VBoxHardening.log

3058.3b14: Log file opened: 5.1.22r115126 g_hStartupLog=0000000000000058 g_uNtVerCombined=0xa0295a00
3058.3b14: \SystemRoot\System32\ntdll.dll:
3058.3b14: CreationTime: 2017-03-23T11:58:31.877923500Z
3058.3b14: LastWriteTime: 2016-10-25T09:41:10.545861300Z
3058.3b14: ChangeTime: 2017-03-23T13:58:40.040817900Z
3058.3b14: FileAttributes: 0x20
3058.3b14: Size: 0x1bc248
3058.3b14: NT Headers: 0xe0
3058.3b14: Timestamp: 0x580ee321
3058.3b14: Machine: 0x8664 - amd64
3058.3b14: Timestamp: 0x580ee321
3058.3b14: Image Version: 10.0
3058.3b14: SizeOfImage: 0x1c1000 (1839104)
3058.3b14: Resource Dir: 0x159000 LB 0x66218
3058.3b14: [Version info resource found at 0xd8! (ID/Name: 0x1; SubID/SubName: 0x409)]
3058.3b14: [Raw version resource data: 0x1590f0 LB 0x390, codepage 0x0 (reserved 0x0)]
3058.3b14: ProductName: Microsoft® Windows® Operating System
3058.3b14: ProductVersion: 10.0.10586.672
3058.3b14: FileVersion: 10.0.10586.672 (th2_release_sec.161024-1825)
3058.3b14: FileDescription: NT Layer DLL
3058.3b14: \SystemRoot\System32\kernel32.dll:
3058.3b14: CreationTime: 2017-03-23T11:57:47.269024600Z
3058.3b14: LastWriteTime: 2016-09-07T05:39:18.648308100Z
3058.3b14: ChangeTime: 2017-03-23T13:58:30.134550000Z
3058.3b14: FileAttributes: 0x20
3058.3b14: Size: 0xac428
3058.3b14: NT Headers: 0xf0
3058.3b14: Timestamp: 0x57cf97d5
3058.3b14: Machine: 0x8664 - amd64
3058.3b14: Timestamp: 0x57cf97d5
3058.3b14: Image Version: 10.0
3058.3b14: SizeOfImage: 0xad000 (708608)
3058.3b14: Resource Dir: 0xab000 LB 0x528
3058.3b14: [Version info resource found at 0x90! (ID/Name: 0x1; SubID/SubName: 0x409)]
3058.3b14: [Raw version resource data: 0xab0b0 LB 0x3ac, codepage 0x0 (reserved 0x0)]
3058.3b14: ProductName: Microsoft® Windows® Operating System
3058.3b14: ProductVersion: 10.0.10586.589
3058.3b14: FileVersion: 10.0.10586.589 (th2_release.160906-1759)
3058.3b14: FileDescription: Windows NT BASE API Client DLL
3058.3b14: \SystemRoot\System32\KernelBase.dll:
3058.3b14: CreationTime: 2017-03-23T11:59:45.048244800Z
3058.3b14: LastWriteTime: 2017-03-04T08:13:23.756197200Z
3058.3b14: ChangeTime: 2017-03-23T13:58:38.275189500Z
3058.3b14: FileAttributes: 0x20
3058.3b14: Size: 0x1e7c08
3058.3b14: NT Headers: 0xf0
3058.3b14: Timestamp: 0x58ba4019
3058.3b14: Machine: 0x8664 - amd64
3058.3b14: Timestamp: 0x58ba4019
3058.3b14: Image Version: 10.0
3058.3b14: SizeOfImage: 0x1e8000 (1998848)
3058.3b14: Resource Dir: 0x1d1000 LB 0x540
3058.3b14: [Version info resource found at 0x90! (ID/Name: 0x1; SubID/SubName: 0x409)]
3058.3b14: [Raw version resource data: 0x1d10b0 LB 0x3c4, codepage 0x0 (reserved 0x0)]
3058.3b14: ProductName: Microsoft® Windows® Operating System
3058.3b14: ProductVersion: 10.0.10586.839
3058.3b14: FileVersion: 10.0.10586.839 (th2_release.170303-1605)
3058.3b14: FileDescription: Windows NT BASE API Client DLL
3058.3b14: \SystemRoot\System32\apisetschema.dll:
3058.3b14: CreationTime: 2015-10-30T07:17:57.502957900Z
3058.3b14: LastWriteTime: 2015-10-30T07:17:57.502957900Z
3058.3b14: ChangeTime: 2017-03-22T15:02:37.830590200Z
3058.3b14: FileAttributes: 0x20
3058.3b14: Size: 0x16d60
3058.3b14: NT Headers: 0xc8
3058.3b14: Timestamp: 0x5632d94c
3058.3b14: Machine: 0x8664 - amd64
3058.3b14: Timestamp: 0x5632d94c
3058.3b14: Image Version: 10.0
3058.3b14: SizeOfImage: 0x18000 (98304)
3058.3b14: Resource Dir: 0x17000 LB 0x400
3058.3b14: [Version info resource found at 0x48! (ID/Name: 0x1; SubID/SubName: 0x409)]
3058.3b14: [Raw version resource data: 0x17060 LB 0x3a0, codepage 0x0 (reserved 0x0)]
3058.3b14: ProductName: Microsoft® Windows® Operating System
3058.3b14: ProductVersion: 10.0.10586.0
3058.3b14: FileVersion: 10.0.10586.0 (th2_release.151029-1700)
3058.3b14: FileDescription: ApiSet Schema DLL
3058.3b14: NtOpenDirectoryObject failed on \Driver: 0xc0000022
3058.3b14: supR3HardenedWinFindAdversaries: 0x2040
3058.3b14: \SystemRoot\System32\drivers\kl1.sys:
3058.3b14: CreationTime: 2016-09-30T23:26:00.000000000Z
3058.3b14: LastWriteTime: 2016-09-30T23:26:00.000000000Z
3058.3b14: ChangeTime: 2017-05-16T14:10:25.306400500Z
3058.3b14: FileAttributes: 0x20
3058.3b14: Size: 0x875a8
3058.3b14: NT Headers: 0xe8
3058.3b14: Timestamp: 0x56fe83ac
3058.3b14: Machine: 0x8664 - amd64
3058.3b14: Timestamp: 0x56fe83ac
3058.3b14: Image Version: 0.0
3058.3b14: SizeOfImage: 0x709000 (7376896)
3058.3b14: Resource Dir: 0x707000 LB 0x448
3058.3b14: [Version info resource found at 0x48! (ID/Name: 0x1; SubID/SubName: 0x419)]
3058.3b14: [Raw version resource data: 0x707060 LB 0x3e4, codepage 0x0 (reserved 0x0)]
3058.3b14: ProductName: Kaspersky Anti-Virus
3058.3b14: ProductVersion: 6.0.1.990
3058.3b14: FileVersion: 6.8.0.67
3058.3b14: FileDescription: Kaspersky Unified Driver
3058.3b14: \SystemRoot\System32\drivers\klflt.sys:
3058.3b14: CreationTime: 2017-05-16T14:10:07.441578000Z
3058.3b14: LastWriteTime: 2017-03-10T12:55:16.000000000Z
3058.3b14: ChangeTime: 2017-05-16T14:10:10.124569700Z
3058.3b14: FileAttributes: 0x20
3058.3b14: Size: 0x306e0
3058.3b14: NT Headers: 0x108
3058.3b14: Timestamp: 0x58500f78
3058.3b14: Machine: 0x8664 - amd64
3058.3b14: Timestamp: 0x58500f78
3058.3b14: Image Version: 6.2
3058.3b14: SizeOfImage: 0x3d000 (249856)
3058.3b14: Resource Dir: 0x3b000 LB 0x418
3058.3b14: [Version info resource found at 0x48! (ID/Name: 0x1; SubID/SubName: 0x409)]
3058.3b14: [Raw version resource data: 0x3b060 LB 0x3b8, codepage 0x0 (reserved 0x0)]
3058.3b14: ProductName: System Interceptors PDK
3058.3b14: ProductVersion: 12.3.26.0
3058.3b14: FileVersion: 12.3.26.0
3058.3b14: FileDescription: Filter Core [fre_win8_x64]
3058.3b14: \SystemRoot\System32\drivers\klif.sys:
3058.3b14: CreationTime: 2017-05-16T14:10:07.446084700Z
3058.3b14: LastWriteTime: 2017-03-10T12:55:18.000000000Z
3058.3b14: ChangeTime: 2017-05-16T14:10:10.121565500Z
3058.3b14: FileAttributes: 0x20
3058.3b14: Size: 0x1030e0
3058.3b14: NT Headers: 0x118
3058.3b14: Timestamp: 0x58be8d89
3058.3b14: Machine: 0x8664 - amd64
3058.3b14: Timestamp: 0x58be8d89
3058.3b14: Image Version: 6.2
3058.3b14: SizeOfImage: 0x107000 (1077248)
3058.3b14: Resource Dir: 0x104000 LB 0x1fe8
3058.3b14: [Version info resource found at 0x150! (ID/Name: 0x1; SubID/SubName: 0x409)]
3058.3b14: [Raw version resource data: 0x104618 LB 0x3d8, codepage 0x0 (reserved 0x0)]
3058.3b14: ProductName: System Interceptors PDK
3058.3b14: ProductVersion: 12.2.116.0
3058.3b14: FileVersion: 12.2.116.0
3058.3b14: FileDescription: Core System Interceptors [fre_win8_x64]
3058.3b14: \SystemRoot\System32\drivers\klim6.sys:
3058.3b14: CreationTime: 2016-09-30T23:31:28.000000000Z
3058.3b14: LastWriteTime: 2016-09-30T23:31:28.000000000Z
3058.3b14: ChangeTime: 2017-05-16T14:10:26.074471500Z
3058.3b14: FileAttributes: 0x20
3058.3b14: Size: 0xc358
3058.3b14: NT Headers: 0x100
3058.3b14: Timestamp: 0x57bc2881
3058.3b14: Machine: 0x8664 - amd64
3058.3b14: Timestamp: 0x57bc2881
3058.3b14: Image Version: 6.2
3058.3b14: SizeOfImage: 0xc000 (49152)
3058.3b14: Resource Dir: 0xa000 LB 0x430
3058.3b14: [Version info resource found at 0x48! (ID/Name: 0x1; SubID/SubName: 0x409)]
3058.3b14: [Raw version resource data: 0xa060 LB 0x3cc, codepage 0x0 (reserved 0x0)]
3058.3b14: ProductName: System Interceptors PDK
3058.3b14: ProductVersion: 13.0.0.5
3058.3b14: FileVersion: 13.0.0.5
3058.3b14: FileDescription: Packet Network Filter [fre_win8_x64]
3058.3b14: \SystemRoot\System32\drivers\kneps.sys:
3058.3b14: CreationTime: 2016-10-09T03:56:32.000000000Z
3058.3b14: LastWriteTime: 2016-10-09T03:56:32.000000000Z
3058.3b14: ChangeTime: 2017-05-16T14:10:25.390000500Z
3058.3b14: FileAttributes: 0x20
3058.3b14: Size: 0x31050
3058.3b14: NT Headers: 0x108
3058.3b14: Timestamp: 0x57c93a6b
3058.3b14: Machine: 0x8664 - amd64
3058.3b14: Timestamp: 0x57c93a6b
3058.3b14: Image Version: 5.2
3058.3b14: SizeOfImage: 0x2e000 (188416)
3058.3b14: Resource Dir: 0x2c000 LB 0x428
3058.3b14: [Version info resource found at 0x48! (ID/Name: 0x1; SubID/SubName: 0x409)]
3058.3b14: [Raw version resource data: 0x2c060 LB 0x3c4, codepage 0x0 (reserved 0x0)]
3058.3b14: ProductName: System Interceptors PDK
3058.3b14: ProductVersion: 13.0.0.6
3058.3b14: FileVersion: 13.0.0.6
3058.3b14: FileDescription: Network Processor [fre_wnet_x64]
3058.3b14: \SystemRoot\System32\drivers\dgmaster.sys:
3058.3b14: CreationTime: 2017-03-23T11:10:47.143393600Z
3058.3b14: LastWriteTime: 2016-06-13T09:34:32.000000000Z
3058.3b14: ChangeTime: 2017-03-23T11:10:47.174643600Z
3058.3b14: FileAttributes: 0x20
3058.3b14: Size: 0x23cd50
3058.3b14: NT Headers: 0x108
3058.3b14: Timestamp: 0x575ee065
3058.3b14: Machine: 0x8664 - amd64
3058.3b14: Timestamp: 0x575ee065
3058.3b14: Image Version: 6.3
3058.3b14: SizeOfImage: 0x2f4000 (3096576)
3058.3b14: Resource Dir: 0x2b4000 LB 0x35f48
3058.3b14: [Version info resource found at 0x270! (ID/Name: 0x1; SubID/SubName: 0x409)]
3058.3b14: [Raw version resource data: 0x2e9c30 LB 0x318, codepage 0x0 (reserved 0x0)]
3058.3b14: ProductName: Digital Guardian
3058.3b14: ProductVersion: 7.0
3058.3b14: FileVersion: 7.2.0.0141
3058.3b14: FileDescription: Digital Guardian Agent Master
3058.3b14: supR3HardenedWinInitAppBin(0x0): '\Device\HarddiskVolume2\Program Files\Oracle\VirtualBox'
3058.3b14: Calling main()
3058.3b14: SUPR3HardenedMain: pszProgName=VirtualBox fFlags=0x2
3058.3b14: supR3HardenedWinInitAppBin(0x2): '\Device\HarddiskVolume2\Program Files\Oracle\VirtualBox'
3058.3b14: SUPR3HardenedMain: Respawn #1
3058.3b14: System32: \Device\HarddiskVolume2\Windows\System32
3058.3b14: WinSxS: \Device\HarddiskVolume2\Windows\WinSxS
3058.3b14: KnownDllPath: C:\Windows\system32
3058.3b14: '\Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBox.exe' has no imports
3058.3b14: supHardenedWinVerifyImageByHandle: -> 0 (\Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBox.exe)
3058.3b14: supR3HardNtEnableThreadCreation:
3058.3b14: supR3HardNtDisableThreadCreation: pvLdrInitThunk=00007ff97c9f6d50 pvNtTerminateThread=00007ff97ca25b20
3058.3b14: supR3HardenedWinDoReSpawn(1): New child 2aec.3a38 [kernel32].
3058.3b14: supR3HardNtChildGatherData: PebBaseAddress=000000000042c000 cbPeb=0x388
3058.3b14: supR3HardNtPuChFindNtdll: uNtDllParentAddr=00007ff97c980000 uNtDllChildAddr=00007ff97c980000
3058.3b14: supR3HardenedWinSetupChildInit: uLdrInitThunk=00007ff97c9f6d50
3058.3b14: supR3HardenedWinSetupChildInit: Start child.
3058.3b14: supR3HardNtChildWaitFor: Found expected request 0 (PurifyChildAndCloseHandles) after 1 ms.
3058.3b14: supR3HardNtChildPurify: Startup delay kludge #1/0: 517 ms, 59 sleeps
3058.3b14: supHardNtVpScanVirtualMemory: enmKind=CHILD_PURIFICATION
3058.3b14: *0000000000000000-00000000002bffff 0x0001/0x0000 0x0000000
3058.3b14: *00000000002c0000-00000000002dffff 0x0004/0x0004 0x0020000
3058.3b14: *00000000002e0000-00000000002f4fff 0x0002/0x0002 0x0040000
3058.3b14: 00000000002f5000-00000000002fffff 0x0001/0x0000 0x0000000
3058.3b14: *0000000000300000-00000000003fafff 0x0000/0x0004 0x0020000
3058.3b14: 00000000003fb000-00000000003fdfff 0x0104/0x0004 0x0020000
3058.3b14: 00000000003fe000-00000000003fffff 0x0004/0x0004 0x0020000
3058.3b14: *0000000000400000-000000000042bfff 0x0000/0x0004 0x0020000
3058.3b14: 000000000042c000-000000000042efff 0x0004/0x0004 0x0020000
3058.3b14: 000000000042f000-00000000005fffff 0x0000/0x0004 0x0020000
3058.3b14: *0000000000600000-0000000000603fff 0x0002/0x0002 0x0040000
3058.3b14: 0000000000604000-000000000060ffff 0x0001/0x0000 0x0000000
3058.3b14: *0000000000610000-0000000000611fff 0x0004/0x0004 0x0020000
3058.3b14: 0000000000612000-0000000001fcffff 0x0001/0x0000 0x0000000
3058.3b14: *0000000001fd0000-0000000001fd0fff 0x0002/0x0002 0x0020000
3058.3b14: 0000000001fd1000-0000000001fdffff 0x0001/0x0000 0x0000000
3058.3b14: *0000000001fe0000-0000000001fe0fff 0x0010/0x0010 0x0020000 !!
3058.3b14: supHardNtVpFreeOrReplacePrivateExecMemory: Replacing exec mem at 0000000001fe0000 (LB 0x1000, 0000000001fe0000 LB 0x1000)
3058.3b14: supHardNtVpFreeOrReplacePrivateExecMemory: Free attempt #1 succeeded: 0x0 [0000000001fe0000/0000000001fe0000 LB 0/0x1000]
3058.3b14: supHardNtVpFreeOrReplacePrivateExecMemory: QVM after free 0: [0000000000000000]/0000000001fe0000 LB 0x10000 s=0x10000 ap=0x0 rp=0x8a211a7200000001
3058.3b14: Error (rc=-5673):
3058.3b14: NtAllocateVirtualMemory (0000000001fe0000 LB 0x1000) failed with rcNt=0xc0000018 allocating replacement memory for working around buggy protection software. See VBoxStartup.log for more details
3058.3b14: Error (rc=-5645):
3058.3b14: Too many virtual memory regions.

3058.3b14: Error (rc=-5673):
3058.3b14: supHardenedWinVerifyProcess failed with Unknown Status -5673 (0xffffe9d7): NtAllocateVirtualMemory (0000000001fe0000 LB 0x1000) failed with rcNt=0xc0000018 allocating replacement memory for working around buggy protection software. See VBoxStartup.log for more details
[rc=-5645] Too many virtual memory regions.
3058.3b14: Error -5673 in supR3HardNtChildPurify! (enmWhat=5)
3058.3b14: supHardenedWinVerifyProcess failed with Unknown Status -5673 (0xffffe9d7): NtAllocateVirtualMemory (0000000001fe0000 LB 0x1000) failed with rcNt=0xc0000018 allocating replacement memory for working around buggy protection software. See VBoxStartup.log for more details
[rc=-5645] Too many virtual memory regions.
3058.3b14: supR3HardNtEnableThreadCreation:

(removed pasted VBoxHardening.log)