007ff7c9351000-00007ff7c93c0fff 0x0020/0x0080 0x1000000 \Device\HarddiskVolume4\PROGRA~1\Oracle\VIRTUA~1\VIRTUA~1.EXE
f4.1858: 00007ff7c93c1000-00007ff7c93c1fff 0x0080/0x0080 0x1000000 \Device\HarddiskVolume4\PROGRA~1\Oracle\VIRTUA~1\VIRTUA~1.EXE
f4.1858: 00007ff7c93c2000-00007ff7c9406fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume4\PROGRA~1\Oracle\VIRTUA~1\VIRTUA~1.EXE
f4.1858: 00007ff7c9407000-00007ff7c9407fff 0x0004/0x0080 0x1000000 \Device\HarddiskVolume4\PROGRA~1\Oracle\VIRTUA~1\VIRTUA~1.EXE
f4.1858: 00007ff7c9408000-00007ff7c9408fff 0x0008/0x0080 0x1000000 \Device\HarddiskVolume4\PROGRA~1\Oracle\VIRTUA~1\VIRTUA~1.EXE
f4.1858: 00007ff7c9409000-00007ff7c940dfff 0x0004/0x0080 0x1000000 \Device\HarddiskVolume4\PROGRA~1\Oracle\VIRTUA~1\VIRTUA~1.EXE
f4.1858: 00007ff7c940e000-00007ff7c940efff 0x0008/0x0080 0x1000000 \Device\HarddiskVolume4\PROGRA~1\Oracle\VIRTUA~1\VIRTUA~1.EXE
f4.1858: 00007ff7c940f000-00007ff7c940ffff 0x0004/0x0080 0x1000000 \Device\HarddiskVolume4\PROGRA~1\Oracle\VIRTUA~1\VIRTUA~1.EXE
f4.1858: 00007ff7c9410000-00007ff7c9413fff 0x0008/0x0080 0x1000000 \Device\HarddiskVolume4\PROGRA~1\Oracle\VIRTUA~1\VIRTUA~1.EXE
f4.1858: 00007ff7c9414000-00007ff7c945bfff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume4\PROGRA~1\Oracle\VIRTUA~1\VIRTUA~1.EXE
f4.1858: 00007ff7c945c000-00007ff222f37fff 0x0001/0x0000 0x0000000
f4.1858: *00007ffd6f980000-00007ffd6f980fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume4\Windows\System32\ntdll.dll
f4.1858: 00007ffd6f981000-00007ffd6fa7dfff 0x0020/0x0080 0x1000000 \Device\HarddiskVolume4\Windows\System32\ntdll.dll
f4.1858: 00007ffd6fa7e000-00007ffd6fabefff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume4\Windows\System32\ntdll.dll
f4.1858: 00007ffd6fabf000-00007ffd6fac7fff 0x0008/0x0080 0x1000000 \Device\HarddiskVolume4\Windows\System32\ntdll.dll
f4.1858: 00007ffd6fac8000-00007ffd6fad4fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume4\Windows\System32\ntdll.dll
f4.1858: 00007ffd6fad5000-00007ffd6fad5fff 0x0004/0x0080 0x1000000 \Device\HarddiskVolume4\Windows\System32\ntdll.dll
f4.1858: 00007ffd6fad6000-00007ffd6fad8fff 0x0008/0x0080 0x1000000 \Device\HarddiskVolume4\Windows\System32\ntdll.dll
f4.1858: 00007ffd6fad9000-00007ffd6fb40fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume4\Windows\System32\ntdll.dll
f4.1858: 00007ffd6fb41000-00007ffadf6a1fff 0x0001/0x0000 0x0000000
f4.1858: *00007ffffffe0000-00007ffffffcffff 0x0001/0x0002 0x0020000
f4.1858: VirtualBox.exe: timestamp 0x57220aaf (rc=VINF_SUCCESS)
f4.1858: Error (rc=-5618):
f4.1858: Process image name does not match the exectuable we found: \Device\HarddiskVolume4\Program Files\Oracle\VirtualBox\VirtualBox.exe vs \Device\HarddiskVolume4\PROGRA~1\Oracle\VIRTUA~1\VIRTUA~1.EXE.
f4.1858: Error (rc=-5618):
f4.1858: supHardenedWinVerifyProcess failed with Unknown Status -5618 (0xffffea0e): Process image name does not match the exectuable we found: \Device\HarddiskVolume4\Program Files\Oracle\VirtualBox\VirtualBox.exe vs \Device\HarddiskVolume4\PROGRA~1\Oracle\VIRTUA~1\VIRTUA~1.EXE.
f4.1858: Error -5618 in supR3HardNtChildPurify! (enmWhat=5)
f4.1858: supHardenedWinVerifyProcess failed with Unknown Status -5618 (0xffffea0e): Process image name does not match the exectuable we found: \Device\HarddiskVolume4\Program Files\Oracle\VirtualBox\VirtualBox.exe vs \Device\HarddiskVolume4\PROGRA~1\Oracle\VIRTUA~1\VIRTUA~1.EXE.
f4.1858: supR3HardNtEnableThreadCreation:
```