397c.3980: Log file opened: 6.1.10r138449 g_hStartupLog=0000000000000074 g_uNtVerCombined=0xa0456300 397c.3980: \SystemRoot\System32\ntdll.dll: 397c.3980: CreationTime: 2020-05-26T07:46:58.961376500Z 397c.3980: LastWriteTime: 2020-05-26T07:46:59.067755000Z 397c.3980: ChangeTime: 2020-05-26T09:00:47.491954900Z 397c.3980: FileAttributes: 0x20 397c.3980: Size: 0x1e7010 397c.3980: NT Headers: 0xe0 397c.3980: Timestamp: 0x5854f5da 397c.3980: Machine: 0x8664 - amd64 397c.3980: Timestamp: 0x5854f5da 397c.3980: Image Version: 10.0 397c.3980: SizeOfImage: 0x1ed000 (2019328) 397c.3980: Resource Dir: 0x17d000 LB 0x6eb48 397c.3980: [Version info resource found at 0xd8! (ID/Name: 0x1; SubID/SubName: 0x409)] 397c.3980: [Raw version resource data: 0x17d0f0 LB 0x380, codepage 0x0 (reserved 0x0)] 397c.3980: ProductName: Microsoft® Windows® Operating System 397c.3980: ProductVersion: 10.0.17763.1192 397c.3980: FileVersion: 10.0.17763.1192 (WinBuild.160101.0800) 397c.3980: FileDescription: NT Layer DLL 397c.3980: \SystemRoot\System32\kernel32.dll: 397c.3980: CreationTime: 2020-04-29T18:47:47.414874300Z 397c.3980: LastWriteTime: 2020-04-29T18:47:47.462833000Z 397c.3980: ChangeTime: 2020-05-26T07:49:56.708165800Z 397c.3980: FileAttributes: 0x20 397c.3980: Size: 0xb1390 397c.3980: NT Headers: 0xe8 397c.3980: Timestamp: 0x6314bdeb 397c.3980: Machine: 0x8664 - amd64 397c.3980: Timestamp: 0x6314bdeb 397c.3980: Image Version: 10.0 397c.3980: SizeOfImage: 0xb3000 (733184) 397c.3980: Resource Dir: 0xb1000 LB 0x520 397c.3980: [Version info resource found at 0x90! 
(ID/Name: 0x1; SubID/SubName: 0x409)] 397c.3980: [Raw version resource data: 0xb10b0 LB 0x3a4, codepage 0x0 (reserved 0x0)] 397c.3980: ProductName: Microsoft® Windows® Operating System 397c.3980: ProductVersion: 10.0.17763.1158 397c.3980: FileVersion: 10.0.17763.1158 (WinBuild.160101.0800) 397c.3980: FileDescription: Windows NT BASE API Client DLL 397c.3980: \SystemRoot\System32\KernelBase.dll: 397c.3980: CreationTime: 2020-05-26T07:46:58.687423000Z 397c.3980: LastWriteTime: 2020-05-26T07:46:58.795776700Z 397c.3980: ChangeTime: 2020-05-26T09:00:45.867071800Z 397c.3980: FileAttributes: 0x20 397c.3980: Size: 0x295510 397c.3980: NT Headers: 0x100 397c.3980: Timestamp: 0x7889407f 397c.3980: Machine: 0x8664 - amd64 397c.3980: Timestamp: 0x7889407f 397c.3980: Image Version: 10.0 397c.3980: SizeOfImage: 0x295000 (2707456) 397c.3980: Resource Dir: 0x271000 LB 0x548 397c.3980: [Version info resource found at 0x90! (ID/Name: 0x1; SubID/SubName: 0x409)] 397c.3980: [Raw version resource data: 0x2710b0 LB 0x3bc, codepage 0x0 (reserved 0x0)] 397c.3980: ProductName: Microsoft® Windows® Operating System 397c.3980: ProductVersion: 10.0.17763.1192 397c.3980: FileVersion: 10.0.17763.1192 (WinBuild.160101.0800) 397c.3980: FileDescription: Windows NT BASE API Client DLL 397c.3980: \SystemRoot\System32\apisetschema.dll: 397c.3980: CreationTime: 2018-09-15T07:28:25.403122600Z 397c.3980: LastWriteTime: 2018-09-15T07:28:25.403122600Z 397c.3980: ChangeTime: 2019-01-14T10:16:21.000579800Z 397c.3980: FileAttributes: 0x20 397c.3980: Size: 0x1c738 397c.3980: NT Headers: 0xd0 397c.3980: Timestamp: 0x33775897 397c.3980: Machine: 0x8664 - amd64 397c.3980: Timestamp: 0x33775897 397c.3980: Image Version: 10.0 397c.3980: SizeOfImage: 0x1d000 (118784) 397c.3980: Resource Dir: 0x1c000 LB 0x408 397c.3980: [Version info resource found at 0x48! 
(ID/Name: 0x1; SubID/SubName: 0x409)] 397c.3980: [Raw version resource data: 0x1c060 LB 0x3a8, codepage 0x0 (reserved 0x0)] 397c.3980: ProductName: Microsoft® Windows® Operating System 397c.3980: ProductVersion: 10.0.17763.1 397c.3980: FileVersion: 10.0.17763.1 (WinBuild.160101.0800) 397c.3980: FileDescription: ApiSet Schema DLL 397c.3980: NtOpenDirectoryObject failed on \Driver: 0xc0000022 397c.3980: supR3HardenedWinFindAdversaries: 0x40000 397c.3980: \SystemRoot\System32\drivers\SophosED.sys: 397c.3980: CreationTime: 2018-09-05T12:39:36.486269100Z 397c.3980: LastWriteTime: 2020-02-03T20:27:53.000000000Z 397c.3980: ChangeTime: 2020-04-27T12:47:41.839047600Z 397c.3980: FileAttributes: 0x20 397c.3980: Size: 0x10aae0 397c.3980: NT Headers: 0xf0 397c.3980: Timestamp: 0x5e384b3c 397c.3980: Machine: 0x8664 - amd64 397c.3980: Timestamp: 0x5e384b3c 397c.3980: Image Version: 10.0 397c.3980: SizeOfImage: 0x10c000 (1097728) 397c.3980: Resource Dir: 0x104000 LB 0x6740 397c.3980: [Version info resource found at 0x570! (ID/Name: 0x1; SubID/SubName: 0x409)] 397c.3980: [Raw version resource data: 0x104580 LB 0x4b8, codepage 0x0 (reserved 0x0)] 397c.3980: ProductName: Sophos Endpoint Defense 397c.3980: ProductVersion: 2.2.0 397c.3980: FileVersion: 2.2.0.3438 397c.3980: FileDescription: Sophos Endpoint Defense Mini-Filter Driver 397c.3980: supR3HardenedWinInitAppBin(0x0): '\Device\HarddiskVolume2\Program Files\Oracle\VirtualBox' 397c.3980: Calling main() 397c.3980: SUPR3HardenedMain: pszProgName=VirtualBoxVM fFlags=0x2 397c.3980: supR3HardenedWinInitAppBin(0x2): '\Device\HarddiskVolume2\Program Files\Oracle\VirtualBox' 397c.3980: SUPR3HardenedMain: Respawn #1 397c.3980: System32: \Device\HarddiskVolume2\Windows\System32 397c.3980: WinSxS: \Device\HarddiskVolume2\Windows\WinSxS 397c.3980: KnownDllPath: C:\WINDOWS\System32 397c.3980: supR3HardenedWinInit: Performing a limited self purification... 
397c.3980: supHardNtVpScanVirtualMemory: enmKind=SELF_PURIFICATION 397c.3980: *0000000000000000-000000000099ffff 0x0001/0x0000 0x0000000 397c.3980: *00000000009a0000-00000000009affff 0x0004/0x0004 0x0040000 397c.3980: 00000000009b0000-00000000009bffff 0x0001/0x0000 0x0000000 397c.3980: *00000000009c0000-00000000009d9fff 0x0002/0x0002 0x0040000 397c.3980: 00000000009da000-00000000009dffff 0x0001/0x0000 0x0000000 397c.3980: *00000000009e0000-00000000009e3fff 0x0002/0x0002 0x0040000 397c.3980: 00000000009e4000-00000000009effff 0x0001/0x0000 0x0000000 397c.3980: *00000000009f0000-00000000009f1fff 0x0004/0x0004 0x0020000 397c.3980: 00000000009f2000-00000000009fffff 0x0001/0x0000 0x0000000 397c.3980: *0000000000a00000-0000000000ad9fff 0x0000/0x0004 0x0020000 397c.3980: 0000000000ada000-0000000000adcfff 0x0004/0x0004 0x0020000 397c.3980: 0000000000add000-0000000000bfffff 0x0000/0x0004 0x0020000 397c.3980: *0000000000c00000-0000000000cb0fff 0x0000/0x0004 0x0020000 397c.3980: 0000000000cb1000-0000000000cb3fff 0x0104/0x0004 0x0020000 397c.3980: 0000000000cb4000-0000000000cfffff 0x0004/0x0004 0x0020000 397c.3980: 0000000000d00000-0000000000d0ffff 0x0001/0x0000 0x0000000 397c.3980: *0000000000d10000-0000000000d11fff 0x0004/0x0004 0x0020000 397c.3980: 0000000000d12000-0000000000d41fff 0x0000/0x0004 0x0020000 397c.3980: 0000000000d42000-0000000000d7ffff 0x0001/0x0000 0x0000000 397c.3980: *0000000000d80000-0000000000e24fff 0x0004/0x0004 0x0020000 397c.3980: 0000000000e25000-0000000000e7ffff 0x0000/0x0004 0x0020000 397c.3980: *0000000000e80000-0000000000f44fff 0x0002/0x0002 0x0040000 397c.3980: 0000000000f45000-0000000000f4ffff 0x0001/0x0000 0x0000000 397c.3980: *0000000000f50000-0000000000f51fff 0x0004/0x0004 0x0020000 397c.3980: 0000000000f52000-0000000000f81fff 0x0000/0x0004 0x0020000 397c.3980: 0000000000f82000-0000000000faffff 0x0001/0x0000 0x0000000 397c.3980: *0000000000fb0000-00000000010affff 0x0004/0x0004 0x0020000 397c.3980: 00000000010b0000-000000000111ffff 
0x0001/0x0000 0x0000000 397c.3980: *0000000001120000-000000000112efff 0x0004/0x0004 0x0020000 397c.3980: 000000000112f000-000000000112ffff 0x0000/0x0004 0x0020000 397c.3980: *0000000001130000-000000000113cfff 0x0000/0x0004 0x0020000 397c.3980: 000000000113d000-000000000132afff 0x0004/0x0004 0x0020000 397c.3980: 000000000132b000-000000000132bfff 0x0000/0x0004 0x0020000 397c.3980: 000000000132c000-000000000132ffff 0x0001/0x0000 0x0000000 397c.3980: *0000000001330000-000000000134cfff 0x0004/0x0004 0x0020000 397c.3980: 000000000134d000-000000000142ffff 0x0000/0x0004 0x0020000 397c.3980: 0000000001430000-000000007ffdffff 0x0001/0x0000 0x0000000 397c.3980: *000000007ffe0000-000000007ffe0fff 0x0002/0x0002 0x0020000 397c.3980: 000000007ffe1000-000000007ffe4fff 0x0001/0x0000 0x0000000 397c.3980: *000000007ffe5000-000000007ffe5fff 0x0002/0x0002 0x0020000 397c.3980: 000000007ffe6000-00007ff4cbc1ffff 0x0001/0x0000 0x0000000 397c.3980: *00007ff4cbc20000-00007ff4cbc24fff 0x0002/0x0002 0x0040000 397c.3980: 00007ff4cbc25000-00007ff4cbd1ffff 0x0000/0x0002 0x0040000 397c.3980: *00007ff4cbd20000-00007ff5cbd3ffff 0x0000/0x0004 0x0020000 397c.3980: *00007ff5cbd40000-00007ff5cdd3ffff 0x0000/0x0004 0x0020000 397c.3980: 00007ff5cdd40000-00007ff5cdd40fff 0x0004/0x0004 0x0020000 397c.3980: 00007ff5cdd41000-00007ff5cdd4ffff 0x0001/0x0000 0x0000000 397c.3980: *00007ff5cdd50000-00007ff5cdd50fff 0x0002/0x0002 0x0040000 397c.3980: 00007ff5cdd51000-00007ff5cdd5ffff 0x0001/0x0000 0x0000000 397c.3980: *00007ff5cdd60000-00007ff5cdd82fff 0x0002/0x0002 0x0040000 397c.3980: 00007ff5cdd83000-00007ff6a7ceffff 0x0001/0x0000 0x0000000 397c.3980: *00007ff6a7cf0000-00007ff6a7cf0fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe 397c.3980: 00007ff6a7cf1000-00007ff6a7d66fff 0x0020/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe 397c.3980: 00007ff6a7d67000-00007ff6a7d67fff 0x0080/0x0080 0x1000000 
\Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe 397c.3980: 00007ff6a7d68000-00007ff6a7daffff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe 397c.3980: 00007ff6a7db0000-00007ff6a7db2fff 0x0004/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe 397c.3980: 00007ff6a7db3000-00007ff6a7db5fff 0x0008/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe 397c.3980: 00007ff6a7db6000-00007ff6a7db8fff 0x0004/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe 397c.3980: 00007ff6a7db9000-00007ff6a7db9fff 0x0008/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe 397c.3980: 00007ff6a7dba000-00007ff6a7dbbfff 0x0004/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe 397c.3980: 00007ff6a7dbc000-00007ff6a7dbcfff 0x0008/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe 397c.3980: 00007ff6a7dbd000-00007ff6a7e05fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe 397c.3980: 00007ff6a7e06000-00007ffec8e2ffff 0x0001/0x0000 0x0000000 397c.3980: *00007ffec8e30000-00007ffec8e30fff 0x0020/0x0040 0x0020000 !! 
397c.3980: 00007ffec8e31000-00007ffeee3cffff 0x0001/0x0000 0x0000000 397c.3980: *00007ffeee3d0000-00007ffeee3d0fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\hmpalert.dll 397c.3980: supHardNtVpScanVirtualMemory: Ignoring unknown mem at 00007ffeee3d0000 LB 0x1000 (base 00007ffeee3d0000) - 'hmpalert.dll' 397c.3980: 00007ffeee3d1000-00007ffeee48bfff 0x0020/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\hmpalert.dll 397c.3980: supHardNtVpScanVirtualMemory: Ignoring unknown mem at 00007ffeee3d1000 LB 0xbb000 (base 00007ffeee3d0000) - 'hmpalert.dll' 397c.3980: 00007ffeee48c000-00007ffeee4cafff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\hmpalert.dll 397c.3980: supHardNtVpScanVirtualMemory: Ignoring unknown mem at 00007ffeee48c000 LB 0x3f000 (base 00007ffeee3d0000) - 'hmpalert.dll' 397c.3980: 00007ffeee4cb000-00007ffeee4cbfff 0x0004/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\hmpalert.dll 397c.3980: supHardNtVpScanVirtualMemory: Ignoring unknown mem at 00007ffeee4cb000 LB 0x1000 (base 00007ffeee3d0000) - 'hmpalert.dll' 397c.3980: 00007ffeee4cc000-00007ffeee4ccfff 0x0008/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\hmpalert.dll 397c.3980: supHardNtVpScanVirtualMemory: Ignoring unknown mem at 00007ffeee4cc000 LB 0x1000 (base 00007ffeee3d0000) - 'hmpalert.dll' 397c.3980: 00007ffeee4cd000-00007ffeee4cffff 0x0004/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\hmpalert.dll 397c.3980: supHardNtVpScanVirtualMemory: Ignoring unknown mem at 00007ffeee4cd000 LB 0x3000 (base 00007ffeee3d0000) - 'hmpalert.dll' 397c.3980: 00007ffeee4d0000-00007ffeee4d3fff 0x0008/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\hmpalert.dll 397c.3980: supHardNtVpScanVirtualMemory: Ignoring unknown mem at 00007ffeee4d0000 LB 0x4000 (base 00007ffeee3d0000) - 'hmpalert.dll' 397c.3980: 00007ffeee4d4000-00007ffeee4d4fff 0x0004/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\hmpalert.dll 397c.3980: 
supHardNtVpScanVirtualMemory: Ignoring unknown mem at 00007ffeee4d4000 LB 0x1000 (base 00007ffeee3d0000) - 'hmpalert.dll' 397c.3980: 00007ffeee4d5000-00007ffeee4d5fff 0x0008/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\hmpalert.dll 397c.3980: supHardNtVpScanVirtualMemory: Ignoring unknown mem at 00007ffeee4d5000 LB 0x1000 (base 00007ffeee3d0000) - 'hmpalert.dll' 397c.3980: 00007ffeee4d6000-00007ffeee4dbfff 0x0004/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\hmpalert.dll 397c.3980: supHardNtVpScanVirtualMemory: Ignoring unknown mem at 00007ffeee4d6000 LB 0x6000 (base 00007ffeee3d0000) - 'hmpalert.dll' 397c.3980: 00007ffeee4dc000-00007ffeee4f6fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\hmpalert.dll 397c.3980: supHardNtVpScanVirtualMemory: Ignoring unknown mem at 00007ffeee4dc000 LB 0x1b000 (base 00007ffeee3d0000) - 'hmpalert.dll' 397c.3980: 00007ffeee4f7000-00007ffefc75ffff 0x0001/0x0000 0x0000000 397c.3980: *00007ffefc760000-00007ffefc760fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\KernelBase.dll 397c.3980: 00007ffefc761000-00007ffefc864fff 0x0020/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\KernelBase.dll 397c.3980: 00007ffefc865000-00007ffefc9bbfff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\KernelBase.dll 397c.3980: 00007ffefc9bc000-00007ffefc9bffff 0x0004/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\KernelBase.dll 397c.3980: 00007ffefc9c0000-00007ffefc9c0fff 0x0008/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\KernelBase.dll 397c.3980: 00007ffefc9c1000-00007ffefc9f4fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\KernelBase.dll 397c.3980: 00007ffefc9f5000-00007ffefcdeffff 0x0001/0x0000 0x0000000 397c.3980: *00007ffefcdf0000-00007ffefcdf0fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\kernel32.dll 397c.3980: 00007ffefcdf1000-00007ffefce66fff 0x0020/0x0080 0x1000000 
\Device\HarddiskVolume2\Windows\System32\kernel32.dll 397c.3980: 00007ffefce67000-00007ffefce98fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\kernel32.dll 397c.3980: 00007ffefce99000-00007ffefce99fff 0x0004/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\kernel32.dll 397c.3980: 00007ffefce9a000-00007ffefce9afff 0x0008/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\kernel32.dll 397c.3980: 00007ffefce9b000-00007ffefcea2fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\kernel32.dll 397c.3980: 00007ffefcea3000-00007ffeffbcffff 0x0001/0x0000 0x0000000 397c.3980: *00007ffeffbd0000-00007ffeffbd0fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll 397c.3980: 00007ffeffbd1000-00007ffeffce7fff 0x0020/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll 397c.3980: 00007ffeffce8000-00007ffeffd2efff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll 397c.3980: 00007ffeffd2f000-00007ffeffd2ffff 0x0004/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll 397c.3980: 00007ffeffd30000-00007ffeffd31fff 0x0008/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll 397c.3980: 00007ffeffd32000-00007ffeffd39fff 0x0004/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll 397c.3980: 00007ffeffd3a000-00007ffeffdbcfff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll 397c.3980: 00007ffeffdbd000-00007ffffffeffff 0x0001/0x0000 0x0000000 397c.3980: kernel32.dll: timestamp 0x6314bdeb (rc=VINF_SUCCESS) 397c.3980: kernelbase.dll: timestamp 0x7889407f (rc=VINF_SUCCESS) 397c.3980: VirtualBoxVM.exe: timestamp 0x5ed9201b (rc=VINF_SUCCESS) 397c.3980: '\Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe' has no imports 397c.3980: '\Device\HarddiskVolume2\Windows\System32\ntdll.dll' has no imports 397c.3980: ntdll.dll: Differences in section #1 (.text) between file and memory: 397c.3980: 
00007ffeffc157e0 / 0x00457e0: 48 != e9 397c.3980: 00007ffeffc157e1 / 0x00457e1: 89 != 2f 397c.3980: 00007ffeffc157e2 / 0x00457e2: 5c != b6 397c.3980: 00007ffeffc157e3 / 0x00457e3: 24 != 21 397c.3980: 00007ffeffc157e4 / 0x00457e4: 10 != c9 397c.3980: Restored 0x2000 bytes of original file content at 00007ffeffc15000 397c.3980: ntdll.dll: Differences in section #1 (.text) between file and memory: 397c.3980: 00007ffeffc27f50 / 0x0057f50: 48 != e9 397c.3980: 00007ffeffc27f51 / 0x0057f51: 89 != 43 397c.3980: 00007ffeffc27f52 / 0x0057f52: 5c != 90 397c.3980: 00007ffeffc27f53 / 0x0057f53: 24 != 20 397c.3980: 00007ffeffc27f54 / 0x0057f54: 08 != c9 397c.3980: Restored 0x2000 bytes of original file content at 00007ffeffc27000 397c.3980: ntdll.dll: Differences in section #1 (.text) between file and memory: 397c.3980: 00007ffeffc6fa50 / 0x009fa50: 4c != e9 397c.3980: 00007ffeffc6fa51 / 0x009fa51: 8b != 01 397c.3980: 00007ffeffc6fa52 / 0x009fa52: d1 != 15 397c.3980: 00007ffeffc6fa53 / 0x009fa53: b8 != 1c 397c.3980: 00007ffeffc6fa54 / 0x009fa54: 18 != c9 397c.3980: 00007ffeffc6fb10 / 0x009fb10: 4c != e9 397c.3980: 00007ffeffc6fb11 / 0x009fb11: 8b != 01 397c.3980: 00007ffeffc6fb12 / 0x009fb12: d1 != 14 397c.3980: 00007ffeffc6fb13 / 0x009fb13: b8 != 1c 397c.3980: 00007ffeffc6fb14 / 0x009fb14: 1e != c9 397c.3980: 00007ffeffc6fc50 / 0x009fc50: 4c != e9 397c.3980: 00007ffeffc6fc51 / 0x009fc51: 8b != 41 397c.3980: 00007ffeffc6fc52 / 0x009fc52: d1 != 12 397c.3980: 00007ffeffc6fc53 / 0x009fc53: b8 != 1c 397c.3980: 00007ffeffc6fc54 / 0x009fc54: 28 != c9 397c.3980: 00007ffeffc6fc90 / 0x009fc90: 4c != e9 397c.3980: 00007ffeffc6fc91 / 0x009fc91: 8b != c1 397c.3980: 00007ffeffc6fc92 / 0x009fc92: d1 != 11 397c.3980: 00007ffeffc6fc93 / 0x009fc93: b8 != 1c 397c.3980: 00007ffeffc6fc94 / 0x009fc94: 2a != c9 397c.3980: 00007ffeffc70150 / 0x00a0150: 4c != e9 397c.3980: 00007ffeffc70151 / 0x00a0151: 8b != 81 397c.3980: 00007ffeffc70152 / 0x00a0152: d1 != 0d 397c.3980: 00007ffeffc70153 / 0x00a0153: 
b8 != 1c 397c.3980: 00007ffeffc70154 / 0x00a0154: 50 != c9 397c.3980: 00007ffeffc70620 / 0x00a0620: 4c != e9 397c.3980: 00007ffeffc70621 / 0x00a0621: 8b != 31 397c.3980: 00007ffeffc70622 / 0x00a0622: d1 != 07 397c.3980: 00007ffeffc70623 / 0x00a0623: b8 != 1c 397c.3980: 00007ffeffc70624 / 0x00a0624: 77 != c9 397c.3980: Restored 0x2000 bytes of original file content at 00007ffeffc6f66e 397c.3980: ntdll.dll: Differences in section #1 (.text) between file and memory: 397c.3980: 00007ffeffc727c0 / 0x00a27c0: 4c != e9 397c.3980: 00007ffeffc727c1 / 0x00a27c1: 8b != 11 397c.3980: 00007ffeffc727c2 / 0x00a27c2: d1 != e6 397c.3980: 00007ffeffc727c3 / 0x00a27c3: b8 != 1b 397c.3980: 00007ffeffc727c4 / 0x00a27c4: 84 != c9 397c.3980: 00007ffeffc73080 / 0x00a3080: 4c != e9 397c.3980: 00007ffeffc73081 / 0x00a3081: 8b != 51 397c.3980: 00007ffeffc73082 / 0x00a3082: d1 != df 397c.3980: 00007ffeffc73083 / 0x00a3083: b8 != 1b 397c.3980: 00007ffeffc73084 / 0x00a3084: ca != c9 397c.3980: Restored 0x1d12 bytes of original file content at 00007ffeffc7166e 397c.3980: kernelbase.dll: Differences in section #1 (.text) between file and memory: 397c.3980: 00007ffefc7a6740 / 0x0046740: 40 != e9 397c.3980: 00007ffefc7a6741 / 0x0046741: 53 != 4f 397c.3980: 00007ffefc7a6742 / 0x0046742: 56 != a6 397c.3980: 00007ffefc7a6743 / 0x0046743: 57 != 68 397c.3980: 00007ffefc7a6744 / 0x0046744: 41 != cc 397c.3980: Restored 0x2000 bytes of original file content at 00007ffefc7a5000 397c.3980: supR3HardenedWinInit: SUPHARDNTVPKIND_SELF_PURIFICATION_LIMITED -> VINF_SUCCESS, cFixes=5 397c.3980: '\Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe' has no imports 397c.3980: supHardenedWinVerifyImageByHandle: -> 24202 (\Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe) 397c.3980: supR3HardNtEnableThreadCreationEx: 397c.3980: supR3HardNtDisableThreadCreation: pvLdrInitThunk=00007ffeffc45660 pvNtTerminateThread=00007ffeffc701b0 397c.3980: supR3HardenedWinDoReSpawn(1): New 
child 39b8.39bc [kernel32]. 397c.3980: supR3HardNtChildGatherData: PebBaseAddress=00000000003f3000 cbPeb=0x388 397c.3980: supR3HardNtPuChFindNtdll: uNtDllParentAddr=00007ffeffbd0000 uNtDllChildAddr=00007ffeffbd0000 397c.3980: supR3HardenedWinSetupChildInit: uLdrInitThunk=00007ffeffc45660 397c.3980: supR3HardenedWinSetupChildInit: Initial context: rax=0000000000000000 rbx=0000000000000000 rcx=00007ff6a7cf7900 rdx=00000000003f3000 rsi=0000000000000000 rdi=0000000000000000 r8 =0000000000000000 r9 =0000000000000000 r10=0000000000000000 r11=0000000000000000 r12=0000000000000000 r13=0000000000000000 r14=0000000000000000 r15=0000000000000000 P1=0000000000000000 P2=0000000000000000 rip=00007ffeffc3a250 rsp=00000000004fffb8 rbp=0000000000000000 ctxflags=0010001b cs=0033 ss=002b ds=0000 es=0000 fs=0000 gs=0000 eflags=00000200 mxcrx=00001f80 P3=0000000000000000 P4=0000000000000000 P5=0000000000000000 P6=0000000000000000 dr0=0000000000000000 dr1=0000000000000000 dr2=0000000000000000 dr3=0000000000000000 dr6=0000000000000000 dr7=0000000000000000 vcr=0000000000000000 dcr=0000000000000000 lbt=0000000000000000 lbf=0000000000000000 lxt=0000000000000000 lxf=0000000000000000 397c.3980: supR3HardenedWinSetupChildInit: Start child. 397c.3980: supR3HardNtChildWaitFor: Found expected request 0 (PurifyChildAndCloseHandles) after 0 ms. 
397c.3980: supR3HardNtChildPurify: Startup delay kludge #1/0: 517 ms, 30 sleeps 397c.3980: supHardNtVpScanVirtualMemory: enmKind=CHILD_PURIFICATION 397c.3980: *0000000000000000-00000000000dffff 0x0001/0x0000 0x0000000 397c.3980: *00000000000e0000-00000000000fffff 0x0004/0x0004 0x0020000 397c.3980: *0000000000100000-0000000000119fff 0x0002/0x0002 0x0040000 397c.3980: 000000000011a000-000000000011ffff 0x0001/0x0000 0x0000000 397c.3980: *0000000000120000-0000000000123fff 0x0002/0x0002 0x0040000 397c.3980: 0000000000124000-000000000012ffff 0x0001/0x0000 0x0000000 397c.3980: *0000000000130000-0000000000131fff 0x0004/0x0004 0x0020000 397c.3980: 0000000000132000-000000000013ffff 0x0001/0x0000 0x0000000 397c.3980: *0000000000140000-0000000000140fff 0x0040/0x0040 0x0020000 !! 397c.3980: supHardNtVpFreeOrReplacePrivateExecMemory: Freeing exec mem at 0000000000140000 (LB 0x1000, 0000000000140000 LB 0x1000)
397c.3980: supHardNtVpFreeOrReplacePrivateExecMemory: Free attempt #1 succeeded: 0x0 [0000000000140000/0000000000140000 LB 0/0x1000] 397c.3980: supHardNtVpFreeOrReplacePrivateExecMemory: QVM after free 0: [0000000000000000]/0000000000140000 LB 0xc0000 s=0x10000 ap=0x0 rp=0x00000000000001 397c.3980: 0000000000141000-00000000001fffff 0x0001/0x0000 0x0000000 397c.3980: *0000000000200000-00000000003f2fff 0x0000/0x0004 0x0020000 397c.3980: 00000000003f3000-00000000003f5fff 0x0004/0x0004 0x0020000 397c.3980: 00000000003f6000-00000000003fffff 0x0000/0x0004 0x0020000 397c.3980: *0000000000400000-00000000004fafff 0x0000/0x0004 0x0020000 397c.3980: 00000000004fb000-00000000004fdfff 0x0104/0x0004 0x0020000 397c.3980: 00000000004fe000-00000000004fffff 0x0004/0x0004 0x0020000 397c.3980: 0000000000500000-000000007ffdffff 0x0001/0x0000 0x0000000 397c.3980: *000000007ffe0000-000000007ffe0fff 0x0002/0x0002 0x0020000 397c.3980: 000000007ffe1000-000000007ffe4fff 0x0001/0x0000 0x0000000 397c.3980: *000000007ffe5000-000000007ffe5fff 0x0002/0x0002 0x0020000 397c.3980: 000000007ffe6000-00007ff5fe72ffff 0x0001/0x0000 0x0000000 397c.3980: *00007ff5fe730000-00007ff5fe730fff 0x0002/0x0002 0x0040000 397c.3980: 00007ff5fe731000-00007ff5fe73ffff 0x0001/0x0000 0x0000000 397c.3980: *00007ff5fe740000-00007ff5fe762fff 0x0002/0x0002 0x0040000 397c.3980: 00007ff5fe763000-00007ff6a7ceffff 0x0001/0x0000 0x0000000 
397c.3980: *00007ff6a7cf0000-00007ff6a7cf0fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe 397c.3980: 00007ff6a7cf1000-00007ff6a7d66fff 0x0020/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe 397c.3980: 00007ff6a7d67000-00007ff6a7d67fff 0x0080/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe 397c.3980: 00007ff6a7d68000-00007ff6a7daffff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe 397c.3980: 00007ff6a7db0000-00007ff6a7db0fff 0x0004/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe 397c.3980: 00007ff6a7db1000-00007ff6a7db1fff 0x0008/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe 397c.3980: 00007ff6a7db2000-00007ff6a7db6fff 0x0004/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe 397c.3980: 00007ff6a7db7000-00007ff6a7db7fff 0x0008/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe 397c.3980: 00007ff6a7db8000-00007ff6a7db8fff 0x0004/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe 397c.3980: 00007ff6a7db9000-00007ff6a7dbcfff 0x0008/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe 397c.3980: 00007ff6a7dbd000-00007ff6a7e05fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe 397c.3980: 00007ff6a7e06000-00007ffeffbcffff 0x0001/0x0000 0x0000000 397c.3980: *00007ffeffbd0000-00007ffeffbd0fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll 397c.3980: 00007ffeffbd1000-00007ffeffc15fff 0x0020/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll 397c.3980: 00007ffeffc16000-00007ffeffc16fff 0x0040/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll 
397c.3980: 00007ffeffc17000-00007ffeffce7fff 0x0020/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll
397c.3980: 00007ffeffce8000-00007ffeffd2efff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll
397c.3980: 00007ffeffd2f000-00007ffeffd39fff 0x0008/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll
397c.3980: 00007ffeffd3a000-00007ffeffd47fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll
397c.3980: 00007ffeffd48000-00007ffeffd48fff 0x0004/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll
397c.3980: 00007ffeffd49000-00007ffeffd4bfff 0x0008/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll
397c.3980: 00007ffeffd4c000-00007ffeffdbcfff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll
397c.3980: 00007ffeffdbd000-00007ffffffeffff 0x0001/0x0000 0x0000000
397c.3980: ntdll.dll: Differences in section #1 (.text) between file and memory:
397c.3980: 00007ffeffc16370 / 0x0046370: 40 != 48
397c.3980: 00007ffeffc16371 / 0x0046371: 55 != b8
397c.3980: 00007ffeffc16372 / 0x0046372: 53 != 00
397c.3980: 00007ffeffc16373 / 0x0046373: 56 != 01
397c.3980: 00007ffeffc16374 / 0x0046374: 57 != 14
397c.3980: 00007ffeffc16375 / 0x0046375: 41 != 00
397c.3980: 00007ffeffc16376 / 0x0046376: 56 != 00
397c.3980: 00007ffeffc16377 / 0x0046377: 41 != 00
397c.3980: 00007ffeffc16378 / 0x0046378: 57 != 00
397c.3980: 00007ffeffc16379 / 0x0046379: 48 != 00
397c.3980: 00007ffeffc1637a / 0x004637a: 8d != ff
397c.3980: 00007ffeffc1637b / 0x004637b: 6c != e0
397c.3980: Restored 0x2000 bytes of original file content at 00007ffeffc15000
397c.3980: supR3HardNtChildPurify: cFixes=2 g_fSupAdversaries=0x40000
397c.3980: supR3HardNtChildPurify: Startup delay kludge #1/1: 518 ms, 30 sleeps
397c.3980: supHardNtVpScanVirtualMemory: enmKind=CHILD_PURIFICATION
397c.3980: *0000000000000000-00000000000dffff 0x0001/0x0000 0x0000000
397c.3980: *00000000000e0000-00000000000fffff 0x0004/0x0004 0x0020000
397c.3980: *0000000000100000-0000000000119fff 0x0002/0x0002 0x0040000
397c.3980: 000000000011a000-000000000011ffff 0x0001/0x0000 0x0000000
397c.3980: *0000000000120000-0000000000123fff 0x0002/0x0002 0x0040000
397c.3980: 0000000000124000-000000000012ffff 0x0001/0x0000 0x0000000
397c.3980: *0000000000130000-0000000000131fff 0x0004/0x0004 0x0020000
397c.3980: 0000000000132000-00000000001fffff 0x0001/0x0000 0x0000000
397c.3980: *0000000000200000-00000000003f2fff 0x0000/0x0004 0x0020000
397c.3980: 00000000003f3000-00000000003f5fff 0x0004/0x0004 0x0020000
397c.3980: 00000000003f6000-00000000003fffff 0x0000/0x0004 0x0020000
397c.3980: *0000000000400000-00000000004fafff 0x0000/0x0004 0x0020000
397c.3980: 00000000004fb000-00000000004fdfff 0x0104/0x0004 0x0020000
397c.3980: 00000000004fe000-00000000004fffff 0x0004/0x0004 0x0020000
397c.3980: 0000000000500000-000000007ffdffff 0x0001/0x0000 0x0000000
397c.3980: *000000007ffe0000-000000007ffe0fff 0x0002/0x0002 0x0020000
397c.3980: 000000007ffe1000-000000007ffe4fff 0x0001/0x0000 0x0000000
397c.3980: *000000007ffe5000-000000007ffe5fff 0x0002/0x0002 0x0020000
397c.3980: 000000007ffe6000-00007ff5fe72ffff 0x0001/0x0000 0x0000000
397c.3980: *00007ff5fe730000-00007ff5fe730fff 0x0002/0x0002 0x0040000
397c.3980: 00007ff5fe731000-00007ff5fe73ffff 0x0001/0x0000 0x0000000
397c.3980: *00007ff5fe740000-00007ff5fe762fff 0x0002/0x0002 0x0040000
397c.3980: 00007ff5fe763000-00007ff6a7ceffff 0x0001/0x0000 0x0000000
397c.3980: *00007ff6a7cf0000-00007ff6a7cf0fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe
397c.3980: 00007ff6a7cf1000-00007ff6a7d66fff 0x0020/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe
397c.3980: 00007ff6a7d67000-00007ff6a7d67fff 0x0040/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe
397c.3980: 00007ff6a7d68000-00007ff6a7daffff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe
397c.3980: 00007ff6a7db0000-00007ff6a7dbcfff 0x0004/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe
397c.3980: 00007ff6a7dbd000-00007ff6a7e05fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe
397c.3980: 00007ff6a7e06000-00007ffeffbcffff 0x0001/0x0000 0x0000000
397c.3980: *00007ffeffbd0000-00007ffeffbd0fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll
397c.3980: 00007ffeffbd1000-00007ffeffce7fff 0x0020/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll
397c.3980: 00007ffeffce8000-00007ffeffd2efff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll
397c.3980: 00007ffeffd2f000-00007ffeffd32fff 0x0008/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll
397c.3980: 00007ffeffd33000-00007ffeffd39fff 0x0004/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll
397c.3980: 00007ffeffd3a000-00007ffeffd47fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll
397c.3980: 00007ffeffd48000-00007ffeffd48fff 0x0004/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll
397c.3980: 00007ffeffd49000-00007ffeffd4bfff 0x0008/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll
397c.3980: 00007ffeffd4c000-00007ffeffdbcfff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll
397c.3980: 00007ffeffdbd000-00007ffffffeffff 0x0001/0x0000 0x0000000
397c.3980: supR3HardNtChildPurify: Done after 1035 ms and 2 fixes (loop #1).
39b8.39bc: Log file opened: 6.1.10r138449 g_hStartupLog=0000000000000004 g_uNtVerCombined=0xa0456300
39b8.39bc: supR3HardenedVmProcessInit: uNtDllAddr=00007ffeffbd0000 g_uNtVerCombined=0xa0456300 (stack ~00000000004ffa48)
39b8.39bc: ntdll.dll: timestamp 0x5854f5da (rc=VINF_SUCCESS)
39b8.39bc: New simple heap: #1 0000000000600000 LB 0x400000 (for 2019328 allocation)
397c.3980: supR3HardNtEnableThreadCreationEx:
39b8.39bc: supR3HardenedWinInitAppBin(0x0): '\Device\HarddiskVolume2\Program Files\Oracle\VirtualBox'
39b8.39bc: System32: \Device\HarddiskVolume2\Windows\System32
39b8.39bc: WinSxS: \Device\HarddiskVolume2\Windows\WinSxS
39b8.39bc: KnownDllPath: C:\WINDOWS\System32
39b8.39bc: supR3HardenedVmProcessInit: Opening vboxdrv stub...
39b8.39bc: supR3HardenedWinReadErrorInfoDevice: 'ntdll.dll: 11 differences between 0xa34e2 and 0xa34ec in #1 (.text), first: 8b != b8'
39b8.39bc: Error -5600 in supR3HardenedWinReSpawn! (enmWhat=3)
39b8.39bc: NtCreateFile(\Device\VBoxDrvStub) failed: Unknown Status -5600 (0xffffea20) (rcNt=0xe986ea20) VBoxDrvStub error: ntdll.dll: 11 differences between 0xa34e2 and 0xa34ec in #1 (.text), first: 8b != b8
397c.3980: supR3HardenedWinCheckChild: enmRequest=2 rc=-5600 enmWhat=3 supR3HardenedWinReSpawn: NtCreateFile(\Device\VBoxDrvStub) failed: Unknown Status -5600 (0xffffea20) (rcNt=0xe986ea20) VBoxDrvStub error: ntdll.dll: 11 differences between 0xa34e2 and 0xa34ec in #1 (.text), first: 8b != b8
39b8.39bc: KiUserExceptionDispatcher: 0xc0000005 (0000000000000001, 0000000000000024) @ 00007ffeffc1df33 (flags=0x0)
  rax=ffffffffffffffff rbx=00007ffeffd352a0 rcx=0000000000000000 rdx=ffffffffffffffff
  rsi=00007ffeffd34ee0 rdi=0000000000000000 r8 =00000000fffffffa r9 =00000000ffffea00
  r10=0000000000000000 r11=00000000004f92e0 r12=0000000000000000 r13=ffffffffffffffff
  r14=00000000003f4000 r15=0000000000000000 P1=0000000000000000 P2=0000000000000000
  rip=00007ffeffc1df33 rsp=00000000004f91e0 rbp=0000000000000001 ctxflags=0010005f
  cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b eflags=00010213 mxcrx=00001f80
  P3=0000000000000000 P4=0000000000000000 P5=00000000004fac40 P6=0000000000000003
  dr0=0000000000000000 dr1=0000000000000000 dr2=0000000000000000 dr3=0000000000000000
  dr6=0000000000000000 dr7=0000000000000000 vcr=00000000004f9078 dcr=000000000000000a
  lbt=0000000000000000 lbf=0000000000000000 lxt=0000000000000000 lxf=0000000000000000
397c.3980: Error -5600 in supR3HardenedWinReSpawn! (enmWhat=3)
397c.3980: NtCreateFile(\Device\VBoxDrvStub) failed: Unknown Status -5600 (0xffffea20) (rcNt=0xe986ea20) VBoxDrvStub error: ntdll.dll: 11 differences between 0xa34e2 and 0xa34ec in #1 (.text), first: 8b != b8