20c8.1664: Log file opened: 6.0.10r132072 g_hStartupLog=0000000000000074 g_uNtVerCombined=0xa047ba00
20c8.1664: \SystemRoot\System32\ntdll.dll:
20c8.1664: CreationTime: 2019-08-15T16:59:08.887803400Z
20c8.1664: LastWriteTime: 2019-08-15T16:59:08.936034800Z
20c8.1664: ChangeTime: 2019-08-21T20:12:13.531869000Z
20c8.1664: FileAttributes: 0x20
20c8.1664: Size: 0x1e8320
20c8.1664: NT Headers: 0xd8
20c8.1664: Timestamp: 0xc00f8a30
20c8.1664: Machine: 0x8664 - amd64
20c8.1664: Timestamp: 0xc00f8a30
20c8.1664: Image Version: 10.0
20c8.1664: SizeOfImage: 0x1f0000 (2031616)
20c8.1664: Resource Dir: 0x17f000 LB 0x6f1d8
20c8.1664: [Version info resource found at 0xd8! (ID/Name: 0x1; SubID/SubName: 0x409)]
20c8.1664: [Raw version resource data: 0x17f0f0 LB 0x380, codepage 0x0 (reserved 0x0)]
20c8.1664: ProductName: Microsoft® Windows® Operating System
20c8.1664: ProductVersion: 10.0.18362.267
20c8.1664: FileVersion: 10.0.18362.267 (WinBuild.160101.0800)
20c8.1664: FileDescription: NT Layer DLL
20c8.1664: \SystemRoot\System32\kernel32.dll:
20c8.1664: CreationTime: 2019-07-10T17:27:27.183520100Z
20c8.1664: LastWriteTime: 2019-07-10T17:27:27.198510000Z
20c8.1664: ChangeTime: 2019-08-15T17:00:07.527946600Z
20c8.1664: FileAttributes: 0x20
20c8.1664: Size: 0xb0498
20c8.1664: NT Headers: 0xe8
20c8.1664: Timestamp: 0xd12f214a
20c8.1664: Machine: 0x8664 - amd64
20c8.1664: Timestamp: 0xd12f214a
20c8.1664: Image Version: 10.0
20c8.1664: SizeOfImage: 0xb2000 (729088)
20c8.1664: Resource Dir: 0xb0000 LB 0x520
20c8.1664: [Version info resource found at 0x90! (ID/Name: 0x1; SubID/SubName: 0x409)]
20c8.1664: [Raw version resource data: 0xb00b0 LB 0x3a4, codepage 0x0 (reserved 0x0)]
20c8.1664: ProductName: Microsoft® Windows® Operating System
20c8.1664: ProductVersion: 10.0.18362.86
20c8.1664: FileVersion: 10.0.18362.86 (WinBuild.160101.0800)
20c8.1664: FileDescription: Windows NT BASE API Client DLL
20c8.1664: \SystemRoot\System32\KernelBase.dll:
20c8.1664: CreationTime: 2019-08-15T16:59:09.529742900Z
20c8.1664: LastWriteTime: 2019-08-15T16:59:09.609609700Z
20c8.1664: ChangeTime: 2019-08-21T20:12:12.063222700Z
20c8.1664: FileAttributes: 0x20
20c8.1664: Size: 0x2a2d08
20c8.1664: NT Headers: 0x100
20c8.1664: Timestamp: 0xf09944f9
20c8.1664: Machine: 0x8664 - amd64
20c8.1664: Timestamp: 0xf09944f9
20c8.1664: Image Version: 10.0
20c8.1664: SizeOfImage: 0x2a3000 (2764800)
20c8.1664: Resource Dir: 0x27d000 LB 0x548
20c8.1664: [Version info resource found at 0x90! (ID/Name: 0x1; SubID/SubName: 0x409)]
20c8.1664: [Raw version resource data: 0x27d0b0 LB 0x3bc, codepage 0x0 (reserved 0x0)]
20c8.1664: ProductName: Microsoft® Windows® Operating System
20c8.1664: ProductVersion: 10.0.18362.267
20c8.1664: FileVersion: 10.0.18362.267 (WinBuild.160101.0800)
20c8.1664: FileDescription: Windows NT BASE API Client DLL
20c8.1664: \SystemRoot\System32\apisetschema.dll:
20c8.1664: CreationTime: 2019-03-19T04:43:54.837151500Z
20c8.1664: LastWriteTime: 2019-03-19T04:43:54.837151500Z
20c8.1664: ChangeTime: 2019-08-15T17:00:07.511955400Z
20c8.1664: FileAttributes: 0x20
20c8.1664: Size: 0x1d028
20c8.1664: NT Headers: 0xc8
20c8.1664: Timestamp: 0xd6ced080
20c8.1664: Machine: 0x8664 - amd64
20c8.1664: Timestamp: 0xd6ced080
20c8.1664: Image Version: 10.0
20c8.1664: SizeOfImage: 0x1e000 (122880)
20c8.1664: Resource Dir: 0x1d000 LB 0x408
20c8.1664: [Version info resource found at 0x48! (ID/Name: 0x1; SubID/SubName: 0x409)]
20c8.1664: [Raw version resource data: 0x1d060 LB 0x3a8, codepage 0x0 (reserved 0x0)]
20c8.1664: ProductName: Microsoft® Windows® Operating System
20c8.1664: ProductVersion: 10.0.18362.1
20c8.1664: FileVersion: 10.0.18362.1 (WinBuild.160101.0800)
20c8.1664: FileDescription: ApiSet Schema DLL
20c8.1664: NtOpenDirectoryObject failed on \Driver: 0xc0000022
20c8.1664: supR3HardenedWinFindAdversaries: 0x0
20c8.1664: supR3HardenedWinInitAppBin(0x0): '\Device\HarddiskVolume4\Program Files\Oracle\VirtualBox'
20c8.1664: Calling main()
20c8.1664: SUPR3HardenedMain: pszProgName=VirtualBoxVM fFlags=0x2
20c8.1664: supR3HardenedWinInitAppBin(0x2): '\Device\HarddiskVolume4\Program Files\Oracle\VirtualBox'
20c8.1664: SUPR3HardenedMain: Respawn #1
20c8.1664: System32: \Device\HarddiskVolume4\Windows\System32
20c8.1664: WinSxS: \Device\HarddiskVolume4\Windows\WinSxS
20c8.1664: KnownDllPath: C:\WINDOWS\System32
20c8.1664: '\Device\HarddiskVolume4\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe' has no imports
20c8.1664: supHardenedWinVerifyImageByHandle: -> 24202 (\Device\HarddiskVolume4\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe)
20c8.1664: supR3HardNtEnableThreadCreation:
20c8.1664: supR3HardNtDisableThreadCreation: pvLdrInitThunk=00007ffff3a11790 pvNtTerminateThread=00007ffff3a3cab0
20c8.1664: supR3HardenedWinDoReSpawn(1): New child b34.9f4 [kernel32].
20c8.1664: supR3HardNtChildGatherData: PebBaseAddress=000000000045c000 cbPeb=0x388
20c8.1664: supR3HardNtPuChFindNtdll: uNtDllParentAddr=00007ffff39a0000 uNtDllChildAddr=00007ffff39a0000
20c8.1664: supR3HardenedWinSetupChildInit: uLdrInitThunk=00007ffff3a11790
20c8.1664: supR3HardenedWinSetupChildInit: Start child.
20c8.1664: supR3HardNtChildWaitFor: Found expected request 0 (PurifyChildAndCloseHandles) after 0 ms.
20c8.1664: supR3HardNtChildPurify: Startup delay kludge #1/0: 260 ms, 30 sleeps
20c8.1664: supHardNtVpScanVirtualMemory: enmKind=CHILD_PURIFICATION
20c8.1664: *0000000000000000-00000000002affff 0x0001/0x0000 0x0000000
20c8.1664: *00000000002b0000-00000000002cffff 0x0004/0x0004 0x0020000
20c8.1664: *00000000002d0000-00000000002eafff 0x0002/0x0002 0x0040000
20c8.1664: 00000000002eb000-00000000002effff 0x0001/0x0000 0x0000000
20c8.1664: *00000000002f0000-00000000003eafff 0x0000/0x0004 0x0020000
20c8.1664: 00000000003eb000-00000000003edfff 0x0104/0x0004 0x0020000
20c8.1664: 00000000003ee000-00000000003effff 0x0004/0x0004 0x0020000
20c8.1664: *00000000003f0000-00000000003f3fff 0x0002/0x0002 0x0040000
20c8.1664: 00000000003f4000-00000000003fffff 0x0001/0x0000 0x0000000
20c8.1664: *0000000000400000-000000000045bfff 0x0000/0x0004 0x0020000
20c8.1664: 000000000045c000-000000000045efff 0x0004/0x0004 0x0020000
20c8.1664: 000000000045f000-00000000005fffff 0x0000/0x0004 0x0020000
20c8.1664: *0000000000600000-0000000000601fff 0x0004/0x0004 0x0020000
20c8.1664: 0000000000602000-00000000007fffff 0x0001/0x0000 0x0000000
20c8.1664: *0000000000800000-0000000000803fff 0x0004/0x0004 0x0020000
20c8.1664: 0000000000804000-000000007ffdffff 0x0001/0x0000 0x0000000
20c8.1664: *000000007ffe0000-000000007ffe0fff 0x0002/0x0002 0x0020000
20c8.1664: 000000007ffe1000-000000007ffe4fff 0x0001/0x0000 0x0000000
20c8.1664: *000000007ffe5000-000000007ffe5fff 0x0002/0x0002 0x0020000
20c8.1664: 000000007ffe6000-00007ff5fea7ffff 0x0001/0x0000 0x0000000
20c8.1664: *00007ff5fea80000-00007ff5fea80fff 0x0002/0x0002 0x0040000
20c8.1664: 00007ff5fea81000-00007ff5fea8ffff 0x0001/0x0000 0x0000000
20c8.1664: *00007ff5fea90000-00007ff5feab2fff 0x0002/0x0002 0x0040000
20c8.1664: 00007ff5feab3000-00007ff754ccffff 0x0001/0x0000 0x0000000
20c8.1664: *00007ff754cd0000-00007ff754cd0fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume4\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe
20c8.1664: 00007ff754cd1000-00007ff754d45fff 0x0020/0x0080 0x1000000 \Device\HarddiskVolume4\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe
20c8.1664: 00007ff754d46000-00007ff754d46fff 0x0080/0x0080 0x1000000 \Device\HarddiskVolume4\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe
20c8.1664: 00007ff754d47000-00007ff754d8dfff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume4\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe
20c8.1664: 00007ff754d8e000-00007ff754d8efff 0x0004/0x0080 0x1000000 \Device\HarddiskVolume4\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe
20c8.1664: 00007ff754d8f000-00007ff754d8ffff 0x0008/0x0080 0x1000000 \Device\HarddiskVolume4\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe
20c8.1664: 00007ff754d90000-00007ff754d94fff 0x0004/0x0080 0x1000000 \Device\HarddiskVolume4\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe
20c8.1664: 00007ff754d95000-00007ff754d95fff 0x0008/0x0080 0x1000000 \Device\HarddiskVolume4\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe
20c8.1664: 00007ff754d96000-00007ff754d96fff 0x0004/0x0080 0x1000000 \Device\HarddiskVolume4\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe
20c8.1664: 00007ff754d97000-00007ff754d9afff 0x0008/0x0080 0x1000000 \Device\HarddiskVolume4\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe
20c8.1664: 00007ff754d9b000-00007ff754de3fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume4\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe
20c8.1664: 00007ff754de4000-00007ffff394ffff 0x0001/0x0000 0x0000000
20c8.1664: *00007ffff3950000-00007ffff3950fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume4\Windows\System32\Itcspea.Dll
20c8.1664: supHardNtVpScanVirtualMemory: Unmapping image mem at 00007ffff3950000 (00007ffff3950000 LB 0x1000) - 'Itcspea.Dll'
20c8.1664: 00007ffff3951000-00007ffff399ffff 0x0001/0x0000 0x0000000
20c8.1664: *00007ffff39a0000-00007ffff39a0fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume4\Windows\System32\ntdll.dll
20c8.1664: 00007ffff39a1000-00007ffff3ab7fff 0x0020/0x0080 0x1000000 \Device\HarddiskVolume4\Windows\System32\ntdll.dll
20c8.1664: 00007ffff3ab8000-00007ffff3afefff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume4\Windows\System32\ntdll.dll
20c8.1664: 00007ffff3aff000-00007ffff3b0afff 0x0008/0x0080 0x1000000 \Device\HarddiskVolume4\Windows\System32\ntdll.dll
20c8.1664: 00007ffff3b0b000-00007ffff3b19fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume4\Windows\System32\ntdll.dll
20c8.1664: 00007ffff3b1a000-00007ffff3b1afff 0x0004/0x0080 0x1000000 \Device\HarddiskVolume4\Windows\System32\ntdll.dll
20c8.1664: 00007ffff3b1b000-00007ffff3b1dfff 0x0008/0x0080 0x1000000 \Device\HarddiskVolume4\Windows\System32\ntdll.dll
20c8.1664: 00007ffff3b1e000-00007ffff3b8ffff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume4\Windows\System32\ntdll.dll
20c8.1664: 00007ffff3b90000-00007ffffffeffff 0x0001/0x0000 0x0000000
20c8.1664: VirtualBoxVM.exe: timestamp 0x5d284665 (rc=VINF_SUCCESS)
20c8.1664: '\Device\HarddiskVolume4\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe' has no imports
20c8.1664: '\Device\HarddiskVolume4\Windows\System32\ntdll.dll' has no imports
20c8.1664: supR3HardNtChildPurify: Done after 320 ms and 0 fixes (loop #0).
b34.9f4: Log file opened: 6.0.10r132072 g_hStartupLog=0000000000000004 g_uNtVerCombined=0xa047ba00
b34.9f4: supR3HardenedVmProcessInit: uNtDllAddr=00007ffff39a0000 g_uNtVerCombined=0xa047ba00
b34.9f4: ntdll.dll: timestamp 0xc00f8a30 (rc=VINF_SUCCESS)
b34.9f4: New simple heap: #1 0000000000810000 LB 0x400000 (for 2031616 allocation)
20c8.1664: supR3HardNtEnableThreadCreation:
b34.9f4: supR3HardenedWinInitAppBin(0x0): '\Device\HarddiskVolume4\Program Files\Oracle\VirtualBox'
b34.9f4: System32: \Device\HarddiskVolume4\Windows\System32
b34.9f4: WinSxS: \Device\HarddiskVolume4\Windows\WinSxS
b34.9f4: KnownDllPath: C:\WINDOWS\System32
b34.9f4: supR3HardenedVmProcessInit: Opening vboxdrv stub...
b34.9f4: supR3HardenedVmProcessInit: Restoring LdrInitializeThunk...
b34.9f4: supR3HardenedVmProcessInit: Returning to LdrInitializeThunk...
b34.9f4: Registered Dll notification callback with NTDLL.
b34.9f4: supHardenedWinVerifyImageByHandle: -> 0 (\Device\HarddiskVolume4\Windows\System32\kernel32.dll)
b34.9f4: supR3HardenedWinVerifyCacheInsert: \Device\HarddiskVolume4\Windows\System32\kernel32.dll
b34.9f4: supR3HardenedMonitor_LdrLoadDll: pName=C:\WINDOWS\System32\KERNEL32.DLL (Input=KERNEL32.DLL, rcNtResolve=0xc0150008) *pfFlags=0xffffffff pwszSearchPath=0000000000004001:<flags> [calling]
b34.9f4: supR3HardenedDllNotificationCallback: load 00007ffff0ee0000 LB 0x002a3000 C:\WINDOWS\System32\KERNELBASE.dll [fFlags=0x0]
b34.9f4: supHardenedWinVerifyImageByHandle: -> 0 (\Device\HarddiskVolume4\Windows\System32\KernelBase.dll)
b34.9f4: supR3HardenedWinVerifyCacheInsert: \Device\HarddiskVolume4\Windows\System32\KernelBase.dll
b34.9f4: supR3HardenedDllNotificationCallback: load 00007ffff37d0000 LB 0x000b2000 C:\WINDOWS\System32\KERNEL32.DLL [fFlags=0x0]
b34.9f4: supR3HardenedScreenImage/LdrLoadDll: cache hit (VINF_SUCCESS) on \Device\HarddiskVolume4\Windows\System32\kernel32.dll [lacks WinVerifyTrust]
b34.9f4: supR3HardenedMonitor_LdrLoadDll: returns rcNt=0x0 hMod=00007ffff37d0000 'C:\WINDOWS\System32\KERNEL32.DLL'
b34.9f4: supR3HardenedDllNotificationCallback: load 00007ff754cd0000 LB 0x00114000 C:\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe [fFlags=0x0]
b34.9f4: '\Device\HarddiskVolume4\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe' has no imports
b34.9f4: supHardenedWinVerifyImageByHandle: -> 24202 (\Device\HarddiskVolume4\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe)
b34.9f4: supR3HardenedWinVerifyCacheInsert: \Device\HarddiskVolume4\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe
b34.9f4: supR3HardNtDisableThreadCreation: pvLdrInitThunk=00007ffff3a11790 pvNtTerminateThread=00007ffff3a3cab0
20c8.1664: supR3HardNtChildWaitFor: Found expected request 1 (CloseEvents) after 102 ms.
b34.9f4: \SystemRoot\System32\ntdll.dll:
b34.9f4: CreationTime: 2019-08-15T16:59:08.887803400Z
b34.9f4: LastWriteTime: 2019-08-15T16:59:08.936034800Z
b34.9f4: ChangeTime: 2019-08-21T20:12:13.531869000Z
b34.9f4: FileAttributes: 0x20
b34.9f4: Size: 0x1e8320
b34.9f4: NT Headers: 0xd8
b34.9f4: Timestamp: 0xc00f8a30
b34.9f4: Machine: 0x8664 - amd64
b34.9f4: Timestamp: 0xc00f8a30
b34.9f4: Image Version: 10.0
b34.9f4: SizeOfImage: 0x1f0000 (2031616)
b34.9f4: Resource Dir: 0x17f000 LB 0x6f1d8
b34.9f4: [Version info resource found at 0xd8! (ID/Name: 0x1; SubID/SubName: 0x409)]
b34.9f4: [Raw version resource data: 0x17f0f0 LB 0x380, codepage 0x0 (reserved 0x0)]
b34.9f4: ProductName: Microsoft® Windows® Operating System
b34.9f4: ProductVersion: 10.0.18362.267
b34.9f4: FileVersion: 10.0.18362.267 (WinBuild.160101.0800)
b34.9f4: FileDescription: NT Layer DLL
b34.9f4: \SystemRoot\System32\kernel32.dll:
b34.9f4: CreationTime: 2019-07-10T17:27:27.183520100Z
b34.9f4: LastWriteTime: 2019-07-10T17:27:27.198510000Z
b34.9f4: ChangeTime: 2019-08-15T17:00:07.527946600Z
b34.9f4: FileAttributes: 0x20
b34.9f4: Size: 0xb0498
b34.9f4: NT Headers: 0xe8
b34.9f4: Timestamp: 0xd12f214a
b34.9f4: Machine: 0x8664 - amd64
b34.9f4: Timestamp: 0xd12f214a
b34.9f4: Image Version: 10.0
b34.9f4: SizeOfImage: 0xb2000 (729088)
b34.9f4: Resource Dir: 0xb0000 LB 0x520
b34.9f4: [Version info resource found at 0x90! (ID/Name: 0x1; SubID/SubName: 0x409)]
b34.9f4: [Raw version resource data: 0xb00b0 LB 0x3a4, codepage 0x0 (reserved 0x0)]
b34.9f4: ProductName: Microsoft® Windows® Operating System
b34.9f4: ProductVersion: 10.0.18362.86
b34.9f4: FileVersion: 10.0.18362.86 (WinBuild.160101.0800)
b34.9f4: FileDescription: Windows NT BASE API Client DLL
b34.9f4: \SystemRoot\System32\KernelBase.dll:
b34.9f4: CreationTime: 2019-08-15T16:59:09.529742900Z
b34.9f4: LastWriteTime: 2019-08-15T16:59:09.609609700Z
b34.9f4: ChangeTime: 2019-08-21T20:12:12.063222700Z
b34.9f4: FileAttributes: 0x20
b34.9f4: Size: 0x2a2d08
b34.9f4: NT Headers: 0x100
b34.9f4: Timestamp: 0xf09944f9
b34.9f4: Machine: 0x8664 - amd64
b34.9f4: Timestamp: 0xf09944f9
b34.9f4: Image Version: 10.0
b34.9f4: SizeOfImage: 0x2a3000 (2764800)
b34.9f4: Resource Dir: 0x27d000 LB 0x548
b34.9f4: [Version info resource found at 0x90! (ID/Name: 0x1; SubID/SubName: 0x409)]
b34.9f4: [Raw version resource data: 0x27d0b0 LB 0x3bc, codepage 0x0 (reserved 0x0)]
b34.9f4: ProductName: Microsoft® Windows® Operating System
b34.9f4: ProductVersion: 10.0.18362.267
b34.9f4: FileVersion: 10.0.18362.267 (WinBuild.160101.0800)
b34.9f4: FileDescription: Windows NT BASE API Client DLL
b34.9f4: \SystemRoot\System32\apisetschema.dll:
b34.9f4: CreationTime: 2019-03-19T04:43:54.837151500Z
b34.9f4: LastWriteTime: 2019-03-19T04:43:54.837151500Z
b34.9f4: ChangeTime: 2019-08-15T17:00:07.511955400Z
b34.9f4: FileAttributes: 0x20
b34.9f4: Size: 0x1d028
b34.9f4: NT Headers: 0xc8
b34.9f4: Timestamp: 0xd6ced080
b34.9f4: Machine: 0x8664 - amd64
b34.9f4: Timestamp: 0xd6ced080
b34.9f4: Image Version: 10.0
b34.9f4: SizeOfImage: 0x1e000 (122880)
b34.9f4: Resource Dir: 0x1d000 LB 0x408
b34.9f4: [Version info resource found at 0x48! (ID/Name: 0x1; SubID/SubName: 0x409)]
b34.9f4: [Raw version resource data: 0x1d060 LB 0x3a8, codepage 0x0 (reserved 0x0)]
b34.9f4: ProductName: Microsoft® Windows® Operating System
b34.9f4: ProductVersion: 10.0.18362.1
b34.9f4: FileVersion: 10.0.18362.1 (WinBuild.160101.0800)
b34.9f4: FileDescription: ApiSet Schema DLL
b34.9f4: NtOpenDirectoryObject failed on \Driver: 0xc0000022
b34.9f4: supR3HardenedWinFindAdversaries: 0x0
b34.9f4: supR3HardenedWinInitAppBin(0x0): '\Device\HarddiskVolume4\Program Files\Oracle\VirtualBox'
b34.9f4: Calling main()
b34.9f4: SUPR3HardenedMain: pszProgName=VirtualBoxVM fFlags=0x2
b34.9f4: supR3HardenedWinInitAppBin(0x2): '\Device\HarddiskVolume4\Program Files\Oracle\VirtualBox'
b34.9f4: '\Device\HarddiskVolume4\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe' has no imports
b34.9f4: supHardenedWinVerifyImageByHandle: -> 24202 (\Device\HarddiskVolume4\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe)
b34.9f4: SUPR3HardenedMain: Respawn #2
b34.9f4: supR3HardNtEnableThreadCreation:
b34.9f4: supR3HardenedDllNotificationCallback: load 00007ffff1d50000 LB 0x00120000 C:\WINDOWS\System32\RPCRT4.dll [fFlags=0x0]
b34.9f4: supHardenedWinVerifyImageByHandle: -> 0 (\Device\HarddiskVolume4\Windows\System32\rpcrt4.dll)
b34.9f4: supR3HardenedWinVerifyCacheInsert: \Device\HarddiskVolume4\Windows\System32\rpcrt4.dll
b34.9f4: supR3HardenedDllNotificationCallback: load 00007ffff1ba0000 LB 0x00097000 C:\WINDOWS\System32\sechost.dll [fFlags=0x0]
b34.9f4: supR3HardenedWinVerifyCacheScheduleImports: Import todo: #11 'rpcrt4.dll'.
b34.9f4: supHardenedWinVerifyImageByHandle: -> 0 (\Device\HarddiskVolume4\Windows\System32\sechost.dll)
b34.9f4: supR3HardenedWinVerifyCacheInsert: \Device\HarddiskVolume4\Windows\System32\sechost.dll
b34.9f4: '\Device\HarddiskVolume4\Windows\System32\ntdll.dll' has no imports
b34.9f4: supHardenedWinVerifyImageByHandle: -> 0 (\Device\HarddiskVolume4\Windows\System32\ntdll.dll)
b34.9f4: supR3HardenedWinVerifyCacheInsert: \Device\HarddiskVolume4\Windows\System32\ntdll.dll
b34.9f4: supR3HardenedWinVerifyCacheProcessImportTodos: Processing 'rpcrt4.dll'...
b34.9f4: supR3HardenedWinVerifyCacheProcessImportTodos: 'rpcrt4.dll' -> '\Device\HarddiskVolume4\Windows\System32\rpcrt4.dll' [rcNtRedir=0xc0150008]
b34.9f4: supR3HardenedScreenImage/Imports: cache hit (VINF_SUCCESS) on \Device\HarddiskVolume4\Windows\System32\rpcrt4.dll [lacks WinVerifyTrust]
b34.9f4: supR3HardenedMonitor_LdrLoadDll: pName=C:\WINDOWS\System32\ntdll.dll (Input=ntdll.dll, rcNtResolve=0xc0150008) *pfFlags=0x0 pwszSearchPath=0000000000000801:<flags> [calling]
b34.9f4: supR3HardenedMonitor_LdrLoadDll: returns rcNt=0x0 hMod=00007ffff39a0000 'C:\WINDOWS\System32\ntdll.dll'
b34.9f4: supR3HardNtDisableThreadCreation: pvLdrInitThunk=00007ffff3a11790 pvNtTerminateThread=00007ffff3a3cab0
b34.9f4: supR3HardenedWinDoReSpawn(2): New child f0.f4 [kernel32].
b34.9f4: supR3HardenedWinReSpawn: NtSetInformationThread/ThreadHideFromDebugger failed: 0xc0000022 (harmless)
b34.9f4: supR3HardNtChildGatherData: PebBaseAddress=0000000001045000 cbPeb=0x388
b34.9f4: supR3HardNtPuChFindNtdll: uNtDllParentAddr=00007ffff39a0000 uNtDllChildAddr=00007ffff39a0000
b34.9f4: supR3HardenedWinSetupChildInit: uLdrInitThunk=00007ffff3a11790
b34.9f4: supR3HardenedWinSetupChildInit: Start child.
b34.9f4: supR3HardNtChildWaitFor: Found expected request 0 (PurifyChildAndCloseHandles) after 0 ms.
b34.9f4: supR3HardNtChildPurify: Startup delay kludge #1/0: 263 ms, 31 sleeps
b34.9f4: supHardNtVpScanVirtualMemory: enmKind=CHILD_PURIFICATION
b34.9f4: *0000000000000000-0000000000e6ffff 0x0001/0x0000 0x0000000
b34.9f4: *0000000000e70000-0000000000e8ffff 0x0004/0x0004 0x0020000
b34.9f4: *0000000000e90000-0000000000eaafff 0x0002/0x0002 0x0040000
b34.9f4: 0000000000eab000-0000000000eaffff 0x0001/0x0000 0x0000000
b34.9f4: *0000000000eb0000-0000000000faafff 0x0000/0x0004 0x0020000
b34.9f4: 0000000000fab000-0000000000fadfff 0x0104/0x0004 0x0020000
b34.9f4: 0000000000fae000-0000000000faffff 0x0004/0x0004 0x0020000
b34.9f4: *0000000000fb0000-0000000000fb3fff 0x0002/0x0002 0x0040000
b34.9f4: 0000000000fb4000-0000000000fbffff 0x0001/0x0000 0x0000000
b34.9f4: *0000000000fc0000-0000000000fc1fff 0x0004/0x0004 0x0020000
b34.9f4: 0000000000fc2000-0000000000ffffff 0x0001/0x0000 0x0000000
b34.9f4: *0000000001000000-0000000001044fff 0x0000/0x0004 0x0020000
b34.9f4: 0000000001045000-0000000001047fff 0x0004/0x0004 0x0020000
b34.9f4: 0000000001048000-00000000011fffff 0x0000/0x0004 0x0020000
b34.9f4: 0000000001200000-000000000124ffff 0x0001/0x0000 0x0000000
b34.9f4: *0000000001250000-0000000001253fff 0x0004/0x0004 0x0020000
b34.9f4: 0000000001254000-000000007ffdffff 0x0001/0x0000 0x0000000
b34.9f4: *000000007ffe0000-000000007ffe0fff 0x0002/0x0002 0x0020000
b34.9f4: 000000007ffe1000-000000007ffe4fff 0x0001/0x0000 0x0000000
b34.9f4: *000000007ffe5000-000000007ffe5fff 0x0002/0x0002 0x0020000
b34.9f4: 000000007ffe6000-00007ff560d9ffff 0x0001/0x0000 0x0000000
b34.9f4: *00007ff560da0000-00007ff560da0fff 0x0002/0x0002 0x0040000
b34.9f4: 00007ff560da1000-00007ff560daffff 0x0001/0x0000 0x0000000
b34.9f4: *00007ff560db0000-00007ff560dd2fff 0x0002/0x0002 0x0040000
b34.9f4: 00007ff560dd3000-00007ff754ccffff 0x0001/0x0000 0x0000000
b34.9f4: *00007ff754cd0000-00007ff754cd0fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume4\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe
b34.9f4: 00007ff754cd1000-00007ff754d45fff 0x0020/0x0080 0x1000000 \Device\HarddiskVolume4\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe
b34.9f4: 00007ff754d46000-00007ff754d46fff 0x0080/0x0080 0x1000000 \Device\HarddiskVolume4\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe
b34.9f4: 00007ff754d47000-00007ff754d8dfff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume4\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe
b34.9f4: 00007ff754d8e000-00007ff754d8efff 0x0004/0x0080 0x1000000 \Device\HarddiskVolume4\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe
b34.9f4: 00007ff754d8f000-00007ff754d8ffff 0x0008/0x0080 0x1000000 \Device\HarddiskVolume4\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe
b34.9f4: 00007ff754d90000-00007ff754d94fff 0x0004/0x0080 0x1000000 \Device\HarddiskVolume4\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe
b34.9f4: 00007ff754d95000-00007ff754d95fff 0x0008/0x0080 0x1000000 \Device\HarddiskVolume4\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe
b34.9f4: 00007ff754d96000-00007ff754d96fff 0x0004/0x0080 0x1000000 \Device\HarddiskVolume4\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe
b34.9f4: 00007ff754d97000-00007ff754d9afff 0x0008/0x0080 0x1000000 \Device\HarddiskVolume4\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe
b34.9f4: 00007ff754d9b000-00007ff754de3fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume4\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe
b34.9f4: 00007ff754de4000-00007ffff394ffff 0x0001/0x0000 0x0000000
b34.9f4: *00007ffff3950000-00007ffff3950fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume4\Windows\System32\Itcspea.Dll
b34.9f4: supHardNtVpScanVirtualMemory: Unmapping image mem at 00007ffff3950000 (00007ffff3950000 LB 0x1000) - 'Itcspea.Dll'
b34.9f4: 00007ffff3951000-00007ffff399ffff 0x0001/0x0000 0x0000000
b34.9f4: *00007ffff39a0000-00007ffff39a0fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume4\Windows\System32\ntdll.dll
b34.9f4: 00007ffff39a1000-00007ffff3ab7fff 0x0020/0x0080 0x1000000 \Device\HarddiskVolume4\Windows\System32\ntdll.dll
b34.9f4: 00007ffff3ab8000-00007ffff3afefff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume4\Windows\System32\ntdll.dll
b34.9f4: 00007ffff3aff000-00007ffff3b0afff 0x0008/0x0080 0x1000000 \Device\HarddiskVolume4\Windows\System32\ntdll.dll
b34.9f4: 00007ffff3b0b000-00007ffff3b19fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume4\Windows\System32\ntdll.dll
b34.9f4: 00007ffff3b1a000-00007ffff3b1afff 0x0004/0x0080 0x1000000 \Device\HarddiskVolume4\Windows\System32\ntdll.dll
b34.9f4: 00007ffff3b1b000-00007ffff3b1dfff 0x0008/0x0080 0x1000000 \Device\HarddiskVolume4\Windows\System32\ntdll.dll
b34.9f4: 00007ffff3b1e000-00007ffff3b8ffff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume4\Windows\System32\ntdll.dll
b34.9f4: 00007ffff3b90000-00007ffffffeffff 0x0001/0x0000 0x0000000
b34.9f4: VirtualBoxVM.exe: timestamp 0x5d284665 (rc=VINF_SUCCESS)
b34.9f4: '\Device\HarddiskVolume4\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe' has no imports
b34.9f4: '\Device\HarddiskVolume4\Windows\System32\ntdll.dll' has no imports
b34.9f4: supR3HardNtChildPurify: Done after 327 ms and 0 fixes (loop #0).
f0.f4: Log file opened: 6.0.10r132072 g_hStartupLog=0000000000000004 g_uNtVerCombined=0xa047ba00
f0.f4: supR3HardenedVmProcessInit: uNtDllAddr=00007ffff39a0000 g_uNtVerCombined=0xa047ba00
b34.9f4: supR3HardenedEarlyCompact: Removed heap 1 (0x00000000810000 LB 0x400000)
f0.f4: ntdll.dll: timestamp 0xc00f8a30 (rc=VINF_SUCCESS)
f0.f4: New simple heap: #1 0000000001360000 LB 0x400000 (for 2031616 allocation)
b34.9f4: supR3HardNtEnableThreadCreation:
f0.f4: supR3HardenedWinInitAppBin(0x0): '\Device\HarddiskVolume4\Program Files\Oracle\VirtualBox'
f0.f4: System32: \Device\HarddiskVolume4\Windows\System32
f0.f4: WinSxS: \Device\HarddiskVolume4\Windows\WinSxS
f0.f4: KnownDllPath: C:\WINDOWS\System32
f0.f4: supR3HardenedVmProcessInit: Opening vboxdrv...
f0.f4: supR3HardenedVmProcessInit: Restoring LdrInitializeThunk...
f0.f4: supR3HardenedVmProcessInit: Returning to LdrInitializeThunk...
f0.f4: Registered Dll notification callback with NTDLL.
f0.f4: supHardenedWinVerifyImageByHandle: -> 0 (\Device\HarddiskVolume4\Windows\System32\kernel32.dll)
f0.f4: supR3HardenedWinVerifyCacheInsert: \Device\HarddiskVolume4\Windows\System32\kernel32.dll
f0.f4: supR3HardenedMonitor_LdrLoadDll: pName=C:\WINDOWS\System32\KERNEL32.DLL (Input=KERNEL32.DLL, rcNtResolve=0xc0150008) *pfFlags=0xffffffff pwszSearchPath=0000000000004001:<flags> [calling]
f0.f4: supR3HardenedDllNotificationCallback: load 00007ffff0ee0000 LB 0x002a3000 C:\WINDOWS\System32\KERNELBASE.dll [fFlags=0x0]
f0.f4: supHardenedWinVerifyImageByHandle: -> 0 (\Device\HarddiskVolume4\Windows\System32\KernelBase.dll)
f0.f4: supR3HardenedWinVerifyCacheInsert: \Device\HarddiskVolume4\Windows\System32\KernelBase.dll
f0.f4: supR3HardenedDllNotificationCallback: load 00007ffff37d0000 LB 0x000b2000 C:\WINDOWS\System32\KERNEL32.DLL [fFlags=0x0]
f0.f4: supR3HardenedScreenImage/LdrLoadDll: cache hit (VINF_SUCCESS) on \Device\HarddiskVolume4\Windows\System32\kernel32.dll [lacks WinVerifyTrust]
f0.f4: supR3HardenedMonitor_LdrLoadDll: returns rcNt=0x0 hMod=00007ffff37d0000 'C:\WINDOWS\System32\KERNEL32.DLL'
f0.f4: supR3HardenedDllNotificationCallback: load 00007ff754cd0000 LB 0x00114000 C:\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe [fFlags=0x0]
f0.f4: '\Device\HarddiskVolume4\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe' has no imports
f0.f4: supHardenedWinVerifyImageByHandle: -> 24202 (\Device\HarddiskVolume4\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe)
f0.f4: supR3HardenedWinVerifyCacheInsert: \Device\HarddiskVolume4\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe
f0.f4: supR3HardNtDisableThreadCreation: pvLdrInitThunk=00007ffff3a11790 pvNtTerminateThread=00007ffff3a3cab0
b34.9f4: supR3HardNtChildWaitFor: Found expected request 1 (CloseEvents) after 124 ms.
f0.f4: \SystemRoot\System32\ntdll.dll:
f0.f4: CreationTime: 2019-08-15T16:59:08.887803400Z
f0.f4: LastWriteTime: 2019-08-15T16:59:08.936034800Z
f0.f4: ChangeTime: 2019-08-21T20:12:13.531869000Z
f0.f4: FileAttributes: 0x20
f0.f4: Size: 0x1e8320
f0.f4: NT Headers: 0xd8
f0.f4: Timestamp: 0xc00f8a30
f0.f4: Machine: 0x8664 - amd64
f0.f4: Timestamp: 0xc00f8a30
f0.f4: Image Version: 10.0
f0.f4: SizeOfImage: 0x1f0000 (2031616)
f0.f4: Resource Dir: 0x17f000 LB 0x6f1d8
f0.f4: [Version info resource found at 0xd8! (ID/Name: 0x1; SubID/SubName: 0x409)]
f0.f4: [Raw version resource data: 0x17f0f0 LB 0x380, codepage 0x0 (reserved 0x0)]
|
|---|
| 388 | f0.f4: ProductName: Microsoft® Windows® Operating System
|
|---|
| 389 | f0.f4: ProductVersion: 10.0.18362.267
|
|---|
| 390 | f0.f4: FileVersion: 10.0.18362.267 (WinBuild.160101.0800)
|
|---|
| 391 | f0.f4: FileDescription: NT Layer DLL
|
|---|
| 392 | f0.f4: \SystemRoot\System32\kernel32.dll:
|
|---|
| 393 | f0.f4: CreationTime: 2019-07-10T17:27:27.183520100Z
|
|---|
| 394 | f0.f4: LastWriteTime: 2019-07-10T17:27:27.198510000Z
|
|---|
| 395 | f0.f4: ChangeTime: 2019-08-15T17:00:07.527946600Z
|
|---|
| 396 | f0.f4: FileAttributes: 0x20
|
|---|
| 397 | f0.f4: Size: 0xb0498
|
|---|
| 398 | f0.f4: NT Headers: 0xe8
|
|---|
| 399 | f0.f4: Timestamp: 0xd12f214a
|
|---|
| 400 | f0.f4: Machine: 0x8664 - amd64
|
|---|
| 401 | f0.f4: Timestamp: 0xd12f214a
|
|---|
| 402 | f0.f4: Image Version: 10.0
|
|---|
| 403 | f0.f4: SizeOfImage: 0xb2000 (729088)
|
|---|
| 404 | f0.f4: Resource Dir: 0xb0000 LB 0x520
|
|---|
| 405 | f0.f4: [Version info resource found at 0x90! (ID/Name: 0x1; SubID/SubName: 0x409)]
|
|---|
| 406 | f0.f4: [Raw version resource data: 0xb00b0 LB 0x3a4, codepage 0x0 (reserved 0x0)]
|
|---|
| 407 | f0.f4: ProductName: Microsoft® Windows® Operating System
|
|---|
| 408 | f0.f4: ProductVersion: 10.0.18362.86
|
|---|
| 409 | f0.f4: FileVersion: 10.0.18362.86 (WinBuild.160101.0800)
|
|---|
| 410 | f0.f4: FileDescription: Windows NT BASE API Client DLL
|
|---|
| 411 | f0.f4: \SystemRoot\System32\KernelBase.dll:
|
|---|
| 412 | f0.f4: CreationTime: 2019-08-15T16:59:09.529742900Z
|
|---|
| 413 | f0.f4: LastWriteTime: 2019-08-15T16:59:09.609609700Z
|
|---|
| 414 | f0.f4: ChangeTime: 2019-08-21T20:12:12.063222700Z
|
|---|
| 415 | f0.f4: FileAttributes: 0x20
|
|---|
| 416 | f0.f4: Size: 0x2a2d08
|
|---|
| 417 | f0.f4: NT Headers: 0x100
|
|---|
| 418 | f0.f4: Timestamp: 0xf09944f9
|
|---|
| 419 | f0.f4: Machine: 0x8664 - amd64
|
|---|
| 420 | f0.f4: Timestamp: 0xf09944f9
|
|---|
| 421 | f0.f4: Image Version: 10.0
|
|---|
| 422 | f0.f4: SizeOfImage: 0x2a3000 (2764800)
|
|---|
| 423 | f0.f4: Resource Dir: 0x27d000 LB 0x548
|
|---|
| 424 | f0.f4: [Version info resource found at 0x90! (ID/Name: 0x1; SubID/SubName: 0x409)]
|
|---|
| 425 | f0.f4: [Raw version resource data: 0x27d0b0 LB 0x3bc, codepage 0x0 (reserved 0x0)]
|
|---|
| 426 | f0.f4: ProductName: Microsoft® Windows® Operating System
|
|---|
| 427 | f0.f4: ProductVersion: 10.0.18362.267
|
|---|
| 428 | f0.f4: FileVersion: 10.0.18362.267 (WinBuild.160101.0800)
|
|---|
| 429 | f0.f4: FileDescription: Windows NT BASE API Client DLL
|
|---|
| 430 | f0.f4: \SystemRoot\System32\apisetschema.dll:
|
|---|
| 431 | f0.f4: CreationTime: 2019-03-19T04:43:54.837151500Z
|
|---|
| 432 | f0.f4: LastWriteTime: 2019-03-19T04:43:54.837151500Z
|
|---|
| 433 | f0.f4: ChangeTime: 2019-08-15T17:00:07.511955400Z
|
|---|
| 434 | f0.f4: FileAttributes: 0x20
|
|---|
| 435 | f0.f4: Size: 0x1d028
|
|---|
| 436 | f0.f4: NT Headers: 0xc8
|
|---|
| 437 | f0.f4: Timestamp: 0xd6ced080
|
|---|
| 438 | f0.f4: Machine: 0x8664 - amd64
|
|---|
| 439 | f0.f4: Timestamp: 0xd6ced080
|
|---|
| 440 | f0.f4: Image Version: 10.0
|
|---|
| 441 | f0.f4: SizeOfImage: 0x1e000 (122880)
|
|---|
| 442 | f0.f4: Resource Dir: 0x1d000 LB 0x408
|
|---|
| 443 | f0.f4: [Version info resource found at 0x48! (ID/Name: 0x1; SubID/SubName: 0x409)]
|
|---|
| 444 | f0.f4: [Raw version resource data: 0x1d060 LB 0x3a8, codepage 0x0 (reserved 0x0)]
|
|---|
| 445 | f0.f4: ProductName: Microsoft® Windows® Operating System
|
|---|
| 446 | f0.f4: ProductVersion: 10.0.18362.1
|
|---|
| 447 | f0.f4: FileVersion: 10.0.18362.1 (WinBuild.160101.0800)
|
|---|
| 448 | f0.f4: FileDescription: ApiSet Schema DLL
|
|---|
| 449 | f0.f4: NtOpenDirectoryObject failed on \Driver: 0xc0000022
|
|---|
| 450 | f0.f4: supR3HardenedWinFindAdversaries: 0x0
|
|---|
| 451 | f0.f4: supR3HardenedWinInitAppBin(0x0): '\Device\HarddiskVolume4\Program Files\Oracle\VirtualBox'
|
|---|
| 452 | f0.f4: Calling main()
|
|---|
| 453 | f0.f4: SUPR3HardenedMain: pszProgName=VirtualBoxVM fFlags=0x2
|
|---|
| 454 | f0.f4: supR3HardenedWinInitAppBin(0x2): '\Device\HarddiskVolume4\Program Files\Oracle\VirtualBox'
|
|---|
| 455 | f0.f4: '\Device\HarddiskVolume4\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe' has no imports
|
|---|
| 456 | f0.f4: supHardenedWinVerifyImageByHandle: -> 24202 (\Device\HarddiskVolume4\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe)
|
|---|
| 457 | f0.f4: SUPR3HardenedMain: Final process, opening VBoxDrv...
|
|---|
| 458 | f0.f4: supR3HardenedEarlyCompact: Removed heap 1 (0x00000001360000 LB 0x400000)
|
|---|
| 459 | f0.f4: supR3HardNtEnableThreadCreation:
|
|---|
| 460 | f0.f4: supHardenedWinVerifyImageByHandle: -> 24202 (\Device\HarddiskVolume4\Program Files\Oracle\VirtualBox\VBoxSupLib.dll)
|
|---|
| 461 | f0.f4: supR3HardenedWinVerifyCacheInsert: \Device\HarddiskVolume4\Program Files\Oracle\VirtualBox\VBoxSupLib.dll
|
|---|
| 462 | f0.f4: supR3HardenedMonitor_LdrLoadDll: pName=C:\Program Files\Oracle\VirtualBox\VBoxSupLib.DLL (rcNtResolve=0xc0150008) *pfFlags=0x0 pwszSearchPath=0000000000000801:<flags> [calling]
|
|---|
| 463 | f0.f4: supR3HardenedScreenImage/NtCreateSection: cache hit (Unknown Status 24202 (0x5e8a)) on \Device\HarddiskVolume4\Program Files\Oracle\VirtualBox\VBoxSupLib.dll [lacks WinVerifyTrust]
|
|---|
| 464 | f0.f4: supR3HardenedDllNotificationCallback: load 00007fffebc30000 LB 0x00005000 C:\Program Files\Oracle\VirtualBox\VBoxSupLib.DLL [fFlags=0x0]
|
|---|
| 465 | f0.f4: supR3HardenedScreenImage/LdrLoadDll: cache hit (Unknown Status 24202 (0x5e8a)) on \Device\HarddiskVolume4\Program Files\Oracle\VirtualBox\VBoxSupLib.dll [lacks WinVerifyTrust]
|
|---|
| 466 | f0.f4: supR3HardenedScreenImage/LdrLoadDll: cache hit (Unknown Status 24202 (0x5e8a)) on \Device\HarddiskVolume4\Program Files\Oracle\VirtualBox\VBoxSupLib.dll [lacks WinVerifyTrust]
|
|---|
| 467 | f0.f4: supR3HardenedMonitor_LdrLoadDll: pName=C:\Program Files\Oracle\VirtualBox\VBoxSupLib.DLL (rcNtResolve=0xc0150008) *pfFlags=0x0 pwszSearchPath=0000000000000001:<flags> [calling]
|
|---|
| 468 | f0.f4: supR3HardenedMonitor_LdrLoadDll: returns rcNt=0x0 hMod=00007fffebc30000 'C:\Program Files\Oracle\VirtualBox\VBoxSupLib.DLL'
|
|---|
| 469 | f0.f4: supR3HardenedScreenImage/LdrLoadDll: cache hit (Unknown Status 24202 (0x5e8a)) on \Device\HarddiskVolume4\Program Files\Oracle\VirtualBox\VBoxSupLib.dll [lacks WinVerifyTrust]
|
|---|
| 470 | f0.f4: supR3HardenedMonitor_LdrLoadDll: pName=C:\Program Files\Oracle\VirtualBox\VBoxSupLib.DLL (rcNtResolve=0xc0150008) *pfFlags=0x0 pwszSearchPath=0000000000000001:<flags> [calling]
|
|---|
| 471 | f0.f4: supR3HardenedMonitor_LdrLoadDll: returns rcNt=0x0 hMod=00007fffebc30000 'C:\Program Files\Oracle\VirtualBox\VBoxSupLib.DLL'
|
|---|
| 472 | f0.f4: supR3HardenedMonitor_LdrLoadDll: returns rcNt=0x0 hMod=00007fffebc30000 'C:\Program Files\Oracle\VirtualBox\VBoxSupLib.DLL'
|
|---|
| 473 | f0.f4: supR3HardenedWinVerifyCacheScheduleImports: Import todo: #0 'msvcrt.dll'.
|
|---|
| 474 | f0.f4: supR3HardenedWinVerifyCacheScheduleImports: Import todo: #1 'msasn1.dll'.
|
|---|
| 475 | f0.f4: supR3HardenedWinVerifyCacheScheduleImports: Import todo: #6 'crypt32.dll'.
|
|---|
| 476 | f0.f4: supR3HardenedWinVerifyCacheScheduleImports: Import todo: #27 'rpcrt4.dll'.
|
|---|
| 477 | f0.f4: supHardenedWinVerifyImageByHandle: -> 0 (\Device\HarddiskVolume4\Windows\System32\wintrust.dll)
|
|---|
| 478 | f0.f4: supR3HardenedWinVerifyCacheInsert: \Device\HarddiskVolume4\Windows\System32\wintrust.dll
|
|---|
| 479 | f0.f4: supR3HardenedWinVerifyCacheProcessImportTodos: Processing 'rpcrt4.dll'...
|
|---|
| 480 | f0.f4: supR3HardenedWinVerifyCacheProcessImportTodos: 'rpcrt4.dll' -> '\Device\HarddiskVolume4\Windows\System32\rpcrt4.dll' [rcNtRedir=0xc0150008]
|
|---|
| 481 | f0.f4: supHardenedWinVerifyImageByHandle: -> 0 (\Device\HarddiskVolume4\Windows\System32\rpcrt4.dll)
|
|---|
| 482 | f0.f4: supR3HardenedWinVerifyCacheInsert: \Device\HarddiskVolume4\Windows\System32\rpcrt4.dll
|
|---|
| 483 | f0.f4: supR3HardenedWinVerifyCacheProcessImportTodos: Processing 'crypt32.dll'...
|
|---|
| 484 | f0.f4: supR3HardenedWinVerifyCacheProcessImportTodos: 'crypt32.dll' -> '\Device\HarddiskVolume4\Windows\System32\crypt32.dll' [rcNtRedir=0xc0150008]
|
|---|
| 485 | f0.f4: supR3HardenedWinVerifyCacheScheduleImports: Import todo: #34 'msasn1.dll'.
|
|---|
| 486 | f0.f4: supHardenedWinVerifyImageByHandle: -> 0 (\Device\HarddiskVolume4\Windows\System32\crypt32.dll)
|
|---|
| 487 | f0.f4: supR3HardenedWinVerifyCacheInsert: \Device\HarddiskVolume4\Windows\System32\crypt32.dll
|
|---|
| 488 | f0.f4: supR3HardenedWinVerifyCacheProcessImportTodos: Processing 'msasn1.dll'...
|
|---|
| 489 | f0.f4: supR3HardenedWinVerifyCacheProcessImportTodos: 'msasn1.dll' -> '\Device\HarddiskVolume4\Windows\System32\msasn1.dll' [rcNtRedir=0xc0150008]
|
|---|
| 490 | f0.f4: supHardenedWinVerifyImageByHandle: -> 0 (\Device\HarddiskVolume4\Windows\System32\msasn1.dll)
|
|---|
| 491 | f0.f4: supR3HardenedWinVerifyCacheInsert: \Device\HarddiskVolume4\Windows\System32\msasn1.dll
|
|---|
| 492 | f0.f4: supR3HardenedWinVerifyCacheProcessImportTodos: Processing 'msvcrt.dll'...
|
|---|
| 493 | f0.f4: supR3HardenedWinVerifyCacheProcessImportTodos: 'msvcrt.dll' -> '\Device\HarddiskVolume4\Windows\System32\msvcrt.dll' [rcNtRedir=0xc0150008]
|
|---|
| 494 | f0.f4: supHardenedWinVerifyImageByHandle: -> 0 (\Device\HarddiskVolume4\Windows\System32\msvcrt.dll)
|
|---|
| 495 | f0.f4: supR3HardenedWinVerifyCacheInsert: \Device\HarddiskVolume4\Windows\System32\msvcrt.dll
|
|---|
| 496 | f0.f4: supR3HardenedWinVerifyCacheProcessImportTodos: Processing 'msasn1.dll'...
|
|---|
| 497 | f0.f4: supR3HardenedWinVerifyCacheProcessImportTodos: 'msasn1.dll' -> '\Device\HarddiskVolume4\Windows\System32\msasn1.dll' [rcNtRedir=0xc0150008]
|
|---|
| 498 | f0.f4: supR3HardenedScreenImage/Imports: cache hit (VINF_SUCCESS) on \Device\HarddiskVolume4\Windows\System32\msasn1.dll [lacks WinVerifyTrust]
|
|---|
| 499 | f0.f4: supR3HardenedMonitor_LdrLoadDll: pName=C:\WINDOWS\system32\Wintrust.dll (rcNtResolve=0xc0150008) *pfFlags=0x0 pwszSearchPath=0000000000000801:<flags> [calling]
|
|---|
| 500 | f0.f4: supR3HardenedIsApiSetDll: ApiSetQueryApiSetPresence(ext-ms-win-kernel32-errorhandling-l1-1-0.dll) -> 0x0, fPresent=1
|
|---|
| 501 | f0.f4: supR3HardenedMonitor_LdrLoadDll: pName=ext-ms-win-kernel32-errorhandling-l1-1-0.dll (rcNtResolve=0x0) *pfFlags=0x0 pwszSearchPath=0000000000000001:<flags> [calling]
|
|---|
| 502 | f0.f4: supR3HardenedMonitor_LdrLoadDll: returns rcNt=0x0 hMod=00007ffff37d0000 'ext-ms-win-kernel32-errorhandling-l1-1-0.dll'
|
|---|
| 503 | f0.f4: supR3HardenedDllNotificationCallback: load 00007ffff1d50000 LB 0x00120000 C:\WINDOWS\System32\RPCRT4.dll [fFlags=0x0]
|
|---|
| 504 | f0.f4: supR3HardenedScreenImage/LdrLoadDll: cache hit (VINF_SUCCESS) on \Device\HarddiskVolume4\Windows\System32\rpcrt4.dll [lacks WinVerifyTrust]
|
|---|
| 505 | f0.f4: supR3HardenedDllNotificationCallback: load 00007ffff1ba0000 LB 0x00097000 C:\WINDOWS\System32\sechost.dll [fFlags=0x0]
|
|---|
| 506 | f0.f4: supR3HardenedWinVerifyCacheScheduleImports: Import todo: #11 'rpcrt4.dll'.
|
|---|
| 507 | f0.f4: supHardenedWinVerifyImageByHandle: -> 0 (\Device\HarddiskVolume4\Windows\System32\sechost.dll)
|
|---|
| 508 | f0.f4: supR3HardenedWinVerifyCacheInsert: \Device\HarddiskVolume4\Windows\System32\sechost.dll
|
|---|
| 509 | f0.f4: '\Device\HarddiskVolume4\Windows\System32\ntdll.dll' has no imports
|
|---|
| 510 | f0.f4: supHardenedWinVerifyImageByHandle: -> 0 (\Device\HarddiskVolume4\Windows\System32\ntdll.dll)
|
|---|
| 511 | f0.f4: supR3HardenedWinVerifyCacheInsert: \Device\HarddiskVolume4\Windows\System32\ntdll.dll
|
|---|
| 512 | f0.f4: supR3HardenedWinVerifyCacheProcessImportTodos: Processing 'rpcrt4.dll'...
|
|---|
| 513 | f0.f4: supR3HardenedWinVerifyCacheProcessImportTodos: 'rpcrt4.dll' -> '\Device\HarddiskVolume4\Windows\System32\rpcrt4.dll' [rcNtRedir=0xc0150008]
|
|---|
| 514 | f0.f4: supR3HardenedScreenImage/Imports: cache hit (VINF_SUCCESS) on \Device\HarddiskVolume4\Windows\System32\rpcrt4.dll [lacks WinVerifyTrust]
|
|---|
| 515 | f0.f4: supR3HardenedMonitor_LdrLoadDll: pName=C:\WINDOWS\System32\ntdll.dll (Input=ntdll.dll, rcNtResolve=0xc0150008) *pfFlags=0x0 pwszSearchPath=0000000000000801:<flags> [calling]
|
|---|
| 516 | f0.f4: supR3HardenedMonitor_LdrLoadDll: returns rcNt=0x0 hMod=00007ffff39a0000 'C:\WINDOWS\System32\ntdll.dll'
|
|---|
| 517 | b34.9f4: supR3HardNtChildWaitFor[2]: Quitting: ExitCode=0xc0000005 (rcNtWait=0x0, rcNt1=0x0, rcNt2=0x103, rcNt3=0x103, 9541 ms, the end);
|
|---|
| 518 | 20c8.1664: supR3HardNtChildWaitFor[1]: Quitting: ExitCode=0xc0000005 (rcNtWait=0x0, rcNt1=0x0, rcNt2=0x103, rcNt3=0x103, 10082 ms, the end);
|
|---|