| 1 | 397c.3980: Log file opened: 6.1.10r138449 g_hStartupLog=0000000000000074 g_uNtVerCombined=0xa0456300
|
|---|
| 2 | 397c.3980: \SystemRoot\System32\ntdll.dll:
|
|---|
| 3 | 397c.3980: CreationTime: 2020-05-26T07:46:58.961376500Z
|
|---|
| 4 | 397c.3980: LastWriteTime: 2020-05-26T07:46:59.067755000Z
|
|---|
| 5 | 397c.3980: ChangeTime: 2020-05-26T09:00:47.491954900Z
|
|---|
| 6 | 397c.3980: FileAttributes: 0x20
|
|---|
| 7 | 397c.3980: Size: 0x1e7010
|
|---|
| 8 | 397c.3980: NT Headers: 0xe0
|
|---|
| 9 | 397c.3980: Timestamp: 0x5854f5da
|
|---|
| 10 | 397c.3980: Machine: 0x8664 - amd64
|
|---|
| 11 | 397c.3980: Timestamp: 0x5854f5da
|
|---|
| 12 | 397c.3980: Image Version: 10.0
|
|---|
| 13 | 397c.3980: SizeOfImage: 0x1ed000 (2019328)
|
|---|
| 14 | 397c.3980: Resource Dir: 0x17d000 LB 0x6eb48
|
|---|
| 15 | 397c.3980: [Version info resource found at 0xd8! (ID/Name: 0x1; SubID/SubName: 0x409)]
|
|---|
| 16 | 397c.3980: [Raw version resource data: 0x17d0f0 LB 0x380, codepage 0x0 (reserved 0x0)]
|
|---|
| 17 | 397c.3980: ProductName: Microsoft® Windows® Operating System
|
|---|
| 18 | 397c.3980: ProductVersion: 10.0.17763.1192
|
|---|
| 19 | 397c.3980: FileVersion: 10.0.17763.1192 (WinBuild.160101.0800)
|
|---|
| 20 | 397c.3980: FileDescription: NT Layer DLL
|
|---|
| 21 | 397c.3980: \SystemRoot\System32\kernel32.dll:
|
|---|
| 22 | 397c.3980: CreationTime: 2020-04-29T18:47:47.414874300Z
|
|---|
| 23 | 397c.3980: LastWriteTime: 2020-04-29T18:47:47.462833000Z
|
|---|
| 24 | 397c.3980: ChangeTime: 2020-05-26T07:49:56.708165800Z
|
|---|
| 25 | 397c.3980: FileAttributes: 0x20
|
|---|
| 26 | 397c.3980: Size: 0xb1390
|
|---|
| 27 | 397c.3980: NT Headers: 0xe8
|
|---|
| 28 | 397c.3980: Timestamp: 0x6314bdeb
|
|---|
| 29 | 397c.3980: Machine: 0x8664 - amd64
|
|---|
| 30 | 397c.3980: Timestamp: 0x6314bdeb
|
|---|
| 31 | 397c.3980: Image Version: 10.0
|
|---|
| 32 | 397c.3980: SizeOfImage: 0xb3000 (733184)
|
|---|
| 33 | 397c.3980: Resource Dir: 0xb1000 LB 0x520
|
|---|
| 34 | 397c.3980: [Version info resource found at 0x90! (ID/Name: 0x1; SubID/SubName: 0x409)]
|
|---|
| 35 | 397c.3980: [Raw version resource data: 0xb10b0 LB 0x3a4, codepage 0x0 (reserved 0x0)]
|
|---|
| 36 | 397c.3980: ProductName: Microsoft® Windows® Operating System
|
|---|
| 37 | 397c.3980: ProductVersion: 10.0.17763.1158
|
|---|
| 38 | 397c.3980: FileVersion: 10.0.17763.1158 (WinBuild.160101.0800)
|
|---|
| 39 | 397c.3980: FileDescription: Windows NT BASE API Client DLL
|
|---|
| 40 | 397c.3980: \SystemRoot\System32\KernelBase.dll:
|
|---|
| 41 | 397c.3980: CreationTime: 2020-05-26T07:46:58.687423000Z
|
|---|
| 42 | 397c.3980: LastWriteTime: 2020-05-26T07:46:58.795776700Z
|
|---|
| 43 | 397c.3980: ChangeTime: 2020-05-26T09:00:45.867071800Z
|
|---|
| 44 | 397c.3980: FileAttributes: 0x20
|
|---|
| 45 | 397c.3980: Size: 0x295510
|
|---|
| 46 | 397c.3980: NT Headers: 0x100
|
|---|
| 47 | 397c.3980: Timestamp: 0x7889407f
|
|---|
| 48 | 397c.3980: Machine: 0x8664 - amd64
|
|---|
| 49 | 397c.3980: Timestamp: 0x7889407f
|
|---|
| 50 | 397c.3980: Image Version: 10.0
|
|---|
| 51 | 397c.3980: SizeOfImage: 0x295000 (2707456)
|
|---|
| 52 | 397c.3980: Resource Dir: 0x271000 LB 0x548
|
|---|
| 53 | 397c.3980: [Version info resource found at 0x90! (ID/Name: 0x1; SubID/SubName: 0x409)]
|
|---|
| 54 | 397c.3980: [Raw version resource data: 0x2710b0 LB 0x3bc, codepage 0x0 (reserved 0x0)]
|
|---|
| 55 | 397c.3980: ProductName: Microsoft® Windows® Operating System
|
|---|
| 56 | 397c.3980: ProductVersion: 10.0.17763.1192
|
|---|
| 57 | 397c.3980: FileVersion: 10.0.17763.1192 (WinBuild.160101.0800)
|
|---|
| 58 | 397c.3980: FileDescription: Windows NT BASE API Client DLL
|
|---|
| 59 | 397c.3980: \SystemRoot\System32\apisetschema.dll:
|
|---|
| 60 | 397c.3980: CreationTime: 2018-09-15T07:28:25.403122600Z
|
|---|
| 61 | 397c.3980: LastWriteTime: 2018-09-15T07:28:25.403122600Z
|
|---|
| 62 | 397c.3980: ChangeTime: 2019-01-14T10:16:21.000579800Z
|
|---|
| 63 | 397c.3980: FileAttributes: 0x20
|
|---|
| 64 | 397c.3980: Size: 0x1c738
|
|---|
| 65 | 397c.3980: NT Headers: 0xd0
|
|---|
| 66 | 397c.3980: Timestamp: 0x33775897
|
|---|
| 67 | 397c.3980: Machine: 0x8664 - amd64
|
|---|
| 68 | 397c.3980: Timestamp: 0x33775897
|
|---|
| 69 | 397c.3980: Image Version: 10.0
|
|---|
| 70 | 397c.3980: SizeOfImage: 0x1d000 (118784)
|
|---|
| 71 | 397c.3980: Resource Dir: 0x1c000 LB 0x408
|
|---|
| 72 | 397c.3980: [Version info resource found at 0x48! (ID/Name: 0x1; SubID/SubName: 0x409)]
|
|---|
| 73 | 397c.3980: [Raw version resource data: 0x1c060 LB 0x3a8, codepage 0x0 (reserved 0x0)]
|
|---|
| 74 | 397c.3980: ProductName: Microsoft® Windows® Operating System
|
|---|
| 75 | 397c.3980: ProductVersion: 10.0.17763.1
|
|---|
| 76 | 397c.3980: FileVersion: 10.0.17763.1 (WinBuild.160101.0800)
|
|---|
| 77 | 397c.3980: FileDescription: ApiSet Schema DLL
|
|---|
| 78 | 397c.3980: NtOpenDirectoryObject failed on \Driver: 0xc0000022
|
|---|
| 79 | 397c.3980: supR3HardenedWinFindAdversaries: 0x40000
|
|---|
| 80 | 397c.3980: \SystemRoot\System32\drivers\SophosED.sys:
|
|---|
| 81 | 397c.3980: CreationTime: 2018-09-05T12:39:36.486269100Z
|
|---|
| 82 | 397c.3980: LastWriteTime: 2020-02-03T20:27:53.000000000Z
|
|---|
| 83 | 397c.3980: ChangeTime: 2020-04-27T12:47:41.839047600Z
|
|---|
| 84 | 397c.3980: FileAttributes: 0x20
|
|---|
| 85 | 397c.3980: Size: 0x10aae0
|
|---|
| 86 | 397c.3980: NT Headers: 0xf0
|
|---|
| 87 | 397c.3980: Timestamp: 0x5e384b3c
|
|---|
| 88 | 397c.3980: Machine: 0x8664 - amd64
|
|---|
| 89 | 397c.3980: Timestamp: 0x5e384b3c
|
|---|
| 90 | 397c.3980: Image Version: 10.0
|
|---|
| 91 | 397c.3980: SizeOfImage: 0x10c000 (1097728)
|
|---|
| 92 | 397c.3980: Resource Dir: 0x104000 LB 0x6740
|
|---|
| 93 | 397c.3980: [Version info resource found at 0x570! (ID/Name: 0x1; SubID/SubName: 0x409)]
|
|---|
| 94 | 397c.3980: [Raw version resource data: 0x104580 LB 0x4b8, codepage 0x0 (reserved 0x0)]
|
|---|
| 95 | 397c.3980: ProductName: Sophos Endpoint Defense
|
|---|
| 96 | 397c.3980: ProductVersion: 2.2.0
|
|---|
| 97 | 397c.3980: FileVersion: 2.2.0.3438
|
|---|
| 98 | 397c.3980: FileDescription: Sophos Endpoint Defense Mini-Filter Driver
|
|---|
| 99 | 397c.3980: supR3HardenedWinInitAppBin(0x0): '\Device\HarddiskVolume2\Program Files\Oracle\VirtualBox'
|
|---|
| 100 | 397c.3980: Calling main()
|
|---|
| 101 | 397c.3980: SUPR3HardenedMain: pszProgName=VirtualBoxVM fFlags=0x2
|
|---|
| 102 | 397c.3980: supR3HardenedWinInitAppBin(0x2): '\Device\HarddiskVolume2\Program Files\Oracle\VirtualBox'
|
|---|
| 103 | 397c.3980: SUPR3HardenedMain: Respawn #1
|
|---|
| 104 | 397c.3980: System32: \Device\HarddiskVolume2\Windows\System32
|
|---|
| 105 | 397c.3980: WinSxS: \Device\HarddiskVolume2\Windows\WinSxS
|
|---|
| 106 | 397c.3980: KnownDllPath: C:\WINDOWS\System32
|
|---|
| 107 | 397c.3980: supR3HardenedWinInit: Performing a limited self purification...
|
|---|
| 108 | 397c.3980: supHardNtVpScanVirtualMemory: enmKind=SELF_PURIFICATION
|
|---|
| 109 | 397c.3980: *0000000000000000-000000000099ffff 0x0001/0x0000 0x0000000
|
|---|
| 110 | 397c.3980: *00000000009a0000-00000000009affff 0x0004/0x0004 0x0040000
|
|---|
| 111 | 397c.3980: 00000000009b0000-00000000009bffff 0x0001/0x0000 0x0000000
|
|---|
| 112 | 397c.3980: *00000000009c0000-00000000009d9fff 0x0002/0x0002 0x0040000
|
|---|
| 113 | 397c.3980: 00000000009da000-00000000009dffff 0x0001/0x0000 0x0000000
|
|---|
| 114 | 397c.3980: *00000000009e0000-00000000009e3fff 0x0002/0x0002 0x0040000
|
|---|
| 115 | 397c.3980: 00000000009e4000-00000000009effff 0x0001/0x0000 0x0000000
|
|---|
| 116 | 397c.3980: *00000000009f0000-00000000009f1fff 0x0004/0x0004 0x0020000
|
|---|
| 117 | 397c.3980: 00000000009f2000-00000000009fffff 0x0001/0x0000 0x0000000
|
|---|
| 118 | 397c.3980: *0000000000a00000-0000000000ad9fff 0x0000/0x0004 0x0020000
|
|---|
| 119 | 397c.3980: 0000000000ada000-0000000000adcfff 0x0004/0x0004 0x0020000
|
|---|
| 120 | 397c.3980: 0000000000add000-0000000000bfffff 0x0000/0x0004 0x0020000
|
|---|
| 121 | 397c.3980: *0000000000c00000-0000000000cb0fff 0x0000/0x0004 0x0020000
|
|---|
| 122 | 397c.3980: 0000000000cb1000-0000000000cb3fff 0x0104/0x0004 0x0020000
|
|---|
| 123 | 397c.3980: 0000000000cb4000-0000000000cfffff 0x0004/0x0004 0x0020000
|
|---|
| 124 | 397c.3980: 0000000000d00000-0000000000d0ffff 0x0001/0x0000 0x0000000
|
|---|
| 125 | 397c.3980: *0000000000d10000-0000000000d11fff 0x0004/0x0004 0x0020000
|
|---|
| 126 | 397c.3980: 0000000000d12000-0000000000d41fff 0x0000/0x0004 0x0020000
|
|---|
| 127 | 397c.3980: 0000000000d42000-0000000000d7ffff 0x0001/0x0000 0x0000000
|
|---|
| 128 | 397c.3980: *0000000000d80000-0000000000e24fff 0x0004/0x0004 0x0020000
|
|---|
| 129 | 397c.3980: 0000000000e25000-0000000000e7ffff 0x0000/0x0004 0x0020000
|
|---|
| 130 | 397c.3980: *0000000000e80000-0000000000f44fff 0x0002/0x0002 0x0040000
|
|---|
| 131 | 397c.3980: 0000000000f45000-0000000000f4ffff 0x0001/0x0000 0x0000000
|
|---|
| 132 | 397c.3980: *0000000000f50000-0000000000f51fff 0x0004/0x0004 0x0020000
|
|---|
| 133 | 397c.3980: 0000000000f52000-0000000000f81fff 0x0000/0x0004 0x0020000
|
|---|
| 134 | 397c.3980: 0000000000f82000-0000000000faffff 0x0001/0x0000 0x0000000
|
|---|
| 135 | 397c.3980: *0000000000fb0000-00000000010affff 0x0004/0x0004 0x0020000
|
|---|
| 136 | 397c.3980: 00000000010b0000-000000000111ffff 0x0001/0x0000 0x0000000
|
|---|
| 137 | 397c.3980: *0000000001120000-000000000112efff 0x0004/0x0004 0x0020000
|
|---|
| 138 | 397c.3980: 000000000112f000-000000000112ffff 0x0000/0x0004 0x0020000
|
|---|
| 139 | 397c.3980: *0000000001130000-000000000113cfff 0x0000/0x0004 0x0020000
|
|---|
| 140 | 397c.3980: 000000000113d000-000000000132afff 0x0004/0x0004 0x0020000
|
|---|
| 141 | 397c.3980: 000000000132b000-000000000132bfff 0x0000/0x0004 0x0020000
|
|---|
| 142 | 397c.3980: 000000000132c000-000000000132ffff 0x0001/0x0000 0x0000000
|
|---|
| 143 | 397c.3980: *0000000001330000-000000000134cfff 0x0004/0x0004 0x0020000
|
|---|
| 144 | 397c.3980: 000000000134d000-000000000142ffff 0x0000/0x0004 0x0020000
|
|---|
| 145 | 397c.3980: 0000000001430000-000000007ffdffff 0x0001/0x0000 0x0000000
|
|---|
| 146 | 397c.3980: *000000007ffe0000-000000007ffe0fff 0x0002/0x0002 0x0020000
|
|---|
| 147 | 397c.3980: 000000007ffe1000-000000007ffe4fff 0x0001/0x0000 0x0000000
|
|---|
| 148 | 397c.3980: *000000007ffe5000-000000007ffe5fff 0x0002/0x0002 0x0020000
|
|---|
| 149 | 397c.3980: 000000007ffe6000-00007ff4cbc1ffff 0x0001/0x0000 0x0000000
|
|---|
| 150 | 397c.3980: *00007ff4cbc20000-00007ff4cbc24fff 0x0002/0x0002 0x0040000
|
|---|
| 151 | 397c.3980: 00007ff4cbc25000-00007ff4cbd1ffff 0x0000/0x0002 0x0040000
|
|---|
| 152 | 397c.3980: *00007ff4cbd20000-00007ff5cbd3ffff 0x0000/0x0004 0x0020000
|
|---|
| 153 | 397c.3980: *00007ff5cbd40000-00007ff5cdd3ffff 0x0000/0x0004 0x0020000
|
|---|
| 154 | 397c.3980: 00007ff5cdd40000-00007ff5cdd40fff 0x0004/0x0004 0x0020000
|
|---|
| 155 | 397c.3980: 00007ff5cdd41000-00007ff5cdd4ffff 0x0001/0x0000 0x0000000
|
|---|
| 156 | 397c.3980: *00007ff5cdd50000-00007ff5cdd50fff 0x0002/0x0002 0x0040000
|
|---|
| 157 | 397c.3980: 00007ff5cdd51000-00007ff5cdd5ffff 0x0001/0x0000 0x0000000
|
|---|
| 158 | 397c.3980: *00007ff5cdd60000-00007ff5cdd82fff 0x0002/0x0002 0x0040000
|
|---|
| 159 | 397c.3980: 00007ff5cdd83000-00007ff6a7ceffff 0x0001/0x0000 0x0000000
|
|---|
| 160 | 397c.3980: *00007ff6a7cf0000-00007ff6a7cf0fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe
|
|---|
| 161 | 397c.3980: 00007ff6a7cf1000-00007ff6a7d66fff 0x0020/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe
|
|---|
| 162 | 397c.3980: 00007ff6a7d67000-00007ff6a7d67fff 0x0080/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe
|
|---|
| 163 | 397c.3980: 00007ff6a7d68000-00007ff6a7daffff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe
|
|---|
| 164 | 397c.3980: 00007ff6a7db0000-00007ff6a7db2fff 0x0004/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe
|
|---|
| 165 | 397c.3980: 00007ff6a7db3000-00007ff6a7db5fff 0x0008/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe
|
|---|
| 166 | 397c.3980: 00007ff6a7db6000-00007ff6a7db8fff 0x0004/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe
|
|---|
| 167 | 397c.3980: 00007ff6a7db9000-00007ff6a7db9fff 0x0008/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe
|
|---|
| 168 | 397c.3980: 00007ff6a7dba000-00007ff6a7dbbfff 0x0004/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe
|
|---|
| 169 | 397c.3980: 00007ff6a7dbc000-00007ff6a7dbcfff 0x0008/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe
|
|---|
| 170 | 397c.3980: 00007ff6a7dbd000-00007ff6a7e05fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe
|
|---|
| 171 | 397c.3980: 00007ff6a7e06000-00007ffec8e2ffff 0x0001/0x0000 0x0000000
|
|---|
| 172 | 397c.3980: *00007ffec8e30000-00007ffec8e30fff 0x0020/0x0040 0x0020000 !!
|
|---|
| 173 | 397c.3980: 00007ffec8e31000-00007ffeee3cffff 0x0001/0x0000 0x0000000
|
|---|
| 174 | 397c.3980: *00007ffeee3d0000-00007ffeee3d0fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\hmpalert.dll
|
|---|
| 175 | 397c.3980: supHardNtVpScanVirtualMemory: Ignoring unknown mem at 00007ffeee3d0000 LB 0x1000 (base 00007ffeee3d0000) - 'hmpalert.dll'
|
|---|
| 176 | 397c.3980: 00007ffeee3d1000-00007ffeee48bfff 0x0020/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\hmpalert.dll
|
|---|
| 177 | 397c.3980: supHardNtVpScanVirtualMemory: Ignoring unknown mem at 00007ffeee3d1000 LB 0xbb000 (base 00007ffeee3d0000) - 'hmpalert.dll'
|
|---|
| 178 | 397c.3980: 00007ffeee48c000-00007ffeee4cafff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\hmpalert.dll
|
|---|
| 179 | 397c.3980: supHardNtVpScanVirtualMemory: Ignoring unknown mem at 00007ffeee48c000 LB 0x3f000 (base 00007ffeee3d0000) - 'hmpalert.dll'
|
|---|
| 180 | 397c.3980: 00007ffeee4cb000-00007ffeee4cbfff 0x0004/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\hmpalert.dll
|
|---|
| 181 | 397c.3980: supHardNtVpScanVirtualMemory: Ignoring unknown mem at 00007ffeee4cb000 LB 0x1000 (base 00007ffeee3d0000) - 'hmpalert.dll'
|
|---|
| 182 | 397c.3980: 00007ffeee4cc000-00007ffeee4ccfff 0x0008/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\hmpalert.dll
|
|---|
| 183 | 397c.3980: supHardNtVpScanVirtualMemory: Ignoring unknown mem at 00007ffeee4cc000 LB 0x1000 (base 00007ffeee3d0000) - 'hmpalert.dll'
|
|---|
| 184 | 397c.3980: 00007ffeee4cd000-00007ffeee4cffff 0x0004/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\hmpalert.dll
|
|---|
| 185 | 397c.3980: supHardNtVpScanVirtualMemory: Ignoring unknown mem at 00007ffeee4cd000 LB 0x3000 (base 00007ffeee3d0000) - 'hmpalert.dll'
|
|---|
| 186 | 397c.3980: 00007ffeee4d0000-00007ffeee4d3fff 0x0008/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\hmpalert.dll
|
|---|
| 187 | 397c.3980: supHardNtVpScanVirtualMemory: Ignoring unknown mem at 00007ffeee4d0000 LB 0x4000 (base 00007ffeee3d0000) - 'hmpalert.dll'
|
|---|
| 188 | 397c.3980: 00007ffeee4d4000-00007ffeee4d4fff 0x0004/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\hmpalert.dll
|
|---|
| 189 | 397c.3980: supHardNtVpScanVirtualMemory: Ignoring unknown mem at 00007ffeee4d4000 LB 0x1000 (base 00007ffeee3d0000) - 'hmpalert.dll'
|
|---|
| 190 | 397c.3980: 00007ffeee4d5000-00007ffeee4d5fff 0x0008/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\hmpalert.dll
|
|---|
| 191 | 397c.3980: supHardNtVpScanVirtualMemory: Ignoring unknown mem at 00007ffeee4d5000 LB 0x1000 (base 00007ffeee3d0000) - 'hmpalert.dll'
|
|---|
| 192 | 397c.3980: 00007ffeee4d6000-00007ffeee4dbfff 0x0004/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\hmpalert.dll
|
|---|
| 193 | 397c.3980: supHardNtVpScanVirtualMemory: Ignoring unknown mem at 00007ffeee4d6000 LB 0x6000 (base 00007ffeee3d0000) - 'hmpalert.dll'
|
|---|
| 194 | 397c.3980: 00007ffeee4dc000-00007ffeee4f6fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\hmpalert.dll
|
|---|
| 195 | 397c.3980: supHardNtVpScanVirtualMemory: Ignoring unknown mem at 00007ffeee4dc000 LB 0x1b000 (base 00007ffeee3d0000) - 'hmpalert.dll'
|
|---|
| 196 | 397c.3980: 00007ffeee4f7000-00007ffefc75ffff 0x0001/0x0000 0x0000000
|
|---|
| 197 | 397c.3980: *00007ffefc760000-00007ffefc760fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\KernelBase.dll
|
|---|
| 198 | 397c.3980: 00007ffefc761000-00007ffefc864fff 0x0020/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\KernelBase.dll
|
|---|
| 199 | 397c.3980: 00007ffefc865000-00007ffefc9bbfff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\KernelBase.dll
|
|---|
| 200 | 397c.3980: 00007ffefc9bc000-00007ffefc9bffff 0x0004/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\KernelBase.dll
|
|---|
| 201 | 397c.3980: 00007ffefc9c0000-00007ffefc9c0fff 0x0008/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\KernelBase.dll
|
|---|
| 202 | 397c.3980: 00007ffefc9c1000-00007ffefc9f4fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\KernelBase.dll
|
|---|
| 203 | 397c.3980: 00007ffefc9f5000-00007ffefcdeffff 0x0001/0x0000 0x0000000
|
|---|
| 204 | 397c.3980: *00007ffefcdf0000-00007ffefcdf0fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\kernel32.dll
|
|---|
| 205 | 397c.3980: 00007ffefcdf1000-00007ffefce66fff 0x0020/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\kernel32.dll
|
|---|
| 206 | 397c.3980: 00007ffefce67000-00007ffefce98fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\kernel32.dll
|
|---|
| 207 | 397c.3980: 00007ffefce99000-00007ffefce99fff 0x0004/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\kernel32.dll
|
|---|
| 208 | 397c.3980: 00007ffefce9a000-00007ffefce9afff 0x0008/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\kernel32.dll
|
|---|
| 209 | 397c.3980: 00007ffefce9b000-00007ffefcea2fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\kernel32.dll
|
|---|
| 210 | 397c.3980: 00007ffefcea3000-00007ffeffbcffff 0x0001/0x0000 0x0000000
|
|---|
| 211 | 397c.3980: *00007ffeffbd0000-00007ffeffbd0fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll
|
|---|
| 212 | 397c.3980: 00007ffeffbd1000-00007ffeffce7fff 0x0020/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll
|
|---|
| 213 | 397c.3980: 00007ffeffce8000-00007ffeffd2efff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll
|
|---|
| 214 | 397c.3980: 00007ffeffd2f000-00007ffeffd2ffff 0x0004/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll
|
|---|
| 215 | 397c.3980: 00007ffeffd30000-00007ffeffd31fff 0x0008/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll
|
|---|
| 216 | 397c.3980: 00007ffeffd32000-00007ffeffd39fff 0x0004/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll
|
|---|
| 217 | 397c.3980: 00007ffeffd3a000-00007ffeffdbcfff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll
|
|---|
| 218 | 397c.3980: 00007ffeffdbd000-00007ffffffeffff 0x0001/0x0000 0x0000000
|
|---|
| 219 | 397c.3980: kernel32.dll: timestamp 0x6314bdeb (rc=VINF_SUCCESS)
|
|---|
| 220 | 397c.3980: kernelbase.dll: timestamp 0x7889407f (rc=VINF_SUCCESS)
|
|---|
| 221 | 397c.3980: VirtualBoxVM.exe: timestamp 0x5ed9201b (rc=VINF_SUCCESS)
|
|---|
| 222 | 397c.3980: '\Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe' has no imports
|
|---|
| 223 | 397c.3980: '\Device\HarddiskVolume2\Windows\System32\ntdll.dll' has no imports
|
|---|
| 224 | 397c.3980: ntdll.dll: Differences in section #1 (.text) between file and memory:
|
|---|
| 225 | 397c.3980: 00007ffeffc157e0 / 0x00457e0: 48 != e9
|
|---|
| 226 | 397c.3980: 00007ffeffc157e1 / 0x00457e1: 89 != 2f
|
|---|
| 227 | 397c.3980: 00007ffeffc157e2 / 0x00457e2: 5c != b6
|
|---|
| 228 | 397c.3980: 00007ffeffc157e3 / 0x00457e3: 24 != 21
|
|---|
| 229 | 397c.3980: 00007ffeffc157e4 / 0x00457e4: 10 != c9
|
|---|
| 230 | 397c.3980: Restored 0x2000 bytes of original file content at 00007ffeffc15000
|
|---|
| 231 | 397c.3980: ntdll.dll: Differences in section #1 (.text) between file and memory:
|
|---|
| 232 | 397c.3980: 00007ffeffc27f50 / 0x0057f50: 48 != e9
|
|---|
| 233 | 397c.3980: 00007ffeffc27f51 / 0x0057f51: 89 != 43
|
|---|
| 234 | 397c.3980: 00007ffeffc27f52 / 0x0057f52: 5c != 90
|
|---|
| 235 | 397c.3980: 00007ffeffc27f53 / 0x0057f53: 24 != 20
|
|---|
| 236 | 397c.3980: 00007ffeffc27f54 / 0x0057f54: 08 != c9
|
|---|
| 237 | 397c.3980: Restored 0x2000 bytes of original file content at 00007ffeffc27000
|
|---|
| 238 | 397c.3980: ntdll.dll: Differences in section #1 (.text) between file and memory:
|
|---|
| 239 | 397c.3980: 00007ffeffc6fa50 / 0x009fa50: 4c != e9
|
|---|
| 240 | 397c.3980: 00007ffeffc6fa51 / 0x009fa51: 8b != 01
|
|---|
| 241 | 397c.3980: 00007ffeffc6fa52 / 0x009fa52: d1 != 15
|
|---|
| 242 | 397c.3980: 00007ffeffc6fa53 / 0x009fa53: b8 != 1c
|
|---|
| 243 | 397c.3980: 00007ffeffc6fa54 / 0x009fa54: 18 != c9
|
|---|
| 244 | 397c.3980: 00007ffeffc6fb10 / 0x009fb10: 4c != e9
|
|---|
| 245 | 397c.3980: 00007ffeffc6fb11 / 0x009fb11: 8b != 01
|
|---|
| 246 | 397c.3980: 00007ffeffc6fb12 / 0x009fb12: d1 != 14
|
|---|
| 247 | 397c.3980: 00007ffeffc6fb13 / 0x009fb13: b8 != 1c
|
|---|
| 248 | 397c.3980: 00007ffeffc6fb14 / 0x009fb14: 1e != c9
|
|---|
| 249 | 397c.3980: 00007ffeffc6fc50 / 0x009fc50: 4c != e9
|
|---|
| 250 | 397c.3980: 00007ffeffc6fc51 / 0x009fc51: 8b != 41
|
|---|
| 251 | 397c.3980: 00007ffeffc6fc52 / 0x009fc52: d1 != 12
|
|---|
| 252 | 397c.3980: 00007ffeffc6fc53 / 0x009fc53: b8 != 1c
|
|---|
| 253 | 397c.3980: 00007ffeffc6fc54 / 0x009fc54: 28 != c9
|
|---|
| 254 | 397c.3980: 00007ffeffc6fc90 / 0x009fc90: 4c != e9
|
|---|
| 255 | 397c.3980: 00007ffeffc6fc91 / 0x009fc91: 8b != c1
|
|---|
| 256 | 397c.3980: 00007ffeffc6fc92 / 0x009fc92: d1 != 11
|
|---|
| 257 | 397c.3980: 00007ffeffc6fc93 / 0x009fc93: b8 != 1c
|
|---|
| 258 | 397c.3980: 00007ffeffc6fc94 / 0x009fc94: 2a != c9
|
|---|
| 259 | 397c.3980: 00007ffeffc70150 / 0x00a0150: 4c != e9
|
|---|
| 260 | 397c.3980: 00007ffeffc70151 / 0x00a0151: 8b != 81
|
|---|
| 261 | 397c.3980: 00007ffeffc70152 / 0x00a0152: d1 != 0d
|
|---|
| 262 | 397c.3980: 00007ffeffc70153 / 0x00a0153: b8 != 1c
|
|---|
| 263 | 397c.3980: 00007ffeffc70154 / 0x00a0154: 50 != c9
|
|---|
| 264 | 397c.3980: 00007ffeffc70620 / 0x00a0620: 4c != e9
|
|---|
| 265 | 397c.3980: 00007ffeffc70621 / 0x00a0621: 8b != 31
|
|---|
| 266 | 397c.3980: 00007ffeffc70622 / 0x00a0622: d1 != 07
|
|---|
| 267 | 397c.3980: 00007ffeffc70623 / 0x00a0623: b8 != 1c
|
|---|
| 268 | 397c.3980: 00007ffeffc70624 / 0x00a0624: 77 != c9
|
|---|
| 269 | 397c.3980: Restored 0x2000 bytes of original file content at 00007ffeffc6f66e
|
|---|
| 270 | 397c.3980: ntdll.dll: Differences in section #1 (.text) between file and memory:
|
|---|
| 271 | 397c.3980: 00007ffeffc727c0 / 0x00a27c0: 4c != e9
|
|---|
| 272 | 397c.3980: 00007ffeffc727c1 / 0x00a27c1: 8b != 11
|
|---|
| 273 | 397c.3980: 00007ffeffc727c2 / 0x00a27c2: d1 != e6
|
|---|
| 274 | 397c.3980: 00007ffeffc727c3 / 0x00a27c3: b8 != 1b
|
|---|
| 275 | 397c.3980: 00007ffeffc727c4 / 0x00a27c4: 84 != c9
|
|---|
| 276 | 397c.3980: 00007ffeffc73080 / 0x00a3080: 4c != e9
|
|---|
| 277 | 397c.3980: 00007ffeffc73081 / 0x00a3081: 8b != 51
|
|---|
| 278 | 397c.3980: 00007ffeffc73082 / 0x00a3082: d1 != df
|
|---|
| 279 | 397c.3980: 00007ffeffc73083 / 0x00a3083: b8 != 1b
|
|---|
| 280 | 397c.3980: 00007ffeffc73084 / 0x00a3084: ca != c9
|
|---|
| 281 | 397c.3980: Restored 0x1d12 bytes of original file content at 00007ffeffc7166e
|
|---|
| 282 | 397c.3980: kernelbase.dll: Differences in section #1 (.text) between file and memory:
|
|---|
| 283 | 397c.3980: 00007ffefc7a6740 / 0x0046740: 40 != e9
|
|---|
| 284 | 397c.3980: 00007ffefc7a6741 / 0x0046741: 53 != 4f
|
|---|
| 285 | 397c.3980: 00007ffefc7a6742 / 0x0046742: 56 != a6
|
|---|
| 286 | 397c.3980: 00007ffefc7a6743 / 0x0046743: 57 != 68
|
|---|
| 287 | 397c.3980: 00007ffefc7a6744 / 0x0046744: 41 != cc
|
|---|
| 288 | 397c.3980: Restored 0x2000 bytes of original file content at 00007ffefc7a5000
|
|---|
| 289 | 397c.3980: supR3HardenedWinInit: SUPHARDNTVPKIND_SELF_PURIFICATION_LIMITED -> VINF_SUCCESS, cFixes=5
|
|---|
| 290 | 397c.3980: '\Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe' has no imports
|
|---|
| 291 | 397c.3980: supHardenedWinVerifyImageByHandle: -> 24202 (\Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe)
|
|---|
| 292 | 397c.3980: supR3HardNtEnableThreadCreationEx:
|
|---|
| 293 | 397c.3980: supR3HardNtDisableThreadCreation: pvLdrInitThunk=00007ffeffc45660 pvNtTerminateThread=00007ffeffc701b0
|
|---|
| 294 | 397c.3980: supR3HardenedWinDoReSpawn(1): New child 39b8.39bc [kernel32].
|
|---|
| 295 | 397c.3980: supR3HardNtChildGatherData: PebBaseAddress=00000000003f3000 cbPeb=0x388
|
|---|
| 296 | 397c.3980: supR3HardNtPuChFindNtdll: uNtDllParentAddr=00007ffeffbd0000 uNtDllChildAddr=00007ffeffbd0000
|
|---|
| 297 | 397c.3980: supR3HardenedWinSetupChildInit: uLdrInitThunk=00007ffeffc45660
|
|---|
| 298 | 397c.3980: supR3HardenedWinSetupChildInit: Initial context:
|
|---|
| 299 | rax=0000000000000000 rbx=0000000000000000 rcx=00007ff6a7cf7900 rdx=00000000003f3000
|
|---|
| 300 | rsi=0000000000000000 rdi=0000000000000000 r8 =0000000000000000 r9 =0000000000000000
|
|---|
| 301 | r10=0000000000000000 r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
|
|---|
| 302 | r14=0000000000000000 r15=0000000000000000 P1=0000000000000000 P2=0000000000000000
|
|---|
| 303 | rip=00007ffeffc3a250 rsp=00000000004fffb8 rbp=0000000000000000 ctxflags=0010001b
|
|---|
| 304 | cs=0033 ss=002b ds=0000 es=0000 fs=0000 gs=0000 eflags=00000200 mxcrx=00001f80
|
|---|
| 305 | P3=0000000000000000 P4=0000000000000000 P5=0000000000000000 P6=0000000000000000
|
|---|
| 306 | dr0=0000000000000000 dr1=0000000000000000 dr2=0000000000000000 dr3=0000000000000000
|
|---|
| 307 | dr6=0000000000000000 dr7=0000000000000000 vcr=0000000000000000 dcr=0000000000000000
|
|---|
| 308 | lbt=0000000000000000 lbf=0000000000000000 lxt=0000000000000000 lxf=0000000000000000
|
|---|
| 309 | 397c.3980: supR3HardenedWinSetupChildInit: Start child.
|
|---|
| 310 | 397c.3980: supR3HardNtChildWaitFor: Found expected request 0 (PurifyChildAndCloseHandles) after 0 ms.
|
|---|
| 311 | 397c.3980: supR3HardNtChildPurify: Startup delay kludge #1/0: 517 ms, 30 sleeps
|
|---|
| 312 | 397c.3980: supHardNtVpScanVirtualMemory: enmKind=CHILD_PURIFICATION
|
|---|
| 313 | 397c.3980: *0000000000000000-00000000000dffff 0x0001/0x0000 0x0000000
|
|---|
| 314 | 397c.3980: *00000000000e0000-00000000000fffff 0x0004/0x0004 0x0020000
|
|---|
| 315 | 397c.3980: *0000000000100000-0000000000119fff 0x0002/0x0002 0x0040000
|
|---|
| 316 | 397c.3980: 000000000011a000-000000000011ffff 0x0001/0x0000 0x0000000
|
|---|
| 317 | 397c.3980: *0000000000120000-0000000000123fff 0x0002/0x0002 0x0040000
|
|---|
| 318 | 397c.3980: 0000000000124000-000000000012ffff 0x0001/0x0000 0x0000000
|
|---|
| 319 | 397c.3980: *0000000000130000-0000000000131fff 0x0004/0x0004 0x0020000
|
|---|
| 320 | 397c.3980: 0000000000132000-000000000013ffff 0x0001/0x0000 0x0000000
|
|---|
| 321 | 397c.3980: *0000000000140000-0000000000140fff 0x0040/0x0040 0x0020000 !!
|
|---|
| 322 | 397c.3980: supHardNtVpFreeOrReplacePrivateExecMemory: Freeing exec mem at 0000000000140000 (LB 0x1000, 0000000000140000 LB 0x1000)
|
|---|
| 323 | 397c.3980: 000000000134d280/0000: 70 63 c1 ff fe 7f 00 00-10 00 00 00 00 00 00 00 pc..............
|
|---|
| 324 | 000000000134d290/0010: 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
|
|---|
| 325 | 000000000134d2a0/0020: 40 00 40 00 00 00 00 00-40 00 14 00 00 00 00 00 @.@.....@.......
|
|---|
| 326 | 000000000134d2b0/0030: 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
|
|---|
| 327 | 000000000134d2c0/0040: 43 00 3a 00 5c 00 57 00-69 00 6e 00 64 00 6f 00 C.:.\.W.i.n.d.o.
|
|---|
| 328 | 000000000134d2d0/0050: 77 00 73 00 5c 00 73 00-79 00 73 00 74 00 65 00 w.s.\.s.y.s.t.e.
|
|---|
| 329 | 000000000134d2e0/0060: 6d 00 33 00 32 00 5c 00-68 00 6d 00 70 00 61 00 m.3.2.\.h.m.p.a.
|
|---|
| 330 | 000000000134d2f0/0070: 6c 00 65 00 72 00 74 00-2e 00 64 00 6c 00 6c 00 l.e.r.t...d.l.l.
|
|---|
| 331 | 000000000134d300/0080: 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
|
|---|
| 332 | **************** **** <ditto x 6>
|
|---|
| 333 | 000000000134d370/00f0: 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
|
|---|
| 334 | 397c.3980: 000000000134d380/0000: 90 50 51 52 53 41 50 41-51 56 57 48 81 ec 88 00 .PQRSAPAQVWH....
|
|---|
| 335 | 000000000134d390/0010: 00 00 90 90 90 e8 db 00-00 00 74 08 e9 b5 00 00 ..........t.....
|
|---|
| 336 | 000000000134d3a0/0020: 00 90 90 90 48 83 c9 ff-48 ba 00 00 14 00 00 00 ....H...H.......
|
|---|
| 337 | 000000000134d3b0/0030: 00 00 49 b8 08 00 14 00-00 00 00 00 49 b9 40 00 ..I.........I.@.
|
|---|
| 338 | 000000000134d3c0/0040: 00 00 00 00 00 00 48 8d-44 24 78 48 89 44 24 20 ......H.D$xH.D$
|
|---|
| 339 | 000000000134d3d0/0050: 48 b8 50 01 c7 ff fe 7f-00 00 ff d0 48 be 00 03 H.P.........H...
|
|---|
| 340 | 000000000134d3e0/0060: 14 00 00 00 00 00 48 bf-70 63 c1 ff fe 7f 00 00 ......H.pc......
|
|---|
| 341 | 000000000134d3f0/0070: 48 ad 48 ab 90 ad 90 ab-48 83 c9 ff 48 ba 00 00 H.H.....H...H...
|
|---|
| 342 | 000000000134d400/0080: 14 00 00 00 00 00 49 b8-08 00 14 00 00 00 00 00 ......I.........
|
|---|
| 343 | 000000000134d410/0090: 49 b9 20 00 00 00 00 00-00 00 48 8d 44 24 78 48 I. .......H.D$xH
|
```text
000000000134d420/00a0: 89 44 24 20 48 b8 50 01-c7 ff fe 7f 00 00 ff d0 .D$ H.P.........
000000000134d430/00b0: 48 31 c9 48 31 d2 49 b8-20 00 14 00 00 00 00 00 H1.H1.I. .......
000000000134d440/00c0: 49 b9 10 00 14 00 00 00-00 00 48 b8 e0 57 c1 ff I.........H..W..
000000000134d450/00d0: fe 7f 00 00 ff d0 48 81-c4 88 00 00 00 5f 5e 41 ......H......_^A
000000000134d460/00e0: 59 41 58 5b 5a 59 48 b8-00 03 14 00 00 00 00 00 YAX[ZYH.........
000000000134d470/00f0: 48 87 04 24 c3 48 85 c9-74 0c e8 08 00 00 00 90 H..$.H..t.......
397c.3980: 000000000134d480/0000: 90 90 90 90 90 90 c3 48-8b 11 48 81 fa 18 00 1a .......H..H.....
000000000134d490/0010: 00 75 31 48 8b 51 08 8b-52 0c 81 fa 33 00 32 00 .u1H.Q..R...3.2.
000000000134d4a0/0020: 75 22 eb 1d 48 8b 11 48-81 fa 18 00 1a 00 75 14 u"..H..H......u.
000000000134d4b0/0030: 48 8b 51 08 8b 52 0c 81-fa 65 00 72 00 75 05 eb H.Q..R...e.r.u..
000000000134d4c0/0040: 00 31 db c3 31 db ff cb-c3 00 00 00 00 00 00 00 .1..1...........
000000000134d4d0/0050: 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
**************** **** <ditto x 9>
000000000134d570/00f0: 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
397c.3980: 000000000134d580/0000: 40 55 53 56 57 41 56 41-57 48 8d 6c 24 88 50 48 @USVWAVAWH.l$.PH
000000000134d590/0010: b8 7e 63 c1 ff fe 7f 00-00 48 87 04 24 c3 00 00 .~c......H..$...
000000000134d5a0/0020: 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
**************** **** <ditto x 12>
000000000134d670/00f0: 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
397c.3980: 000000000134e180/0000: 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
**************** **** <ditto x 14>
000000000134e270/00f0: 7d 57 c4 ff fe 7f 00 00-00 00 00 00 48 4d 50 41 }W..........HMPA
397c.3980: supHardNtVpFreeOrReplacePrivateExecMemory: Free attempt #1 succeeded: 0x0 [0000000000140000/0000000000140000 LB 0/0x1000]
397c.3980: supHardNtVpFreeOrReplacePrivateExecMemory: QVM after free 0: [0000000000000000]/0000000000140000 LB 0xc0000 s=0x10000 ap=0x0 rp=0x00000000000001
397c.3980: 0000000000141000-00000000001fffff 0x0001/0x0000 0x0000000
397c.3980: *0000000000200000-00000000003f2fff 0x0000/0x0004 0x0020000
397c.3980: 00000000003f3000-00000000003f5fff 0x0004/0x0004 0x0020000
397c.3980: 00000000003f6000-00000000003fffff 0x0000/0x0004 0x0020000
397c.3980: *0000000000400000-00000000004fafff 0x0000/0x0004 0x0020000
397c.3980: 00000000004fb000-00000000004fdfff 0x0104/0x0004 0x0020000
397c.3980: 00000000004fe000-00000000004fffff 0x0004/0x0004 0x0020000
397c.3980: 0000000000500000-000000007ffdffff 0x0001/0x0000 0x0000000
397c.3980: *000000007ffe0000-000000007ffe0fff 0x0002/0x0002 0x0020000
397c.3980: 000000007ffe1000-000000007ffe4fff 0x0001/0x0000 0x0000000
397c.3980: *000000007ffe5000-000000007ffe5fff 0x0002/0x0002 0x0020000
397c.3980: 000000007ffe6000-00007ff5fe72ffff 0x0001/0x0000 0x0000000
397c.3980: *00007ff5fe730000-00007ff5fe730fff 0x0002/0x0002 0x0040000
397c.3980: 00007ff5fe731000-00007ff5fe73ffff 0x0001/0x0000 0x0000000
397c.3980: *00007ff5fe740000-00007ff5fe762fff 0x0002/0x0002 0x0040000
397c.3980: 00007ff5fe763000-00007ff6a7ceffff 0x0001/0x0000 0x0000000
397c.3980: *00007ff6a7cf0000-00007ff6a7cf0fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe
397c.3980: 00007ff6a7cf1000-00007ff6a7d66fff 0x0020/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe
397c.3980: 00007ff6a7d67000-00007ff6a7d67fff 0x0080/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe
397c.3980: 00007ff6a7d68000-00007ff6a7daffff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe
397c.3980: 00007ff6a7db0000-00007ff6a7db0fff 0x0004/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe
397c.3980: 00007ff6a7db1000-00007ff6a7db1fff 0x0008/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe
397c.3980: 00007ff6a7db2000-00007ff6a7db6fff 0x0004/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe
397c.3980: 00007ff6a7db7000-00007ff6a7db7fff 0x0008/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe
397c.3980: 00007ff6a7db8000-00007ff6a7db8fff 0x0004/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe
397c.3980: 00007ff6a7db9000-00007ff6a7dbcfff 0x0008/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe
397c.3980: 00007ff6a7dbd000-00007ff6a7e05fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe
397c.3980: 00007ff6a7e06000-00007ffeffbcffff 0x0001/0x0000 0x0000000
397c.3980: *00007ffeffbd0000-00007ffeffbd0fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll
397c.3980: 00007ffeffbd1000-00007ffeffc15fff 0x0020/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll
397c.3980: 00007ffeffc16000-00007ffeffc16fff 0x0040/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll
397c.3980: 00007ffeffc17000-00007ffeffce7fff 0x0020/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll
397c.3980: 00007ffeffce8000-00007ffeffd2efff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll
397c.3980: 00007ffeffd2f000-00007ffeffd39fff 0x0008/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll
397c.3980: 00007ffeffd3a000-00007ffeffd47fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll
397c.3980: 00007ffeffd48000-00007ffeffd48fff 0x0004/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll
397c.3980: 00007ffeffd49000-00007ffeffd4bfff 0x0008/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll
397c.3980: 00007ffeffd4c000-00007ffeffdbcfff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll
397c.3980: 00007ffeffdbd000-00007ffffffeffff 0x0001/0x0000 0x0000000
397c.3980: ntdll.dll: Differences in section #1 (.text) between file and memory:
397c.3980: 00007ffeffc16370 / 0x0046370: 40 != 48
397c.3980: 00007ffeffc16371 / 0x0046371: 55 != b8
397c.3980: 00007ffeffc16372 / 0x0046372: 53 != 00
397c.3980: 00007ffeffc16373 / 0x0046373: 56 != 01
397c.3980: 00007ffeffc16374 / 0x0046374: 57 != 14
397c.3980: 00007ffeffc16375 / 0x0046375: 41 != 00
397c.3980: 00007ffeffc16376 / 0x0046376: 56 != 00
397c.3980: 00007ffeffc16377 / 0x0046377: 41 != 00
397c.3980: 00007ffeffc16378 / 0x0046378: 57 != 00
397c.3980: 00007ffeffc16379 / 0x0046379: 48 != 00
397c.3980: 00007ffeffc1637a / 0x004637a: 8d != ff
397c.3980: 00007ffeffc1637b / 0x004637b: 6c != e0
397c.3980: Restored 0x2000 bytes of original file content at 00007ffeffc15000
397c.3980: supR3HardNtChildPurify: cFixes=2 g_fSupAdversaries=0x40000
397c.3980: supR3HardNtChildPurify: Startup delay kludge #1/1: 518 ms, 30 sleeps
397c.3980: supHardNtVpScanVirtualMemory: enmKind=CHILD_PURIFICATION
397c.3980: *0000000000000000-00000000000dffff 0x0001/0x0000 0x0000000
397c.3980: *00000000000e0000-00000000000fffff 0x0004/0x0004 0x0020000
397c.3980: *0000000000100000-0000000000119fff 0x0002/0x0002 0x0040000
397c.3980: 000000000011a000-000000000011ffff 0x0001/0x0000 0x0000000
397c.3980: *0000000000120000-0000000000123fff 0x0002/0x0002 0x0040000
397c.3980: 0000000000124000-000000000012ffff 0x0001/0x0000 0x0000000
397c.3980: *0000000000130000-0000000000131fff 0x0004/0x0004 0x0020000
397c.3980: 0000000000132000-00000000001fffff 0x0001/0x0000 0x0000000
397c.3980: *0000000000200000-00000000003f2fff 0x0000/0x0004 0x0020000
397c.3980: 00000000003f3000-00000000003f5fff 0x0004/0x0004 0x0020000
397c.3980: 00000000003f6000-00000000003fffff 0x0000/0x0004 0x0020000
397c.3980: *0000000000400000-00000000004fafff 0x0000/0x0004 0x0020000
397c.3980: 00000000004fb000-00000000004fdfff 0x0104/0x0004 0x0020000
397c.3980: 00000000004fe000-00000000004fffff 0x0004/0x0004 0x0020000
397c.3980: 0000000000500000-000000007ffdffff 0x0001/0x0000 0x0000000
397c.3980: *000000007ffe0000-000000007ffe0fff 0x0002/0x0002 0x0020000
397c.3980: 000000007ffe1000-000000007ffe4fff 0x0001/0x0000 0x0000000
397c.3980: *000000007ffe5000-000000007ffe5fff 0x0002/0x0002 0x0020000
397c.3980: 000000007ffe6000-00007ff5fe72ffff 0x0001/0x0000 0x0000000
397c.3980: *00007ff5fe730000-00007ff5fe730fff 0x0002/0x0002 0x0040000
397c.3980: 00007ff5fe731000-00007ff5fe73ffff 0x0001/0x0000 0x0000000
397c.3980: *00007ff5fe740000-00007ff5fe762fff 0x0002/0x0002 0x0040000
397c.3980: 00007ff5fe763000-00007ff6a7ceffff 0x0001/0x0000 0x0000000
397c.3980: *00007ff6a7cf0000-00007ff6a7cf0fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe
397c.3980: 00007ff6a7cf1000-00007ff6a7d66fff 0x0020/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe
397c.3980: 00007ff6a7d67000-00007ff6a7d67fff 0x0040/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe
397c.3980: 00007ff6a7d68000-00007ff6a7daffff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe
397c.3980: 00007ff6a7db0000-00007ff6a7dbcfff 0x0004/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe
397c.3980: 00007ff6a7dbd000-00007ff6a7e05fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe
397c.3980: 00007ff6a7e06000-00007ffeffbcffff 0x0001/0x0000 0x0000000
397c.3980: *00007ffeffbd0000-00007ffeffbd0fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll
397c.3980: 00007ffeffbd1000-00007ffeffce7fff 0x0020/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll
397c.3980: 00007ffeffce8000-00007ffeffd2efff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll
397c.3980: 00007ffeffd2f000-00007ffeffd32fff 0x0008/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll
397c.3980: 00007ffeffd33000-00007ffeffd39fff 0x0004/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll
397c.3980: 00007ffeffd3a000-00007ffeffd47fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll
397c.3980: 00007ffeffd48000-00007ffeffd48fff 0x0004/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll
397c.3980: 00007ffeffd49000-00007ffeffd4bfff 0x0008/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll
397c.3980: 00007ffeffd4c000-00007ffeffdbcfff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll
397c.3980: 00007ffeffdbd000-00007ffffffeffff 0x0001/0x0000 0x0000000
397c.3980: supR3HardNtChildPurify: Done after 1035 ms and 2 fixes (loop #1).
39b8.39bc: Log file opened: 6.1.10r138449 g_hStartupLog=0000000000000004 g_uNtVerCombined=0xa0456300
39b8.39bc: supR3HardenedVmProcessInit: uNtDllAddr=00007ffeffbd0000 g_uNtVerCombined=0xa0456300 (stack ~00000000004ffa48)
39b8.39bc: ntdll.dll: timestamp 0x5854f5da (rc=VINF_SUCCESS)
39b8.39bc: New simple heap: #1 0000000000600000 LB 0x400000 (for 2019328 allocation)
397c.3980: supR3HardNtEnableThreadCreationEx:
39b8.39bc: supR3HardenedWinInitAppBin(0x0): '\Device\HarddiskVolume2\Program Files\Oracle\VirtualBox'
39b8.39bc: System32: \Device\HarddiskVolume2\Windows\System32
39b8.39bc: WinSxS: \Device\HarddiskVolume2\Windows\WinSxS
39b8.39bc: KnownDllPath: C:\WINDOWS\System32
39b8.39bc: supR3HardenedVmProcessInit: Opening vboxdrv stub...
39b8.39bc: supR3HardenedWinReadErrorInfoDevice: 'ntdll.dll: 11 differences between 0xa34e2 and 0xa34ec in #1 (.text), first: 8b != b8'
39b8.39bc: Error -5600 in supR3HardenedWinReSpawn! (enmWhat=3)
39b8.39bc: NtCreateFile(\Device\VBoxDrvStub) failed: Unknown Status -5600 (0xffffea20) (rcNt=0xe986ea20)
VBoxDrvStub error: ntdll.dll: 11 differences between 0xa34e2 and 0xa34ec in #1 (.text), first: 8b != b8
397c.3980: supR3HardenedWinCheckChild: enmRequest=2 rc=-5600 enmWhat=3 supR3HardenedWinReSpawn: NtCreateFile(\Device\VBoxDrvStub) failed: Unknown Status -5600 (0xffffea20) (rcNt=0xe986ea20)
VBoxDrvStub error: ntdll.dll: 11 differences between 0xa34e2 and 0xa34ec in #1 (.text), first: 8b != b8
39b8.39bc: KiUserExceptionDispatcher: 0xc0000005 (0000000000000001, 0000000000000024) @ 00007ffeffc1df33 (flags=0x0)
rax=ffffffffffffffff rbx=00007ffeffd352a0 rcx=0000000000000000 rdx=ffffffffffffffff
rsi=00007ffeffd34ee0 rdi=0000000000000000 r8 =00000000fffffffa r9 =00000000ffffea00
r10=0000000000000000 r11=00000000004f92e0 r12=0000000000000000 r13=ffffffffffffffff
r14=00000000003f4000 r15=0000000000000000 P1=0000000000000000 P2=0000000000000000
rip=00007ffeffc1df33 rsp=00000000004f91e0 rbp=0000000000000001 ctxflags=0010005f
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b eflags=00010213 mxcrx=00001f80
P3=0000000000000000 P4=0000000000000000 P5=00000000004fac40 P6=0000000000000003
dr0=0000000000000000 dr1=0000000000000000 dr2=0000000000000000 dr3=0000000000000000
dr6=0000000000000000 dr7=0000000000000000 vcr=00000000004f9078 dcr=000000000000000a
lbt=0000000000000000 lbf=0000000000000000 lxt=0000000000000000 lxf=0000000000000000
397c.3980: Error -5600 in supR3HardenedWinReSpawn! (enmWhat=3)
397c.3980: NtCreateFile(\Device\VBoxDrvStub) failed: Unknown Status -5600 (0xffffea20) (rcNt=0xe986ea20)
VBoxDrvStub error: ntdll.dll: 11 differences between 0xa34e2 and 0xa34ec in #1 (.text), first: 8b != b8
```