2718.708: Log file opened: 5.2.8r121009 g_hStartupLog=000000000000006c g_uNtVerCombined=0xa03fab00
2718.708: \SystemRoot\System32\ntdll.dll:
2718.708: CreationTime: 2018-04-10T08:52:14.098777500Z
2718.708: LastWriteTime: 2018-03-13T07:02:15.839353900Z
2718.708: ChangeTime: 2018-04-11T06:58:30.408905200Z
2718.708: FileAttributes: 0x20
2718.708: Size: 0x1dd100
2718.708: NT Headers: 0xe0
2718.708: Timestamp: 0xe508fc03
2718.708: Machine: 0x8664 - amd64
2718.708: Timestamp: 0xe508fc03
2718.708: Image Version: 10.0
2718.708: SizeOfImage: 0x1e0000 (1966080)
2718.708: Resource Dir: 0x174000 LB 0x6a1d8
2718.708: [Version info resource found at 0xd8! (ID/Name: 0x1; SubID/SubName: 0x409)]
2718.708: [Raw version resource data: 0x1740f0 LB 0x380, codepage 0x0 (reserved 0x0)]
2718.708: ProductName: Microsoft® Windows® Operating System
2718.708: ProductVersion: 10.0.16299.334
2718.708: FileVersion: 10.0.16299.334 (WinBuild.160101.0800)
2718.708: FileDescription: NT Layer DLL
2718.708: \SystemRoot\System32\kernel32.dll:
2718.708: CreationTime: 2017-09-29T13:42:04.954227600Z
2718.708: LastWriteTime: 2017-09-29T13:42:04.954227600Z
2718.708: ChangeTime: 2018-04-10T11:13:57.710048700Z
2718.708: FileAttributes: 0x20
2718.708: Size: 0xab868
2718.708: NT Headers: 0xe8
2718.708: Timestamp: 0xc2cf900
2718.708: Machine: 0x8664 - amd64
2718.708: Timestamp: 0xc2cf900
2718.708: Image Version: 10.0
2718.708: SizeOfImage: 0xae000 (712704)
2718.708: Resource Dir: 0xac000 LB 0x520
2718.708: [Version info resource found at 0x90! (ID/Name: 0x1; SubID/SubName: 0x409)]
2718.708: [Raw version resource data: 0xac0b0 LB 0x3a4, codepage 0x0 (reserved 0x0)]
2718.708: ProductName: Microsoft® Windows® Operating System
2718.708: ProductVersion: 10.0.16299.15
2718.708: FileVersion: 10.0.16299.15 (WinBuild.160101.0800)
2718.708: FileDescription: Windows NT BASE API Client DLL
2718.708: \SystemRoot\System32\KernelBase.dll:
2718.708: CreationTime: 2018-04-11T06:21:03.844568400Z
2718.708: LastWriteTime: 2018-03-30T05:08:26.893801200Z
2718.708: ChangeTime: 2018-04-11T06:57:55.481510900Z
2718.708: FileAttributes: 0x20
2718.708: Size: 0x265c00
2718.708: NT Headers: 0xf0
2718.708: Timestamp: 0x6369e29f
2718.708: Machine: 0x8664 - amd64
2718.708: Timestamp: 0x6369e29f
2718.708: Image Version: 10.0
2718.708: SizeOfImage: 0x266000 (2514944)
2718.708: Resource Dir: 0x245000 LB 0x548
2718.708: [Version info resource found at 0x90! (ID/Name: 0x1; SubID/SubName: 0x409)]
2718.708: [Raw version resource data: 0x2450b0 LB 0x3bc, codepage 0x0 (reserved 0x0)]
2718.708: ProductName: Microsoft® Windows® Operating System
2718.708: ProductVersion: 10.0.16299.371
2718.708: FileVersion: 10.0.16299.371 (WinBuild.160101.0800)
2718.708: FileDescription: Windows NT BASE API Client DLL
2718.708: \SystemRoot\System32\apisetschema.dll:
2718.708: CreationTime: 2017-09-29T13:42:07.095026600Z
2718.708: LastWriteTime: 2017-09-29T13:42:07.095026600Z
2718.708: ChangeTime: 2018-04-11T07:37:29.079921700Z
2718.708: FileAttributes: 0x20
2718.708: Size: 0x1b398
2718.708: NT Headers: 0xc8
2718.708: Timestamp: 0xf30abf31
2718.708: Machine: 0x8664 - amd64
2718.708: Timestamp: 0xf30abf31
2718.708: Image Version: 10.0
2718.708: SizeOfImage: 0x1c000 (114688)
2718.708: Resource Dir: 0x1b000 LB 0x408
2718.708: [Version info resource found at 0x48! (ID/Name: 0x1; SubID/SubName: 0x409)]
2718.708: [Raw version resource data: 0x1b060 LB 0x3a8, codepage 0x0 (reserved 0x0)]
2718.708: ProductName: Microsoft® Windows® Operating System
2718.708: ProductVersion: 10.0.16299.15
2718.708: FileVersion: 10.0.16299.15 (WinBuild.160101.0800)
2718.708: FileDescription: ApiSet Schema DLL
2718.708: supR3HardenedWinFindAdversaries: 0x0
2718.708: supR3HardenedWinInitAppBin(0x0): '\Device\HarddiskVolume2\Program Files\Oracle\VirtualBox'
2718.708: Calling main()
2718.708: SUPR3HardenedMain: pszProgName=VBoxHeadless fFlags=0x0
2718.708: supR3HardenedWinInitAppBin(0x0): '\Device\HarddiskVolume2\Program Files\Oracle\VirtualBox'
2718.708: SUPR3HardenedMain: Respawn #1
2718.708: System32: \Device\HarddiskVolume2\Windows\System32
2718.708: WinSxS: \Device\HarddiskVolume2\Windows\WinSxS
2718.708: KnownDllPath: C:\WINDOWS\System32
2718.708: '\Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VBoxHeadless.exe' has no imports
2718.708: supHardenedWinVerifyImageByHandle: -> 0 (\Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VBoxHeadless.exe)
2718.708: supR3HardNtEnableThreadCreation:
2718.708: supR3HardNtDisableThreadCreation: pvLdrInitThunk=00007ffbebe49280 pvNtTerminateThread=00007ffbebe70d10
2718.708: supR3HardenedWinDoReSpawn(1): New child aa4.283c [kernel32].
2718.708: supR3HardNtChildGatherData: PebBaseAddress=0000000000745000 cbPeb=0x388
2718.708: supR3HardNtPuChFindNtdll: uNtDllParentAddr=00007ffbebdd0000 uNtDllChildAddr=00007ffbebdd0000
2718.708: supR3HardenedWinSetupChildInit: uLdrInitThunk=00007ffbebe49280
2718.708: supR3HardenedWinSetupChildInit: Start child.
2718.708: supR3HardNtChildWaitFor: Found expected request 0 (PurifyChildAndCloseHandles) after 1 ms.
2718.708: supR3HardNtChildPurify: Startup delay kludge #1/0: 258 ms, 31 sleeps
2718.708: supHardNtVpScanVirtualMemory: enmKind=CHILD_PURIFICATION
2718.708: *0000000000000000-00000000004cffff 0x0001/0x0000 0x0000000
2718.708: *00000000004d0000-00000000004effff 0x0004/0x0004 0x0020000
2718.708: *00000000004f0000-0000000000508fff 0x0002/0x0002 0x0040000
2718.708: 0000000000509000-000000000050ffff 0x0001/0x0000 0x0000000
2718.708: *0000000000510000-0000000000510fff 0x0004/0x0004 0x0020000
2718.708: 0000000000511000-0000000000519fff 0x0020/0x0004 0x0020000 !!
2718.708: supHardNtVpFreeOrReplacePrivateExecMemory: Freeing exec mem at 0000000000510000 (LB 0x10000, 0000000000511000 LB 0x9000)
2718.708: supHardNtVpFreeOrReplacePrivateExecMemory: Free attempt #1 succeeded: 0x0 [0000000000510000/0000000000510000 LB 0/0x10000]
2718.708: supHardNtVpFreeOrReplacePrivateExecMemory: QVM after free 0: [0000000000000000]/0000000000510000 LB 0x10000 s=0x10000 ap=0x0 rp=0x82a0656300000001
2718.708: 000000000051a000-000000000051ffff 0x0001/0x0000 0x0000000
2718.708: *0000000000520000-0000000000520fff 0x0002/0x0002 0x0040000
2718.708: 0000000000521000-000000000052ffff 0x0001/0x0000 0x0000000
2718.708: *0000000000530000-0000000000533fff 0x0002/0x0002 0x0040000
2718.708: 0000000000534000-000000000053ffff 0x0001/0x0000 0x0000000
2718.708: *0000000000540000-0000000000540fff 0x0004/0x0004 0x0020000
2718.708: 0000000000541000-00000000005fffff 0x0001/0x0000 0x0000000
2718.708: *0000000000600000-0000000000744fff 0x0000/0x0004 0x0020000
2718.708: 0000000000745000-0000000000747fff 0x0004/0x0004 0x0020000
2718.708: 0000000000748000-00000000007fffff 0x0000/0x0004 0x0020000
2718.708: *0000000000800000-00000000008fafff 0x0000/0x0004 0x0020000
2718.708: 00000000008fb000-00000000008fdfff 0x0104/0x0004 0x0020000
2718.708: 00000000008fe000-00000000008fffff 0x0004/0x0004 0x0020000
2718.708: 0000000000900000-0000000000a9ffff 0x0001/0x0000 0x0000000
2718.708: *0000000000aa0000-0000000000aa1fff 0x0004/0x0004 0x0020000
2718.708: 0000000000aa2000-000000007ffdffff 0x0001/0x0000 0x0000000
2718.708: *000000007ffe0000-000000007ffe0fff 0x0002/0x0002 0x0020000
2718.708: *000000007ffe1000-000000007ffeffff 0x0000/0x0002 0x0020000
2718.708: 000000007fff0000-00007ff6d937ffff 0x0001/0x0000 0x0000000
2718.708: *00007ff6d9380000-00007ff6d93a2fff 0x0002/0x0002 0x0040000
2718.708: 00007ff6d93a3000-00007ff6d97fffff 0x0001/0x0000 0x0000000
2718.708: *00007ff6d9800000-00007ff6d9800fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VBoxHeadless.exe
2718.708: 00007ff6d9801000-00007ff6d9871fff 0x0020/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VBoxHeadless.exe
2718.708: 00007ff6d9872000-00007ff6d9872fff 0x0080/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VBoxHeadless.exe
2718.708: 00007ff6d9873000-00007ff6d98b8fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VBoxHeadless.exe
2718.708: 00007ff6d98b9000-00007ff6d98b9fff 0x0004/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VBoxHeadless.exe
2718.708: 00007ff6d98ba000-00007ff6d98bafff 0x0008/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VBoxHeadless.exe
2718.708: 00007ff6d98bb000-00007ff6d98bffff 0x0004/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VBoxHeadless.exe
2718.708: 00007ff6d98c0000-00007ff6d98c0fff 0x0008/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VBoxHeadless.exe
2718.708: 00007ff6d98c1000-00007ff6d98c1fff 0x0004/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VBoxHeadless.exe
2718.708: 00007ff6d98c2000-00007ff6d98c5fff 0x0008/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VBoxHeadless.exe
2718.708: 00007ff6d98c6000-00007ff6d990dfff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VBoxHeadless.exe
2718.708: 00007ff6d990e000-00007ffbebd8ffff 0x0001/0x0000 0x0000000
2718.708: *00007ffbebd90000-00007ffbebd90fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\Itcspea.Dll
2718.708: supHardNtVpScanVirtualMemory: Unmapping image mem at 00007ffbebd90000 (00007ffbebd90000 LB 0x1000) - 'Itcspea.Dll'
2718.708: 00007ffbebd91000-00007ffbebdcffff 0x0001/0x0000 0x0000000
2718.708: *00007ffbebdd0000-00007ffbebdd0fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll
2718.708: 00007ffbebdd1000-00007ffbebee2fff 0x0020/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll
2718.708: 00007ffbebee3000-00007ffbebf28fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll
2718.708: 00007ffbebf29000-00007ffbebf30fff 0x0008/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll
2718.708: 00007ffbebf31000-00007ffbebf3efff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll
2718.708: 00007ffbebf3f000-00007ffbebf3ffff 0x0004/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll
2718.708: 00007ffbebf40000-00007ffbebf42fff 0x0008/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll
2718.708: 00007ffbebf43000-00007ffbebfaffff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll
2718.708: 00007ffbebfb0000-00007ffffffdffff 0x0001/0x0000 0x0000000
2718.708: *00007ffffffe0000-00007ffffffeffff 0x0001/0x0002 0x0020000
2718.708: VBoxHeadless.exe: timestamp 0x5a942b95 (rc=VINF_SUCCESS)
2718.708: '\Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VBoxHeadless.exe' has no imports
2718.708: '\Device\HarddiskVolume2\Windows\System32\ntdll.dll' has no imports
2718.708: ntdll.dll: Differences in section #1 (.text) between file and memory:
2718.708: 00007ffbebe70450 / 0x00a0450: 4c != b8
2718.708: 00007ffbebe70451 / 0x00a0451: 8b != 20
2718.708: 00007ffbebe70452 / 0x00a0452: d1 != 4f
2718.708: 00007ffbebe70453 / 0x00a0453: b8 != 51
2718.708: 00007ffbebe70454 / 0x00a0454: 0d != 00
2718.708: 00007ffbebe70455 / 0x00a0455: 00 != 48
2718.708: 00007ffbebe70456 / 0x00a0456: 00 != 63
2718.708: 00007ffbebe70457 / 0x00a0457: 00 != c0
2718.708: 00007ffbebe70458 / 0x00a0458: f6 != ff
2718.708: 00007ffbebe70459 / 0x00a0459: 04 != e0
2718.708: 00007ffbebe707b0 / 0x00a07b0: 4c != b8
2718.708: 00007ffbebe707b1 / 0x00a07b1: 8b != 60
2718.708: 00007ffbebe707b2 / 0x00a07b2: d1 != 4b
2718.708: 00007ffbebe707b3 / 0x00a07b3: b8 != 51
2718.708: 00007ffbebe707b4 / 0x00a07b4: 28 != 00
2718.708: 00007ffbebe707b5 / 0x00a07b5: 00 != 48
2718.708: 00007ffbebe707b6 / 0x00a07b6: 00 != 63
2718.708: 00007ffbebe707b7 / 0x00a07b7: 00 != c0
2718.708: 00007ffbebe707b8 / 0x00a07b8: f6 != ff
2718.708: 00007ffbebe707b9 / 0x00a07b9: 04 != e0
2718.708: 00007ffbebe707f0 / 0x00a07f0: 4c != b8
2718.708: 00007ffbebe707f1 / 0x00a07f1: 8b != f0
2718.708: 00007ffbebe707f2 / 0x00a07f2: d1 != 4c
2718.708: 00007ffbebe707f3 / 0x00a07f3: b8 != 51
2718.708: 00007ffbebe707f4 / 0x00a07f4: 2a != 00
2718.708: 00007ffbebe707f5 / 0x00a07f5: 00 != 48
2718.708: 00007ffbebe707f6 / 0x00a07f6: 00 != 63
2718.708: 00007ffbebe707f7 / 0x00a07f7: 00 != c0
2718.708: 00007ffbebe707f8 / 0x00a07f8: f6 != ff
2718.708: 00007ffbebe707f9 / 0x00a07f9: 04 != e0
2718.708: 00007ffbebe709f0 / 0x00a09f0: 4c != b8
2718.708: 00007ffbebe709f1 / 0x00a09f1: 8b != c0
2718.708: 00007ffbebe709f2 / 0x00a09f2: d1 != 42
2718.708: 00007ffbebe709f3 / 0x00a09f3: b8 != 51
2718.708: 00007ffbebe709f4 / 0x00a09f4: 3a != 00
2718.708: 00007ffbebe709f5 / 0x00a09f5: 00 != 48
2718.708: 00007ffbebe709f6 / 0x00a09f6: 00 != 63
2718.708: 00007ffbebe709f7 / 0x00a09f7: 00 != c0
2718.708: 00007ffbebe709f8 / 0x00a09f8: f6 != ff
2718.708: 00007ffbebe709f9 / 0x00a09f9: 04 != e0
2718.708: 00007ffbebe70b50 / 0x00a0b50: 4c != b8
2718.708: 00007ffbebe70b51 / 0x00a0b51: 8b != 50
2718.708: 00007ffbebe70b52 / 0x00a0b52: d1 != 48
2718.708: 00007ffbebe70b53 / 0x00a0b53: b8 != 51
2718.708: 00007ffbebe70b54 / 0x00a0b54: 45 != 00
2718.708: 00007ffbebe70b55 / 0x00a0b55: 00 != 48
2718.708: 00007ffbebe70b56 / 0x00a0b56: 00 != 63
2718.708: 00007ffbebe70b57 / 0x00a0b57: 00 != c0
2718.708: 00007ffbebe70b58 / 0x00a0b58: f6 != ff
2718.708: 00007ffbebe70b59 / 0x00a0b59: 04 != e0
2718.708: 00007ffbebe70bf0 / 0x00a0bf0: 4c != b8
2718.708: 00007ffbebe70bf1 / 0x00a0bf1: 8b != 70
2718.708: 00007ffbebe70bf2 / 0x00a0bf2: d1 != 51
2718.708: 00007ffbebe70bf3 / 0x00a0bf3: b8 != 51
2718.708: 00007ffbebe70bf4 / 0x00a0bf4: 4a != 00
2718.708: 00007ffbebe70bf5 / 0x00a0bf5: 00 != 48
2718.708: 00007ffbebe70bf6 / 0x00a0bf6: 00 != 63
2718.708: 00007ffbebe70bf7 / 0x00a0bf7: 00 != c0
2718.708: 00007ffbebe70bf8 / 0x00a0bf8: f6 != ff
2718.708: 00007ffbebe70bf9 / 0x00a0bf9: 04 != e0
2718.708: 00007ffbebe70c70 / 0x00a0c70: 4c != b8
2718.708: 00007ffbebe70c71 / 0x00a0c71: 8b != 60
2718.708: 00007ffbebe70c72 / 0x00a0c72: d1 != 44
2718.708: 00007ffbebe70c73 / 0x00a0c73: b8 != 51
2718.708: 00007ffbebe70c74 / 0x00a0c74: 4e != 00
2718.708: 00007ffbebe70c75 / 0x00a0c75: 00 != 48
2718.708: 00007ffbebe70c76 / 0x00a0c76: 00 != 63
2718.708: 00007ffbebe70c77 / 0x00a0c77: 00 != c0
2718.708: 00007ffbebe70c78 / 0x00a0c78: f6 != ff
2718.708: 00007ffbebe70c79 / 0x00a0c79: 04 != e0
2718.708: Restored 0x2000 bytes of original file content at 00007ffbebe6f28e
2718.708: ntdll.dll: Differences in section #1 (.text) between file and memory:
2718.708: 00007ffbebe719e0 / 0x00a19e0: 4c != b8
2718.708: 00007ffbebe719e1 / 0x00a19e1: 8b != 60
2718.708: 00007ffbebe719e2 / 0x00a19e2: d1 != 46
2718.708: 00007ffbebe719e3 / 0x00a19e3: b8 != 51
2718.708: 00007ffbebe719e4 / 0x00a19e4: ba != 00
2718.708: 00007ffbebe719e5 / 0x00a19e5: 00 != 48
2718.708: 00007ffbebe719e6 / 0x00a19e6: 00 != 63
2718.708: 00007ffbebe719e7 / 0x00a19e7: 00 != c0
2718.708: 00007ffbebe719e8 / 0x00a19e8: f6 != ff
2718.708: 00007ffbebe719e9 / 0x00a19e9: 04 != e0
2718.708: 00007ffbebe723a0 / 0x00a23a0: 4c != b8
2718.708: 00007ffbebe723a1 / 0x00a23a1: 8b != e0
2718.708: 00007ffbebe723a2 / 0x00a23a2: d1 != 54
2718.708: 00007ffbebe723a3 / 0x00a23a3: b8 != 51
2718.708: 00007ffbebe723a4 / 0x00a23a4: 08 != 00
2718.708: 00007ffbebe723a5 / 0x00a23a5: 01 != 48
2718.708: 00007ffbebe723a6 / 0x00a23a6: 00 != 63
2718.708: 00007ffbebe723a7 / 0x00a23a7: 00 != c0
2718.708: 00007ffbebe723a8 / 0x00a23a8: f6 != ff
2718.708: 00007ffbebe723a9 / 0x00a23a9: 04 != e0
2718.708: 00007ffbebe72e00 / 0x00a2e00: 4c != b8
2718.708: 00007ffbebe72e01 / 0x00a2e01: 8b != d0
2718.708: 00007ffbebe72e02 / 0x00a2e02: d1 != 49
2718.708: 00007ffbebe72e03 / 0x00a2e03: b8 != 51
2718.708: 00007ffbebe72e04 / 0x00a2e04: 5b != 00
2718.708: 00007ffbebe72e05 / 0x00a2e05: 01 != 48
2718.708: 00007ffbebe72e06 / 0x00a2e06: 00 != 63
2718.708: 00007ffbebe72e07 / 0x00a2e07: 00 != c0
2718.708: 00007ffbebe72e08 / 0x00a2e08: f6 != ff
2718.708: 00007ffbebe72e09 / 0x00a2e09: 04 != e0
2718.708: Restored 0x2000 bytes of original file content at 00007ffbebe7128e
2718.708: ntdll.dll: Differences in section #1 (.text) between file and memory:
2718.708: 00007ffbebe732c0 / 0x00a32c0: 4c != b8
2718.708: 00007ffbebe732c1 / 0x00a32c1: 8b != 00
2718.708: 00007ffbebe732c2 / 0x00a32c2: d1 != 4e
2718.708: 00007ffbebe732c3 / 0x00a32c3: b8 != 51
2718.708: 00007ffbebe732c4 / 0x00a32c4: 81 != 00
2718.708: 00007ffbebe732c5 / 0x00a32c5: 01 != 48
2718.708: 00007ffbebe732c6 / 0x00a32c6: 00 != 63
2718.708: 00007ffbebe732c7 / 0x00a32c7: 00 != c0
2718.708: 00007ffbebe732c8 / 0x00a32c8: f6 != ff
2718.708: 00007ffbebe732c9 / 0x00a32c9: 04 != e0
2718.708: 00007ffbebe736a0 / 0x00a36a0: 4c != b8
2718.708: 00007ffbebe736a1 / 0x00a36a1: 8b != e0
2718.708: 00007ffbebe736a2 / 0x00a36a2: d1 != 52
2718.708: 00007ffbebe736a3 / 0x00a36a3: b8 != 51
2718.708: 00007ffbebe736a4 / 0x00a36a4: a0 != 00
2718.708: 00007ffbebe736a5 / 0x00a36a5: 01 != 48
2718.708: 00007ffbebe736a6 / 0x00a36a6: 00 != 63
2718.708: 00007ffbebe736a7 / 0x00a36a7: 00 != c0
2718.708: 00007ffbebe736a8 / 0x00a36a8: f6 != ff
2718.708: 00007ffbebe736a9 / 0x00a36a9: 04 != e0
2718.708: 00007ffbebe736e0 / 0x00a36e0: 4c != b8
2718.708: 00007ffbebe736e1 / 0x00a36e1: 8b != f0
2718.708: 00007ffbebe736e2 / 0x00a36e2: d1 != 53
2718.708: 00007ffbebe736e3 / 0x00a36e3: b8 != 51
2718.708: 00007ffbebe736e4 / 0x00a36e4: a2 != 00
2718.708: 00007ffbebe736e5 / 0x00a36e5: 01 != 48
2718.708: 00007ffbebe736e6 / 0x00a36e6: 00 != 63
2718.708: 00007ffbebe736e7 / 0x00a36e7: 00 != c0
2718.708: 00007ffbebe736e8 / 0x00a36e8: f6 != ff
2718.708: 00007ffbebe736e9 / 0x00a36e9: 04 != e0
2718.708: Restored 0x2000 bytes of original file content at 00007ffbebe7328e
2718.708: supR3HardNtChildPurify: cFixes=4 g_fSupAdversaries=0x80000000
2718.708: supR3HardNtChildPurify: Startup delay kludge #1/1: 516 ms, 62 sleeps
2718.708: supHardNtVpScanVirtualMemory: enmKind=CHILD_PURIFICATION
2718.708: *0000000000000000-00000000004cffff 0x0001/0x0000 0x0000000
2718.708: *00000000004d0000-00000000004effff 0x0004/0x0004 0x0020000
2718.708: *00000000004f0000-0000000000508fff 0x0002/0x0002 0x0040000
2718.708: 0000000000509000-000000000051ffff 0x0001/0x0000 0x0000000
2718.708: *0000000000520000-0000000000520fff 0x0002/0x0002 0x0040000
2718.708: 0000000000521000-000000000052ffff 0x0001/0x0000 0x0000000
2718.708: *0000000000530000-0000000000533fff 0x0002/0x0002 0x0040000
2718.708: 0000000000534000-000000000053ffff 0x0001/0x0000 0x0000000
2718.708: *0000000000540000-0000000000540fff 0x0004/0x0004 0x0020000
2718.708: 0000000000541000-00000000005fffff 0x0001/0x0000 0x0000000
2718.708: *0000000000600000-0000000000744fff 0x0000/0x0004 0x0020000
2718.708: 0000000000745000-0000000000747fff 0x0004/0x0004 0x0020000
2718.708: 0000000000748000-00000000007fffff 0x0000/0x0004 0x0020000
2718.708: *0000000000800000-00000000008fafff 0x0000/0x0004 0x0020000
2718.708: 00000000008fb000-00000000008fdfff 0x0104/0x0004 0x0020000
2718.708: 00000000008fe000-00000000008fffff 0x0004/0x0004 0x0020000
2718.708: 0000000000900000-0000000000a9ffff 0x0001/0x0000 0x0000000
2718.708: *0000000000aa0000-0000000000aa1fff 0x0004/0x0004 0x0020000
2718.708: 0000000000aa2000-000000007ffdffff 0x0001/0x0000 0x0000000
2718.708: *000000007ffe0000-000000007ffe0fff 0x0002/0x0002 0x0020000
2718.708: *000000007ffe1000-000000007ffeffff 0x0000/0x0002 0x0020000
2718.708: 000000007fff0000-00007ff6d937ffff 0x0001/0x0000 0x0000000
2718.708: *00007ff6d9380000-00007ff6d93a2fff 0x0002/0x0002 0x0040000
2718.708: 00007ff6d93a3000-00007ff6d97fffff 0x0001/0x0000 0x0000000
2718.708: *00007ff6d9800000-00007ff6d9800fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VBoxHeadless.exe
2718.708: 00007ff6d9801000-00007ff6d9871fff 0x0020/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VBoxHeadless.exe
2718.708: 00007ff6d9872000-00007ff6d9872fff 0x0040/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VBoxHeadless.exe
2718.708: 00007ff6d9873000-00007ff6d98b8fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VBoxHeadless.exe
2718.708: 00007ff6d98b9000-00007ff6d98c5fff 0x0004/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VBoxHeadless.exe
2718.708: 00007ff6d98c6000-00007ff6d990dfff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VBoxHeadless.exe
2718.708: 00007ff6d990e000-00007ffbebdcffff 0x0001/0x0000 0x0000000
2718.708: *00007ffbebdd0000-00007ffbebdd0fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll
2718.708: 00007ffbebdd1000-00007ffbebee2fff 0x0020/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll
2718.708: 00007ffbebee3000-00007ffbebf28fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll
2718.708: 00007ffbebf29000-00007ffbebf2cfff 0x0008/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll
2718.708: 00007ffbebf2d000-00007ffbebf30fff 0x0004/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll
2718.708: 00007ffbebf31000-00007ffbebf3efff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll
2718.708: 00007ffbebf3f000-00007ffbebf3ffff 0x0004/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll
2718.708: 00007ffbebf40000-00007ffbebf42fff 0x0008/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll
2718.708: 00007ffbebf43000-00007ffbebfaffff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll
2718.708: 00007ffbebfb0000-00007ffffffdffff 0x0001/0x0000 0x0000000
2718.708: *00007ffffffe0000-00007ffffffeffff 0x0001/0x0002 0x0020000
2718.708: supR3HardNtChildPurify: Done after 809 ms and 4 fixes (loop #1).
aa4.283c: Log file opened: 5.2.8r121009 g_hStartupLog=0000000000000008 g_uNtVerCombined=0xa03fab00
aa4.283c: supR3HardenedVmProcessInit: uNtDllAddr=00007ffbebdd0000 g_uNtVerCombined=0xa03fab00
aa4.283c: ntdll.dll: timestamp 0xe508fc03 (rc=VINF_SUCCESS)
aa4.283c: New simple heap: #1 0000000000ab0000 LB 0x400000 (for 1966080 allocation)
2718.708: supR3HardNtEnableThreadCreation:
aa4.283c: supR3HardenedWinInitAppBin(0x0): '\Device\HarddiskVolume2\Program Files\Oracle\VirtualBox'
aa4.283c: System32: \Device\HarddiskVolume2\Windows\System32
aa4.283c: WinSxS: \Device\HarddiskVolume2\Windows\WinSxS
aa4.283c: KnownDllPath: C:\WINDOWS\System32
aa4.283c: supR3HardenedVmProcessInit: Opening vboxdrv stub...
aa4.283c: supR3HardenedVmProcessInit: Restoring LdrInitializeThunk...
aa4.283c: supR3HardenedVmProcessInit: Returning to LdrInitializeThunk...
aa4.283c: Registered Dll notification callback with NTDLL.
aa4.283c: supHardenedWinVerifyImageByHandle: -> 0 (\Device\HarddiskVolume2\Windows\System32\kernel32.dll)
aa4.283c: supR3HardenedWinVerifyCacheInsert: \Device\HarddiskVolume2\Windows\System32\kernel32.dll
aa4.283c: supR3HardenedMonitor_LdrLoadDll: pName=C:\WINDOWS\System32\KERNEL32.DLL (Input=KERNEL32.DLL, rcNtResolve=0xc0150008) *pfFlags=0xffffffff pwszSearchPath=0000000000004001: [calling]
aa4.283c: supR3HardenedDllNotificationCallback: load 00007ffbe8390000 LB 0x00266000 C:\WINDOWS\System32\KERNELBASE.dll [fFlags=0x0]
aa4.283c: supHardenedWinVerifyImageByHandle: -> 0 (\Device\HarddiskVolume2\Windows\System32\KernelBase.dll)
aa4.283c: supR3HardenedWinVerifyCacheInsert: \Device\HarddiskVolume2\Windows\System32\KernelBase.dll
aa4.283c: supR3HardenedDllNotificationCallback: load 00007ffbe94a0000 LB 0x000ae000 C:\WINDOWS\System32\KERNEL32.DLL [fFlags=0x0]
aa4.283c: supR3HardenedScreenImage/LdrLoadDll: cache hit (VINF_SUCCESS) on \Device\HarddiskVolume2\Windows\System32\kernel32.dll [lacks WinVerifyTrust]
aa4.283c: supR3HardenedMonitor_LdrLoadDll: returns rcNt=0x0 hMod=00007ffbe94a0000 'C:\WINDOWS\System32\KERNEL32.DLL'
aa4.283c: supR3HardenedDllNotificationCallback: load 00007ff6d9800000 LB 0x0010e000 C:\Program Files\Oracle\VirtualBox\VBoxHeadless.exe [fFlags=0x0]
aa4.283c: '\Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VBoxHeadless.exe' has no imports
aa4.283c: supHardenedWinVerifyImageByHandle: -> 0 (\Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VBoxHeadless.exe)
aa4.283c: supR3HardenedWinVerifyCacheInsert: \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VBoxHeadless.exe
aa4.283c: supR3HardNtDisableThreadCreation: pvLdrInitThunk=00007ffbebe49280 pvNtTerminateThread=00007ffbebe70d10
2718.708: supR3HardNtChildWaitFor: Found expected request 1 (CloseEvents) after 67 ms.
aa4.283c: \SystemRoot\System32\ntdll.dll:
aa4.283c: CreationTime: 2018-04-10T08:52:14.098777500Z
aa4.283c: LastWriteTime: 2018-03-13T07:02:15.839353900Z
aa4.283c: ChangeTime: 2018-04-11T06:58:30.408905200Z
aa4.283c: FileAttributes: 0x20
aa4.283c: Size: 0x1dd100
aa4.283c: NT Headers: 0xe0
aa4.283c: Timestamp: 0xe508fc03
aa4.283c: Machine: 0x8664 - amd64
aa4.283c: Timestamp: 0xe508fc03
aa4.283c: Image Version: 10.0
aa4.283c: SizeOfImage: 0x1e0000 (1966080)
aa4.283c: Resource Dir: 0x174000 LB 0x6a1d8
aa4.283c: [Version info resource found at 0xd8! (ID/Name: 0x1; SubID/SubName: 0x409)]
aa4.283c: [Raw version resource data: 0x1740f0 LB 0x380, codepage 0x0 (reserved 0x0)]
aa4.283c: ProductName: Microsoft® Windows® Operating System
aa4.283c: ProductVersion: 10.0.16299.334
aa4.283c: FileVersion: 10.0.16299.334 (WinBuild.160101.0800)
aa4.283c: FileDescription: NT Layer DLL
aa4.283c: \SystemRoot\System32\kernel32.dll:
aa4.283c: CreationTime: 2017-09-29T13:42:04.954227600Z
aa4.283c: LastWriteTime: 2017-09-29T13:42:04.954227600Z
aa4.283c: ChangeTime: 2018-04-10T11:13:57.710048700Z
aa4.283c: FileAttributes: 0x20
aa4.283c: Size: 0xab868
aa4.283c: NT Headers: 0xe8
aa4.283c: Timestamp: 0xc2cf900
aa4.283c: Machine: 0x8664 - amd64
aa4.283c: Timestamp: 0xc2cf900
aa4.283c: Image Version: 10.0
aa4.283c: SizeOfImage: 0xae000 (712704)
aa4.283c: Resource Dir: 0xac000 LB 0x520
aa4.283c: [Version info resource found at 0x90! (ID/Name: 0x1; SubID/SubName: 0x409)]
aa4.283c: [Raw version resource data: 0xac0b0 LB 0x3a4, codepage 0x0 (reserved 0x0)]
aa4.283c: ProductName: Microsoft® Windows® Operating System
aa4.283c: ProductVersion: 10.0.16299.15
aa4.283c: FileVersion: 10.0.16299.15 (WinBuild.160101.0800)
aa4.283c: FileDescription: Windows NT BASE API Client DLL
aa4.283c: \SystemRoot\System32\KernelBase.dll:
aa4.283c: CreationTime: 2018-04-11T06:21:03.844568400Z
aa4.283c: LastWriteTime: 2018-03-30T05:08:26.893801200Z
aa4.283c: ChangeTime: 2018-04-11T06:57:55.481510900Z
aa4.283c: FileAttributes: 0x20
aa4.283c: Size: 0x265c00
aa4.283c: NT Headers: 0xf0
aa4.283c: Timestamp: 0x6369e29f
aa4.283c: Machine: 0x8664 - amd64
aa4.283c: Timestamp: 0x6369e29f
aa4.283c: Image Version: 10.0
aa4.283c: SizeOfImage: 0x266000 (2514944)
aa4.283c: Resource Dir: 0x245000 LB 0x548
aa4.283c: [Version info resource found at 0x90! (ID/Name: 0x1; SubID/SubName: 0x409)]
aa4.283c: [Raw version resource data: 0x2450b0 LB 0x3bc, codepage 0x0 (reserved 0x0)]
aa4.283c: ProductName: Microsoft® Windows® Operating System
aa4.283c: ProductVersion: 10.0.16299.371
aa4.283c: FileVersion: 10.0.16299.371 (WinBuild.160101.0800)
aa4.283c: FileDescription: Windows NT BASE API Client DLL
aa4.283c: \SystemRoot\System32\apisetschema.dll:
aa4.283c: CreationTime: 2017-09-29T13:42:07.095026600Z
aa4.283c: LastWriteTime: 2017-09-29T13:42:07.095026600Z
aa4.283c: ChangeTime: 2018-04-11T07:37:29.079921700Z
aa4.283c: FileAttributes: 0x20
aa4.283c: Size: 0x1b398
aa4.283c: NT Headers: 0xc8
aa4.283c: Timestamp: 0xf30abf31
aa4.283c: Machine: 0x8664 - amd64
aa4.283c: Timestamp: 0xf30abf31
aa4.283c: Image Version: 10.0
aa4.283c: SizeOfImage: 0x1c000 (114688)
aa4.283c: Resource Dir: 0x1b000 LB 0x408
aa4.283c: [Version info resource found at 0x48! (ID/Name: 0x1; SubID/SubName: 0x409)]
aa4.283c: [Raw version resource data: 0x1b060 LB 0x3a8, codepage 0x0 (reserved 0x0)]
aa4.283c: ProductName: Microsoft® Windows® Operating System
aa4.283c: ProductVersion: 10.0.16299.15
aa4.283c: FileVersion: 10.0.16299.15 (WinBuild.160101.0800)
aa4.283c: FileDescription: ApiSet Schema DLL
aa4.283c: supR3HardenedWinFindAdversaries: 0x0
aa4.283c: supR3HardenedWinInitAppBin(0x0): '\Device\HarddiskVolume2\Program Files\Oracle\VirtualBox'
aa4.283c: Calling main()
aa4.283c: SUPR3HardenedMain: pszProgName=VBoxHeadless fFlags=0x0
aa4.283c: supR3HardenedWinInitAppBin(0x0): '\Device\HarddiskVolume2\Program Files\Oracle\VirtualBox'
aa4.283c: '\Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VBoxHeadless.exe' has no imports
aa4.283c: supHardenedWinVerifyImageByHandle: -> 0 (\Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VBoxHeadless.exe)
aa4.283c: SUPR3HardenedMain: Respawn #2
aa4.283c: supR3HardNtEnableThreadCreation:
aa4.283c: '\Device\HarddiskVolume2\Windows\System32\ntdll.dll' has no imports
aa4.283c: supHardenedWinVerifyImageByHandle: -> 0 (\Device\HarddiskVolume2\Windows\System32\ntdll.dll)
aa4.283c: supR3HardenedWinVerifyCacheInsert: \Device\HarddiskVolume2\Windows\System32\ntdll.dll
aa4.283c: supR3HardenedMonitor_LdrLoadDll: pName=C:\WINDOWS\System32\ntdll.dll (Input=ntdll.dll, rcNtResolve=0xc0150008) *pfFlags=0x0 pwszSearchPath=0000000000000801: [calling]
aa4.283c: supR3HardenedMonitor_LdrLoadDll: returns rcNt=0x0 hMod=00007ffbebdd0000 'C:\WINDOWS\System32\ntdll.dll'
aa4.283c: supR3HardNtDisableThreadCreation: pvLdrInitThunk=00007ffbebe49280 pvNtTerminateThread=00007ffbebe70d10
aa4.283c: supR3HardenedWinDoReSpawn(2): New child 2878.1308 [kernel32].
aa4.283c: supR3HardenedWinReSpawn: NtSetInformationThread/ThreadHideFromDebugger failed: 0xc0000022 (harmless)
aa4.283c: supR3HardNtChildGatherData: PebBaseAddress=0000000000b29000 cbPeb=0x388
aa4.283c: supR3HardNtPuChFindNtdll: uNtDllParentAddr=00007ffbebdd0000 uNtDllChildAddr=00007ffbebdd0000
aa4.283c: supR3HardenedWinSetupChildInit: uLdrInitThunk=00007ffbebe49280
aa4.283c: supR3HardenedWinSetupChildInit: Start child.
aa4.283c: supR3HardNtChildWaitFor: Found expected request 0 (PurifyChildAndCloseHandles) after 0 ms.
aa4.283c: supR3HardNtChildPurify: Startup delay kludge #1/0: 257 ms, 31 sleeps
aa4.283c: supHardNtVpScanVirtualMemory: enmKind=CHILD_PURIFICATION
aa4.283c: *0000000000000000-000000000084ffff 0x0001/0x0000 0x0000000
aa4.283c: *0000000000850000-000000000086ffff 0x0004/0x0004 0x0020000
aa4.283c: *0000000000870000-0000000000888fff 0x0002/0x0002 0x0040000
aa4.283c: 0000000000889000-000000000088ffff 0x0001/0x0000 0x0000000
aa4.283c: *0000000000890000-000000000098afff 0x0000/0x0004 0x0020000
aa4.283c: 000000000098b000-000000000098dfff 0x0104/0x0004 0x0020000
aa4.283c: 000000000098e000-000000000098ffff 0x0004/0x0004 0x0020000
aa4.283c: *0000000000990000-0000000000990fff 0x0004/0x0004 0x0020000
aa4.283c: 0000000000991000-0000000000999fff 0x0020/0x0004 0x0020000 !!
aa4.283c: supHardNtVpFreeOrReplacePrivateExecMemory: Freeing exec mem at 0000000000990000 (LB 0x10000, 0000000000991000 LB 0x9000)
aa4.283c: supHardNtVpFreeOrReplacePrivateExecMemory: Free attempt #1 succeeded: 0x0 [0000000000990000/0000000000990000 LB 0/0x10000]
aa4.283c: supHardNtVpFreeOrReplacePrivateExecMemory: QVM after free 0: [0000000000000000]/0000000000990000 LB 0x10000 s=0x10000 ap=0x0 rp=0x82a0656300000001
aa4.283c: 000000000099a000-000000000099ffff 0x0001/0x0000 0x0000000
aa4.283c: *00000000009a0000-00000000009a0fff 0x0002/0x0002 0x0040000
aa4.283c: 00000000009a1000-00000000009affff 0x0001/0x0000 0x0000000
aa4.283c: *00000000009b0000-00000000009b3fff 0x0002/0x0002 0x0040000
aa4.283c: 00000000009b4000-00000000009bffff 0x0001/0x0000 0x0000000
aa4.283c: *00000000009c0000-00000000009c0fff 0x0004/0x0004 0x0020000
aa4.283c: 00000000009c1000-00000000009fffff 0x0001/0x0000 0x0000000
aa4.283c: *0000000000a00000-0000000000b28fff 0x0000/0x0004 0x0020000
aa4.283c: 0000000000b29000-0000000000b2bfff 0x0004/0x0004 0x0020000
aa4.283c: 0000000000b2c000-0000000000bfffff 0x0000/0x0004 0x0020000
aa4.283c: 0000000000c00000-0000000000cdffff 0x0001/0x0000 0x0000000
aa4.283c: *0000000000ce0000-0000000000ce1fff 0x0004/0x0004 0x0020000
aa4.283c: 0000000000ce2000-000000007ffdffff 0x0001/0x0000 0x0000000
aa4.283c: *000000007ffe0000-000000007ffe0fff 0x0002/0x0002 0x0020000
aa4.283c: *000000007ffe1000-000000007ffeffff 0x0000/0x0002 0x0020000
aa4.283c: 000000007fff0000-00007ff6d909ffff 0x0001/0x0000 0x0000000
aa4.283c: *00007ff6d90a0000-00007ff6d90c2fff 0x0002/0x0002 0x0040000
aa4.283c: 00007ff6d90c3000-00007ff6d97fffff 0x0001/0x0000 0x0000000
aa4.283c: *00007ff6d9800000-00007ff6d9800fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VBoxHeadless.exe
aa4.283c: 00007ff6d9801000-00007ff6d9871fff 0x0020/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VBoxHeadless.exe
aa4.283c: 00007ff6d9872000-00007ff6d9872fff 0x0080/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VBoxHeadless.exe
aa4.283c: 00007ff6d9873000-00007ff6d98b8fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VBoxHeadless.exe
aa4.283c: 00007ff6d98b9000-00007ff6d98b9fff 0x0004/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VBoxHeadless.exe
aa4.283c: 00007ff6d98ba000-00007ff6d98bafff 0x0008/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VBoxHeadless.exe
aa4.283c: 00007ff6d98bb000-00007ff6d98bffff 0x0004/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VBoxHeadless.exe
aa4.283c: 00007ff6d98c0000-00007ff6d98c0fff 0x0008/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VBoxHeadless.exe
aa4.283c: 00007ff6d98c1000-00007ff6d98c1fff 0x0004/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VBoxHeadless.exe
aa4.283c: 00007ff6d98c2000-00007ff6d98c5fff 0x0008/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VBoxHeadless.exe
aa4.283c: 00007ff6d98c6000-00007ff6d990dfff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VBoxHeadless.exe
aa4.283c: 00007ff6d990e000-00007ffbebd8ffff 0x0001/0x0000 0x0000000
aa4.283c: *00007ffbebd90000-00007ffbebd90fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\Itcspea.Dll
aa4.283c: supHardNtVpScanVirtualMemory: Unmapping image mem at 00007ffbebd90000 (00007ffbebd90000 LB 0x1000) - 'Itcspea.Dll'
aa4.283c: 00007ffbebd91000-00007ffbebdcffff 0x0001/0x0000 0x0000000
aa4.283c: *00007ffbebdd0000-00007ffbebdd0fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll
aa4.283c: 00007ffbebdd1000-00007ffbebee2fff 0x0020/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll
aa4.283c: 00007ffbebee3000-00007ffbebf28fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll
aa4.283c: 00007ffbebf29000-00007ffbebf30fff 0x0008/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll
aa4.283c: 00007ffbebf31000-00007ffbebf3efff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll
aa4.283c: 00007ffbebf3f000-00007ffbebf3ffff 0x0004/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll
aa4.283c: 00007ffbebf40000-00007ffbebf42fff 0x0008/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll
aa4.283c: 00007ffbebf43000-00007ffbebfaffff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll
aa4.283c: 00007ffbebfb0000-00007ffffffdffff 0x0001/0x0000 0x0000000
aa4.283c: *00007ffffffe0000-00007ffffffeffff 0x0001/0x0002 0x0020000
aa4.283c: VBoxHeadless.exe: timestamp 0x5a942b95 (rc=VINF_SUCCESS)
aa4.283c: '\Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VBoxHeadless.exe' has no imports
aa4.283c: '\Device\HarddiskVolume2\Windows\System32\ntdll.dll' has no imports
aa4.283c: ntdll.dll: Differences in section #1 (.text) between file and memory:
aa4.283c: 00007ffbebe70450 / 0x00a0450: 4c != b8
aa4.283c: 00007ffbebe70451 / 0x00a0451: 8b != 20
aa4.283c: 00007ffbebe70452 / 0x00a0452: d1 != 4f
aa4.283c: 00007ffbebe70453 / 0x00a0453: b8 != 99
aa4.283c: 00007ffbebe70454 / 0x00a0454: 0d != 00
aa4.283c: 00007ffbebe70455 / 0x00a0455: 00 != 48
aa4.283c: 00007ffbebe70456 / 0x00a0456: 00 != 63
aa4.283c: 00007ffbebe70457 / 0x00a0457: 00 != c0
aa4.283c: 00007ffbebe70458 / 0x00a0458: f6 != ff
aa4.283c: 00007ffbebe70459 / 0x00a0459: 04 != e0
aa4.283c: 00007ffbebe707b0 / 0x00a07b0: 4c != b8
aa4.283c: 00007ffbebe707b1 / 0x00a07b1: 8b != 60
aa4.283c: 00007ffbebe707b2 / 0x00a07b2: d1 != 4b
aa4.283c: 00007ffbebe707b3 / 0x00a07b3: b8 != 99
aa4.283c: 00007ffbebe707b4 / 0x00a07b4: 28 != 00
aa4.283c: 00007ffbebe707b5 / 0x00a07b5: 00 != 48
aa4.283c: 00007ffbebe707b6 / 0x00a07b6: 00 != 63
aa4.283c: 00007ffbebe707b7 / 0x00a07b7: 00 != c0
aa4.283c: 00007ffbebe707b8 / 0x00a07b8: f6 != ff
aa4.283c: 00007ffbebe707b9 / 0x00a07b9: 04 != e0
aa4.283c: 00007ffbebe707f0 / 0x00a07f0: 4c != b8 aa4.283c: 00007ffbebe707f1 / 0x00a07f1: 8b != f0 aa4.283c: 00007ffbebe707f2 / 0x00a07f2: d1 != 4c aa4.283c: 00007ffbebe707f3 / 0x00a07f3: b8 != 99 aa4.283c: 00007ffbebe707f4 / 0x00a07f4: 2a != 00 aa4.283c: 00007ffbebe707f5 / 0x00a07f5: 00 != 48 aa4.283c: 00007ffbebe707f6 / 0x00a07f6: 00 != 63 aa4.283c: 00007ffbebe707f7 / 0x00a07f7: 00 != c0 aa4.283c: 00007ffbebe707f8 / 0x00a07f8: f6 != ff aa4.283c: 00007ffbebe707f9 / 0x00a07f9: 04 != e0 aa4.283c: 00007ffbebe709f0 / 0x00a09f0: 4c != b8 aa4.283c: 00007ffbebe709f1 / 0x00a09f1: 8b != c0 aa4.283c: 00007ffbebe709f2 / 0x00a09f2: d1 != 42 aa4.283c: 00007ffbebe709f3 / 0x00a09f3: b8 != 99 aa4.283c: 00007ffbebe709f4 / 0x00a09f4: 3a != 00 aa4.283c: 00007ffbebe709f5 / 0x00a09f5: 00 != 48 aa4.283c: 00007ffbebe709f6 / 0x00a09f6: 00 != 63 aa4.283c: 00007ffbebe709f7 / 0x00a09f7: 00 != c0 aa4.283c: 00007ffbebe709f8 / 0x00a09f8: f6 != ff aa4.283c: 00007ffbebe709f9 / 0x00a09f9: 04 != e0 aa4.283c: 00007ffbebe70b50 / 0x00a0b50: 4c != b8 aa4.283c: 00007ffbebe70b51 / 0x00a0b51: 8b != 50 aa4.283c: 00007ffbebe70b52 / 0x00a0b52: d1 != 48 aa4.283c: 00007ffbebe70b53 / 0x00a0b53: b8 != 99 aa4.283c: 00007ffbebe70b54 / 0x00a0b54: 45 != 00 aa4.283c: 00007ffbebe70b55 / 0x00a0b55: 00 != 48 aa4.283c: 00007ffbebe70b56 / 0x00a0b56: 00 != 63 aa4.283c: 00007ffbebe70b57 / 0x00a0b57: 00 != c0 aa4.283c: 00007ffbebe70b58 / 0x00a0b58: f6 != ff aa4.283c: 00007ffbebe70b59 / 0x00a0b59: 04 != e0 aa4.283c: 00007ffbebe70bf0 / 0x00a0bf0: 4c != b8 aa4.283c: 00007ffbebe70bf1 / 0x00a0bf1: 8b != 70 aa4.283c: 00007ffbebe70bf2 / 0x00a0bf2: d1 != 51 aa4.283c: 00007ffbebe70bf3 / 0x00a0bf3: b8 != 99 aa4.283c: 00007ffbebe70bf4 / 0x00a0bf4: 4a != 00 aa4.283c: 00007ffbebe70bf5 / 0x00a0bf5: 00 != 48 aa4.283c: 00007ffbebe70bf6 / 0x00a0bf6: 00 != 63 aa4.283c: 00007ffbebe70bf7 / 0x00a0bf7: 00 != c0 aa4.283c: 00007ffbebe70bf8 / 0x00a0bf8: f6 != ff aa4.283c: 00007ffbebe70bf9 / 0x00a0bf9: 04 != e0 aa4.283c: 00007ffbebe70c70 / 0x00a0c70: 
4c != b8 aa4.283c: 00007ffbebe70c71 / 0x00a0c71: 8b != 60 aa4.283c: 00007ffbebe70c72 / 0x00a0c72: d1 != 44 aa4.283c: 00007ffbebe70c73 / 0x00a0c73: b8 != 99 aa4.283c: 00007ffbebe70c74 / 0x00a0c74: 4e != 00 aa4.283c: 00007ffbebe70c75 / 0x00a0c75: 00 != 48 aa4.283c: 00007ffbebe70c76 / 0x00a0c76: 00 != 63 aa4.283c: 00007ffbebe70c77 / 0x00a0c77: 00 != c0 aa4.283c: 00007ffbebe70c78 / 0x00a0c78: f6 != ff aa4.283c: 00007ffbebe70c79 / 0x00a0c79: 04 != e0 aa4.283c: Restored 0x2000 bytes of original file content at 00007ffbebe6f28e aa4.283c: ntdll.dll: Differences in section #1 (.text) between file and memory: aa4.283c: 00007ffbebe719e0 / 0x00a19e0: 4c != b8 aa4.283c: 00007ffbebe719e1 / 0x00a19e1: 8b != 60 aa4.283c: 00007ffbebe719e2 / 0x00a19e2: d1 != 46 aa4.283c: 00007ffbebe719e3 / 0x00a19e3: b8 != 99 aa4.283c: 00007ffbebe719e4 / 0x00a19e4: ba != 00 aa4.283c: 00007ffbebe719e5 / 0x00a19e5: 00 != 48 aa4.283c: 00007ffbebe719e6 / 0x00a19e6: 00 != 63 aa4.283c: 00007ffbebe719e7 / 0x00a19e7: 00 != c0 aa4.283c: 00007ffbebe719e8 / 0x00a19e8: f6 != ff aa4.283c: 00007ffbebe719e9 / 0x00a19e9: 04 != e0 aa4.283c: 00007ffbebe723a0 / 0x00a23a0: 4c != b8 aa4.283c: 00007ffbebe723a1 / 0x00a23a1: 8b != e0 aa4.283c: 00007ffbebe723a2 / 0x00a23a2: d1 != 54 aa4.283c: 00007ffbebe723a3 / 0x00a23a3: b8 != 99 aa4.283c: 00007ffbebe723a4 / 0x00a23a4: 08 != 00 aa4.283c: 00007ffbebe723a5 / 0x00a23a5: 01 != 48 aa4.283c: 00007ffbebe723a6 / 0x00a23a6: 00 != 63 aa4.283c: 00007ffbebe723a7 / 0x00a23a7: 00 != c0 aa4.283c: 00007ffbebe723a8 / 0x00a23a8: f6 != ff aa4.283c: 00007ffbebe723a9 / 0x00a23a9: 04 != e0 aa4.283c: 00007ffbebe72e00 / 0x00a2e00: 4c != b8 aa4.283c: 00007ffbebe72e01 / 0x00a2e01: 8b != d0 aa4.283c: 00007ffbebe72e02 / 0x00a2e02: d1 != 49 aa4.283c: 00007ffbebe72e03 / 0x00a2e03: b8 != 99 aa4.283c: 00007ffbebe72e04 / 0x00a2e04: 5b != 00 aa4.283c: 00007ffbebe72e05 / 0x00a2e05: 01 != 48 aa4.283c: 00007ffbebe72e06 / 0x00a2e06: 00 != 63 aa4.283c: 00007ffbebe72e07 / 0x00a2e07: 00 != c0 aa4.283c: 
00007ffbebe72e08 / 0x00a2e08: f6 != ff aa4.283c: 00007ffbebe72e09 / 0x00a2e09: 04 != e0 aa4.283c: Restored 0x2000 bytes of original file content at 00007ffbebe7128e aa4.283c: ntdll.dll: Differences in section #1 (.text) between file and memory: aa4.283c: 00007ffbebe732c0 / 0x00a32c0: 4c != b8 aa4.283c: 00007ffbebe732c1 / 0x00a32c1: 8b != 00 aa4.283c: 00007ffbebe732c2 / 0x00a32c2: d1 != 4e aa4.283c: 00007ffbebe732c3 / 0x00a32c3: b8 != 99 aa4.283c: 00007ffbebe732c4 / 0x00a32c4: 81 != 00 aa4.283c: 00007ffbebe732c5 / 0x00a32c5: 01 != 48 aa4.283c: 00007ffbebe732c6 / 0x00a32c6: 00 != 63 aa4.283c: 00007ffbebe732c7 / 0x00a32c7: 00 != c0 aa4.283c: 00007ffbebe732c8 / 0x00a32c8: f6 != ff aa4.283c: 00007ffbebe732c9 / 0x00a32c9: 04 != e0 aa4.283c: 00007ffbebe736a0 / 0x00a36a0: 4c != b8 aa4.283c: 00007ffbebe736a1 / 0x00a36a1: 8b != e0 aa4.283c: 00007ffbebe736a2 / 0x00a36a2: d1 != 52 aa4.283c: 00007ffbebe736a3 / 0x00a36a3: b8 != 99 aa4.283c: 00007ffbebe736a4 / 0x00a36a4: a0 != 00 aa4.283c: 00007ffbebe736a5 / 0x00a36a5: 01 != 48 aa4.283c: 00007ffbebe736a6 / 0x00a36a6: 00 != 63 aa4.283c: 00007ffbebe736a7 / 0x00a36a7: 00 != c0 aa4.283c: 00007ffbebe736a8 / 0x00a36a8: f6 != ff aa4.283c: 00007ffbebe736a9 / 0x00a36a9: 04 != e0 aa4.283c: 00007ffbebe736e0 / 0x00a36e0: 4c != b8 aa4.283c: 00007ffbebe736e1 / 0x00a36e1: 8b != f0 aa4.283c: 00007ffbebe736e2 / 0x00a36e2: d1 != 53 aa4.283c: 00007ffbebe736e3 / 0x00a36e3: b8 != 99 aa4.283c: 00007ffbebe736e4 / 0x00a36e4: a2 != 00 aa4.283c: 00007ffbebe736e5 / 0x00a36e5: 01 != 48 aa4.283c: 00007ffbebe736e6 / 0x00a36e6: 00 != 63 aa4.283c: 00007ffbebe736e7 / 0x00a36e7: 00 != c0 aa4.283c: 00007ffbebe736e8 / 0x00a36e8: f6 != ff aa4.283c: 00007ffbebe736e9 / 0x00a36e9: 04 != e0 aa4.283c: Restored 0x2000 bytes of original file content at 00007ffbebe7328e aa4.283c: supR3HardNtChildPurify: cFixes=4 g_fSupAdversaries=0x80000000 aa4.283c: supR3HardNtChildPurify: Startup delay kludge #1/1: 518 ms, 63 sleeps aa4.283c: supHardNtVpScanVirtualMemory: 
enmKind=CHILD_PURIFICATION aa4.283c: *0000000000000000-000000000084ffff 0x0001/0x0000 0x0000000 aa4.283c: *0000000000850000-000000000086ffff 0x0004/0x0004 0x0020000 aa4.283c: *0000000000870000-0000000000888fff 0x0002/0x0002 0x0040000 aa4.283c: 0000000000889000-000000000088ffff 0x0001/0x0000 0x0000000 aa4.283c: *0000000000890000-000000000098afff 0x0000/0x0004 0x0020000 aa4.283c: 000000000098b000-000000000098dfff 0x0104/0x0004 0x0020000 aa4.283c: 000000000098e000-000000000098ffff 0x0004/0x0004 0x0020000 aa4.283c: 0000000000990000-000000000099ffff 0x0001/0x0000 0x0000000 aa4.283c: *00000000009a0000-00000000009a0fff 0x0002/0x0002 0x0040000 aa4.283c: 00000000009a1000-00000000009affff 0x0001/0x0000 0x0000000 aa4.283c: *00000000009b0000-00000000009b3fff 0x0002/0x0002 0x0040000 aa4.283c: 00000000009b4000-00000000009bffff 0x0001/0x0000 0x0000000 aa4.283c: *00000000009c0000-00000000009c0fff 0x0004/0x0004 0x0020000 aa4.283c: 00000000009c1000-00000000009fffff 0x0001/0x0000 0x0000000 aa4.283c: *0000000000a00000-0000000000b28fff 0x0000/0x0004 0x0020000 aa4.283c: 0000000000b29000-0000000000b2bfff 0x0004/0x0004 0x0020000 aa4.283c: 0000000000b2c000-0000000000bfffff 0x0000/0x0004 0x0020000 aa4.283c: 0000000000c00000-0000000000cdffff 0x0001/0x0000 0x0000000 aa4.283c: *0000000000ce0000-0000000000ce1fff 0x0004/0x0004 0x0020000 aa4.283c: 0000000000ce2000-000000007ffdffff 0x0001/0x0000 0x0000000 aa4.283c: *000000007ffe0000-000000007ffe0fff 0x0002/0x0002 0x0020000 aa4.283c: *000000007ffe1000-000000007ffeffff 0x0000/0x0002 0x0020000 aa4.283c: 000000007fff0000-00007ff6d909ffff 0x0001/0x0000 0x0000000 aa4.283c: *00007ff6d90a0000-00007ff6d90c2fff 0x0002/0x0002 0x0040000 aa4.283c: 00007ff6d90c3000-00007ff6d97fffff 0x0001/0x0000 0x0000000 aa4.283c: *00007ff6d9800000-00007ff6d9800fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VBoxHeadless.exe aa4.283c: 00007ff6d9801000-00007ff6d9871fff 0x0020/0x0080 0x1000000 \Device\HarddiskVolume2\Program 
Files\Oracle\VirtualBox\VBoxHeadless.exe aa4.283c: 00007ff6d9872000-00007ff6d9872fff 0x0040/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VBoxHeadless.exe aa4.283c: 00007ff6d9873000-00007ff6d98b8fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VBoxHeadless.exe aa4.283c: 00007ff6d98b9000-00007ff6d98c5fff 0x0004/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VBoxHeadless.exe aa4.283c: 00007ff6d98c6000-00007ff6d990dfff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VBoxHeadless.exe aa4.283c: 00007ff6d990e000-00007ffbebdcffff 0x0001/0x0000 0x0000000 aa4.283c: *00007ffbebdd0000-00007ffbebdd0fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll aa4.283c: 00007ffbebdd1000-00007ffbebee2fff 0x0020/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll aa4.283c: 00007ffbebee3000-00007ffbebf28fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll aa4.283c: 00007ffbebf29000-00007ffbebf2cfff 0x0008/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll aa4.283c: 00007ffbebf2d000-00007ffbebf30fff 0x0004/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll aa4.283c: 00007ffbebf31000-00007ffbebf3efff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll aa4.283c: 00007ffbebf3f000-00007ffbebf3ffff 0x0004/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll aa4.283c: 00007ffbebf40000-00007ffbebf42fff 0x0008/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll aa4.283c: 00007ffbebf43000-00007ffbebfaffff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll aa4.283c: 00007ffbebfb0000-00007ffffffdffff 0x0001/0x0000 0x0000000 aa4.283c: *00007ffffffe0000-00007ffffffeffff 0x0001/0x0002 0x0020000 aa4.283c: supR3HardNtChildPurify: Done after 809 ms and 4 fixes (loop #1). 
2878.1308: Log file opened: 5.2.8r121009 g_hStartupLog=0000000000000008 g_uNtVerCombined=0xa03fab00
2878.1308: supR3HardenedVmProcessInit: uNtDllAddr=00007ffbebdd0000 g_uNtVerCombined=0xa03fab00
aa4.283c: supR3HardenedEarlyCompact: Removed heap 1 (0x00000000ab0000 LB 0x400000)
2878.1308: ntdll.dll: timestamp 0xe508fc03 (rc=VINF_SUCCESS)
2878.1308: New simple heap: #1 0000000000df0000 LB 0x400000 (for 1966080 allocation)
aa4.283c: supR3HardNtEnableThreadCreation:
2878.1308: supR3HardenedWinInitAppBin(0x0): '\Device\HarddiskVolume2\Program Files\Oracle\VirtualBox'
2878.1308: System32: \Device\HarddiskVolume2\Windows\System32
2878.1308: WinSxS: \Device\HarddiskVolume2\Windows\WinSxS
2878.1308: KnownDllPath: C:\WINDOWS\System32
2878.1308: supR3HardenedVmProcessInit: Opening vboxdrv...
2878.1308: supR3HardenedVmProcessInit: Restoring LdrInitializeThunk...
2878.1308: supR3HardenedVmProcessInit: Returning to LdrInitializeThunk...
2878.1308: Registered Dll notification callback with NTDLL.
2878.1308: supHardenedWinVerifyImageByHandle: -> 0 (\Device\HarddiskVolume2\Windows\System32\kernel32.dll)
2878.1308: supR3HardenedWinVerifyCacheInsert: \Device\HarddiskVolume2\Windows\System32\kernel32.dll
2878.1308: supR3HardenedMonitor_LdrLoadDll: pName=C:\WINDOWS\System32\KERNEL32.DLL (Input=KERNEL32.DLL, rcNtResolve=0xc0150008) *pfFlags=0xffffffff pwszSearchPath=0000000000004001: [calling]
2878.1308: supR3HardenedDllNotificationCallback: load 00007ffbe8390000 LB 0x00266000 C:\WINDOWS\System32\KERNELBASE.dll [fFlags=0x0]
2878.1308: supHardenedWinVerifyImageByHandle: -> 0 (\Device\HarddiskVolume2\Windows\System32\KernelBase.dll)
2878.1308: supR3HardenedWinVerifyCacheInsert: \Device\HarddiskVolume2\Windows\System32\KernelBase.dll
2878.1308: supR3HardenedDllNotificationCallback: load 00007ffbe94a0000 LB 0x000ae000 C:\WINDOWS\System32\KERNEL32.DLL [fFlags=0x0]
2878.1308: supR3HardenedScreenImage/LdrLoadDll: cache hit (VINF_SUCCESS) on \Device\HarddiskVolume2\Windows\System32\kernel32.dll [lacks WinVerifyTrust]
2878.1308: supR3HardenedMonitor_LdrLoadDll: returns rcNt=0x0 hMod=00007ffbe94a0000 'C:\WINDOWS\System32\KERNEL32.DLL'
2878.1308: supR3HardenedDllNotificationCallback: load 00007ff6d9800000 LB 0x0010e000 C:\Program Files\Oracle\VirtualBox\VBoxHeadless.exe [fFlags=0x0]
2878.1308: '\Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VBoxHeadless.exe' has no imports
2878.1308: supHardenedWinVerifyImageByHandle: -> 0 (\Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VBoxHeadless.exe)
2878.1308: supR3HardenedWinVerifyCacheInsert: \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VBoxHeadless.exe
2878.1308: supR3HardNtDisableThreadCreation: pvLdrInitThunk=00007ffbebe49280 pvNtTerminateThread=00007ffbebe70d10
aa4.283c: supR3HardNtChildWaitFor: Found expected request 1 (CloseEvents) after 73 ms.
2878.1308: \SystemRoot\System32\ntdll.dll:
2878.1308: CreationTime: 2018-04-10T08:52:14.098777500Z
2878.1308: LastWriteTime: 2018-03-13T07:02:15.839353900Z
2878.1308: ChangeTime: 2018-04-11T06:58:30.408905200Z
2878.1308: FileAttributes: 0x20
2878.1308: Size: 0x1dd100
2878.1308: NT Headers: 0xe0
2878.1308: Timestamp: 0xe508fc03
2878.1308: Machine: 0x8664 - amd64
2878.1308: Timestamp: 0xe508fc03
2878.1308: Image Version: 10.0
2878.1308: SizeOfImage: 0x1e0000 (1966080)
2878.1308: Resource Dir: 0x174000 LB 0x6a1d8
2878.1308: [Version info resource found at 0xd8! (ID/Name: 0x1; SubID/SubName: 0x409)]
2878.1308: [Raw version resource data: 0x1740f0 LB 0x380, codepage 0x0 (reserved 0x0)]
2878.1308: ProductName: Microsoft® Windows® Operating System
2878.1308: ProductVersion: 10.0.16299.334
2878.1308: FileVersion: 10.0.16299.334 (WinBuild.160101.0800)
2878.1308: FileDescription: NT Layer DLL
2878.1308: \SystemRoot\System32\kernel32.dll:
2878.1308: CreationTime: 2017-09-29T13:42:04.954227600Z
2878.1308: LastWriteTime: 2017-09-29T13:42:04.954227600Z
2878.1308: ChangeTime: 2018-04-10T11:13:57.710048700Z
2878.1308: FileAttributes: 0x20
2878.1308: Size: 0xab868
2878.1308: NT Headers: 0xe8
2878.1308: Timestamp: 0xc2cf900
2878.1308: Machine: 0x8664 - amd64
2878.1308: Timestamp: 0xc2cf900
2878.1308: Image Version: 10.0
2878.1308: SizeOfImage: 0xae000 (712704)
2878.1308: Resource Dir: 0xac000 LB 0x520
2878.1308: [Version info resource found at 0x90! (ID/Name: 0x1; SubID/SubName: 0x409)]
2878.1308: [Raw version resource data: 0xac0b0 LB 0x3a4, codepage 0x0 (reserved 0x0)]
2878.1308: ProductName: Microsoft® Windows® Operating System
2878.1308: ProductVersion: 10.0.16299.15
2878.1308: FileVersion: 10.0.16299.15 (WinBuild.160101.0800)
2878.1308: FileDescription: Windows NT BASE API Client DLL
2878.1308: \SystemRoot\System32\KernelBase.dll:
2878.1308: CreationTime: 2018-04-11T06:21:03.844568400Z
2878.1308: LastWriteTime: 2018-03-30T05:08:26.893801200Z
2878.1308: ChangeTime: 2018-04-11T06:57:55.481510900Z
2878.1308: FileAttributes: 0x20
2878.1308: Size: 0x265c00
2878.1308: NT Headers: 0xf0
2878.1308: Timestamp: 0x6369e29f
2878.1308: Machine: 0x8664 - amd64
2878.1308: Timestamp: 0x6369e29f
2878.1308: Image Version: 10.0
2878.1308: SizeOfImage: 0x266000 (2514944)
2878.1308: Resource Dir: 0x245000 LB 0x548
2878.1308: [Version info resource found at 0x90! (ID/Name: 0x1; SubID/SubName: 0x409)]
2878.1308: [Raw version resource data: 0x2450b0 LB 0x3bc, codepage 0x0 (reserved 0x0)]
2878.1308: ProductName: Microsoft® Windows® Operating System
2878.1308: ProductVersion: 10.0.16299.371
2878.1308: FileVersion: 10.0.16299.371 (WinBuild.160101.0800)
2878.1308: FileDescription: Windows NT BASE API Client DLL
2878.1308: \SystemRoot\System32\apisetschema.dll:
2878.1308: CreationTime: 2017-09-29T13:42:07.095026600Z
2878.1308: LastWriteTime: 2017-09-29T13:42:07.095026600Z
2878.1308: ChangeTime: 2018-04-11T07:37:29.079921700Z
2878.1308: FileAttributes: 0x20
2878.1308: Size: 0x1b398
2878.1308: NT Headers: 0xc8
2878.1308: Timestamp: 0xf30abf31
2878.1308: Machine: 0x8664 - amd64
2878.1308: Timestamp: 0xf30abf31
2878.1308: Image Version: 10.0
2878.1308: SizeOfImage: 0x1c000 (114688)
2878.1308: Resource Dir: 0x1b000 LB 0x408
2878.1308: [Version info resource found at 0x48! (ID/Name: 0x1; SubID/SubName: 0x409)]
2878.1308: [Raw version resource data: 0x1b060 LB 0x3a8, codepage 0x0 (reserved 0x0)]
2878.1308: ProductName: Microsoft® Windows® Operating System
2878.1308: ProductVersion: 10.0.16299.15
2878.1308: FileVersion: 10.0.16299.15 (WinBuild.160101.0800)
2878.1308: FileDescription: ApiSet Schema DLL
2878.1308: supR3HardenedWinFindAdversaries: 0x0
2878.1308: supR3HardenedWinInitAppBin(0x0): '\Device\HarddiskVolume2\Program Files\Oracle\VirtualBox'
2878.1308: Calling main()
2878.1308: SUPR3HardenedMain: pszProgName=VBoxHeadless fFlags=0x0
2878.1308: supR3HardenedWinInitAppBin(0x0): '\Device\HarddiskVolume2\Program Files\Oracle\VirtualBox'
2878.1308: '\Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VBoxHeadless.exe' has no imports
2878.1308: supHardenedWinVerifyImageByHandle: -> 0 (\Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VBoxHeadless.exe)
2878.1308: SUPR3HardenedMain: Final process, opening VBoxDrv...
2878.1308: supR3HardenedEarlyCompact: Removed heap 1 (0x00000000df0000 LB 0x400000)
2878.1308: supR3HardNtEnableThreadCreation:
2878.1308: supHardenedWinVerifyImageByHandle: -> 0 (\Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VBoxSupLib.dll)
2878.1308: supR3HardenedWinVerifyCacheInsert: \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VBoxSupLib.dll
2878.1308: supR3HardenedMonitor_LdrLoadDll: pName=C:\Program Files\Oracle\VirtualBox\VBoxSupLib.DLL (rcNtResolve=0xc0150008) *pfFlags=0x0 pwszSearchPath=0000000000000801: [calling]
2878.1308: supR3HardenedScreenImage/NtCreateSection: cache hit (VINF_SUCCESS) on \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VBoxSupLib.dll [lacks WinVerifyTrust]
2878.1308: supR3HardenedDllNotificationCallback: load 00007ffbe0100000 LB 0x00005000 C:\Program Files\Oracle\VirtualBox\VBoxSupLib.DLL [fFlags=0x0]
2878.1308: supR3HardenedScreenImage/LdrLoadDll: cache hit (VINF_SUCCESS) on \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VBoxSupLib.dll [lacks WinVerifyTrust]
2878.1308: supR3HardenedScreenImage/LdrLoadDll: cache hit (VINF_SUCCESS) on \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VBoxSupLib.dll [lacks WinVerifyTrust]
2878.1308: supR3HardenedMonitor_LdrLoadDll: pName=C:\Program Files\Oracle\VirtualBox\VBoxSupLib.DLL (rcNtResolve=0xc0150008) *pfFlags=0x0 pwszSearchPath=0000000000000001: [calling]
2878.1308: supR3HardenedMonitor_LdrLoadDll: returns rcNt=0x0 hMod=00007ffbe0100000 'C:\Program Files\Oracle\VirtualBox\VBoxSupLib.DLL'
2878.1308: supR3HardenedScreenImage/LdrLoadDll: cache hit (VINF_SUCCESS) on \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VBoxSupLib.dll [lacks WinVerifyTrust]
2878.1308: supR3HardenedMonitor_LdrLoadDll: pName=C:\Program Files\Oracle\VirtualBox\VBoxSupLib.DLL (rcNtResolve=0xc0150008) *pfFlags=0x0 pwszSearchPath=0000000000000001: [calling]
2878.1308: supR3HardenedMonitor_LdrLoadDll: returns rcNt=0x0 hMod=00007ffbe0100000 'C:\Program Files\Oracle\VirtualBox\VBoxSupLib.DLL'
2878.1308: supR3HardenedMonitor_LdrLoadDll: returns rcNt=0x0 hMod=00007ffbe0100000 'C:\Program Files\Oracle\VirtualBox\VBoxSupLib.DLL'
2878.1308: supR3HardenedWinVerifyCacheScheduleImports: Import todo: #0 'msvcrt.dll'.
2878.1308: supR3HardenedWinVerifyCacheScheduleImports: Import todo: #1 'msasn1.dll'.
2878.1308: supR3HardenedWinVerifyCacheScheduleImports: Import todo: #6 'crypt32.dll'.
2878.1308: supR3HardenedWinVerifyCacheScheduleImports: Import todo: #27 'rpcrt4.dll'.
2878.1308: supHardenedWinVerifyImageByHandle: -> 0 (\Device\HarddiskVolume2\Windows\System32\wintrust.dll)
2878.1308: supR3HardenedWinVerifyCacheInsert: \Device\HarddiskVolume2\Windows\System32\wintrust.dll
2878.1308: supR3HardenedWinVerifyCacheProcessImportTodos: Processing 'rpcrt4.dll'...
2878.1308: supR3HardenedWinVerifyCacheProcessImportTodos: 'rpcrt4.dll' -> '\Device\HarddiskVolume2\Windows\System32\rpcrt4.dll' [rcNtRedir=0xc0150008]
2878.1308: supHardenedWinVerifyImageByHandle: -> 0 (\Device\HarddiskVolume2\Windows\System32\rpcrt4.dll)
2878.1308: supR3HardenedWinVerifyCacheInsert: \Device\HarddiskVolume2\Windows\System32\rpcrt4.dll
2878.1308: supR3HardenedWinVerifyCacheProcessImportTodos: Processing 'crypt32.dll'...
2878.1308: supR3HardenedWinVerifyCacheProcessImportTodos: 'crypt32.dll' -> '\Device\HarddiskVolume2\Windows\System32\crypt32.dll' [rcNtRedir=0xc0150008]
2878.1308: supR3HardenedWinVerifyCacheScheduleImports: Import todo: #33 'msasn1.dll'.
2878.1308: supHardenedWinVerifyImageByHandle: -> 0 (\Device\HarddiskVolume2\Windows\System32\crypt32.dll)
2878.1308: supR3HardenedWinVerifyCacheInsert: \Device\HarddiskVolume2\Windows\System32\crypt32.dll
2878.1308: supR3HardenedWinVerifyCacheProcessImportTodos: Processing 'msasn1.dll'...
2878.1308: supR3HardenedWinVerifyCacheProcessImportTodos: 'msasn1.dll' -> '\Device\HarddiskVolume2\Windows\System32\msasn1.dll' [rcNtRedir=0xc0150008]
2878.1308: supHardenedWinVerifyImageByHandle: -> 0 (\Device\HarddiskVolume2\Windows\System32\msasn1.dll)
2878.1308: supR3HardenedWinVerifyCacheInsert: \Device\HarddiskVolume2\Windows\System32\msasn1.dll
2878.1308: supR3HardenedWinVerifyCacheProcessImportTodos: Processing 'msvcrt.dll'...
2878.1308: supR3HardenedWinVerifyCacheProcessImportTodos: 'msvcrt.dll' -> '\Device\HarddiskVolume2\Windows\System32\msvcrt.dll' [rcNtRedir=0xc0150008]
2878.1308: supHardenedWinVerifyImageByHandle: -> 0 (\Device\HarddiskVolume2\Windows\System32\msvcrt.dll)
2878.1308: supR3HardenedWinVerifyCacheInsert: \Device\HarddiskVolume2\Windows\System32\msvcrt.dll
2878.1308: supR3HardenedWinVerifyCacheProcessImportTodos: Processing 'msasn1.dll'...
2878.1308: supR3HardenedWinVerifyCacheProcessImportTodos: 'msasn1.dll' -> '\Device\HarddiskVolume2\Windows\System32\msasn1.dll' [rcNtRedir=0xc0150008]
2878.1308: supR3HardenedScreenImage/Imports: cache hit (VINF_SUCCESS) on \Device\HarddiskVolume2\Windows\System32\msasn1.dll [lacks WinVerifyTrust]
2878.1308: supR3HardenedMonitor_LdrLoadDll: pName=C:\WINDOWS\system32\Wintrust.dll (rcNtResolve=0xc0150008) *pfFlags=0x0 pwszSearchPath=0000000000000801: [calling]
2878.1308: supR3HardenedIsApiSetDll: ApiSetQueryApiSetPresence(ext-ms-win-kernel32-errorhandling-l1-1-0.dll) -> 0x0, fPresent=1
2878.1308: supR3HardenedMonitor_LdrLoadDll: pName=ext-ms-win-kernel32-errorhandling-l1-1-0.dll (rcNtResolve=0x0) *pfFlags=0x0 pwszSearchPath=0000000000000001: [calling]
2878.1308: supR3HardenedMonitor_LdrLoadDll: returns rcNt=0x0 hMod=00007ffbe94a0000 'ext-ms-win-kernel32-errorhandling-l1-1-0.dll'
2878.1308: '\Device\HarddiskVolume2\Windows\System32\ntdll.dll' has no imports
2878.1308: supHardenedWinVerifyImageByHandle: -> 0 (\Device\HarddiskVolume2\Windows\System32\ntdll.dll)
2878.1308: supR3HardenedWinVerifyCacheInsert: \Device\HarddiskVolume2\Windows\System32\ntdll.dll
2878.1308: supR3HardenedMonitor_LdrLoadDll: pName=C:\WINDOWS\System32\ntdll.dll (Input=ntdll.dll, rcNtResolve=0xc0150008) *pfFlags=0x0 pwszSearchPath=0000000000000801: [calling]
2878.1308: supR3HardenedMonitor_LdrLoadDll: returns rcNt=0x0 hMod=00007ffbebdd0000 'C:\WINDOWS\System32\ntdll.dll'
aa4.283c: supR3HardNtChildWaitFor[2]: Quitting: ExitCode=0xc0000005 (rcNtWait=0x0, rcNt1=0x0, rcNt2=0x103, rcNt3=0x103, 3063 ms, the end);
2718.708: supR3HardNtChildWaitFor[1]: Quitting: ExitCode=0xc0000005 (rcNtWait=0x0, rcNt1=0x0, rcNt2=0x103, rcNt3=0x103, 3984 ms, the end);