```
ca0.2a2c: Log file opened: 5.2.4r119785 g_hStartupLog=0000000000000070 g_uNtVerCombined=0xa0383900
ca0.2a2c: \SystemRoot\System32\ntdll.dll:
ca0.2a2c: CreationTime: 2017-09-14T07:01:46.664917300Z
ca0.2a2c: LastWriteTime: 2017-09-07T06:03:35.589628500Z
ca0.2a2c: ChangeTime: 2017-09-14T08:15:40.988885300Z
ca0.2a2c: FileAttributes: 0x20
ca0.2a2c: Size: 0x1cccb0
ca0.2a2c: NT Headers: 0xd8
ca0.2a2c: Timestamp: 0x59b0d03e
ca0.2a2c: Machine: 0x8664 - amd64
ca0.2a2c: Timestamp: 0x59b0d03e
ca0.2a2c: Image Version: 10.0
ca0.2a2c: SizeOfImage: 0x1d2000 (1908736)
ca0.2a2c: Resource Dir: 0x169000 LB 0x67a50
ca0.2a2c: [Version info resource found at 0xd8! (ID/Name: 0x1; SubID/SubName: 0x409)]
ca0.2a2c: [Raw version resource data: 0x1690f0 LB 0x398, codepage 0x0 (reserved 0x0)]
ca0.2a2c: ProductName: Microsoft® Windows® Operating System
ca0.2a2c: ProductVersion: 10.0.14393.1715
ca0.2a2c: FileVersion: 10.0.14393.1715 (rs1_release_inmarket.170906-1810)
ca0.2a2c: FileDescription: NT Layer DLL
ca0.2a2c: \SystemRoot\System32\kernel32.dll:
ca0.2a2c: CreationTime: 2017-09-14T07:02:03.004530200Z
ca0.2a2c: LastWriteTime: 2017-04-28T00:49:43.332433600Z
ca0.2a2c: ChangeTime: 2017-09-14T08:15:21.281079100Z
ca0.2a2c: FileAttributes: 0x20
ca0.2a2c: Size: 0xab208
ca0.2a2c: NT Headers: 0xf0
ca0.2a2c: Timestamp: 0x59028368
ca0.2a2c: Machine: 0x8664 - amd64
ca0.2a2c: Timestamp: 0x59028368
ca0.2a2c: Image Version: 10.0
ca0.2a2c: SizeOfImage: 0xac000 (704512)
ca0.2a2c: Resource Dir: 0xaa000 LB 0x530
ca0.2a2c: [Version info resource found at 0x90! (ID/Name: 0x1; SubID/SubName: 0x409)]
ca0.2a2c: [Raw version resource data: 0xaa0b0 LB 0x3b4, codepage 0x0 (reserved 0x0)]
ca0.2a2c: ProductName: Microsoft® Windows® Operating System
ca0.2a2c: ProductVersion: 10.0.14393.1198
ca0.2a2c: FileVersion: 10.0.14393.1198 (rs1_release_sec.170427-1353)
ca0.2a2c: FileDescription: Windows NT BASE API Client DLL
ca0.2a2c: \SystemRoot\System32\KernelBase.dll:
ca0.2a2c: CreationTime: 2017-09-14T07:03:41.892462800Z
ca0.2a2c: LastWriteTime: 2017-09-07T06:03:59.714868700Z
ca0.2a2c: ChangeTime: 2017-09-14T08:15:37.972503200Z
ca0.2a2c: FileAttributes: 0x20
ca0.2a2c: Size: 0x21c780
ca0.2a2c: NT Headers: 0xf8
ca0.2a2c: Timestamp: 0x59b0d106
ca0.2a2c: Machine: 0x8664 - amd64
ca0.2a2c: Timestamp: 0x59b0d106
ca0.2a2c: Image Version: 10.0
ca0.2a2c: SizeOfImage: 0x21d000 (2215936)
ca0.2a2c: Resource Dir: 0x201000 LB 0x560
ca0.2a2c: [Version info resource found at 0x90! (ID/Name: 0x1; SubID/SubName: 0x409)]
ca0.2a2c: [Raw version resource data: 0x2010b0 LB 0x3d4, codepage 0x0 (reserved 0x0)]
ca0.2a2c: ProductName: Microsoft® Windows® Operating System
ca0.2a2c: ProductVersion: 10.0.14393.1715
ca0.2a2c: FileVersion: 10.0.14393.1715 (rs1_release_inmarket.170906-1810)
ca0.2a2c: FileDescription: Windows NT BASE API Client DLL
ca0.2a2c: \SystemRoot\System32\apisetschema.dll:
ca0.2a2c: CreationTime: 2017-09-14T07:02:01.403113700Z
ca0.2a2c: LastWriteTime: 2017-07-12T06:15:56.983190800Z
ca0.2a2c: ChangeTime: 2017-09-14T08:15:31.752249900Z
ca0.2a2c: FileAttributes: 0x20
ca0.2a2c: Size: 0x18b60
ca0.2a2c: NT Headers: 0xc8
ca0.2a2c: Timestamp: 0x5965b2bd
ca0.2a2c: Machine: 0x8664 - amd64
ca0.2a2c: Timestamp: 0x5965b2bd
ca0.2a2c: Image Version: 10.0
ca0.2a2c: SizeOfImage: 0x19000 (102400)
ca0.2a2c: Resource Dir: 0x18000 LB 0x408
ca0.2a2c: [Version info resource found at 0x48! (ID/Name: 0x1; SubID/SubName: 0x409)]
ca0.2a2c: [Raw version resource data: 0x18060 LB 0x3a4, codepage 0x0 (reserved 0x0)]
ca0.2a2c: ProductName: Microsoft® Windows® Operating System
ca0.2a2c: ProductVersion: 10.0.14393.1532
ca0.2a2c: FileVersion: 10.0.14393.1532 (rs1_release_d.170711-1840)
ca0.2a2c: FileDescription: ApiSet Schema DLL
ca0.2a2c: NtOpenDirectoryObject failed on \Driver: 0xc0000022
ca0.2a2c: supR3HardenedWinFindAdversaries: 0x0
ca0.2a2c: supR3HardenedWinInitAppBin(0x0): '\Device\HarddiskVolume2\Program Files\Oracle\VirtualBox'
ca0.2a2c: Calling main()
ca0.2a2c: SUPR3HardenedMain: pszProgName=VirtualBox fFlags=0x2
ca0.2a2c: supR3HardenedWinInitAppBin(0x2): '\Device\HarddiskVolume2\Program Files\Oracle\VirtualBox'
ca0.2a2c: SUPR3HardenedMain: Respawn #1
ca0.2a2c: System32: \Device\HarddiskVolume2\Windows\System32
ca0.2a2c: WinSxS: \Device\HarddiskVolume2\Windows\WinSxS
ca0.2a2c: KnownDllPath: C:\WINDOWS\System32
ca0.2a2c: '\Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBox.exe' has no imports
ca0.2a2c: supHardenedWinVerifyImageByHandle: -> 0 (\Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBox.exe)
ca0.2a2c: supR3HardNtEnableThreadCreation:
ca0.2a2c: supR3HardNtDisableThreadCreation: pvLdrInitThunk=00007fff3e789f60 pvNtTerminateThread=00007fff3e7b6af0
ca0.2a2c: supR3HardenedWinDoReSpawn(1): New child 2328.2e04 [kernel32].
ca0.2a2c: supR3HardNtChildGatherData: PebBaseAddress=0000000000826000 cbPeb=0x388
ca0.2a2c: supR3HardNtPuChFindNtdll: uNtDllParentAddr=00007fff3e710000 uNtDllChildAddr=00007fff3e710000
ca0.2a2c: supR3HardenedWinSetupChildInit: uLdrInitThunk=00007fff3e789f60
ca0.2a2c: supR3HardenedWinSetupChildInit: Start child.
ca0.2a2c: supR3HardNtChildWaitFor: Found expected request 0 (PurifyChildAndCloseHandles) after 0 ms.
ca0.2a2c: supR3HardNtChildPurify: Startup delay kludge #1/0: 258 ms, 31 sleeps
ca0.2a2c: supHardNtVpScanVirtualMemory: enmKind=CHILD_PURIFICATION
ca0.2a2c: *0000000000000000-000000000066ffff 0x0001/0x0000 0x0000000
ca0.2a2c: *0000000000670000-000000000068ffff 0x0004/0x0004 0x0020000
ca0.2a2c: *0000000000690000-00000000006a5fff 0x0002/0x0002 0x0040000
ca0.2a2c: 00000000006a6000-00000000006affff 0x0001/0x0000 0x0000000
ca0.2a2c: *00000000006b0000-00000000007aafff 0x0000/0x0004 0x0020000
ca0.2a2c: 00000000007ab000-00000000007adfff 0x0104/0x0004 0x0020000
ca0.2a2c: 00000000007ae000-00000000007affff 0x0004/0x0004 0x0020000
ca0.2a2c: *00000000007b0000-00000000007b3fff 0x0002/0x0002 0x0040000
ca0.2a2c: 00000000007b4000-00000000007bffff 0x0001/0x0000 0x0000000
ca0.2a2c: *00000000007c0000-00000000007c1fff 0x0004/0x0004 0x0020000
ca0.2a2c: 00000000007c2000-00000000007fffff 0x0001/0x0000 0x0000000
ca0.2a2c: *0000000000800000-0000000000825fff 0x0000/0x0004 0x0020000
ca0.2a2c: 0000000000826000-0000000000828fff 0x0004/0x0004 0x0020000
ca0.2a2c: 0000000000829000-00000000009fffff 0x0000/0x0004 0x0020000
ca0.2a2c: 0000000000a00000-00000000052affff 0x0001/0x0000 0x0000000
ca0.2a2c: *00000000052b0000-00000000052b0fff 0x0020/0x0040 0x0020000 !!
ca0.2a2c: supHardNtVpFreeOrReplacePrivateExecMemory: Freeing exec mem at 00000000052b0000 (LB 0x1000, 00000000052b0000 LB 0x1000)
ca0.2a2c: supHardNtVpFreeOrReplacePrivateExecMemory: Free attempt #1 succeeded: 0x0 [00000000052b0000/00000000052b0000 LB 0/0x1000]
ca0.2a2c: supHardNtVpFreeOrReplacePrivateExecMemory: QVM after free 0: [0000000000000000]/00000000052b0000 LB 0x7ad30000 s=0x10000 ap=0x0 rp=0x00000000000001
ca0.2a2c: 00000000052b1000-000000007ffdffff 0x0001/0x0000 0x0000000
ca0.2a2c: *000000007ffe0000-000000007ffe0fff 0x0002/0x0002 0x0020000
ca0.2a2c: 000000007ffe1000-000000007ffeffff 0x0000/0x0002 0x0020000
ca0.2a2c: 000000007fff0000-00007ff72c9bffff 0x0001/0x0000 0x0000000
ca0.2a2c: *00007ff72c9c0000-00007ff72c9e2fff 0x0002/0x0002 0x0040000
ca0.2a2c: 00007ff72c9e3000-00007ff72d76ffff 0x0001/0x0000 0x0000000
ca0.2a2c: *00007ff72d770000-00007ff72d770fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\PROGRA~1\Oracle\VIRTUA~1\VIRTUA~1.EXE
ca0.2a2c: supHardNtVpNewImage: 8dot3 -> long: '\Device\HarddiskVolume2\PROGRA~1\Oracle\VIRTUA~1\VIRTUA~1.EXE' -> '\Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBox.exe'
ca0.2a2c: 00007ff72d771000-00007ff72d7e1fff 0x0020/0x0080 0x1000000 \Device\HarddiskVolume2\PROGRA~1\Oracle\VIRTUA~1\VIRTUA~1.EXE
ca0.2a2c: 00007ff72d7e2000-00007ff72d7e2fff 0x0080/0x0080 0x1000000 \Device\HarddiskVolume2\PROGRA~1\Oracle\VIRTUA~1\VIRTUA~1.EXE
ca0.2a2c: 00007ff72d7e3000-00007ff72d828fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\PROGRA~1\Oracle\VIRTUA~1\VIRTUA~1.EXE
ca0.2a2c: 00007ff72d829000-00007ff72d829fff 0x0004/0x0080 0x1000000 \Device\HarddiskVolume2\PROGRA~1\Oracle\VIRTUA~1\VIRTUA~1.EXE
ca0.2a2c: 00007ff72d82a000-00007ff72d82afff 0x0008/0x0080 0x1000000 \Device\HarddiskVolume2\PROGRA~1\Oracle\VIRTUA~1\VIRTUA~1.EXE
ca0.2a2c: 00007ff72d82b000-00007ff72d82ffff 0x0004/0x0080 0x1000000 \Device\HarddiskVolume2\PROGRA~1\Oracle\VIRTUA~1\VIRTUA~1.EXE
ca0.2a2c: 00007ff72d830000-00007ff72d830fff 0x0008/0x0080 0x1000000 \Device\HarddiskVolume2\PROGRA~1\Oracle\VIRTUA~1\VIRTUA~1.EXE
ca0.2a2c: 00007ff72d831000-00007ff72d831fff 0x0004/0x0080 0x1000000 \Device\HarddiskVolume2\PROGRA~1\Oracle\VIRTUA~1\VIRTUA~1.EXE
ca0.2a2c: 00007ff72d832000-00007ff72d835fff 0x0008/0x0080 0x1000000 \Device\HarddiskVolume2\PROGRA~1\Oracle\VIRTUA~1\VIRTUA~1.EXE
ca0.2a2c: 00007ff72d836000-00007ff72d87dfff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\PROGRA~1\Oracle\VIRTUA~1\VIRTUA~1.EXE
ca0.2a2c: 00007ff72d87e000-00007fff3e70ffff 0x0001/0x0000 0x0000000
ca0.2a2c: *00007fff3e710000-00007fff3e710fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll
ca0.2a2c: 00007fff3e711000-00007fff3e818fff 0x0020/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll
ca0.2a2c: 00007fff3e819000-00007fff3e85cfff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll
ca0.2a2c: 00007fff3e85d000-00007fff3e865fff 0x0008/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll
ca0.2a2c: 00007fff3e866000-00007fff3e873fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll
ca0.2a2c: 00007fff3e874000-00007fff3e874fff 0x0004/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll
ca0.2a2c: 00007fff3e875000-00007fff3e877fff 0x0008/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll
ca0.2a2c: 00007fff3e878000-00007fff3e8e1fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll
ca0.2a2c: 00007fff3e8e2000-00007ffffffdffff 0x0001/0x0000 0x0000000
ca0.2a2c: *00007ffffffe0000-00007ffffffeffff 0x0001/0x0002 0x0020000
ca0.2a2c: VirtualBox.exe: timestamp 0x5a37e337 (rc=VINF_SUCCESS)
ca0.2a2c: Error (rc=-5618):
ca0.2a2c: Process image name does not match the exectuable we found: \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBox.exe vs \Device\HarddiskVolume2\PROGRA~1\Oracle\VIRTUA~1\VIRTUA~1.EXE.
ca0.2a2c: Error (rc=-5618):
ca0.2a2c: supHardenedWinVerifyProcess failed with Unknown Status -5618 (0xffffea0e): Process image name does not match the exectuable we found: \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBox.exe vs \Device\HarddiskVolume2\PROGRA~1\Oracle\VIRTUA~1\VIRTUA~1.EXE.
ca0.2a2c: Error -5618 in supR3HardNtChildPurify! (enmWhat=5)
ca0.2a2c: supHardenedWinVerifyProcess failed with Unknown Status -5618 (0xffffea0e): Process image name does not match the exectuable we found: \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBox.exe vs \Device\HarddiskVolume2\PROGRA~1\Oracle\VIRTUA~1\VIRTUA~1.EXE.
ca0.2a2c: supR3HardNtEnableThreadCreation:
```