Ticket #13949: VBoxStartup.log

2b2c.20e8: Log file opened: 4.3.24r98716 g_hStartupLog=0000000000000028 g_uNtVerCombined=0x611db110
2b2c.20e8: \SystemRoot\System32\ntdll.dll:
2b2c.20e8:     CreationTime:    2013-11-15T07:43:29.515072300Z
2b2c.20e8:     LastWriteTime:   2013-08-29T02:16:35.515578900Z
2b2c.20e8:     ChangeTime:      2013-11-15T10:28:25.401792300Z
2b2c.20e8:     FileAttributes:  0x20
2b2c.20e8:     Size:            0x1a6dc0
2b2c.20e8:     NT Headers:      0xe0
2b2c.20e8:     Timestamp:       0x521eaf24
2b2c.20e8:     Machine:         0x8664 - amd64
2b2c.20e8:     Timestamp:       0x521eaf24
2b2c.20e8:     Image Version:   6.1
2b2c.20e8:     SizeOfImage:     0x1a9000 (1740800)
2b2c.20e8:     Resource Dir:    0x151000 LB 0x560d8
2b2c.20e8:     ProductName:     Microsoft® Windows® Operating System
2b2c.20e8:     ProductVersion:  6.1.7601.18247
2b2c.20e8:     FileVersion:     6.1.7601.18247 (win7sp1_gdr.130828-1532)
2b2c.20e8:     FileDescription: NT Layer DLL
2b2c.20e8: \SystemRoot\System32\kernel32.dll:
2b2c.20e8:     CreationTime:    2014-04-16T05:04:33.563177300Z
2b2c.20e8:     LastWriteTime:   2014-03-04T09:44:00.336000000Z
2b2c.20e8:     ChangeTime:      2014-04-16T05:24:46.753957400Z
2b2c.20e8:     FileAttributes:  0x20
2b2c.20e8:     Size:            0x11c000
2b2c.20e8:     NT Headers:      0xe8
2b2c.20e8:     Timestamp:       0x5315a059
2b2c.20e8:     Machine:         0x8664 - amd64
2b2c.20e8:     Timestamp:       0x5315a059
2b2c.20e8:     Image Version:   6.1
2b2c.20e8:     SizeOfImage:     0x11f000 (1175552)
2b2c.20e8:     Resource Dir:    0x116000 LB 0x528
2b2c.20e8:     ProductName:     Microsoft® Windows® Operating System
2b2c.20e8:     ProductVersion:  6.1.7601.18409
2b2c.20e8:     FileVersion:     6.1.7601.18409 (win7sp1_gdr.140303-2144)
2b2c.20e8:     FileDescription: Windows NT BASE API Client DLL
2b2c.20e8: \SystemRoot\System32\KernelBase.dll:
2b2c.20e8:     CreationTime:    2014-05-19T05:17:31.014644800Z
2b2c.20e8:     LastWriteTime:   2014-03-04T09:44:00.336000000Z
2b2c.20e8:     ChangeTime:      2014-05-19T05:32:40.719677400Z
2b2c.20e8:     FileAttributes:  0x20
2b2c.20e8:     Size:            0x67c00
2b2c.20e8:     NT Headers:      0xe8
2b2c.20e8:     Timestamp:       0x5315a05a
2b2c.20e8:     Machine:         0x8664 - amd64
2b2c.20e8:     Timestamp:       0x5315a05a
2b2c.20e8:     Image Version:   6.1
2b2c.20e8:     SizeOfImage:     0x6c000 (442368)
2b2c.20e8:     Resource Dir:    0x6a000 LB 0x530
2b2c.20e8:     ProductName:     Microsoft® Windows® Operating System
2b2c.20e8:     ProductVersion:  6.1.7601.18409
2b2c.20e8:     FileVersion:     6.1.7601.18409 (win7sp1_gdr.140303-2144)
2b2c.20e8:     FileDescription: Windows NT BASE API Client DLL
2b2c.20e8: \SystemRoot\System32\apisetschema.dll:
2b2c.20e8:     CreationTime:    2013-09-12T05:14:17.940756300Z
2b2c.20e8:     LastWriteTime:   2013-08-02T02:12:20.275000000Z
2b2c.20e8:     ChangeTime:      2013-09-12T05:45:38.834941500Z
2b2c.20e8:     FileAttributes:  0x20
2b2c.20e8:     Size:            0x1a00
2b2c.20e8:     NT Headers:      0xc0
2b2c.20e8:     Timestamp:       0x51fb15ca
2b2c.20e8:     Machine:         0x8664 - amd64
2b2c.20e8:     Timestamp:       0x51fb15ca
2b2c.20e8:     Image Version:   6.1
2b2c.20e8:     SizeOfImage:     0x50000 (327680)
2b2c.20e8:     Resource Dir:    0x30000 LB 0x3f8
2b2c.20e8:     ProductName:     Microsoft® Windows® Operating System
2b2c.20e8:     ProductVersion:  6.1.7601.18229
2b2c.20e8:     FileVersion:     6.1.7601.18229 (win7sp1_gdr.130801-1533)
2b2c.20e8:     FileDescription: ApiSet Schema DLL
2b2c.20e8: Found driver SysPlant (0x1)
2b2c.20e8: Found driver SymNetS (0x2)
2b2c.20e8: Found driver SRTSPX (0x2)
2b2c.20e8: Found driver SymEvent (0x2)
2b2c.20e8: Found driver SymIRON (0x2)
2b2c.20e8: supR3HardenedWinFindAdversaries: 0x3
2b2c.20e8: \SystemRoot\System32\drivers\SysPlant.sys:
2b2c.20e8:     CreationTime:    2015-02-12T15:13:16.924536700Z
2b2c.20e8:     LastWriteTime:   2015-02-12T15:13:16.928536700Z
2b2c.20e8:     ChangeTime:      2015-02-12T15:13:16.928536700Z
2b2c.20e8:     FileAttributes:  0x20
2b2c.20e8:     Size:            0x26f40
2b2c.20e8:     NT Headers:      0x100
2b2c.20e8:     Timestamp:       0x5413cb4e
2b2c.20e8:     Machine:         0x8664 - amd64
2b2c.20e8:     Timestamp:       0x5413cb4e
2b2c.20e8:     Image Version:   5.0
2b2c.20e8:     SizeOfImage:     0x2d000 (184320)
2b2c.20e8:     Resource Dir:    0x2b000 LB 0x498
2b2c.20e8:     ProductName:     Symantec CMC Firewall
2b2c.20e8:     ProductVersion:  12.1.5337.5000
2b2c.20e8:     FileVersion:     12.1.5337.5000
2b2c.20e8:     FileDescription: Symantec CMC Firewall SysPlant
2b2c.20e8: \SystemRoot\System32\sysfer.dll:
2b2c.20e8:     CreationTime:    2015-02-12T15:13:16.788536700Z
2b2c.20e8:     LastWriteTime:   2015-02-12T15:13:16.792536700Z
2b2c.20e8:     ChangeTime:      2015-02-12T15:13:16.792536700Z
2b2c.20e8:     FileAttributes:  0x20
2b2c.20e8:     Size:            0x70f60
2b2c.20e8:     NT Headers:      0xe8
2b2c.20e8:     Timestamp:       0x5413cb55
2b2c.20e8:     Machine:         0x8664 - amd64
2b2c.20e8:     Timestamp:       0x5413cb55
2b2c.20e8:     Image Version:   0.0
2b2c.20e8:     SizeOfImage:     0x88000 (557056)
2b2c.20e8:     Resource Dir:    0x86000 LB 0x630
2b2c.20e8:     ProductName:     Symantec CMC Firewall
2b2c.20e8:     ProductVersion:  12.1.5337.5000
2b2c.20e8:     FileVersion:     12.1.5337.5000
2b2c.20e8:     FileDescription: Symantec CMC Firewall sysfer
2b2c.20e8: \SystemRoot\System32\drivers\symevent64x86.sys:
2b2c.20e8:     CreationTime:    2015-02-12T15:17:09.408536700Z
2b2c.20e8:     LastWriteTime:   2015-02-12T15:17:09.057536700Z
2b2c.20e8:     ChangeTime:      2015-02-12T15:17:09.057536700Z
2b2c.20e8:     FileAttributes:  0x20
2b2c.20e8:     Size:            0x2b658
2b2c.20e8:     NT Headers:      0xe8
2b2c.20e8:     Timestamp:       0x51f32ff2
2b2c.20e8:     Machine:         0x8664 - amd64
2b2c.20e8:     Timestamp:       0x51f32ff2
2b2c.20e8:     Image Version:   6.0
2b2c.20e8:     SizeOfImage:     0x38000 (229376)
2b2c.20e8:     Resource Dir:    0x36000 LB 0x3c8
2b2c.20e8:     ProductName:     SYMEVENT
2b2c.20e8:     ProductVersion:  12.9.5.2
2b2c.20e8:     FileVersion:     12.9.5.2
2b2c.20e8:     FileDescription: Symantec Event Library
2b2c.20e8: Calling main()
2b2c.20e8: SUPR3HardenedMain: pszProgName=VirtualBox fFlags=0x2
2b2c.20e8: SUPR3HardenedMain: Respawn #1
2b2c.20e8: System32:  \Device\HarddiskVolume2\Windows\System32
2b2c.20e8: WinSxS:    \Device\HarddiskVolume2\Windows\winsxs
2b2c.20e8: KnownDllPath: C:\Windows\system32
2b2c.20e8: '\Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBox.exe' has no imports
2b2c.20e8: supHardenedWinVerifyImageByHandle: -> 0 (\Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBox.exe)
2b2c.20e8: supR3HardNtEnableThreadCreation:
2b2c.20e8: supR3HardNtDisableThreadCreation: pvLdrInitThunk=0000000076d5c340 pvNtTerminateThread=0000000076d817e0
2b2c.20e8: supR3HardenedWinDoReSpawn(1): New child 1b64.2a9c [kernel32].
2b2c.20e8: supR3HardNtChildGatherData: PebBaseAddress=000007fffffdf000 cbPeb=0x380
2b2c.20e8: supR3HardNtPuChFindNtdll: uNtDllParentAddr=0000000076d30000 uNtDllChildAddr=0000000076d30000
2b2c.20e8: supR3HardenedWinSetupChildInit: uLdrInitThunk=0000000076d5c340
2b2c.20e8: supR3HardenedWinSetupChildInit: Start child.
2b2c.20e8: supR3HardNtChildWaitFor: Found expected request 0 (PurifyChildAndCloseHandles) after 10 ms.
2b2c.20e8: supR3HardNtChildPurify: Startup delay kludge #1/0: 513 ms, 64 sleeps
2b2c.20e8: supHardNtVpScanVirtualMemory: enmKind=CHILD_PURIFICATION
2b2c.20e8:  *0000000000000000-fffffffffffeffff 0x0001/0x0000 0x0000000
2b2c.20e8:  *0000000000010000-fffffffffffeffff 0x0004/0x0004 0x0020000
2b2c.20e8:  *0000000000030000-000000000002bfff 0x0002/0x0002 0x0040000
2b2c.20e8:   0000000000034000-0000000000027fff 0x0001/0x0000 0x0000000
2b2c.20e8:  *0000000000040000-000000000003efff 0x0004/0x0004 0x0020000
2b2c.20e8:   0000000000041000-fffffffffffe1fff 0x0001/0x0000 0x0000000
2b2c.20e8:  *00000000000a0000-fffffffffffa3fff 0x0000/0x0004 0x0020000
2b2c.20e8:   000000000019c000-0000000000198fff 0x0104/0x0004 0x0020000
2b2c.20e8:   000000000019f000-000000000019dfff 0x0004/0x0004 0x0020000
2b2c.20e8:   00000000001a0000-ffffffff8960ffff 0x0001/0x0000 0x0000000
2b2c.20e8:  *0000000076d30000-0000000076d2efff 0x0002/0x0080 0x1000000  \Device\HarddiskVolume2\Windows\System32\ntdll.dll
2b2c.20e8:   0000000076d31000-0000000076c2efff 0x0020/0x0080 0x1000000  \Device\HarddiskVolume2\Windows\System32\ntdll.dll
2b2c.20e8:   0000000076e33000-0000000076e03fff 0x0002/0x0080 0x1000000  \Device\HarddiskVolume2\Windows\System32\ntdll.dll
2b2c.20e8:   0000000076e62000-0000000076e59fff 0x0008/0x0080 0x1000000  \Device\HarddiskVolume2\Windows\System32\ntdll.dll
2b2c.20e8:   0000000076e6a000-0000000076e68fff 0x0004/0x0080 0x1000000  \Device\HarddiskVolume2\Windows\System32\ntdll.dll
2b2c.20e8:   0000000076e6b000-0000000076e67fff 0x0008/0x0080 0x1000000  \Device\HarddiskVolume2\Windows\System32\ntdll.dll
2b2c.20e8:   0000000076e6e000-0000000076e02fff 0x0002/0x0080 0x1000000  \Device\HarddiskVolume2\Windows\System32\ntdll.dll
2b2c.20e8:   0000000076ed9000-000000006edd1fff 0x0001/0x0000 0x0000000
2b2c.20e8:  *000000007efe0000-000000007dfdffff 0x0000/0x0002 0x0020000
2b2c.20e8:  *000000007ffe0000-000000007ffdefff 0x0002/0x0002 0x0020000
2b2c.20e8:   000000007ffe1000-000000007ffd1fff 0x0000/0x0002 0x0020000
2b2c.20e8:   000000007fff0000-000000007ffcffff 0x0001/0x0000 0x0000000
2b2c.20e8:  *0000000080010000-000000008000efff 0x0040/0x0040 0x0020000 !!
2b2c.20e8: supHardNtVpScanVirtualMemory: Freeing exec mem at 0000000080010000 (0000000080010000 LB 0x1000)
2b2c.20e8:   0000000080011000-ffffffffc0431fff 0x0001/0x0000 0x0000000
2b2c.20e8:  *000000013fbf0000-000000013fbeefff 0x0040/0x0080 0x1000000  \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBox.exe
2b2c.20e8:   000000013fbf1000-000000013fb6cfff 0x0020/0x0080 0x1000000  \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBox.exe
2b2c.20e8:   000000013fc75000-000000013fc73fff 0x0080/0x0080 0x1000000  \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBox.exe
2b2c.20e8:   000000013fc76000-000000013fc38fff 0x0002/0x0080 0x1000000  \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBox.exe
2b2c.20e8:   000000013fcb3000-000000013fcb1fff 0x0004/0x0080 0x1000000  \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBox.exe
2b2c.20e8:   000000013fcb4000-000000013fcb2fff 0x0008/0x0080 0x1000000  \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBox.exe
2b2c.20e8:   000000013fcb5000-000000013fcb2fff 0x0004/0x0080 0x1000000  \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBox.exe
2b2c.20e8:   000000013fcb7000-000000013fcb5fff 0x0008/0x0080 0x1000000  \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBox.exe
2b2c.20e8:   000000013fcb8000-000000013fcb6fff 0x0004/0x0080 0x1000000  \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBox.exe
2b2c.20e8:   000000013fcb9000-000000013fcb4fff 0x0008/0x0080 0x1000000  \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBox.exe
2b2c.20e8:   000000013fcbd000-000000013fc83fff 0x0002/0x0080 0x1000000  \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBox.exe
2b2c.20e8:   000000013fcf6000-000000013fcebfff 0x0001/0x0000 0x0000000
2b2c.20e8:  *000000013fd00000-000000013fcfefff 0x0040/0x0040 0x0020000 !!
2b2c.20e8: supHardNtVpScanVirtualMemory: Freeing exec mem at 000000013fd00000 (000000013fd00000 LB 0x1000)
2b2c.20e8:   000000013fd01000-00000000ffa01fff 0x0001/0x0000 0x0000000
2b2c.20e8:  *0000000180000000-000000017fffefff 0x0002/0x0080 0x1000000  \Device\HarddiskVolume2\Program Files (x86)\DeviceLock\DeviceLock Agent\DLDrvUserMode64.dll
2b2c.20e8: supHardNtVpScanVirtualMemory: Unmapping image mem at 0000000180000000 (0000000180000000 LB 0x1000) - 'DLDrvUserMode64.dll'
2b2c.20e8:   0000000180001000-000000017fff1fff 0x0001/0x0000 0x0000000
2b2c.20e8:  *0000000180010000-000000018000efff 0x0040/0x0040 0x0020000 !!
2b2c.20e8: supHardNtVpScanVirtualMemory: Freeing exec mem at 0000000180010000 (0000000180010000 LB 0x1000)
2b2c.20e8:   0000000180011000-fffff80400fd1fff 0x0001/0x0000 0x0000000
2b2c.20e8:  *000007feff050000-000007feff04efff 0x0002/0x0080 0x1000000  \Device\HarddiskVolume2\Windows\System32\apisetschema.dll
2b2c.20e8:   000007feff051000-000007fdfe0f1fff 0x0001/0x0000 0x0000000
2b2c.20e8:  *000007fffffb0000-000007fffff8cfff 0x0002/0x0002 0x0040000
2b2c.20e8:   000007fffffd3000-000007fffffc8fff 0x0001/0x0000 0x0000000
2b2c.20e8:  *000007fffffdd000-000007fffffdafff 0x0004/0x0004 0x0020000
2b2c.20e8:  *000007fffffdf000-000007fffffddfff 0x0004/0x0004 0x0020000
2b2c.20e8:  *000007fffffe0000-000007fffffcffff 0x0001/0x0002 0x0020000
2b2c.20e8: apisetschema.dll: timestamp 0x51fb15ca (rc=VINF_SUCCESS)
2b2c.20e8: VirtualBox.exe: timestamp 0x54f47197 (rc=VINF_SUCCESS)
2b2c.20e8: '\Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBox.exe' has no imports
2b2c.20e8: VirtualBox.exe: Differences in section #0 (headers) between file and memory:
2b2c.20e8:   000000013fbf016a / 0x000016a: 00 != 11
2b2c.20e8:   000000013fbf016c / 0x000016c: 00 != cc
2b2c.20e8:   000000013fbf016d / 0x000016d: 00 != 01
2b2c.20e8:   000000013fbf01c0 / 0x00001c0: 00 != cc
2b2c.20e8:   000000013fbf01c1 / 0x00001c1: 00 != 01
2b2c.20e8:   000000013fbf01c2 / 0x00001c2: 00 != 11
2b2c.20e8:   000000013fbf01c4 / 0x00001c4: 00 != 20
2b2c.20e8:   Restored 0x400 bytes of original file content at 000000013fbf0000
2b2c.20e8: '\Device\HarddiskVolume2\Windows\System32\apisetschema.dll' has no imports
2b2c.20e8: '\Device\HarddiskVolume2\Windows\System32\ntdll.dll' has no imports
2b2c.20e8: ntdll.dll: Differences in section #1 (.text) between file and memory:
2b2c.20e8:   0000000076d48610 / 0x0018610: 48 != e9
2b2c.20e8:   0000000076d48611 / 0x0018611: 89 != 68
2b2c.20e8:   0000000076d48612 / 0x0018612: 54 != 7e
2b2c.20e8:   0000000076d48613 / 0x0018613: 24 != 2c
2b2c.20e8:   0000000076d48614 / 0x0018614: 10 != 09
2b2c.20e8:   Restored 0x2000 bytes of original file content at 0000000076d47000
2b2c.20e8: ntdll.dll: Differences in section #1 (.text) between file and memory:
2b2c.20e8:   0000000076d49580 / 0x0019580: ff != e9
2b2c.20e8:   0000000076d49581 / 0x0019581: f5 != db
2b2c.20e8:   0000000076d49582 / 0x0019582: 41 != 6d
2b2c.20e8:   0000000076d49583 / 0x0019583: 54 != 2c
2b2c.20e8:   0000000076d49584 / 0x0019584: 41 != 09
2b2c.20e8:   0000000076d49585 / 0x0019585: 55 != 90
2b2c.20e8:   Restored 0x2000 bytes of original file content at 0000000076d49000
2b2c.20e8: ntdll.dll: Differences in section #1 (.text) between file and memory:
2b2c.20e8:   0000000076d57ac0 / 0x0027ac0: 48 != e9
2b2c.20e8:   0000000076d57ac1 / 0x0027ac1: 89 != 62
2b2c.20e8:   0000000076d57ac2 / 0x0027ac2: 5c != 8b
2b2c.20e8:   0000000076d57ac3 / 0x0027ac3: 24 != 2b
2b2c.20e8:   0000000076d57ac4 / 0x0027ac4: 10 != 09
2b2c.20e8:   Restored 0x2000 bytes of original file content at 0000000076d57000
2b2c.20e8: ntdll.dll: Differences in section #1 (.text) between file and memory:
2b2c.20e8:   0000000076d81222 / 0x0051222: 48 != e9
2b2c.20e8:   0000000076d81223 / 0x0051223: 85 != e3
2b2c.20e8:   0000000076d81224 / 0x0051224: c0 != f2
2b2c.20e8:   0000000076d81225 / 0x0051225: 74 != 28
2b2c.20e8:   0000000076d81226 / 0x0051226: 0f != 09
2b2c.20e8:   0000000076d81430 / 0x0051430: 4c != e9
2b2c.20e8:   0000000076d81431 / 0x0051431: 8b != 7b
2b2c.20e8:   0000000076d81432 / 0x0051432: d1 != ed
2b2c.20e8:   0000000076d81433 / 0x0051433: b8 != 28
2b2c.20e8:   0000000076d81434 / 0x0051434: 15 != 09
2b2c.20e8:   0000000076d81435 / 0x0051435: 00 != 90
2b2c.20e8:   0000000076d81436 / 0x0051436: 00 != 90
2b2c.20e8:   0000000076d81437 / 0x0051437: 00 != 90
2b2c.20e8:   0000000076d81530 / 0x0051530: 4c != e9
2b2c.20e8:   0000000076d81531 / 0x0051531: 8b != cb
2b2c.20e8:   0000000076d81532 / 0x0051532: d1 != ea
2b2c.20e8:   0000000076d81533 / 0x0051533: b8 != 28
2b2c.20e8:   0000000076d81534 / 0x0051534: 25 != 09
2b2c.20e8:   0000000076d81535 / 0x0051535: 00 != 90
2b2c.20e8:   0000000076d81536 / 0x0051536: 00 != 90
2b2c.20e8:   0000000076d81537 / 0x0051537: 00 != 90
2b2c.20e8:   0000000076d81550 / 0x0051550: 4c != e9
2b2c.20e8:   0000000076d81551 / 0x0051551: 8b != 7b
2b2c.20e8:   0000000076d81552 / 0x0051552: d1 != ed
2b2c.20e8:   0000000076d81553 / 0x0051553: b8 != 28
2b2c.20e8:   0000000076d81554 / 0x0051554: 27 != 09
2b2c.20e8:   0000000076d81555 / 0x0051555: 00 != 90
2b2c.20e8:   0000000076d81556 / 0x0051556: 00 != 90
2b2c.20e8:   0000000076d81557 / 0x0051557: 00 != 90
2b2c.20e8:   0000000076d81650 / 0x0051650: 4c != e9
2b2c.20e8:   0000000076d81651 / 0x0051651: 8b != eb
2b2c.20e8:   0000000076d81652 / 0x0051652: d1 != eb
2b2c.20e8:   0000000076d81653 / 0x0051653: b8 != 28
2b2c.20e8:   0000000076d81654 / 0x0051654: 37 != 09
2b2c.20e8:   0000000076d81655 / 0x0051655: 00 != 90
2b2c.20e8:   0000000076d81656 / 0x0051656: 00 != 90
2b2c.20e8:   0000000076d81657 / 0x0051657: 00 != 90
2b2c.20e8:   0000000076d81750 / 0x0051750: 4c != e9
2b2c.20e8:   0000000076d81751 / 0x0051751: 8b != 3b
2b2c.20e8:   0000000076d81752 / 0x0051752: d1 != e9
2b2c.20e8:   0000000076d81753 / 0x0051753: b8 != 28
2b2c.20e8:   0000000076d81754 / 0x0051754: 47 != 09
2b2c.20e8:   0000000076d81755 / 0x0051755: 00 != 90
2b2c.20e8:   0000000076d81756 / 0x0051756: 00 != 90
2b2c.20e8:   0000000076d81757 / 0x0051757: 00 != 90
2b2c.20e8:   0000000076d817b0 / 0x00517b0: 4c != e9
2b2c.20e8:   0000000076d817b1 / 0x00517b1: 8b != 6b
2b2c.20e8:   0000000076d817b2 / 0x00517b2: d1 != e9
2b2c.20e8:   0000000076d817b3 / 0x00517b3: b8 != 28
2b2c.20e8:   0000000076d817b4 / 0x00517b4: 4d != 09
2b2c.20e8:   0000000076d817b5 / 0x00517b5: 00 != 90
2b2c.20e8:   0000000076d817b6 / 0x00517b6: 00 != 90
2b2c.20e8:   0000000076d817b7 / 0x00517b7: 00 != 90
2b2c.20e8:   0000000076d820a0 / 0x00520a0: 4c != e9
2b2c.20e8:   0000000076d820a1 / 0x00520a1: 8b != f2
2b2c.20e8:   0000000076d820a2 / 0x00520a2: d1 != e4
2b2c.20e8:   0000000076d820a3 / 0x00520a3: b8 != 28
2b2c.20e8:   0000000076d820a4 / 0x00520a4: dc != 09
2b2c.20e8:   0000000076d820a5 / 0x00520a5: 00 != 90
2b2c.20e8:   0000000076d820a6 / 0x00520a6: 00 != 90
2b2c.20e8:   0000000076d820a7 / 0x00520a7: 00 != 90
2b2c.20e8:   Restored 0x2000 bytes of original file content at 0000000076d8034e
2b2c.20e8: ntdll.dll: Differences in section #1 (.text) between file and memory:
2b2c.20e8:   0000000076dfe030 / 0x00ce030: 48 != e9
2b2c.20e8:   0000000076dfe031 / 0x00ce031: 81 != b9
2b2c.20e8:   0000000076dfe032 / 0x00ce032: ec != 23
2b2c.20e8:   0000000076dfe033 / 0x00ce033: 08 != 21
2b2c.20e8:   0000000076dfe034 / 0x00ce034: 05 != 09
2b2c.20e8:   0000000076dfe035 / 0x00ce035: 00 != 90
2b2c.20e8:   0000000076dfe036 / 0x00ce036: 00 != 90
2b2c.20e8:   Restored 0x2000 bytes of original file content at 0000000076dfc34e
2b2c.20e8: supR3HardNtChildPurify: cFixes=9 g_fSupAdversaries=0x3 cPatchCount=0
2b2c.20e8: supR3HardNtChildPurify: Startup delay kludge #1/1: 520 ms, 65 sleeps
2b2c.20e8: supHardNtVpScanVirtualMemory: enmKind=CHILD_PURIFICATION
2b2c.20e8:  *0000000000000000-fffffffffffeffff 0x0001/0x0000 0x0000000
2b2c.20e8:  *0000000000010000-fffffffffffeffff 0x0004/0x0004 0x0020000
2b2c.20e8:  *0000000000030000-000000000002bfff 0x0002/0x0002 0x0040000
2b2c.20e8:   0000000000034000-0000000000027fff 0x0001/0x0000 0x0000000
2b2c.20e8:  *0000000000040000-000000000003efff 0x0004/0x0004 0x0020000
2b2c.20e8:   0000000000041000-fffffffffffe1fff 0x0001/0x0000 0x0000000
2b2c.20e8:  *00000000000a0000-fffffffffffa3fff 0x0000/0x0004 0x0020000
2b2c.20e8:   000000000019c000-0000000000198fff 0x0104/0x0004 0x0020000
2b2c.20e8:   000000000019f000-000000000019dfff 0x0004/0x0004 0x0020000
2b2c.20e8:   00000000001a0000-ffffffff8960ffff 0x0001/0x0000 0x0000000
2b2c.20e8:  *0000000076d30000-0000000076d2efff 0x0002/0x0080 0x1000000  \Device\HarddiskVolume2\Windows\System32\ntdll.dll
2b2c.20e8:   0000000076d31000-0000000076c2efff 0x0020/0x0080 0x1000000  \Device\HarddiskVolume2\Windows\System32\ntdll.dll
2b2c.20e8:   0000000076e33000-0000000076e03fff 0x0002/0x0080 0x1000000  \Device\HarddiskVolume2\Windows\System32\ntdll.dll
2b2c.20e8:   0000000076e62000-0000000076e59fff 0x0008/0x0080 0x1000000  \Device\HarddiskVolume2\Windows\System32\ntdll.dll
2b2c.20e8:   0000000076e6a000-0000000076e68fff 0x0004/0x0080 0x1000000  \Device\HarddiskVolume2\Windows\System32\ntdll.dll
2b2c.20e8:   0000000076e6b000-0000000076e69fff 0x0008/0x0080 0x1000000  \Device\HarddiskVolume2\Windows\System32\ntdll.dll
2b2c.20e8:   0000000076e6c000-0000000076e69fff 0x0004/0x0080 0x1000000  \Device\HarddiskVolume2\Windows\System32\ntdll.dll
2b2c.20e8:   0000000076e6e000-0000000076e02fff 0x0002/0x0080 0x1000000  \Device\HarddiskVolume2\Windows\System32\ntdll.dll
2b2c.20e8:   0000000076ed9000-000000006edd1fff 0x0001/0x0000 0x0000000
2b2c.20e8:  *000000007efe0000-000000007dfdffff 0x0000/0x0002 0x0020000
2b2c.20e8:  *000000007ffe0000-000000007ffdefff 0x0002/0x0002 0x0020000
2b2c.20e8:   000000007ffe1000-000000007ffd1fff 0x0000/0x0002 0x0020000
2b2c.20e8:   000000007fff0000-ffffffffc03effff 0x0001/0x0000 0x0000000
2b2c.20e8:  *000000013fbf0000-000000013fbeefff 0x0002/0x0080 0x1000000  \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBox.exe
2b2c.20e8:   000000013fbf1000-000000013fb6cfff 0x0020/0x0080 0x1000000  \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBox.exe
2b2c.20e8:   000000013fc75000-000000013fc73fff 0x0040/0x0080 0x1000000  \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBox.exe
2b2c.20e8:   000000013fc76000-000000013fc38fff 0x0002/0x0080 0x1000000  \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBox.exe
2b2c.20e8:   000000013fcb3000-000000013fca8fff 0x0004/0x0080 0x1000000  \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBox.exe
2b2c.20e8:   000000013fcbd000-000000013fc83fff 0x0002/0x0080 0x1000000  \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBox.exe
2b2c.20e8:   000000013fcf6000-fffff8038099bfff 0x0001/0x0000 0x0000000
2b2c.20e8:  *000007feff050000-000007feff04efff 0x0002/0x0080 0x1000000  \Device\HarddiskVolume2\Windows\System32\apisetschema.dll
2b2c.20e8:   000007feff051000-000007fdfe0f1fff 0x0001/0x0000 0x0000000
2b2c.20e8:  *000007fffffb0000-000007fffff8cfff 0x0002/0x0002 0x0040000
2b2c.20e8:   000007fffffd3000-000007fffffc8fff 0x0001/0x0000 0x0000000
2b2c.20e8:  *000007fffffdd000-000007fffffdafff 0x0004/0x0004 0x0020000
2b2c.20e8:  *000007fffffdf000-000007fffffddfff 0x0004/0x0004 0x0020000
2b2c.20e8:  *000007fffffe0000-000007fffffcffff 0x0001/0x0002 0x0020000
2b2c.20e8: supR3HardNtChildPurify: Done after 1070 ms and 9 fixes (loop #1).
2b2c.20e8: supR3HardNtEnableThreadCreation:
1b64.2a9c: Log file opened: 4.3.24r98716 g_hStartupLog=0000000000000004 g_uNtVerCombined=0x611db110
1b64.2a9c: supR3HardenedVmProcessInit: uNtDllAddr=0000000076d30000
1b64.2a9c: ntdll.dll: timestamp 0x521eaf24 (rc=VINF_SUCCESS)
1b64.2a9c: New simple heap: #1 00000000002a0000 LB 0x400000 (for 1740800 allocation)
1b64.2a9c: System32:  \Device\HarddiskVolume2\Windows\System32
1b64.2a9c: WinSxS:    \Device\HarddiskVolume2\Windows\winsxs
1b64.2a9c: KnownDllPath: C:\Windows\system32
1b64.2a9c: supR3HardenedVmProcessInit: Opening vboxdrv stub...
1b64.2a9c: supR3HardenedVmProcessInit: Restoring LdrInitializeThunk...
1b64.2a9c: supR3HardenedVmProcessInit: Returning to LdrInitializeThunk...
1b64.2a9c: Registered Dll notification callback with NTDLL.
1b64.2a9c: supHardenedWinVerifyImageByHandle: -> 22900 (\Device\HarddiskVolume2\Windows\System32\kernel32.dll)
1b64.2a9c: supR3HardenedWinVerifyCacheInsert: \Device\HarddiskVolume2\Windows\System32\kernel32.dll
1b64.2a9c: supR3HardenedMonitor_LdrLoadDll: pName=C:\Windows\system32\kernel32.dll (Input=kernel32.dll, rcNtResolve=0xc0150008) *pfFlags=0xffffffff pwszSearchPath=0000000000000000:<flags> [calling]
1b64.2a9c: supR3HardenedScreenImage/NtCreateSection: cache hit (Unknown Status 22900 (0x5974)) on \Device\HarddiskVolume2\Windows\System32\kernel32.dll [lacks WinVerifyTrust]
1b64.2a9c: supR3HardenedDllNotificationCallback: load   0000000076b10000 LB 0x0011f000 C:\Windows\system32\kernel32.dll [fFlags=0x0]
1b64.2a9c: supR3HardenedScreenImage/LdrLoadDll: cache hit (Unknown Status 22900 (0x5974)) on \Device\HarddiskVolume2\Windows\System32\kernel32.dll [lacks WinVerifyTrust]
1b64.2a9c: supR3HardenedDllNotificationCallback: load   000007fefcb30000 LB 0x0006c000 C:\Windows\system32\KERNELBASE.dll [fFlags=0x0]
1b64.2a9c: supHardenedWinVerifyImageByHandle: -> 22900 (\Device\HarddiskVolume2\Windows\System32\KernelBase.dll)
1b64.2a9c: supR3HardenedWinVerifyCacheInsert: \Device\HarddiskVolume2\Windows\System32\KernelBase.dll
1b64.2a9c: supR3HardenedMonitor_LdrLoadDll: returns rcNt=0x0 hMod=0000000076b10000 'C:\Windows\system32\kernel32.dll'
1b64.2a9c: supR3HardNtDisableThreadCreation: pvLdrInitThunk=0000000076d5c340 pvNtTerminateThread=0000000076d817e0
2b2c.20e8: supR3HardNtChildWaitFor: Found expected request 1 (CloseEvents) after 39 ms.
1b64.2a9c: \SystemRoot\System32\ntdll.dll:
1b64.2a9c:     CreationTime:    2013-11-15T07:43:29.515072300Z
1b64.2a9c:     LastWriteTime:   2013-08-29T02:16:35.515578900Z
1b64.2a9c:     ChangeTime:      2013-11-15T10:28:25.401792300Z
1b64.2a9c:     FileAttributes:  0x20
1b64.2a9c:     Size:            0x1a6dc0
1b64.2a9c:     NT Headers:      0xe0
1b64.2a9c:     Timestamp:       0x521eaf24
1b64.2a9c:     Machine:         0x8664 - amd64
1b64.2a9c:     Timestamp:       0x521eaf24
1b64.2a9c:     Image Version:   6.1
1b64.2a9c:     SizeOfImage:     0x1a9000 (1740800)
1b64.2a9c:     Resource Dir:    0x151000 LB 0x560d8
1b64.2a9c:     ProductName:     Microsoft® Windows® Operating System
1b64.2a9c:     ProductVersion:  6.1.7601.18247
1b64.2a9c:     FileVersion:     6.1.7601.18247 (win7sp1_gdr.130828-1532)
1b64.2a9c:     FileDescription: NT Layer DLL
1b64.2a9c: \SystemRoot\System32\kernel32.dll:
1b64.2a9c:     CreationTime:    2014-04-16T05:04:33.563177300Z
1b64.2a9c:     LastWriteTime:   2014-03-04T09:44:00.336000000Z
1b64.2a9c:     ChangeTime:      2014-04-16T05:24:46.753957400Z
1b64.2a9c:     FileAttributes:  0x20
1b64.2a9c:     Size:            0x11c000
1b64.2a9c:     NT Headers:      0xe8
1b64.2a9c:     Timestamp:       0x5315a059
1b64.2a9c:     Machine:         0x8664 - amd64
1b64.2a9c:     Timestamp:       0x5315a059
1b64.2a9c:     Image Version:   6.1
1b64.2a9c:     SizeOfImage:     0x11f000 (1175552)
1b64.2a9c:     Resource Dir:    0x116000 LB 0x528
1b64.2a9c:     ProductName:     Microsoft® Windows® Operating System
1b64.2a9c:     ProductVersion:  6.1.7601.18409
1b64.2a9c:     FileVersion:     6.1.7601.18409 (win7sp1_gdr.140303-2144)
1b64.2a9c:     FileDescription: Windows NT BASE API Client DLL
1b64.2a9c: \SystemRoot\System32\KernelBase.dll:
1b64.2a9c:     CreationTime:    2014-05-19T05:17:31.014644800Z
1b64.2a9c:     LastWriteTime:   2014-03-04T09:44:00.336000000Z
1b64.2a9c:     ChangeTime:      2014-05-19T05:32:40.719677400Z
1b64.2a9c:     FileAttributes:  0x20
1b64.2a9c:     Size:            0x67c00
1b64.2a9c:     NT Headers:      0xe8
1b64.2a9c:     Timestamp:       0x5315a05a
1b64.2a9c:     Machine:         0x8664 - amd64
1b64.2a9c:     Timestamp:       0x5315a05a
1b64.2a9c:     Image Version:   6.1
1b64.2a9c:     SizeOfImage:     0x6c000 (442368)
1b64.2a9c:     Resource Dir:    0x6a000 LB 0x530
1b64.2a9c:     ProductName:     Microsoft® Windows® Operating System
1b64.2a9c:     ProductVersion:  6.1.7601.18409
1b64.2a9c:     FileVersion:     6.1.7601.18409 (win7sp1_gdr.140303-2144)
1b64.2a9c:     FileDescription: Windows NT BASE API Client DLL
1b64.2a9c: \SystemRoot\System32\apisetschema.dll:
1b64.2a9c:     CreationTime:    2013-09-12T05:14:17.940756300Z
1b64.2a9c:     LastWriteTime:   2013-08-02T02:12:20.275000000Z
1b64.2a9c:     ChangeTime:      2013-09-12T05:45:38.834941500Z
1b64.2a9c:     FileAttributes:  0x20
1b64.2a9c:     Size:            0x1a00
1b64.2a9c:     NT Headers:      0xc0
1b64.2a9c:     Timestamp:       0x51fb15ca
1b64.2a9c:     Machine:         0x8664 - amd64
1b64.2a9c:     Timestamp:       0x51fb15ca
1b64.2a9c:     Image Version:   6.1
1b64.2a9c:     SizeOfImage:     0x50000 (327680)
1b64.2a9c:     Resource Dir:    0x30000 LB 0x3f8
1b64.2a9c:     ProductName:     Microsoft® Windows® Operating System
1b64.2a9c:     ProductVersion:  6.1.7601.18229
1b64.2a9c:     FileVersion:     6.1.7601.18229 (win7sp1_gdr.130801-1533)
1b64.2a9c:     FileDescription: ApiSet Schema DLL
1b64.2a9c: Found driver SysPlant (0x1)
1b64.2a9c: Found driver SymNetS (0x2)
1b64.2a9c: Found driver SRTSPX (0x2)
1b64.2a9c: Found driver SymEvent (0x2)
1b64.2a9c: Found driver SymIRON (0x2)
1b64.2a9c: supR3HardenedWinFindAdversaries: 0x3
1b64.2a9c: \SystemRoot\System32\drivers\SysPlant.sys:
1b64.2a9c:     CreationTime:    2015-02-12T15:13:16.924536700Z
1b64.2a9c:     LastWriteTime:   2015-02-12T15:13:16.928536700Z
1b64.2a9c:     ChangeTime:      2015-02-12T15:13:16.928536700Z
1b64.2a9c:     FileAttributes:  0x20
1b64.2a9c:     Size:            0x26f40
1b64.2a9c:     NT Headers:      0x100
1b64.2a9c:     Timestamp:       0x5413cb4e
1b64.2a9c:     Machine:         0x8664 - amd64
1b64.2a9c:     Timestamp:       0x5413cb4e
1b64.2a9c:     Image Version:   5.0
1b64.2a9c:     SizeOfImage:     0x2d000 (184320)
1b64.2a9c:     Resource Dir:    0x2b000 LB 0x498
1b64.2a9c:     ProductName:     Symantec CMC Firewall
1b64.2a9c:     ProductVersion:  12.1.5337.5000
1b64.2a9c:     FileVersion:     12.1.5337.5000
1b64.2a9c:     FileDescription: Symantec CMC Firewall SysPlant
1b64.2a9c: \SystemRoot\System32\sysfer.dll:
1b64.2a9c:     CreationTime:    2015-02-12T15:13:16.788536700Z
1b64.2a9c:     LastWriteTime:   2015-02-12T15:13:16.792536700Z
1b64.2a9c:     ChangeTime:      2015-02-12T15:13:16.792536700Z
1b64.2a9c:     FileAttributes:  0x20
1b64.2a9c:     Size:            0x70f60
1b64.2a9c:     NT Headers:      0xe8
1b64.2a9c:     Timestamp:       0x5413cb55
1b64.2a9c:     Machine:         0x8664 - amd64
1b64.2a9c:     Timestamp:       0x5413cb55
1b64.2a9c:     Image Version:   0.0
1b64.2a9c:     SizeOfImage:     0x88000 (557056)
1b64.2a9c:     Resource Dir:    0x86000 LB 0x630
1b64.2a9c:     ProductName:     Symantec CMC Firewall
1b64.2a9c:     ProductVersion:  12.1.5337.5000
1b64.2a9c:     FileVersion:     12.1.5337.5000
1b64.2a9c:     FileDescription: Symantec CMC Firewall sysfer
1b64.2a9c: \SystemRoot\System32\drivers\symevent64x86.sys:
1b64.2a9c:     CreationTime:    2015-02-12T15:17:09.408536700Z
1b64.2a9c:     LastWriteTime:   2015-02-12T15:17:09.057536700Z
1b64.2a9c:     ChangeTime:      2015-02-12T15:17:09.057536700Z
1b64.2a9c:     FileAttributes:  0x20
1b64.2a9c:     Size:            0x2b658
1b64.2a9c:     NT Headers:      0xe8
1b64.2a9c:     Timestamp:       0x51f32ff2
1b64.2a9c:     Machine:         0x8664 - amd64
1b64.2a9c:     Timestamp:       0x51f32ff2
1b64.2a9c:     Image Version:   6.0
1b64.2a9c:     SizeOfImage:     0x38000 (229376)
1b64.2a9c:     Resource Dir:    0x36000 LB 0x3c8
1b64.2a9c:     ProductName:     SYMEVENT
1b64.2a9c:     ProductVersion:  12.9.5.2
1b64.2a9c:     FileVersion:     12.9.5.2
1b64.2a9c:     FileDescription: Symantec Event Library
1b64.2a9c: Calling main()
1b64.2a9c: SUPR3HardenedMain: pszProgName=VirtualBox fFlags=0x2
1b64.2a9c: '\Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBox.exe' has no imports
1b64.2a9c: supHardenedWinVerifyImageByHandle: -> 0 (\Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBox.exe)
1b64.2a9c: SUPR3HardenedMain: Respawn #2
1b64.2a9c: supR3HardNtEnableThreadCreation:
1b64.2a9c: supHardenedWinVerifyImageByHandle: -> 22900 (\Device\HarddiskVolume2\Windows\System32\apphelp.dll)
1b64.2a9c: supR3HardenedWinVerifyCacheInsert: \Device\HarddiskVolume2\Windows\System32\apphelp.dll
1b64.2a9c: supR3HardenedMonitor_LdrLoadDll: pName=C:\Windows\system32\apphelp.dll (rcNtResolve=0xc0150008) *pfFlags=0xffffffff pwszSearchPath=0000000000000000:<flags> [calling]
1b64.2a9c: supR3HardenedScreenImage/NtCreateSection: cache hit (Unknown Status 22900 (0x5974)) on \Device\HarddiskVolume2\Windows\System32\apphelp.dll [lacks WinVerifyTrust]
1b64.2a9c: supR3HardenedDllNotificationCallback: load   000007fefc8f0000 LB 0x00057000 C:\Windows\system32\apphelp.dll [fFlags=0x0]
1b64.2a9c: supR3HardenedScreenImage/LdrLoadDll: cache hit (Unknown Status 22900 (0x5974)) on \Device\HarddiskVolume2\Windows\System32\apphelp.dll [lacks WinVerifyTrust]
1b64.2a9c: supR3HardenedMonitor_LdrLoadDll: returns rcNt=0x0 hMod=000007fefc8f0000 'C:\Windows\system32\apphelp.dll'
1b64.2a9c: supR3HardNtDisableThreadCreation: pvLdrInitThunk=0000000076d5c340 pvNtTerminateThread=0000000076d817e0
1b64.2a9c: supR3HardenedWinDoReSpawn(2): New child 2be8.2a50 [kernel32].
1b64.2a9c: supR3HardNtChildGatherData: PebBaseAddress=000007fffffd6000 cbPeb=0x380
1b64.2a9c: supR3HardNtPuChFindNtdll: uNtDllParentAddr=0000000076d30000 uNtDllChildAddr=0000000076d30000
1b64.2a9c: supR3HardenedWinSetupChildInit: uLdrInitThunk=0000000076d5c340
1b64.2a9c: supR3HardenedWinSetupChildInit: Start child.
1b64.2a9c: supR3HardNtChildWaitFor: Found expected request 0 (PurifyChildAndCloseHandles) after 10 ms.
1b64.2a9c: supR3HardNtChildPurify: Startup delay kludge #1/0: 520 ms, 65 sleeps
1b64.2a9c: supHardNtVpScanVirtualMemory: enmKind=CHILD_PURIFICATION
1b64.2a9c:  *0000000000000000-fffffffffffeffff 0x0001/0x0000 0x0000000
1b64.2a9c:  *0000000000010000-fffffffffffeffff 0x0004/0x0004 0x0020000
1b64.2a9c:  *0000000000030000-000000000002bfff 0x0002/0x0002 0x0040000
1b64.2a9c:   0000000000034000-0000000000027fff 0x0001/0x0000 0x0000000
1b64.2a9c:  *0000000000040000-000000000003efff 0x0004/0x0004 0x0020000
1b64.2a9c:   0000000000041000-ffffffffffeb1fff 0x0001/0x0000 0x0000000
1b64.2a9c:  *00000000001d0000-00000000000d3fff 0x0000/0x0004 0x0020000
1b64.2a9c:   00000000002cc000-00000000002c8fff 0x0104/0x0004 0x0020000
1b64.2a9c:   00000000002cf000-00000000002cdfff 0x0004/0x0004 0x0020000
1b64.2a9c:   00000000002d0000-ffffffff8986ffff 0x0001/0x0000 0x0000000
1b64.2a9c:  *0000000076d30000-0000000076d2efff 0x0002/0x0080 0x1000000  \Device\HarddiskVolume2\Windows\System32\ntdll.dll
1b64.2a9c:   0000000076d31000-0000000076c2efff 0x0020/0x0080 0x1000000  \Device\HarddiskVolume2\Windows\System32\ntdll.dll
1b64.2a9c:   0000000076e33000-0000000076e03fff 0x0002/0x0080 0x1000000  \Device\HarddiskVolume2\Windows\System32\ntdll.dll
1b64.2a9c:   0000000076e62000-0000000076e59fff 0x0008/0x0080 0x1000000  \Device\HarddiskVolume2\Windows\System32\ntdll.dll
1b64.2a9c:   0000000076e6a000-0000000076e68fff 0x0004/0x0080 0x1000000  \Device\HarddiskVolume2\Windows\System32\ntdll.dll
1b64.2a9c:   0000000076e6b000-0000000076e67fff 0x0008/0x0080 0x1000000  \Device\HarddiskVolume2\Windows\System32\ntdll.dll
1b64.2a9c:   0000000076e6e000-0000000076e02fff 0x0002/0x0080 0x1000000  \Device\HarddiskVolume2\Windows\System32\ntdll.dll
1b64.2a9c:   0000000076ed9000-000000006edd1fff 0x0001/0x0000 0x0000000
1b64.2a9c:  *000000007efe0000-000000007dfdffff 0x0000/0x0002 0x0020000
1b64.2a9c:  *000000007ffe0000-000000007ffdefff 0x0002/0x0002 0x0020000
1b64.2a9c:   000000007ffe1000-000000007ffd1fff 0x0000/0x0002 0x0020000
1b64.2a9c:   000000007fff0000-000000007ffcffff 0x0001/0x0000 0x0000000
1b64.2a9c:  *0000000080010000-000000008000efff 0x0040/0x0040 0x0020000 !!
1b64.2a9c: supHardNtVpScanVirtualMemory: Freeing exec mem at 0000000080010000 (0000000080010000 LB 0x1000)
1b64.2a9c:   0000000080011000-ffffffffc0431fff 0x0001/0x0000 0x0000000
1b64.2a9c:  *000000013fbf0000-000000013fbeefff 0x0040/0x0080 0x1000000  \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBox.exe
1b64.2a9c:   000000013fbf1000-000000013fb6cfff 0x0020/0x0080 0x1000000  \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBox.exe
1b64.2a9c:   000000013fc75000-000000013fc73fff 0x0080/0x0080 0x1000000  \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBox.exe
1b64.2a9c:   000000013fc76000-000000013fc38fff 0x0002/0x0080 0x1000000  \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBox.exe
1b64.2a9c:   000000013fcb3000-000000013fcb1fff 0x0004/0x0080 0x1000000  \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBox.exe
1b64.2a9c:   000000013fcb4000-000000013fcb2fff 0x0008/0x0080 0x1000000  \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBox.exe
1b64.2a9c:   000000013fcb5000-000000013fcb2fff 0x0004/0x0080 0x1000000  \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBox.exe
1b64.2a9c:   000000013fcb7000-000000013fcb5fff 0x0008/0x0080 0x1000000  \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBox.exe
1b64.2a9c:   000000013fcb8000-000000013fcb6fff 0x0004/0x0080 0x1000000  \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBox.exe
1b64.2a9c:   000000013fcb9000-000000013fcb4fff 0x0008/0x0080 0x1000000  \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBox.exe
1b64.2a9c:   000000013fcbd000-000000013fc83fff 0x0002/0x0080 0x1000000  \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBox.exe
1b64.2a9c:   000000013fcf6000-000000013fcebfff 0x0001/0x0000 0x0000000
1b64.2a9c:  *000000013fd00000-000000013fcfefff 0x0040/0x0040 0x0020000 !!
1b64.2a9c: supHardNtVpScanVirtualMemory: Freeing exec mem at 000000013fd00000 (000000013fd00000 LB 0x1000)
1b64.2a9c:   000000013fd01000-00000000ffa01fff 0x0001/0x0000 0x0000000
1b64.2a9c:  *0000000180000000-000000017fffefff 0x0002/0x0080 0x1000000  \Device\HarddiskVolume2\Program Files (x86)\DeviceLock\DeviceLock Agent\DLDrvUserMode64.dll
1b64.2a9c: supHardNtVpScanVirtualMemory: Unmapping image mem at 0000000180000000 (0000000180000000 LB 0x1000) - 'DLDrvUserMode64.dll'
1b64.2a9c:   0000000180001000-000000017fff1fff 0x0001/0x0000 0x0000000
1b64.2a9c:  *0000000180010000-000000018000efff 0x0040/0x0040 0x0020000 !!
1b64.2a9c: supHardNtVpScanVirtualMemory: Freeing exec mem at 0000000180010000 (0000000180010000 LB 0x1000)
1b64.2a9c:   0000000180011000-fffff80400fd1fff 0x0001/0x0000 0x0000000
1b64.2a9c:  *000007feff050000-000007feff04efff 0x0002/0x0080 0x1000000  \Device\HarddiskVolume2\Windows\System32\apisetschema.dll
1b64.2a9c:   000007feff051000-000007fdfe0f1fff 0x0001/0x0000 0x0000000
1b64.2a9c:  *000007fffffb0000-000007fffff8cfff 0x0002/0x0002 0x0040000
1b64.2a9c:   000007fffffd3000-000007fffffcffff 0x0001/0x0000 0x0000000
1b64.2a9c:  *000007fffffd6000-000007fffffd4fff 0x0004/0x0004 0x0020000
1b64.2a9c:   000007fffffd7000-000007fffffcffff 0x0001/0x0000 0x0000000
1b64.2a9c:  *000007fffffde000-000007fffffdbfff 0x0004/0x0004 0x0020000
1b64.2a9c:  *000007fffffe0000-000007fffffcffff 0x0001/0x0002 0x0020000
1b64.2a9c: apisetschema.dll: timestamp 0x51fb15ca (rc=VINF_SUCCESS)
1b64.2a9c: VirtualBox.exe: timestamp 0x54f47197 (rc=VINF_SUCCESS)
1b64.2a9c: '\Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBox.exe' has no imports
1b64.2a9c: VirtualBox.exe: Differences in section #0 (headers) between file and memory:
1b64.2a9c:   000000013fbf016a / 0x000016a: 00 != 11
1b64.2a9c:   000000013fbf016c / 0x000016c: 00 != cc
1b64.2a9c:   000000013fbf016d / 0x000016d: 00 != 01
1b64.2a9c:   000000013fbf01c0 / 0x00001c0: 00 != cc
1b64.2a9c:   000000013fbf01c1 / 0x00001c1: 00 != 01
1b64.2a9c:   000000013fbf01c2 / 0x00001c2: 00 != 11
1b64.2a9c:   000000013fbf01c4 / 0x00001c4: 00 != 20
1b64.2a9c:   Restored 0x400 bytes of original file content at 000000013fbf0000
1b64.2a9c: '\Device\HarddiskVolume2\Windows\System32\apisetschema.dll' has no imports
1b64.2a9c: '\Device\HarddiskVolume2\Windows\System32\ntdll.dll' has no imports
1b64.2a9c: ntdll.dll: Differences in section #1 (.text) between file and memory:
1b64.2a9c:   0000000076d48610 / 0x0018610: 48 != e9
1b64.2a9c:   0000000076d48611 / 0x0018611: 89 != 68
1b64.2a9c:   0000000076d48612 / 0x0018612: 54 != 7e
1b64.2a9c:   0000000076d48613 / 0x0018613: 24 != 2c
1b64.2a9c:   0000000076d48614 / 0x0018614: 10 != 09
1b64.2a9c:   Restored 0x2000 bytes of original file content at 0000000076d47000
1b64.2a9c: ntdll.dll: Differences in section #1 (.text) between file and memory:
1b64.2a9c:   0000000076d49580 / 0x0019580: ff != e9
1b64.2a9c:   0000000076d49581 / 0x0019581: f5 != db
1b64.2a9c:   0000000076d49582 / 0x0019582: 41 != 6d
1b64.2a9c:   0000000076d49583 / 0x0019583: 54 != 2c
1b64.2a9c:   0000000076d49584 / 0x0019584: 41 != 09
1b64.2a9c:   0000000076d49585 / 0x0019585: 55 != 90
1b64.2a9c:   Restored 0x2000 bytes of original file content at 0000000076d49000
1b64.2a9c: ntdll.dll: Differences in section #1 (.text) between file and memory:
1b64.2a9c:   0000000076d57ac0 / 0x0027ac0: 48 != e9
1b64.2a9c:   0000000076d57ac1 / 0x0027ac1: 89 != 62
1b64.2a9c:   0000000076d57ac2 / 0x0027ac2: 5c != 8b
1b64.2a9c:   0000000076d57ac3 / 0x0027ac3: 24 != 2b
1b64.2a9c:   0000000076d57ac4 / 0x0027ac4: 10 != 09
1b64.2a9c:   Restored 0x2000 bytes of original file content at 0000000076d57000
1b64.2a9c: ntdll.dll: Differences in section #1 (.text) between file and memory:
1b64.2a9c:   0000000076d81222 / 0x0051222: 48 != e9
1b64.2a9c:   0000000076d81223 / 0x0051223: 85 != e3
1b64.2a9c:   0000000076d81224 / 0x0051224: c0 != f2
1b64.2a9c:   0000000076d81225 / 0x0051225: 74 != 28
1b64.2a9c:   0000000076d81226 / 0x0051226: 0f != 09
1b64.2a9c:   0000000076d81430 / 0x0051430: 4c != e9
1b64.2a9c:   0000000076d81431 / 0x0051431: 8b != 7b
1b64.2a9c:   0000000076d81432 / 0x0051432: d1 != ed
1b64.2a9c:   0000000076d81433 / 0x0051433: b8 != 28
1b64.2a9c:   0000000076d81434 / 0x0051434: 15 != 09
1b64.2a9c:   0000000076d81435 / 0x0051435: 00 != 90
1b64.2a9c:   0000000076d81436 / 0x0051436: 00 != 90
1b64.2a9c:   0000000076d81437 / 0x0051437: 00 != 90
1b64.2a9c:   0000000076d81530 / 0x0051530: 4c != e9
1b64.2a9c:   0000000076d81531 / 0x0051531: 8b != cb
1b64.2a9c:   0000000076d81532 / 0x0051532: d1 != ea
1b64.2a9c:   0000000076d81533 / 0x0051533: b8 != 28
1b64.2a9c:   0000000076d81534 / 0x0051534: 25 != 09
1b64.2a9c:   0000000076d81535 / 0x0051535: 00 != 90
1b64.2a9c:   0000000076d81536 / 0x0051536: 00 != 90
1b64.2a9c:   0000000076d81537 / 0x0051537: 00 != 90
1b64.2a9c:   0000000076d81550 / 0x0051550: 4c != e9
1b64.2a9c:   0000000076d81551 / 0x0051551: 8b != 7b
1b64.2a9c:   0000000076d81552 / 0x0051552: d1 != ed
1b64.2a9c:   0000000076d81553 / 0x0051553: b8 != 28
1b64.2a9c:   0000000076d81554 / 0x0051554: 27 != 09
1b64.2a9c:   0000000076d81555 / 0x0051555: 00 != 90
1b64.2a9c:   0000000076d81556 / 0x0051556: 00 != 90
1b64.2a9c:   0000000076d81557 / 0x0051557: 00 != 90
1b64.2a9c:   0000000076d81650 / 0x0051650: 4c != e9
1b64.2a9c:   0000000076d81651 / 0x0051651: 8b != eb
1b64.2a9c:   0000000076d81652 / 0x0051652: d1 != eb
1b64.2a9c:   0000000076d81653 / 0x0051653: b8 != 28
1b64.2a9c:   0000000076d81654 / 0x0051654: 37 != 09
1b64.2a9c:   0000000076d81655 / 0x0051655: 00 != 90
1b64.2a9c:   0000000076d81656 / 0x0051656: 00 != 90
1b64.2a9c:   0000000076d81657 / 0x0051657: 00 != 90
1b64.2a9c:   0000000076d81750 / 0x0051750: 4c != e9
1b64.2a9c:   0000000076d81751 / 0x0051751: 8b != 3b
1b64.2a9c:   0000000076d81752 / 0x0051752: d1 != e9
1b64.2a9c:   0000000076d81753 / 0x0051753: b8 != 28
1b64.2a9c:   0000000076d81754 / 0x0051754: 47 != 09
1b64.2a9c:   0000000076d81755 / 0x0051755: 00 != 90
1b64.2a9c:   0000000076d81756 / 0x0051756: 00 != 90
1b64.2a9c:   0000000076d81757 / 0x0051757: 00 != 90
1b64.2a9c:   0000000076d817b0 / 0x00517b0: 4c != e9
1b64.2a9c:   0000000076d817b1 / 0x00517b1: 8b != 6b
1b64.2a9c:   0000000076d817b2 / 0x00517b2: d1 != e9
1b64.2a9c:   0000000076d817b3 / 0x00517b3: b8 != 28
1b64.2a9c:   0000000076d817b4 / 0x00517b4: 4d != 09
1b64.2a9c:   0000000076d817b5 / 0x00517b5: 00 != 90
1b64.2a9c:   0000000076d817b6 / 0x00517b6: 00 != 90
1b64.2a9c:   0000000076d817b7 / 0x00517b7: 00 != 90
1b64.2a9c:   0000000076d820a0 / 0x00520a0: 4c != e9
1b64.2a9c:   0000000076d820a1 / 0x00520a1: 8b != f2
1b64.2a9c:   0000000076d820a2 / 0x00520a2: d1 != e4
1b64.2a9c:   0000000076d820a3 / 0x00520a3: b8 != 28
1b64.2a9c:   0000000076d820a4 / 0x00520a4: dc != 09
1b64.2a9c:   0000000076d820a5 / 0x00520a5: 00 != 90
1b64.2a9c:   0000000076d820a6 / 0x00520a6: 00 != 90
1b64.2a9c:   0000000076d820a7 / 0x00520a7: 00 != 90
1b64.2a9c:   Restored 0x2000 bytes of original file content at 0000000076d8034e
1b64.2a9c: ntdll.dll: Differences in section #1 (.text) between file and memory:
1b64.2a9c:   0000000076dfe030 / 0x00ce030: 48 != e9
1b64.2a9c:   0000000076dfe031 / 0x00ce031: 81 != b9
1b64.2a9c:   0000000076dfe032 / 0x00ce032: ec != 23
1b64.2a9c:   0000000076dfe033 / 0x00ce033: 08 != 21
1b64.2a9c:   0000000076dfe034 / 0x00ce034: 05 != 09
1b64.2a9c:   0000000076dfe035 / 0x00ce035: 00 != 90
1b64.2a9c:   0000000076dfe036 / 0x00ce036: 00 != 90
1b64.2a9c:   Restored 0x2000 bytes of original file content at 0000000076dfc34e
1b64.2a9c: supR3HardNtChildPurify: cFixes=9 g_fSupAdversaries=0x3 cPatchCount=0
1b64.2a9c: supR3HardNtChildPurify: Startup delay kludge #1/1: 520 ms, 65 sleeps
1b64.2a9c: supHardNtVpScanVirtualMemory: enmKind=CHILD_PURIFICATION
1b64.2a9c:  *0000000000000000-fffffffffffeffff 0x0001/0x0000 0x0000000
1b64.2a9c:  *0000000000010000-fffffffffffeffff 0x0004/0x0004 0x0020000
1b64.2a9c:  *0000000000030000-000000000002bfff 0x0002/0x0002 0x0040000
1b64.2a9c:   0000000000034000-0000000000027fff 0x0001/0x0000 0x0000000
1b64.2a9c:  *0000000000040000-000000000003efff 0x0004/0x0004 0x0020000
1b64.2a9c:   0000000000041000-ffffffffffeb1fff 0x0001/0x0000 0x0000000
1b64.2a9c:  *00000000001d0000-00000000000d3fff 0x0000/0x0004 0x0020000
1b64.2a9c:   00000000002cc000-00000000002c8fff 0x0104/0x0004 0x0020000
1b64.2a9c:   00000000002cf000-00000000002cdfff 0x0004/0x0004 0x0020000
1b64.2a9c:   00000000002d0000-ffffffff8986ffff 0x0001/0x0000 0x0000000
1b64.2a9c:  *0000000076d30000-0000000076d2efff 0x0002/0x0080 0x1000000  \Device\HarddiskVolume2\Windows\System32\ntdll.dll
1b64.2a9c:   0000000076d31000-0000000076c2efff 0x0020/0x0080 0x1000000  \Device\HarddiskVolume2\Windows\System32\ntdll.dll
1b64.2a9c:   0000000076e33000-0000000076e03fff 0x0002/0x0080 0x1000000  \Device\HarddiskVolume2\Windows\System32\ntdll.dll
1b64.2a9c:   0000000076e62000-0000000076e59fff 0x0008/0x0080 0x1000000  \Device\HarddiskVolume2\Windows\System32\ntdll.dll
1b64.2a9c:   0000000076e6a000-0000000076e68fff 0x0004/0x0080 0x1000000  \Device\HarddiskVolume2\Windows\System32\ntdll.dll
1b64.2a9c:   0000000076e6b000-0000000076e69fff 0x0008/0x0080 0x1000000  \Device\HarddiskVolume2\Windows\System32\ntdll.dll
1b64.2a9c:   0000000076e6c000-0000000076e69fff 0x0004/0x0080 0x1000000  \Device\HarddiskVolume2\Windows\System32\ntdll.dll
1b64.2a9c:   0000000076e6e000-0000000076e02fff 0x0002/0x0080 0x1000000  \Device\HarddiskVolume2\Windows\System32\ntdll.dll
1b64.2a9c:   0000000076ed9000-000000006edd1fff 0x0001/0x0000 0x0000000
1b64.2a9c:  *000000007efe0000-000000007dfdffff 0x0000/0x0002 0x0020000
1b64.2a9c:  *000000007ffe0000-000000007ffdefff 0x0002/0x0002 0x0020000
1b64.2a9c:   000000007ffe1000-000000007ffd1fff 0x0000/0x0002 0x0020000
1b64.2a9c:   000000007fff0000-ffffffffc03effff 0x0001/0x0000 0x0000000
1b64.2a9c:  *000000013fbf0000-000000013fbeefff 0x0002/0x0080 0x1000000  \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBox.exe
1b64.2a9c:   000000013fbf1000-000000013fb6cfff 0x0020/0x0080 0x1000000  \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBox.exe
1b64.2a9c:   000000013fc75000-000000013fc73fff 0x0040/0x0080 0x1000000  \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBox.exe
1b64.2a9c:   000000013fc76000-000000013fc38fff 0x0002/0x0080 0x1000000  \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBox.exe
1b64.2a9c:   000000013fcb3000-000000013fca8fff 0x0004/0x0080 0x1000000  \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBox.exe
1b64.2a9c:   000000013fcbd000-000000013fc83fff 0x0002/0x0080 0x1000000  \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBox.exe
1b64.2a9c:   000000013fcf6000-fffff8038099bfff 0x0001/0x0000 0x0000000
1b64.2a9c:  *000007feff050000-000007feff04efff 0x0002/0x0080 0x1000000  \Device\HarddiskVolume2\Windows\System32\apisetschema.dll
1b64.2a9c:   000007feff051000-000007fdfe0f1fff 0x0001/0x0000 0x0000000
1b64.2a9c:  *000007fffffb0000-000007fffff8cfff 0x0002/0x0002 0x0040000
1b64.2a9c:   000007fffffd3000-000007fffffcffff 0x0001/0x0000 0x0000000
1b64.2a9c:  *000007fffffd6000-000007fffffd4fff 0x0004/0x0004 0x0020000
1b64.2a9c:   000007fffffd7000-000007fffffcffff 0x0001/0x0000 0x0000000
1b64.2a9c:  *000007fffffde000-000007fffffdbfff 0x0004/0x0004 0x0020000
1b64.2a9c:  *000007fffffe0000-000007fffffcffff 0x0001/0x0002 0x0020000
1b64.2a9c: supR3HardNtChildPurify: Done after 1080 ms and 9 fixes (loop #1).
1b64.2a9c: supR3HardenedEarlyCompact: Removed heap 1 (0x000000002a0000 LB 0x400000)
1b64.2a9c: supR3HardNtEnableThreadCreation:
2be8.2a50: Log file opened: 4.3.24r98716 g_hStartupLog=0000000000000004 g_uNtVerCombined=0x611db110
2be8.2a50: supR3HardenedVmProcessInit: uNtDllAddr=0000000076d30000
2be8.2a50: ntdll.dll: timestamp 0x521eaf24 (rc=VINF_SUCCESS)
2be8.2a50: New simple heap: #1 00000000002d0000 LB 0x400000 (for 1740800 allocation)
2be8.2a50: System32:  \Device\HarddiskVolume2\Windows\System32
2be8.2a50: WinSxS:    \Device\HarddiskVolume2\Windows\winsxs
2be8.2a50: KnownDllPath: C:\Windows\system32
2be8.2a50: supR3HardenedVmProcessInit: Opening vboxdrv...
2be8.2a50: supR3HardenedVmProcessInit: Restoring LdrInitializeThunk...
2be8.2a50: supR3HardenedVmProcessInit: Returning to LdrInitializeThunk...
2be8.2a50: Registered Dll notification callback with NTDLL.
2be8.2a50: supHardenedWinVerifyImageByHandle: -> 22900 (\Device\HarddiskVolume2\Windows\System32\kernel32.dll)
2be8.2a50: supR3HardenedWinVerifyCacheInsert: \Device\HarddiskVolume2\Windows\System32\kernel32.dll
2be8.2a50: supR3HardenedMonitor_LdrLoadDll: pName=C:\Windows\system32\kernel32.dll (Input=kernel32.dll, rcNtResolve=0xc0150008) *pfFlags=0xffffffff pwszSearchPath=0000000000000000:<flags> [calling]
2be8.2a50: supR3HardenedScreenImage/NtCreateSection: cache hit (Unknown Status 22900 (0x5974)) on \Device\HarddiskVolume2\Windows\System32\kernel32.dll [lacks WinVerifyTrust]
2be8.2a50: supR3HardenedDllNotificationCallback: load   0000000076b10000 LB 0x0011f000 C:\Windows\system32\kernel32.dll [fFlags=0x0]
2be8.2a50: supR3HardenedScreenImage/LdrLoadDll: cache hit (Unknown Status 22900 (0x5974)) on \Device\HarddiskVolume2\Windows\System32\kernel32.dll [lacks WinVerifyTrust]
2be8.2a50: supR3HardenedDllNotificationCallback: load   000007fefcb30000 LB 0x0006c000 C:\Windows\system32\KERNELBASE.dll [fFlags=0x0]
2be8.2a50: supHardenedWinVerifyImageByHandle: -> 22900 (\Device\HarddiskVolume2\Windows\System32\KernelBase.dll)
2be8.2a50: supR3HardenedWinVerifyCacheInsert: \Device\HarddiskVolume2\Windows\System32\KernelBase.dll
2be8.2a50: supR3HardenedMonitor_LdrLoadDll: returns rcNt=0x0 hMod=0000000076b10000 'C:\Windows\system32\kernel32.dll'
2be8.2a50: supR3HardNtDisableThreadCreation: pvLdrInitThunk=0000000076d5c340 pvNtTerminateThread=0000000076d817e0
1b64.2a9c: supR3HardNtChildWaitFor: Found expected request 1 (CloseEvents) after 49 ms.
2be8.2a50: \SystemRoot\System32\ntdll.dll:
2be8.2a50:     CreationTime:    2013-11-15T07:43:29.515072300Z
2be8.2a50:     LastWriteTime:   2013-08-29T02:16:35.515578900Z
2be8.2a50:     ChangeTime:      2013-11-15T10:28:25.401792300Z
2be8.2a50:     FileAttributes:  0x20
2be8.2a50:     Size:            0x1a6dc0
2be8.2a50:     NT Headers:      0xe0
2be8.2a50:     Timestamp:       0x521eaf24
2be8.2a50:     Machine:         0x8664 - amd64
2be8.2a50:     Timestamp:       0x521eaf24
2be8.2a50:     Image Version:   6.1
2be8.2a50:     SizeOfImage:     0x1a9000 (1740800)
2be8.2a50:     Resource Dir:    0x151000 LB 0x560d8
2be8.2a50:     ProductName:     Microsoft® Windows® Operating System
2be8.2a50:     ProductVersion:  6.1.7601.18247
2be8.2a50:     FileVersion:     6.1.7601.18247 (win7sp1_gdr.130828-1532)
2be8.2a50:     FileDescription: NT Layer DLL
2be8.2a50: \SystemRoot\System32\kernel32.dll:
2be8.2a50:     CreationTime:    2014-04-16T05:04:33.563177300Z
2be8.2a50:     LastWriteTime:   2014-03-04T09:44:00.336000000Z
2be8.2a50:     ChangeTime:      2014-04-16T05:24:46.753957400Z
2be8.2a50:     FileAttributes:  0x20
2be8.2a50:     Size:            0x11c000
2be8.2a50:     NT Headers:      0xe8
2be8.2a50:     Timestamp:       0x5315a059
2be8.2a50:     Machine:         0x8664 - amd64
2be8.2a50:     Timestamp:       0x5315a059
2be8.2a50:     Image Version:   6.1
2be8.2a50:     SizeOfImage:     0x11f000 (1175552)
2be8.2a50:     Resource Dir:    0x116000 LB 0x528
2be8.2a50:     ProductName:     Microsoft® Windows® Operating System
2be8.2a50:     ProductVersion:  6.1.7601.18409
2be8.2a50:     FileVersion:     6.1.7601.18409 (win7sp1_gdr.140303-2144)
2be8.2a50:     FileDescription: Windows NT BASE API Client DLL
2be8.2a50: \SystemRoot\System32\KernelBase.dll:
2be8.2a50:     CreationTime:    2014-05-19T05:17:31.014644800Z
2be8.2a50:     LastWriteTime:   2014-03-04T09:44:00.336000000Z
2be8.2a50:     ChangeTime:      2014-05-19T05:32:40.719677400Z
2be8.2a50:     FileAttributes:  0x20
2be8.2a50:     Size:            0x67c00
2be8.2a50:     NT Headers:      0xe8
2be8.2a50:     Timestamp:       0x5315a05a
2be8.2a50:     Machine:         0x8664 - amd64
2be8.2a50:     Timestamp:       0x5315a05a
2be8.2a50:     Image Version:   6.1
2be8.2a50:     SizeOfImage:     0x6c000 (442368)
2be8.2a50:     Resource Dir:    0x6a000 LB 0x530
2be8.2a50:     ProductName:     Microsoft® Windows® Operating System
2be8.2a50:     ProductVersion:  6.1.7601.18409
2be8.2a50:     FileVersion:     6.1.7601.18409 (win7sp1_gdr.140303-2144)
2be8.2a50:     FileDescription: Windows NT BASE API Client DLL
2be8.2a50: \SystemRoot\System32\apisetschema.dll:
2be8.2a50:     CreationTime:    2013-09-12T05:14:17.940756300Z
2be8.2a50:     LastWriteTime:   2013-08-02T02:12:20.275000000Z
2be8.2a50:     ChangeTime:      2013-09-12T05:45:38.834941500Z
2be8.2a50:     FileAttributes:  0x20
2be8.2a50:     Size:            0x1a00
2be8.2a50:     NT Headers:      0xc0
2be8.2a50:     Timestamp:       0x51fb15ca
2be8.2a50:     Machine:         0x8664 - amd64
2be8.2a50:     Timestamp:       0x51fb15ca
2be8.2a50:     Image Version:   6.1
2be8.2a50:     SizeOfImage:     0x50000 (327680)
2be8.2a50:     Resource Dir:    0x30000 LB 0x3f8
2be8.2a50:     ProductName:     Microsoft® Windows® Operating System
2be8.2a50:     ProductVersion:  6.1.7601.18229
2be8.2a50:     FileVersion:     6.1.7601.18229 (win7sp1_gdr.130801-1533)
2be8.2a50:     FileDescription: ApiSet Schema DLL
2be8.2a50: Found driver SysPlant (0x1)
2be8.2a50: Found driver SymNetS (0x2)
2be8.2a50: Found driver SRTSPX (0x2)
2be8.2a50: Found driver SymEvent (0x2)
2be8.2a50: Found driver SymIRON (0x2)
2be8.2a50: supR3HardenedWinFindAdversaries: 0x3
2be8.2a50: \SystemRoot\System32\drivers\SysPlant.sys:
2be8.2a50:     CreationTime:    2015-02-12T15:13:16.924536700Z
2be8.2a50:     LastWriteTime:   2015-02-12T15:13:16.928536700Z
2be8.2a50:     ChangeTime:      2015-02-12T15:13:16.928536700Z
2be8.2a50:     FileAttributes:  0x20
2be8.2a50:     Size:            0x26f40
2be8.2a50:     NT Headers:      0x100
2be8.2a50:     Timestamp:       0x5413cb4e
2be8.2a50:     Machine:         0x8664 - amd64
2be8.2a50:     Timestamp:       0x5413cb4e
2be8.2a50:     Image Version:   5.0
2be8.2a50:     SizeOfImage:     0x2d000 (184320)
2be8.2a50:     Resource Dir:    0x2b000 LB 0x498
2be8.2a50:     ProductName:     Symantec CMC Firewall
2be8.2a50:     ProductVersion:  12.1.5337.5000
2be8.2a50:     FileVersion:     12.1.5337.5000
2be8.2a50:     FileDescription: Symantec CMC Firewall SysPlant
2be8.2a50: \SystemRoot\System32\sysfer.dll:
2be8.2a50:     CreationTime:    2015-02-12T15:13:16.788536700Z
2be8.2a50:     LastWriteTime:   2015-02-12T15:13:16.792536700Z
2be8.2a50:     ChangeTime:      2015-02-12T15:13:16.792536700Z
2be8.2a50:     FileAttributes:  0x20
2be8.2a50:     Size:            0x70f60
2be8.2a50:     NT Headers:      0xe8
2be8.2a50:     Timestamp:       0x5413cb55
2be8.2a50:     Machine:         0x8664 - amd64
2be8.2a50:     Timestamp:       0x5413cb55
2be8.2a50:     Image Version:   0.0
2be8.2a50:     SizeOfImage:     0x88000 (557056)
2be8.2a50:     Resource Dir:    0x86000 LB 0x630
2be8.2a50:     ProductName:     Symantec CMC Firewall
2be8.2a50:     ProductVersion:  12.1.5337.5000
2be8.2a50:     FileVersion:     12.1.5337.5000
2be8.2a50:     FileDescription: Symantec CMC Firewall sysfer
2be8.2a50: \SystemRoot\System32\drivers\symevent64x86.sys:
2be8.2a50:     CreationTime:    2015-02-12T15:17:09.408536700Z
2be8.2a50:     LastWriteTime:   2015-02-12T15:17:09.057536700Z
2be8.2a50:     ChangeTime:      2015-02-12T15:17:09.057536700Z
2be8.2a50:     FileAttributes:  0x20
2be8.2a50:     Size:            0x2b658
2be8.2a50:     NT Headers:      0xe8
2be8.2a50:     Timestamp:       0x51f32ff2
2be8.2a50:     Machine:         0x8664 - amd64
2be8.2a50:     Timestamp:       0x51f32ff2
2be8.2a50:     Image Version:   6.0
2be8.2a50:     SizeOfImage:     0x38000 (229376)
2be8.2a50:     Resource Dir:    0x36000 LB 0x3c8
2be8.2a50:     ProductName:     SYMEVENT
2be8.2a50:     ProductVersion:  12.9.5.2
2be8.2a50:     FileVersion:     12.9.5.2
2be8.2a50:     FileDescription: Symantec Event Library
2be8.2a50: Calling main()
2be8.2a50: SUPR3HardenedMain: pszProgName=VirtualBox fFlags=0x2
2be8.2a50: '\Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBox.exe' has no imports
2be8.2a50: supHardenedWinVerifyImageByHandle: -> 0 (\Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBox.exe)
2be8.2a50: SUPR3HardenedMain: Final process, opening VBoxDrv...
2be8.2a50: supR3HardenedEarlyCompact: Removed heap 1 (0x000000002d0000 LB 0x400000)
2be8.2a50: supR3HardNtEnableThreadCreation:
2be8.2a50: supHardenedWinVerifyImageByHandle: -> 22900 (\Device\HarddiskVolume2\Windows\System32\apphelp.dll)
2be8.2a50: supR3HardenedWinVerifyCacheInsert: \Device\HarddiskVolume2\Windows\System32\apphelp.dll
2be8.2a50: supR3HardenedMonitor_LdrLoadDll: pName=C:\Windows\system32\apphelp.dll (rcNtResolve=0xc0150008) *pfFlags=0xffffffff pwszSearchPath=0000000000000000:<flags> [calling]
2be8.2a50: supR3HardenedScreenImage/NtCreateSection: cache hit (Unknown Status 22900 (0x5974)) on \Device\HarddiskVolume2\Windows\System32\apphelp.dll [lacks WinVerifyTrust]
2be8.2a50: supR3HardenedDllNotificationCallback: load   000007fefc8f0000 LB 0x00057000 C:\Windows\system32\apphelp.dll [fFlags=0x0]
2be8.2a50: supR3HardenedScreenImage/LdrLoadDll: cache hit (Unknown Status 22900 (0x5974)) on \Device\HarddiskVolume2\Windows\System32\apphelp.dll [lacks WinVerifyTrust]
2be8.2a50: supR3HardenedMonitor_LdrLoadDll: returns rcNt=0x0 hMod=000007fefc8f0000 'C:\Windows\system32\apphelp.dll'
1b64.2a9c: supR3HardNtChildWaitFor[2]: Quitting: ExitCode=0xc0000005 (rcNtWait=0x0, rcNt1=0x0, rcNt2=0x103, rcNt3=0x103, 1886 ms, the end);
2b2c.20e8: supR3HardNtChildWaitFor[1]: Quitting: ExitCode=0xc0000005 (rcNtWait=0x0, rcNt1=0x0, rcNt2=0x103, rcNt3=0x103, 3041 ms, the end);