2b2c.20e8: Log file opened: 4.3.24r98716 g_hStartupLog=0000000000000028 g_uNtVerCombined=0x611db110
2b2c.20e8: \SystemRoot\System32\ntdll.dll:
2b2c.20e8: CreationTime: 2013-11-15T07:43:29.515072300Z
2b2c.20e8: LastWriteTime: 2013-08-29T02:16:35.515578900Z
2b2c.20e8: ChangeTime: 2013-11-15T10:28:25.401792300Z
2b2c.20e8: FileAttributes: 0x20
2b2c.20e8: Size: 0x1a6dc0
2b2c.20e8: NT Headers: 0xe0
2b2c.20e8: Timestamp: 0x521eaf24
2b2c.20e8: Machine: 0x8664 - amd64
2b2c.20e8: Timestamp: 0x521eaf24
2b2c.20e8: Image Version: 6.1
2b2c.20e8: SizeOfImage: 0x1a9000 (1740800)
2b2c.20e8: Resource Dir: 0x151000 LB 0x560d8
2b2c.20e8: ProductName: Microsoft® Windows® Operating System
2b2c.20e8: ProductVersion: 6.1.7601.18247
2b2c.20e8: FileVersion: 6.1.7601.18247 (win7sp1_gdr.130828-1532)
2b2c.20e8: FileDescription: NT Layer DLL
2b2c.20e8: \SystemRoot\System32\kernel32.dll:
2b2c.20e8: CreationTime: 2014-04-16T05:04:33.563177300Z
2b2c.20e8: LastWriteTime: 2014-03-04T09:44:00.336000000Z
2b2c.20e8: ChangeTime: 2014-04-16T05:24:46.753957400Z
2b2c.20e8: FileAttributes: 0x20
2b2c.20e8: Size: 0x11c000
2b2c.20e8: NT Headers: 0xe8
2b2c.20e8: Timestamp: 0x5315a059
2b2c.20e8: Machine: 0x8664 - amd64
2b2c.20e8: Timestamp: 0x5315a059
2b2c.20e8: Image Version: 6.1
2b2c.20e8: SizeOfImage: 0x11f000 (1175552)
2b2c.20e8: Resource Dir: 0x116000 LB 0x528
2b2c.20e8: ProductName: Microsoft® Windows® Operating System
2b2c.20e8: ProductVersion: 6.1.7601.18409
2b2c.20e8: FileVersion: 6.1.7601.18409 (win7sp1_gdr.140303-2144)
2b2c.20e8: FileDescription: Windows NT BASE API Client DLL
2b2c.20e8: \SystemRoot\System32\KernelBase.dll:
2b2c.20e8: CreationTime: 2014-05-19T05:17:31.014644800Z
2b2c.20e8: LastWriteTime: 2014-03-04T09:44:00.336000000Z
2b2c.20e8: ChangeTime: 2014-05-19T05:32:40.719677400Z
2b2c.20e8: FileAttributes: 0x20
2b2c.20e8: Size: 0x67c00
2b2c.20e8: NT Headers: 0xe8
2b2c.20e8: Timestamp: 0x5315a05a
2b2c.20e8: Machine: 0x8664 - amd64
2b2c.20e8: Timestamp: 0x5315a05a
2b2c.20e8: Image Version: 6.1
2b2c.20e8: SizeOfImage: 0x6c000 (442368)
2b2c.20e8: Resource Dir: 0x6a000 LB 0x530
2b2c.20e8: ProductName: Microsoft® Windows® Operating System
2b2c.20e8: ProductVersion: 6.1.7601.18409
2b2c.20e8: FileVersion: 6.1.7601.18409 (win7sp1_gdr.140303-2144)
2b2c.20e8: FileDescription: Windows NT BASE API Client DLL
2b2c.20e8: \SystemRoot\System32\apisetschema.dll:
2b2c.20e8: CreationTime: 2013-09-12T05:14:17.940756300Z
2b2c.20e8: LastWriteTime: 2013-08-02T02:12:20.275000000Z
2b2c.20e8: ChangeTime: 2013-09-12T05:45:38.834941500Z
2b2c.20e8: FileAttributes: 0x20
2b2c.20e8: Size: 0x1a00
2b2c.20e8: NT Headers: 0xc0
2b2c.20e8: Timestamp: 0x51fb15ca
2b2c.20e8: Machine: 0x8664 - amd64
2b2c.20e8: Timestamp: 0x51fb15ca
2b2c.20e8: Image Version: 6.1
2b2c.20e8: SizeOfImage: 0x50000 (327680)
2b2c.20e8: Resource Dir: 0x30000 LB 0x3f8
2b2c.20e8: ProductName: Microsoft® Windows® Operating System
2b2c.20e8: ProductVersion: 6.1.7601.18229
2b2c.20e8: FileVersion: 6.1.7601.18229 (win7sp1_gdr.130801-1533)
2b2c.20e8: FileDescription: ApiSet Schema DLL
2b2c.20e8: Found driver SysPlant (0x1)
2b2c.20e8: Found driver SymNetS (0x2)
2b2c.20e8: Found driver SRTSPX (0x2)
2b2c.20e8: Found driver SymEvent (0x2)
2b2c.20e8: Found driver SymIRON (0x2)
2b2c.20e8: supR3HardenedWinFindAdversaries: 0x3
2b2c.20e8: \SystemRoot\System32\drivers\SysPlant.sys:
2b2c.20e8: CreationTime: 2015-02-12T15:13:16.924536700Z
2b2c.20e8: LastWriteTime: 2015-02-12T15:13:16.928536700Z
2b2c.20e8: ChangeTime: 2015-02-12T15:13:16.928536700Z
2b2c.20e8: FileAttributes: 0x20
2b2c.20e8: Size: 0x26f40
2b2c.20e8: NT Headers: 0x100
2b2c.20e8: Timestamp: 0x5413cb4e
2b2c.20e8: Machine: 0x8664 - amd64
2b2c.20e8: Timestamp: 0x5413cb4e
2b2c.20e8: Image Version: 5.0
2b2c.20e8: SizeOfImage: 0x2d000 (184320)
2b2c.20e8: Resource Dir: 0x2b000 LB 0x498
2b2c.20e8: ProductName: Symantec CMC Firewall
2b2c.20e8: ProductVersion: 12.1.5337.5000
2b2c.20e8: FileVersion: 12.1.5337.5000
2b2c.20e8: FileDescription: Symantec CMC Firewall SysPlant
2b2c.20e8: \SystemRoot\System32\sysfer.dll:
2b2c.20e8: CreationTime: 2015-02-12T15:13:16.788536700Z
2b2c.20e8: LastWriteTime: 2015-02-12T15:13:16.792536700Z
2b2c.20e8: ChangeTime: 2015-02-12T15:13:16.792536700Z
2b2c.20e8: FileAttributes: 0x20
2b2c.20e8: Size: 0x70f60
2b2c.20e8: NT Headers: 0xe8
2b2c.20e8: Timestamp: 0x5413cb55
2b2c.20e8: Machine: 0x8664 - amd64
2b2c.20e8: Timestamp: 0x5413cb55
2b2c.20e8: Image Version: 0.0
2b2c.20e8: SizeOfImage: 0x88000 (557056)
2b2c.20e8: Resource Dir: 0x86000 LB 0x630
2b2c.20e8: ProductName: Symantec CMC Firewall
2b2c.20e8: ProductVersion: 12.1.5337.5000
2b2c.20e8: FileVersion: 12.1.5337.5000
2b2c.20e8: FileDescription: Symantec CMC Firewall sysfer
2b2c.20e8: \SystemRoot\System32\drivers\symevent64x86.sys:
2b2c.20e8: CreationTime: 2015-02-12T15:17:09.408536700Z
2b2c.20e8: LastWriteTime: 2015-02-12T15:17:09.057536700Z
2b2c.20e8: ChangeTime: 2015-02-12T15:17:09.057536700Z
2b2c.20e8: FileAttributes: 0x20
2b2c.20e8: Size: 0x2b658
2b2c.20e8: NT Headers: 0xe8
2b2c.20e8: Timestamp: 0x51f32ff2
2b2c.20e8: Machine: 0x8664 - amd64
2b2c.20e8: Timestamp: 0x51f32ff2
2b2c.20e8: Image Version: 6.0
2b2c.20e8: SizeOfImage: 0x38000 (229376)
2b2c.20e8: Resource Dir: 0x36000 LB 0x3c8
2b2c.20e8: ProductName: SYMEVENT
2b2c.20e8: ProductVersion: 12.9.5.2
2b2c.20e8: FileVersion: 12.9.5.2
2b2c.20e8: FileDescription: Symantec Event Library
2b2c.20e8: Calling main()
2b2c.20e8: SUPR3HardenedMain: pszProgName=VirtualBox fFlags=0x2
2b2c.20e8: SUPR3HardenedMain: Respawn #1
2b2c.20e8: System32: \Device\HarddiskVolume2\Windows\System32
2b2c.20e8: WinSxS: \Device\HarddiskVolume2\Windows\winsxs
2b2c.20e8: KnownDllPath: C:\Windows\system32
2b2c.20e8: '\Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBox.exe' has no imports
2b2c.20e8: supHardenedWinVerifyImageByHandle: -> 0 (\Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBox.exe)
2b2c.20e8: supR3HardNtEnableThreadCreation:
2b2c.20e8: supR3HardNtDisableThreadCreation: pvLdrInitThunk=0000000076d5c340 pvNtTerminateThread=0000000076d817e0
2b2c.20e8: supR3HardenedWinDoReSpawn(1): New child 1b64.2a9c [kernel32].
2b2c.20e8: supR3HardNtChildGatherData: PebBaseAddress=000007fffffdf000 cbPeb=0x380
2b2c.20e8: supR3HardNtPuChFindNtdll: uNtDllParentAddr=0000000076d30000 uNtDllChildAddr=0000000076d30000
2b2c.20e8: supR3HardenedWinSetupChildInit: uLdrInitThunk=0000000076d5c340
2b2c.20e8: supR3HardenedWinSetupChildInit: Start child.
2b2c.20e8: supR3HardNtChildWaitFor: Found expected request 0 (PurifyChildAndCloseHandles) after 10 ms.
2b2c.20e8: supR3HardNtChildPurify: Startup delay kludge #1/0: 513 ms, 64 sleeps
2b2c.20e8: supHardNtVpScanVirtualMemory: enmKind=CHILD_PURIFICATION
2b2c.20e8: *0000000000000000-fffffffffffeffff 0x0001/0x0000 0x0000000
2b2c.20e8: *0000000000010000-fffffffffffeffff 0x0004/0x0004 0x0020000
2b2c.20e8: *0000000000030000-000000000002bfff 0x0002/0x0002 0x0040000
2b2c.20e8: 0000000000034000-0000000000027fff 0x0001/0x0000 0x0000000
2b2c.20e8: *0000000000040000-000000000003efff 0x0004/0x0004 0x0020000
2b2c.20e8: 0000000000041000-fffffffffffe1fff 0x0001/0x0000 0x0000000
2b2c.20e8: *00000000000a0000-fffffffffffa3fff 0x0000/0x0004 0x0020000
2b2c.20e8: 000000000019c000-0000000000198fff 0x0104/0x0004 0x0020000
2b2c.20e8: 000000000019f000-000000000019dfff 0x0004/0x0004 0x0020000
2b2c.20e8: 00000000001a0000-ffffffff8960ffff 0x0001/0x0000 0x0000000
2b2c.20e8: *0000000076d30000-0000000076d2efff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll
2b2c.20e8: 0000000076d31000-0000000076c2efff 0x0020/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll
2b2c.20e8: 0000000076e33000-0000000076e03fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll
2b2c.20e8: 0000000076e62000-0000000076e59fff 0x0008/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll
2b2c.20e8: 0000000076e6a000-0000000076e68fff 0x0004/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll
2b2c.20e8: 0000000076e6b000-0000000076e67fff 0x0008/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll
2b2c.20e8: 0000000076e6e000-0000000076e02fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll
2b2c.20e8: 0000000076ed9000-000000006edd1fff 0x0001/0x0000 0x0000000
2b2c.20e8: *000000007efe0000-000000007dfdffff 0x0000/0x0002 0x0020000
2b2c.20e8: *000000007ffe0000-000000007ffdefff 0x0002/0x0002 0x0020000
2b2c.20e8: 000000007ffe1000-000000007ffd1fff 0x0000/0x0002 0x0020000
2b2c.20e8: 000000007fff0000-000000007ffcffff 0x0001/0x0000 0x0000000
2b2c.20e8: *0000000080010000-000000008000efff 0x0040/0x0040 0x0020000 !!
2b2c.20e8: supHardNtVpScanVirtualMemory: Freeing exec mem at 0000000080010000 (0000000080010000 LB 0x1000)
2b2c.20e8: 0000000080011000-ffffffffc0431fff 0x0001/0x0000 0x0000000
2b2c.20e8: *000000013fbf0000-000000013fbeefff 0x0040/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBox.exe
2b2c.20e8: 000000013fbf1000-000000013fb6cfff 0x0020/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBox.exe
2b2c.20e8: 000000013fc75000-000000013fc73fff 0x0080/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBox.exe
2b2c.20e8: 000000013fc76000-000000013fc38fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBox.exe
2b2c.20e8: 000000013fcb3000-000000013fcb1fff 0x0004/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBox.exe
2b2c.20e8: 000000013fcb4000-000000013fcb2fff 0x0008/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBox.exe
2b2c.20e8: 000000013fcb5000-000000013fcb2fff 0x0004/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBox.exe
2b2c.20e8: 000000013fcb7000-000000013fcb5fff 0x0008/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBox.exe
2b2c.20e8: 000000013fcb8000-000000013fcb6fff 0x0004/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBox.exe
2b2c.20e8: 000000013fcb9000-000000013fcb4fff 0x0008/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBox.exe
2b2c.20e8: 000000013fcbd000-000000013fc83fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBox.exe
2b2c.20e8: 000000013fcf6000-000000013fcebfff 0x0001/0x0000 0x0000000
2b2c.20e8: *000000013fd00000-000000013fcfefff 0x0040/0x0040 0x0020000 !!
2b2c.20e8: supHardNtVpScanVirtualMemory: Freeing exec mem at 000000013fd00000 (000000013fd00000 LB 0x1000)
2b2c.20e8: 000000013fd01000-00000000ffa01fff 0x0001/0x0000 0x0000000
2b2c.20e8: *0000000180000000-000000017fffefff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files (x86)\DeviceLock\DeviceLock Agent\DLDrvUserMode64.dll
2b2c.20e8: supHardNtVpScanVirtualMemory: Unmapping image mem at 0000000180000000 (0000000180000000 LB 0x1000) - 'DLDrvUserMode64.dll'
2b2c.20e8: 0000000180001000-000000017fff1fff 0x0001/0x0000 0x0000000
2b2c.20e8: *0000000180010000-000000018000efff 0x0040/0x0040 0x0020000 !!
2b2c.20e8: supHardNtVpScanVirtualMemory: Freeing exec mem at 0000000180010000 (0000000180010000 LB 0x1000)
2b2c.20e8: 0000000180011000-fffff80400fd1fff 0x0001/0x0000 0x0000000
2b2c.20e8: *000007feff050000-000007feff04efff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\apisetschema.dll
2b2c.20e8: 000007feff051000-000007fdfe0f1fff 0x0001/0x0000 0x0000000
2b2c.20e8: *000007fffffb0000-000007fffff8cfff 0x0002/0x0002 0x0040000
2b2c.20e8: 000007fffffd3000-000007fffffc8fff 0x0001/0x0000 0x0000000
2b2c.20e8: *000007fffffdd000-000007fffffdafff 0x0004/0x0004 0x0020000
2b2c.20e8: *000007fffffdf000-000007fffffddfff 0x0004/0x0004 0x0020000
2b2c.20e8: *000007fffffe0000-000007fffffcffff 0x0001/0x0002 0x0020000
2b2c.20e8: apisetschema.dll: timestamp 0x51fb15ca (rc=VINF_SUCCESS)
2b2c.20e8: VirtualBox.exe: timestamp 0x54f47197 (rc=VINF_SUCCESS)
2b2c.20e8: '\Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBox.exe' has no imports
2b2c.20e8: VirtualBox.exe: Differences in section #0 (headers) between file and memory:
2b2c.20e8: 000000013fbf016a / 0x000016a: 00 != 11
2b2c.20e8: 000000013fbf016c / 0x000016c: 00 != cc
2b2c.20e8: 000000013fbf016d / 0x000016d: 00 != 01
2b2c.20e8: 000000013fbf01c0 / 0x00001c0: 00 != cc
2b2c.20e8: 000000013fbf01c1 / 0x00001c1: 00 != 01
2b2c.20e8: 000000013fbf01c2 / 0x00001c2: 00 != 11
2b2c.20e8: 000000013fbf01c4 / 0x00001c4: 00 != 20
2b2c.20e8: Restored 0x400 bytes of original file content at 000000013fbf0000
2b2c.20e8: '\Device\HarddiskVolume2\Windows\System32\apisetschema.dll' has no imports
2b2c.20e8: '\Device\HarddiskVolume2\Windows\System32\ntdll.dll' has no imports
2b2c.20e8: ntdll.dll: Differences in section #1 (.text) between file and memory:
2b2c.20e8: 0000000076d48610 / 0x0018610: 48 != e9
2b2c.20e8: 0000000076d48611 / 0x0018611: 89 != 68
2b2c.20e8: 0000000076d48612 / 0x0018612: 54 != 7e
2b2c.20e8: 0000000076d48613 / 0x0018613: 24 != 2c
2b2c.20e8: 0000000076d48614 / 0x0018614: 10 != 09
2b2c.20e8: Restored 0x2000 bytes of original file content at 0000000076d47000
2b2c.20e8: ntdll.dll: Differences in section #1 (.text) between file and memory:
2b2c.20e8: 0000000076d49580 / 0x0019580: ff != e9
2b2c.20e8: 0000000076d49581 / 0x0019581: f5 != db
2b2c.20e8: 0000000076d49582 / 0x0019582: 41 != 6d
2b2c.20e8: 0000000076d49583 / 0x0019583: 54 != 2c
2b2c.20e8: 0000000076d49584 / 0x0019584: 41 != 09
2b2c.20e8: 0000000076d49585 / 0x0019585: 55 != 90
2b2c.20e8: Restored 0x2000 bytes of original file content at 0000000076d49000
2b2c.20e8: ntdll.dll: Differences in section #1 (.text) between file and memory:
2b2c.20e8: 0000000076d57ac0 / 0x0027ac0: 48 != e9
2b2c.20e8: 0000000076d57ac1 / 0x0027ac1: 89 != 62
2b2c.20e8: 0000000076d57ac2 / 0x0027ac2: 5c != 8b
2b2c.20e8: 0000000076d57ac3 / 0x0027ac3: 24 != 2b
2b2c.20e8: 0000000076d57ac4 / 0x0027ac4: 10 != 09
2b2c.20e8: Restored 0x2000 bytes of original file content at 0000000076d57000
2b2c.20e8: ntdll.dll: Differences in section #1 (.text) between file and memory:
2b2c.20e8: 0000000076d81222 / 0x0051222: 48 != e9
2b2c.20e8: 0000000076d81223 / 0x0051223: 85 != e3
2b2c.20e8: 0000000076d81224 / 0x0051224: c0 != f2
2b2c.20e8: 0000000076d81225 / 0x0051225: 74 != 28
2b2c.20e8: 0000000076d81226 / 0x0051226: 0f != 09
2b2c.20e8: 0000000076d81430 / 0x0051430: 4c != e9
2b2c.20e8: 0000000076d81431 / 0x0051431: 8b != 7b
2b2c.20e8: 0000000076d81432 / 0x0051432: d1 != ed
2b2c.20e8: 0000000076d81433 / 0x0051433: b8 != 28
2b2c.20e8: 0000000076d81434 / 0x0051434: 15 != 09
2b2c.20e8: 0000000076d81435 / 0x0051435: 00 != 90
2b2c.20e8: 0000000076d81436 / 0x0051436: 00 != 90
2b2c.20e8: 0000000076d81437 / 0x0051437: 00 != 90
2b2c.20e8: 0000000076d81530 / 0x0051530: 4c != e9
2b2c.20e8: 0000000076d81531 / 0x0051531: 8b != cb
2b2c.20e8: 0000000076d81532 / 0x0051532: d1 != ea
2b2c.20e8: 0000000076d81533 / 0x0051533: b8 != 28
2b2c.20e8: 0000000076d81534 / 0x0051534: 25 != 09
2b2c.20e8: 0000000076d81535 / 0x0051535: 00 != 90
2b2c.20e8: 0000000076d81536 / 0x0051536: 00 != 90
2b2c.20e8: 0000000076d81537 / 0x0051537: 00 != 90
2b2c.20e8: 0000000076d81550 / 0x0051550: 4c != e9
2b2c.20e8: 0000000076d81551 / 0x0051551: 8b != 7b
2b2c.20e8: 0000000076d81552 / 0x0051552: d1 != ed
2b2c.20e8: 0000000076d81553 / 0x0051553: b8 != 28
2b2c.20e8: 0000000076d81554 / 0x0051554: 27 != 09
2b2c.20e8: 0000000076d81555 / 0x0051555: 00 != 90
2b2c.20e8: 0000000076d81556 / 0x0051556: 00 != 90
2b2c.20e8: 0000000076d81557 / 0x0051557: 00 != 90
2b2c.20e8: 0000000076d81650 / 0x0051650: 4c != e9
2b2c.20e8: 0000000076d81651 / 0x0051651: 8b != eb
2b2c.20e8: 0000000076d81652 / 0x0051652: d1 != eb
2b2c.20e8: 0000000076d81653 / 0x0051653: b8 != 28
2b2c.20e8: 0000000076d81654 / 0x0051654: 37 != 09
2b2c.20e8: 0000000076d81655 / 0x0051655: 00 != 90
2b2c.20e8: 0000000076d81656 / 0x0051656: 00 != 90
2b2c.20e8: 0000000076d81657 / 0x0051657: 00 != 90
2b2c.20e8: 0000000076d81750 / 0x0051750: 4c != e9
2b2c.20e8: 0000000076d81751 / 0x0051751: 8b != 3b
2b2c.20e8: 0000000076d81752 / 0x0051752: d1 != e9
2b2c.20e8: 0000000076d81753 / 0x0051753: b8 != 28
2b2c.20e8: 0000000076d81754 / 0x0051754: 47 != 09
2b2c.20e8: 0000000076d81755 / 0x0051755: 00 != 90
2b2c.20e8: 0000000076d81756 / 0x0051756: 00 != 90
2b2c.20e8: 0000000076d81757 / 0x0051757: 00 != 90
2b2c.20e8: 0000000076d817b0 / 0x00517b0: 4c != e9
2b2c.20e8: 0000000076d817b1 / 0x00517b1: 8b != 6b
2b2c.20e8: 0000000076d817b2 / 0x00517b2: d1 != e9
2b2c.20e8: 0000000076d817b3 / 0x00517b3: b8 != 28
2b2c.20e8: 0000000076d817b4 / 0x00517b4: 4d != 09
2b2c.20e8: 0000000076d817b5 / 0x00517b5: 00 != 90
2b2c.20e8: 0000000076d817b6 / 0x00517b6: 00 != 90
2b2c.20e8: 0000000076d817b7 / 0x00517b7: 00 != 90
2b2c.20e8: 0000000076d820a0 / 0x00520a0: 4c != e9
2b2c.20e8: 0000000076d820a1 / 0x00520a1: 8b != f2
2b2c.20e8: 0000000076d820a2 / 0x00520a2: d1 != e4
2b2c.20e8: 0000000076d820a3 / 0x00520a3: b8 != 28
2b2c.20e8: 0000000076d820a4 / 0x00520a4: dc != 09
2b2c.20e8: 0000000076d820a5 / 0x00520a5: 00 != 90
2b2c.20e8: 0000000076d820a6 / 0x00520a6: 00 != 90
2b2c.20e8: 0000000076d820a7 / 0x00520a7: 00 != 90
2b2c.20e8: Restored 0x2000 bytes of original file content at 0000000076d8034e
2b2c.20e8: ntdll.dll: Differences in section #1 (.text) between file and memory:
2b2c.20e8: 0000000076dfe030 / 0x00ce030: 48 != e9
2b2c.20e8: 0000000076dfe031 / 0x00ce031: 81 != b9
2b2c.20e8: 0000000076dfe032 / 0x00ce032: ec != 23
2b2c.20e8: 0000000076dfe033 / 0x00ce033: 08 != 21
2b2c.20e8: 0000000076dfe034 / 0x00ce034: 05 != 09
2b2c.20e8: 0000000076dfe035 / 0x00ce035: 00 != 90
2b2c.20e8: 0000000076dfe036 / 0x00ce036: 00 != 90
2b2c.20e8: Restored 0x2000 bytes of original file content at 0000000076dfc34e
2b2c.20e8: supR3HardNtChildPurify: cFixes=9 g_fSupAdversaries=0x3 cPatchCount=0
2b2c.20e8: supR3HardNtChildPurify: Startup delay kludge #1/1: 520 ms, 65 sleeps
2b2c.20e8: supHardNtVpScanVirtualMemory: enmKind=CHILD_PURIFICATION
2b2c.20e8: *0000000000000000-fffffffffffeffff 0x0001/0x0000 0x0000000
2b2c.20e8: *0000000000010000-fffffffffffeffff 0x0004/0x0004 0x0020000
2b2c.20e8: *0000000000030000-000000000002bfff 0x0002/0x0002 0x0040000
2b2c.20e8: 0000000000034000-0000000000027fff 0x0001/0x0000 0x0000000
2b2c.20e8: *0000000000040000-000000000003efff 0x0004/0x0004 0x0020000
2b2c.20e8: 0000000000041000-fffffffffffe1fff 0x0001/0x0000 0x0000000
2b2c.20e8: *00000000000a0000-fffffffffffa3fff 0x0000/0x0004 0x0020000
2b2c.20e8: 000000000019c000-0000000000198fff 0x0104/0x0004 0x0020000
2b2c.20e8: 000000000019f000-000000000019dfff 0x0004/0x0004 0x0020000
2b2c.20e8: 00000000001a0000-ffffffff8960ffff 0x0001/0x0000 0x0000000
2b2c.20e8: *0000000076d30000-0000000076d2efff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll
2b2c.20e8: 0000000076d31000-0000000076c2efff 0x0020/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll
2b2c.20e8: 0000000076e33000-0000000076e03fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll
2b2c.20e8: 0000000076e62000-0000000076e59fff 0x0008/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll
2b2c.20e8: 0000000076e6a000-0000000076e68fff 0x0004/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll
2b2c.20e8: 0000000076e6b000-0000000076e69fff 0x0008/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll
2b2c.20e8: 0000000076e6c000-0000000076e69fff 0x0004/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll
2b2c.20e8: 0000000076e6e000-0000000076e02fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll
2b2c.20e8: 0000000076ed9000-000000006edd1fff 0x0001/0x0000 0x0000000
2b2c.20e8: *000000007efe0000-000000007dfdffff 0x0000/0x0002 0x0020000
2b2c.20e8: *000000007ffe0000-000000007ffdefff 0x0002/0x0002 0x0020000
2b2c.20e8: 000000007ffe1000-000000007ffd1fff 0x0000/0x0002 0x0020000
2b2c.20e8: 000000007fff0000-ffffffffc03effff 0x0001/0x0000 0x0000000
2b2c.20e8: *000000013fbf0000-000000013fbeefff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBox.exe
2b2c.20e8: 000000013fbf1000-000000013fb6cfff 0x0020/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBox.exe
2b2c.20e8: 000000013fc75000-000000013fc73fff 0x0040/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBox.exe
2b2c.20e8: 000000013fc76000-000000013fc38fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBox.exe
2b2c.20e8: 000000013fcb3000-000000013fca8fff 0x0004/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBox.exe
2b2c.20e8: 000000013fcbd000-000000013fc83fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBox.exe
2b2c.20e8: 000000013fcf6000-fffff8038099bfff 0x0001/0x0000 0x0000000
2b2c.20e8: *000007feff050000-000007feff04efff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\apisetschema.dll
2b2c.20e8: 000007feff051000-000007fdfe0f1fff 0x0001/0x0000 0x0000000
2b2c.20e8: *000007fffffb0000-000007fffff8cfff 0x0002/0x0002 0x0040000
2b2c.20e8: 000007fffffd3000-000007fffffc8fff 0x0001/0x0000 0x0000000
2b2c.20e8: *000007fffffdd000-000007fffffdafff 0x0004/0x0004 0x0020000
2b2c.20e8: *000007fffffdf000-000007fffffddfff 0x0004/0x0004 0x0020000
2b2c.20e8: *000007fffffe0000-000007fffffcffff 0x0001/0x0002 0x0020000
2b2c.20e8: supR3HardNtChildPurify: Done after 1070 ms and 9 fixes (loop #1).
2b2c.20e8: supR3HardNtEnableThreadCreation:
1b64.2a9c: Log file opened: 4.3.24r98716 g_hStartupLog=0000000000000004 g_uNtVerCombined=0x611db110
1b64.2a9c: supR3HardenedVmProcessInit: uNtDllAddr=0000000076d30000
1b64.2a9c: ntdll.dll: timestamp 0x521eaf24 (rc=VINF_SUCCESS)
1b64.2a9c: New simple heap: #1 00000000002a0000 LB 0x400000 (for 1740800 allocation)
1b64.2a9c: System32: \Device\HarddiskVolume2\Windows\System32
1b64.2a9c: WinSxS: \Device\HarddiskVolume2\Windows\winsxs
1b64.2a9c: KnownDllPath: C:\Windows\system32
1b64.2a9c: supR3HardenedVmProcessInit: Opening vboxdrv stub...
1b64.2a9c: supR3HardenedVmProcessInit: Restoring LdrInitializeThunk...
1b64.2a9c: supR3HardenedVmProcessInit: Returning to LdrInitializeThunk...
1b64.2a9c: Registered Dll notification callback with NTDLL.
1b64.2a9c: supHardenedWinVerifyImageByHandle: -> 22900 (\Device\HarddiskVolume2\Windows\System32\kernel32.dll)
1b64.2a9c: supR3HardenedWinVerifyCacheInsert: \Device\HarddiskVolume2\Windows\System32\kernel32.dll
1b64.2a9c: supR3HardenedMonitor_LdrLoadDll: pName=C:\Windows\system32\kernel32.dll (Input=kernel32.dll, rcNtResolve=0xc0150008) *pfFlags=0xffffffff pwszSearchPath=0000000000000000: [calling]
1b64.2a9c: supR3HardenedScreenImage/NtCreateSection: cache hit (Unknown Status 22900 (0x5974)) on \Device\HarddiskVolume2\Windows\System32\kernel32.dll [lacks WinVerifyTrust]
1b64.2a9c: supR3HardenedDllNotificationCallback: load 0000000076b10000 LB 0x0011f000 C:\Windows\system32\kernel32.dll [fFlags=0x0]
1b64.2a9c: supR3HardenedScreenImage/LdrLoadDll: cache hit (Unknown Status 22900 (0x5974)) on \Device\HarddiskVolume2\Windows\System32\kernel32.dll [lacks WinVerifyTrust]
1b64.2a9c: supR3HardenedDllNotificationCallback: load 000007fefcb30000 LB 0x0006c000 C:\Windows\system32\KERNELBASE.dll [fFlags=0x0]
1b64.2a9c: supHardenedWinVerifyImageByHandle: -> 22900 (\Device\HarddiskVolume2\Windows\System32\KernelBase.dll)
1b64.2a9c: supR3HardenedWinVerifyCacheInsert: \Device\HarddiskVolume2\Windows\System32\KernelBase.dll
1b64.2a9c: supR3HardenedMonitor_LdrLoadDll: returns rcNt=0x0 hMod=0000000076b10000 'C:\Windows\system32\kernel32.dll'
1b64.2a9c: supR3HardNtDisableThreadCreation: pvLdrInitThunk=0000000076d5c340 pvNtTerminateThread=0000000076d817e0
2b2c.20e8: supR3HardNtChildWaitFor: Found expected request 1 (CloseEvents) after 39 ms.
1b64.2a9c: \SystemRoot\System32\ntdll.dll:
1b64.2a9c: CreationTime: 2013-11-15T07:43:29.515072300Z
1b64.2a9c: LastWriteTime: 2013-08-29T02:16:35.515578900Z
1b64.2a9c: ChangeTime: 2013-11-15T10:28:25.401792300Z
1b64.2a9c: FileAttributes: 0x20
1b64.2a9c: Size: 0x1a6dc0
1b64.2a9c: NT Headers: 0xe0
1b64.2a9c: Timestamp: 0x521eaf24
1b64.2a9c: Machine: 0x8664 - amd64
1b64.2a9c: Timestamp: 0x521eaf24
1b64.2a9c: Image Version: 6.1
1b64.2a9c: SizeOfImage: 0x1a9000 (1740800)
1b64.2a9c: Resource Dir: 0x151000 LB 0x560d8
1b64.2a9c: ProductName: Microsoft® Windows® Operating System
1b64.2a9c: ProductVersion: 6.1.7601.18247
1b64.2a9c: FileVersion: 6.1.7601.18247 (win7sp1_gdr.130828-1532)
1b64.2a9c: FileDescription: NT Layer DLL
1b64.2a9c: \SystemRoot\System32\kernel32.dll:
1b64.2a9c: CreationTime: 2014-04-16T05:04:33.563177300Z
1b64.2a9c: LastWriteTime: 2014-03-04T09:44:00.336000000Z
1b64.2a9c: ChangeTime: 2014-04-16T05:24:46.753957400Z
1b64.2a9c: FileAttributes: 0x20
1b64.2a9c: Size: 0x11c000
1b64.2a9c: NT Headers: 0xe8
1b64.2a9c: Timestamp: 0x5315a059
1b64.2a9c: Machine: 0x8664 - amd64
1b64.2a9c: Timestamp: 0x5315a059
1b64.2a9c: Image Version: 6.1
1b64.2a9c: SizeOfImage: 0x11f000 (1175552)
1b64.2a9c: Resource Dir: 0x116000 LB 0x528
1b64.2a9c: ProductName: Microsoft® Windows® Operating System
1b64.2a9c: ProductVersion: 6.1.7601.18409
1b64.2a9c: FileVersion: 6.1.7601.18409 (win7sp1_gdr.140303-2144)
1b64.2a9c: FileDescription: Windows NT BASE API Client DLL
1b64.2a9c: \SystemRoot\System32\KernelBase.dll:
1b64.2a9c: CreationTime: 2014-05-19T05:17:31.014644800Z
1b64.2a9c: LastWriteTime: 2014-03-04T09:44:00.336000000Z
1b64.2a9c: ChangeTime: 2014-05-19T05:32:40.719677400Z
1b64.2a9c: FileAttributes: 0x20
1b64.2a9c: Size: 0x67c00
1b64.2a9c: NT Headers: 0xe8
1b64.2a9c: Timestamp: 0x5315a05a
1b64.2a9c: Machine: 0x8664 - amd64
1b64.2a9c: Timestamp: 0x5315a05a
1b64.2a9c: Image Version: 6.1
1b64.2a9c: SizeOfImage: 0x6c000 (442368)
1b64.2a9c: Resource Dir: 0x6a000 LB 0x530
1b64.2a9c: ProductName: Microsoft® Windows® Operating System
1b64.2a9c: ProductVersion: 6.1.7601.18409
1b64.2a9c: FileVersion: 6.1.7601.18409 (win7sp1_gdr.140303-2144)
1b64.2a9c: FileDescription: Windows NT BASE API Client DLL
1b64.2a9c: \SystemRoot\System32\apisetschema.dll:
1b64.2a9c: CreationTime: 2013-09-12T05:14:17.940756300Z
1b64.2a9c: LastWriteTime: 2013-08-02T02:12:20.275000000Z
1b64.2a9c: ChangeTime: 2013-09-12T05:45:38.834941500Z
1b64.2a9c: FileAttributes: 0x20
1b64.2a9c: Size: 0x1a00
1b64.2a9c: NT Headers: 0xc0
1b64.2a9c: Timestamp: 0x51fb15ca
1b64.2a9c: Machine: 0x8664 - amd64
1b64.2a9c: Timestamp: 0x51fb15ca
1b64.2a9c: Image Version: 6.1
1b64.2a9c: SizeOfImage: 0x50000 (327680)
1b64.2a9c: Resource Dir: 0x30000 LB 0x3f8
1b64.2a9c: ProductName: Microsoft® Windows® Operating System
1b64.2a9c: ProductVersion: 6.1.7601.18229
1b64.2a9c: FileVersion: 6.1.7601.18229 (win7sp1_gdr.130801-1533)
1b64.2a9c: FileDescription: ApiSet Schema DLL
1b64.2a9c: Found driver SysPlant (0x1)
1b64.2a9c: Found driver SymNetS (0x2)
1b64.2a9c: Found driver SRTSPX (0x2)
1b64.2a9c: Found driver SymEvent (0x2)
1b64.2a9c: Found driver SymIRON (0x2)
1b64.2a9c: supR3HardenedWinFindAdversaries: 0x3
1b64.2a9c: \SystemRoot\System32\drivers\SysPlant.sys:
1b64.2a9c: CreationTime: 2015-02-12T15:13:16.924536700Z
1b64.2a9c: LastWriteTime: 2015-02-12T15:13:16.928536700Z
1b64.2a9c: ChangeTime: 2015-02-12T15:13:16.928536700Z
1b64.2a9c: FileAttributes: 0x20
1b64.2a9c: Size: 0x26f40
1b64.2a9c: NT Headers: 0x100
1b64.2a9c: Timestamp: 0x5413cb4e
1b64.2a9c: Machine: 0x8664 - amd64
1b64.2a9c: Timestamp: 0x5413cb4e
1b64.2a9c: Image Version: 5.0
1b64.2a9c: SizeOfImage: 0x2d000 (184320)
1b64.2a9c: Resource Dir: 0x2b000 LB 0x498
1b64.2a9c: ProductName: Symantec CMC Firewall
1b64.2a9c: ProductVersion: 12.1.5337.5000
1b64.2a9c: FileVersion: 12.1.5337.5000
1b64.2a9c: FileDescription: Symantec CMC Firewall SysPlant
1b64.2a9c: \SystemRoot\System32\sysfer.dll:
1b64.2a9c: CreationTime: 2015-02-12T15:13:16.788536700Z
1b64.2a9c: LastWriteTime: 2015-02-12T15:13:16.792536700Z
1b64.2a9c: ChangeTime: 2015-02-12T15:13:16.792536700Z
1b64.2a9c: FileAttributes: 0x20
1b64.2a9c: Size: 0x70f60
1b64.2a9c: NT Headers: 0xe8
1b64.2a9c: Timestamp: 0x5413cb55
1b64.2a9c: Machine: 0x8664 - amd64
1b64.2a9c: Timestamp: 0x5413cb55
1b64.2a9c: Image Version: 0.0
1b64.2a9c: SizeOfImage: 0x88000 (557056)
1b64.2a9c: Resource Dir: 0x86000 LB 0x630
1b64.2a9c: ProductName: Symantec CMC Firewall
1b64.2a9c: ProductVersion: 12.1.5337.5000
1b64.2a9c: FileVersion: 12.1.5337.5000
1b64.2a9c: FileDescription: Symantec CMC Firewall sysfer
1b64.2a9c: \SystemRoot\System32\drivers\symevent64x86.sys:
1b64.2a9c: CreationTime: 2015-02-12T15:17:09.408536700Z
1b64.2a9c: LastWriteTime: 2015-02-12T15:17:09.057536700Z
1b64.2a9c: ChangeTime: 2015-02-12T15:17:09.057536700Z
1b64.2a9c: FileAttributes: 0x20
1b64.2a9c: Size: 0x2b658
1b64.2a9c: NT Headers: 0xe8
1b64.2a9c: Timestamp: 0x51f32ff2
1b64.2a9c: Machine: 0x8664 - amd64
1b64.2a9c: Timestamp: 0x51f32ff2
1b64.2a9c: Image Version: 6.0
1b64.2a9c: SizeOfImage: 0x38000 (229376)
1b64.2a9c: Resource Dir: 0x36000 LB 0x3c8
1b64.2a9c: ProductName: SYMEVENT
1b64.2a9c: ProductVersion: 12.9.5.2
1b64.2a9c: FileVersion: 12.9.5.2
1b64.2a9c: FileDescription: Symantec Event Library
1b64.2a9c: Calling main()
1b64.2a9c: SUPR3HardenedMain: pszProgName=VirtualBox fFlags=0x2
1b64.2a9c: '\Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBox.exe' has no imports
1b64.2a9c: supHardenedWinVerifyImageByHandle: -> 0 (\Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBox.exe)
1b64.2a9c: SUPR3HardenedMain: Respawn #2
1b64.2a9c: supR3HardNtEnableThreadCreation:
1b64.2a9c: supHardenedWinVerifyImageByHandle: -> 22900 (\Device\HarddiskVolume2\Windows\System32\apphelp.dll)
1b64.2a9c: supR3HardenedWinVerifyCacheInsert: \Device\HarddiskVolume2\Windows\System32\apphelp.dll
1b64.2a9c: supR3HardenedMonitor_LdrLoadDll: pName=C:\Windows\system32\apphelp.dll (rcNtResolve=0xc0150008) *pfFlags=0xffffffff pwszSearchPath=0000000000000000: [calling]
1b64.2a9c: supR3HardenedScreenImage/NtCreateSection: cache hit (Unknown Status 22900 (0x5974)) on \Device\HarddiskVolume2\Windows\System32\apphelp.dll [lacks WinVerifyTrust]
1b64.2a9c: supR3HardenedDllNotificationCallback: load 000007fefc8f0000 LB 0x00057000 C:\Windows\system32\apphelp.dll [fFlags=0x0]
1b64.2a9c: supR3HardenedScreenImage/LdrLoadDll: cache hit (Unknown Status 22900 (0x5974)) on \Device\HarddiskVolume2\Windows\System32\apphelp.dll [lacks WinVerifyTrust]
1b64.2a9c: supR3HardenedMonitor_LdrLoadDll: returns rcNt=0x0 hMod=000007fefc8f0000 'C:\Windows\system32\apphelp.dll'
1b64.2a9c: supR3HardNtDisableThreadCreation: pvLdrInitThunk=0000000076d5c340 pvNtTerminateThread=0000000076d817e0
1b64.2a9c: supR3HardenedWinDoReSpawn(2): New child 2be8.2a50 [kernel32].
1b64.2a9c: supR3HardNtChildGatherData: PebBaseAddress=000007fffffd6000 cbPeb=0x380
1b64.2a9c: supR3HardNtPuChFindNtdll: uNtDllParentAddr=0000000076d30000 uNtDllChildAddr=0000000076d30000
1b64.2a9c: supR3HardenedWinSetupChildInit: uLdrInitThunk=0000000076d5c340
1b64.2a9c: supR3HardenedWinSetupChildInit: Start child.
1b64.2a9c: supR3HardNtChildWaitFor: Found expected request 0 (PurifyChildAndCloseHandles) after 10 ms.
1b64.2a9c: supR3HardNtChildPurify: Startup delay kludge #1/0: 520 ms, 65 sleeps
1b64.2a9c: supHardNtVpScanVirtualMemory: enmKind=CHILD_PURIFICATION
1b64.2a9c: *0000000000000000-fffffffffffeffff 0x0001/0x0000 0x0000000
1b64.2a9c: *0000000000010000-fffffffffffeffff 0x0004/0x0004 0x0020000
1b64.2a9c: *0000000000030000-000000000002bfff 0x0002/0x0002 0x0040000
1b64.2a9c: 0000000000034000-0000000000027fff 0x0001/0x0000 0x0000000
1b64.2a9c: *0000000000040000-000000000003efff 0x0004/0x0004 0x0020000
1b64.2a9c: 0000000000041000-ffffffffffeb1fff 0x0001/0x0000 0x0000000
1b64.2a9c: *00000000001d0000-00000000000d3fff 0x0000/0x0004 0x0020000
1b64.2a9c: 00000000002cc000-00000000002c8fff 0x0104/0x0004 0x0020000
1b64.2a9c: 00000000002cf000-00000000002cdfff 0x0004/0x0004 0x0020000
1b64.2a9c: 00000000002d0000-ffffffff8986ffff 0x0001/0x0000 0x0000000
1b64.2a9c: *0000000076d30000-0000000076d2efff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll
1b64.2a9c: 0000000076d31000-0000000076c2efff 0x0020/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll
1b64.2a9c: 0000000076e33000-0000000076e03fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll
1b64.2a9c: 0000000076e62000-0000000076e59fff 0x0008/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll
1b64.2a9c: 0000000076e6a000-0000000076e68fff 0x0004/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll
1b64.2a9c: 0000000076e6b000-0000000076e67fff 0x0008/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll
1b64.2a9c: 0000000076e6e000-0000000076e02fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll
1b64.2a9c: 0000000076ed9000-000000006edd1fff 0x0001/0x0000 0x0000000
1b64.2a9c: *000000007efe0000-000000007dfdffff 0x0000/0x0002 0x0020000
1b64.2a9c: *000000007ffe0000-000000007ffdefff 0x0002/0x0002 0x0020000
1b64.2a9c: 000000007ffe1000-000000007ffd1fff 0x0000/0x0002 0x0020000
1b64.2a9c: 000000007fff0000-000000007ffcffff 0x0001/0x0000 0x0000000
1b64.2a9c: *0000000080010000-000000008000efff 0x0040/0x0040 0x0020000 !!
1b64.2a9c: supHardNtVpScanVirtualMemory: Freeing exec mem at 0000000080010000 (0000000080010000 LB 0x1000)
1b64.2a9c: 0000000080011000-ffffffffc0431fff 0x0001/0x0000 0x0000000
1b64.2a9c: *000000013fbf0000-000000013fbeefff 0x0040/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBox.exe
1b64.2a9c: 000000013fbf1000-000000013fb6cfff 0x0020/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBox.exe
1b64.2a9c: 000000013fc75000-000000013fc73fff 0x0080/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBox.exe
1b64.2a9c: 000000013fc76000-000000013fc38fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBox.exe
1b64.2a9c: 000000013fcb3000-000000013fcb1fff 0x0004/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBox.exe
1b64.2a9c: 000000013fcb4000-000000013fcb2fff 0x0008/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBox.exe
1b64.2a9c: 000000013fcb5000-000000013fcb2fff 0x0004/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBox.exe
1b64.2a9c: 000000013fcb7000-000000013fcb5fff 0x0008/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBox.exe
1b64.2a9c: 000000013fcb8000-000000013fcb6fff 0x0004/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBox.exe
1b64.2a9c: 000000013fcb9000-000000013fcb4fff 0x0008/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBox.exe
1b64.2a9c: 000000013fcbd000-000000013fc83fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBox.exe
1b64.2a9c: 000000013fcf6000-000000013fcebfff 0x0001/0x0000 0x0000000
1b64.2a9c: *000000013fd00000-000000013fcfefff 0x0040/0x0040 0x0020000 !!
1b64.2a9c: supHardNtVpScanVirtualMemory: Freeing exec mem at 000000013fd00000 (000000013fd00000 LB 0x1000) 1b64.2a9c: 000000013fd01000-00000000ffa01fff 0x0001/0x0000 0x0000000 1b64.2a9c: *0000000180000000-000000017fffefff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files (x86)\DeviceLock\DeviceLock Agent\DLDrvUserMode64.dll 1b64.2a9c: supHardNtVpScanVirtualMemory: Unmapping image mem at 0000000180000000 (0000000180000000 LB 0x1000) - 'DLDrvUserMode64.dll' 1b64.2a9c: 0000000180001000-000000017fff1fff 0x0001/0x0000 0x0000000 1b64.2a9c: *0000000180010000-000000018000efff 0x0040/0x0040 0x0020000 !! 1b64.2a9c: supHardNtVpScanVirtualMemory: Freeing exec mem at 0000000180010000 (0000000180010000 LB 0x1000) 1b64.2a9c: 0000000180011000-fffff80400fd1fff 0x0001/0x0000 0x0000000 1b64.2a9c: *000007feff050000-000007feff04efff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\apisetschema.dll 1b64.2a9c: 000007feff051000-000007fdfe0f1fff 0x0001/0x0000 0x0000000 1b64.2a9c: *000007fffffb0000-000007fffff8cfff 0x0002/0x0002 0x0040000 1b64.2a9c: 000007fffffd3000-000007fffffcffff 0x0001/0x0000 0x0000000 1b64.2a9c: *000007fffffd6000-000007fffffd4fff 0x0004/0x0004 0x0020000 1b64.2a9c: 000007fffffd7000-000007fffffcffff 0x0001/0x0000 0x0000000 1b64.2a9c: *000007fffffde000-000007fffffdbfff 0x0004/0x0004 0x0020000 1b64.2a9c: *000007fffffe0000-000007fffffcffff 0x0001/0x0002 0x0020000 1b64.2a9c: apisetschema.dll: timestamp 0x51fb15ca (rc=VINF_SUCCESS) 1b64.2a9c: VirtualBox.exe: timestamp 0x54f47197 (rc=VINF_SUCCESS) 1b64.2a9c: '\Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBox.exe' has no imports 1b64.2a9c: VirtualBox.exe: Differences in section #0 (headers) between file and memory: 1b64.2a9c: 000000013fbf016a / 0x000016a: 00 != 11 1b64.2a9c: 000000013fbf016c / 0x000016c: 00 != cc 1b64.2a9c: 000000013fbf016d / 0x000016d: 00 != 01 1b64.2a9c: 000000013fbf01c0 / 0x00001c0: 00 != cc 1b64.2a9c: 000000013fbf01c1 / 0x00001c1: 00 != 01 1b64.2a9c: 
000000013fbf01c2 / 0x00001c2: 00 != 11 1b64.2a9c: 000000013fbf01c4 / 0x00001c4: 00 != 20 1b64.2a9c: Restored 0x400 bytes of original file content at 000000013fbf0000 1b64.2a9c: '\Device\HarddiskVolume2\Windows\System32\apisetschema.dll' has no imports 1b64.2a9c: '\Device\HarddiskVolume2\Windows\System32\ntdll.dll' has no imports 1b64.2a9c: ntdll.dll: Differences in section #1 (.text) between file and memory: 1b64.2a9c: 0000000076d48610 / 0x0018610: 48 != e9 1b64.2a9c: 0000000076d48611 / 0x0018611: 89 != 68 1b64.2a9c: 0000000076d48612 / 0x0018612: 54 != 7e 1b64.2a9c: 0000000076d48613 / 0x0018613: 24 != 2c 1b64.2a9c: 0000000076d48614 / 0x0018614: 10 != 09 1b64.2a9c: Restored 0x2000 bytes of original file content at 0000000076d47000 1b64.2a9c: ntdll.dll: Differences in section #1 (.text) between file and memory: 1b64.2a9c: 0000000076d49580 / 0x0019580: ff != e9 1b64.2a9c: 0000000076d49581 / 0x0019581: f5 != db 1b64.2a9c: 0000000076d49582 / 0x0019582: 41 != 6d 1b64.2a9c: 0000000076d49583 / 0x0019583: 54 != 2c 1b64.2a9c: 0000000076d49584 / 0x0019584: 41 != 09 1b64.2a9c: 0000000076d49585 / 0x0019585: 55 != 90 1b64.2a9c: Restored 0x2000 bytes of original file content at 0000000076d49000 1b64.2a9c: ntdll.dll: Differences in section #1 (.text) between file and memory: 1b64.2a9c: 0000000076d57ac0 / 0x0027ac0: 48 != e9 1b64.2a9c: 0000000076d57ac1 / 0x0027ac1: 89 != 62 1b64.2a9c: 0000000076d57ac2 / 0x0027ac2: 5c != 8b 1b64.2a9c: 0000000076d57ac3 / 0x0027ac3: 24 != 2b 1b64.2a9c: 0000000076d57ac4 / 0x0027ac4: 10 != 09 1b64.2a9c: Restored 0x2000 bytes of original file content at 0000000076d57000 1b64.2a9c: ntdll.dll: Differences in section #1 (.text) between file and memory: 1b64.2a9c: 0000000076d81222 / 0x0051222: 48 != e9 1b64.2a9c: 0000000076d81223 / 0x0051223: 85 != e3 1b64.2a9c: 0000000076d81224 / 0x0051224: c0 != f2 1b64.2a9c: 0000000076d81225 / 0x0051225: 74 != 28 1b64.2a9c: 0000000076d81226 / 0x0051226: 0f != 09 1b64.2a9c: 0000000076d81430 / 0x0051430: 4c != e9 1b64.2a9c: 
0000000076d81431 / 0x0051431: 8b != 7b 1b64.2a9c: 0000000076d81432 / 0x0051432: d1 != ed 1b64.2a9c: 0000000076d81433 / 0x0051433: b8 != 28 1b64.2a9c: 0000000076d81434 / 0x0051434: 15 != 09 1b64.2a9c: 0000000076d81435 / 0x0051435: 00 != 90 1b64.2a9c: 0000000076d81436 / 0x0051436: 00 != 90 1b64.2a9c: 0000000076d81437 / 0x0051437: 00 != 90 1b64.2a9c: 0000000076d81530 / 0x0051530: 4c != e9 1b64.2a9c: 0000000076d81531 / 0x0051531: 8b != cb 1b64.2a9c: 0000000076d81532 / 0x0051532: d1 != ea 1b64.2a9c: 0000000076d81533 / 0x0051533: b8 != 28 1b64.2a9c: 0000000076d81534 / 0x0051534: 25 != 09 1b64.2a9c: 0000000076d81535 / 0x0051535: 00 != 90 1b64.2a9c: 0000000076d81536 / 0x0051536: 00 != 90 1b64.2a9c: 0000000076d81537 / 0x0051537: 00 != 90 1b64.2a9c: 0000000076d81550 / 0x0051550: 4c != e9 1b64.2a9c: 0000000076d81551 / 0x0051551: 8b != 7b 1b64.2a9c: 0000000076d81552 / 0x0051552: d1 != ed 1b64.2a9c: 0000000076d81553 / 0x0051553: b8 != 28 1b64.2a9c: 0000000076d81554 / 0x0051554: 27 != 09 1b64.2a9c: 0000000076d81555 / 0x0051555: 00 != 90 1b64.2a9c: 0000000076d81556 / 0x0051556: 00 != 90 1b64.2a9c: 0000000076d81557 / 0x0051557: 00 != 90 1b64.2a9c: 0000000076d81650 / 0x0051650: 4c != e9 1b64.2a9c: 0000000076d81651 / 0x0051651: 8b != eb 1b64.2a9c: 0000000076d81652 / 0x0051652: d1 != eb 1b64.2a9c: 0000000076d81653 / 0x0051653: b8 != 28 1b64.2a9c: 0000000076d81654 / 0x0051654: 37 != 09 1b64.2a9c: 0000000076d81655 / 0x0051655: 00 != 90 1b64.2a9c: 0000000076d81656 / 0x0051656: 00 != 90 1b64.2a9c: 0000000076d81657 / 0x0051657: 00 != 90 1b64.2a9c: 0000000076d81750 / 0x0051750: 4c != e9 1b64.2a9c: 0000000076d81751 / 0x0051751: 8b != 3b 1b64.2a9c: 0000000076d81752 / 0x0051752: d1 != e9 1b64.2a9c: 0000000076d81753 / 0x0051753: b8 != 28 1b64.2a9c: 0000000076d81754 / 0x0051754: 47 != 09 1b64.2a9c: 0000000076d81755 / 0x0051755: 00 != 90 1b64.2a9c: 0000000076d81756 / 0x0051756: 00 != 90 1b64.2a9c: 0000000076d81757 / 0x0051757: 00 != 90 1b64.2a9c: 0000000076d817b0 / 0x00517b0: 4c != e9 1b64.2a9c: 
0000000076d817b1 / 0x00517b1: 8b != 6b 1b64.2a9c: 0000000076d817b2 / 0x00517b2: d1 != e9 1b64.2a9c: 0000000076d817b3 / 0x00517b3: b8 != 28 1b64.2a9c: 0000000076d817b4 / 0x00517b4: 4d != 09 1b64.2a9c: 0000000076d817b5 / 0x00517b5: 00 != 90 1b64.2a9c: 0000000076d817b6 / 0x00517b6: 00 != 90 1b64.2a9c: 0000000076d817b7 / 0x00517b7: 00 != 90 1b64.2a9c: 0000000076d820a0 / 0x00520a0: 4c != e9 1b64.2a9c: 0000000076d820a1 / 0x00520a1: 8b != f2 1b64.2a9c: 0000000076d820a2 / 0x00520a2: d1 != e4 1b64.2a9c: 0000000076d820a3 / 0x00520a3: b8 != 28 1b64.2a9c: 0000000076d820a4 / 0x00520a4: dc != 09 1b64.2a9c: 0000000076d820a5 / 0x00520a5: 00 != 90 1b64.2a9c: 0000000076d820a6 / 0x00520a6: 00 != 90 1b64.2a9c: 0000000076d820a7 / 0x00520a7: 00 != 90 1b64.2a9c: Restored 0x2000 bytes of original file content at 0000000076d8034e 1b64.2a9c: ntdll.dll: Differences in section #1 (.text) between file and memory: 1b64.2a9c: 0000000076dfe030 / 0x00ce030: 48 != e9 1b64.2a9c: 0000000076dfe031 / 0x00ce031: 81 != b9 1b64.2a9c: 0000000076dfe032 / 0x00ce032: ec != 23 1b64.2a9c: 0000000076dfe033 / 0x00ce033: 08 != 21 1b64.2a9c: 0000000076dfe034 / 0x00ce034: 05 != 09 1b64.2a9c: 0000000076dfe035 / 0x00ce035: 00 != 90 1b64.2a9c: 0000000076dfe036 / 0x00ce036: 00 != 90 1b64.2a9c: Restored 0x2000 bytes of original file content at 0000000076dfc34e 1b64.2a9c: supR3HardNtChildPurify: cFixes=9 g_fSupAdversaries=0x3 cPatchCount=0 1b64.2a9c: supR3HardNtChildPurify: Startup delay kludge #1/1: 520 ms, 65 sleeps 1b64.2a9c: supHardNtVpScanVirtualMemory: enmKind=CHILD_PURIFICATION 1b64.2a9c: *0000000000000000-fffffffffffeffff 0x0001/0x0000 0x0000000 1b64.2a9c: *0000000000010000-fffffffffffeffff 0x0004/0x0004 0x0020000 1b64.2a9c: *0000000000030000-000000000002bfff 0x0002/0x0002 0x0040000 1b64.2a9c: 0000000000034000-0000000000027fff 0x0001/0x0000 0x0000000 1b64.2a9c: *0000000000040000-000000000003efff 0x0004/0x0004 0x0020000 1b64.2a9c: 0000000000041000-ffffffffffeb1fff 0x0001/0x0000 0x0000000 1b64.2a9c: 
*00000000001d0000-00000000000d3fff 0x0000/0x0004 0x0020000 1b64.2a9c: 00000000002cc000-00000000002c8fff 0x0104/0x0004 0x0020000 1b64.2a9c: 00000000002cf000-00000000002cdfff 0x0004/0x0004 0x0020000 1b64.2a9c: 00000000002d0000-ffffffff8986ffff 0x0001/0x0000 0x0000000 1b64.2a9c: *0000000076d30000-0000000076d2efff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll 1b64.2a9c: 0000000076d31000-0000000076c2efff 0x0020/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll 1b64.2a9c: 0000000076e33000-0000000076e03fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll 1b64.2a9c: 0000000076e62000-0000000076e59fff 0x0008/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll 1b64.2a9c: 0000000076e6a000-0000000076e68fff 0x0004/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll 1b64.2a9c: 0000000076e6b000-0000000076e69fff 0x0008/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll 1b64.2a9c: 0000000076e6c000-0000000076e69fff 0x0004/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll 1b64.2a9c: 0000000076e6e000-0000000076e02fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll 1b64.2a9c: 0000000076ed9000-000000006edd1fff 0x0001/0x0000 0x0000000 1b64.2a9c: *000000007efe0000-000000007dfdffff 0x0000/0x0002 0x0020000 1b64.2a9c: *000000007ffe0000-000000007ffdefff 0x0002/0x0002 0x0020000 1b64.2a9c: 000000007ffe1000-000000007ffd1fff 0x0000/0x0002 0x0020000 1b64.2a9c: 000000007fff0000-ffffffffc03effff 0x0001/0x0000 0x0000000 1b64.2a9c: *000000013fbf0000-000000013fbeefff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBox.exe 1b64.2a9c: 000000013fbf1000-000000013fb6cfff 0x0020/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBox.exe 1b64.2a9c: 000000013fc75000-000000013fc73fff 0x0040/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBox.exe 
1b64.2a9c: 000000013fc76000-000000013fc38fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBox.exe
1b64.2a9c: 000000013fcb3000-000000013fca8fff 0x0004/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBox.exe
1b64.2a9c: 000000013fcbd000-000000013fc83fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBox.exe
1b64.2a9c: 000000013fcf6000-fffff8038099bfff 0x0001/0x0000 0x0000000
1b64.2a9c: *000007feff050000-000007feff04efff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\apisetschema.dll
1b64.2a9c: 000007feff051000-000007fdfe0f1fff 0x0001/0x0000 0x0000000
1b64.2a9c: *000007fffffb0000-000007fffff8cfff 0x0002/0x0002 0x0040000
1b64.2a9c: 000007fffffd3000-000007fffffcffff 0x0001/0x0000 0x0000000
1b64.2a9c: *000007fffffd6000-000007fffffd4fff 0x0004/0x0004 0x0020000
1b64.2a9c: 000007fffffd7000-000007fffffcffff 0x0001/0x0000 0x0000000
1b64.2a9c: *000007fffffde000-000007fffffdbfff 0x0004/0x0004 0x0020000
1b64.2a9c: *000007fffffe0000-000007fffffcffff 0x0001/0x0002 0x0020000
1b64.2a9c: supR3HardNtChildPurify: Done after 1080 ms and 9 fixes (loop #1).
1b64.2a9c: supR3HardenedEarlyCompact: Removed heap 1 (0x000000002a0000 LB 0x400000)
1b64.2a9c: supR3HardNtEnableThreadCreation:
2be8.2a50: Log file opened: 4.3.24r98716 g_hStartupLog=0000000000000004 g_uNtVerCombined=0x611db110
2be8.2a50: supR3HardenedVmProcessInit: uNtDllAddr=0000000076d30000
2be8.2a50: ntdll.dll: timestamp 0x521eaf24 (rc=VINF_SUCCESS)
2be8.2a50: New simple heap: #1 00000000002d0000 LB 0x400000 (for 1740800 allocation)
2be8.2a50: System32: \Device\HarddiskVolume2\Windows\System32
2be8.2a50: WinSxS: \Device\HarddiskVolume2\Windows\winsxs
2be8.2a50: KnownDllPath: C:\Windows\system32
2be8.2a50: supR3HardenedVmProcessInit: Opening vboxdrv...
2be8.2a50: supR3HardenedVmProcessInit: Restoring LdrInitializeThunk...
2be8.2a50: supR3HardenedVmProcessInit: Returning to LdrInitializeThunk...
2be8.2a50: Registered Dll notification callback with NTDLL.
2be8.2a50: supHardenedWinVerifyImageByHandle: -> 22900 (\Device\HarddiskVolume2\Windows\System32\kernel32.dll)
2be8.2a50: supR3HardenedWinVerifyCacheInsert: \Device\HarddiskVolume2\Windows\System32\kernel32.dll
2be8.2a50: supR3HardenedMonitor_LdrLoadDll: pName=C:\Windows\system32\kernel32.dll (Input=kernel32.dll, rcNtResolve=0xc0150008) *pfFlags=0xffffffff pwszSearchPath=0000000000000000: [calling]
2be8.2a50: supR3HardenedScreenImage/NtCreateSection: cache hit (Unknown Status 22900 (0x5974)) on \Device\HarddiskVolume2\Windows\System32\kernel32.dll [lacks WinVerifyTrust]
2be8.2a50: supR3HardenedDllNotificationCallback: load 0000000076b10000 LB 0x0011f000 C:\Windows\system32\kernel32.dll [fFlags=0x0]
2be8.2a50: supR3HardenedScreenImage/LdrLoadDll: cache hit (Unknown Status 22900 (0x5974)) on \Device\HarddiskVolume2\Windows\System32\kernel32.dll [lacks WinVerifyTrust]
2be8.2a50: supR3HardenedDllNotificationCallback: load 000007fefcb30000 LB 0x0006c000 C:\Windows\system32\KERNELBASE.dll [fFlags=0x0]
2be8.2a50: supHardenedWinVerifyImageByHandle: -> 22900 (\Device\HarddiskVolume2\Windows\System32\KernelBase.dll)
2be8.2a50: supR3HardenedWinVerifyCacheInsert: \Device\HarddiskVolume2\Windows\System32\KernelBase.dll
2be8.2a50: supR3HardenedMonitor_LdrLoadDll: returns rcNt=0x0 hMod=0000000076b10000 'C:\Windows\system32\kernel32.dll'
2be8.2a50: supR3HardNtDisableThreadCreation: pvLdrInitThunk=0000000076d5c340 pvNtTerminateThread=0000000076d817e0
1b64.2a9c: supR3HardNtChildWaitFor: Found expected request 1 (CloseEvents) after 49 ms.
2be8.2a50: \SystemRoot\System32\ntdll.dll:
2be8.2a50: CreationTime: 2013-11-15T07:43:29.515072300Z
2be8.2a50: LastWriteTime: 2013-08-29T02:16:35.515578900Z
2be8.2a50: ChangeTime: 2013-11-15T10:28:25.401792300Z
2be8.2a50: FileAttributes: 0x20
2be8.2a50: Size: 0x1a6dc0
2be8.2a50: NT Headers: 0xe0
2be8.2a50: Timestamp: 0x521eaf24
2be8.2a50: Machine: 0x8664 - amd64
2be8.2a50: Timestamp: 0x521eaf24
2be8.2a50: Image Version: 6.1
2be8.2a50: SizeOfImage: 0x1a9000 (1740800)
2be8.2a50: Resource Dir: 0x151000 LB 0x560d8
2be8.2a50: ProductName: Microsoft® Windows® Operating System
2be8.2a50: ProductVersion: 6.1.7601.18247
2be8.2a50: FileVersion: 6.1.7601.18247 (win7sp1_gdr.130828-1532)
2be8.2a50: FileDescription: NT Layer DLL
2be8.2a50: \SystemRoot\System32\kernel32.dll:
2be8.2a50: CreationTime: 2014-04-16T05:04:33.563177300Z
2be8.2a50: LastWriteTime: 2014-03-04T09:44:00.336000000Z
2be8.2a50: ChangeTime: 2014-04-16T05:24:46.753957400Z
2be8.2a50: FileAttributes: 0x20
2be8.2a50: Size: 0x11c000
2be8.2a50: NT Headers: 0xe8
2be8.2a50: Timestamp: 0x5315a059
2be8.2a50: Machine: 0x8664 - amd64
2be8.2a50: Timestamp: 0x5315a059
2be8.2a50: Image Version: 6.1
2be8.2a50: SizeOfImage: 0x11f000 (1175552)
2be8.2a50: Resource Dir: 0x116000 LB 0x528
2be8.2a50: ProductName: Microsoft® Windows® Operating System
2be8.2a50: ProductVersion: 6.1.7601.18409
2be8.2a50: FileVersion: 6.1.7601.18409 (win7sp1_gdr.140303-2144)
2be8.2a50: FileDescription: Windows NT BASE API Client DLL
2be8.2a50: \SystemRoot\System32\KernelBase.dll:
2be8.2a50: CreationTime: 2014-05-19T05:17:31.014644800Z
2be8.2a50: LastWriteTime: 2014-03-04T09:44:00.336000000Z
2be8.2a50: ChangeTime: 2014-05-19T05:32:40.719677400Z
2be8.2a50: FileAttributes: 0x20
2be8.2a50: Size: 0x67c00
2be8.2a50: NT Headers: 0xe8
2be8.2a50: Timestamp: 0x5315a05a
2be8.2a50: Machine: 0x8664 - amd64
2be8.2a50: Timestamp: 0x5315a05a
2be8.2a50: Image Version: 6.1
2be8.2a50: SizeOfImage: 0x6c000 (442368)
2be8.2a50: Resource Dir: 0x6a000 LB 0x530
2be8.2a50: ProductName: Microsoft® Windows® Operating System
2be8.2a50: ProductVersion: 6.1.7601.18409
2be8.2a50: FileVersion: 6.1.7601.18409 (win7sp1_gdr.140303-2144)
2be8.2a50: FileDescription: Windows NT BASE API Client DLL
2be8.2a50: \SystemRoot\System32\apisetschema.dll:
2be8.2a50: CreationTime: 2013-09-12T05:14:17.940756300Z
2be8.2a50: LastWriteTime: 2013-08-02T02:12:20.275000000Z
2be8.2a50: ChangeTime: 2013-09-12T05:45:38.834941500Z
2be8.2a50: FileAttributes: 0x20
2be8.2a50: Size: 0x1a00
2be8.2a50: NT Headers: 0xc0
2be8.2a50: Timestamp: 0x51fb15ca
2be8.2a50: Machine: 0x8664 - amd64
2be8.2a50: Timestamp: 0x51fb15ca
2be8.2a50: Image Version: 6.1
2be8.2a50: SizeOfImage: 0x50000 (327680)
2be8.2a50: Resource Dir: 0x30000 LB 0x3f8
2be8.2a50: ProductName: Microsoft® Windows® Operating System
2be8.2a50: ProductVersion: 6.1.7601.18229
2be8.2a50: FileVersion: 6.1.7601.18229 (win7sp1_gdr.130801-1533)
2be8.2a50: FileDescription: ApiSet Schema DLL
2be8.2a50: Found driver SysPlant (0x1)
2be8.2a50: Found driver SymNetS (0x2)
2be8.2a50: Found driver SRTSPX (0x2)
2be8.2a50: Found driver SymEvent (0x2)
2be8.2a50: Found driver SymIRON (0x2)
2be8.2a50: supR3HardenedWinFindAdversaries: 0x3
2be8.2a50: \SystemRoot\System32\drivers\SysPlant.sys:
2be8.2a50: CreationTime: 2015-02-12T15:13:16.924536700Z
2be8.2a50: LastWriteTime: 2015-02-12T15:13:16.928536700Z
2be8.2a50: ChangeTime: 2015-02-12T15:13:16.928536700Z
2be8.2a50: FileAttributes: 0x20
2be8.2a50: Size: 0x26f40
2be8.2a50: NT Headers: 0x100
2be8.2a50: Timestamp: 0x5413cb4e
2be8.2a50: Machine: 0x8664 - amd64
2be8.2a50: Timestamp: 0x5413cb4e
2be8.2a50: Image Version: 5.0
2be8.2a50: SizeOfImage: 0x2d000 (184320)
2be8.2a50: Resource Dir: 0x2b000 LB 0x498
2be8.2a50: ProductName: Symantec CMC Firewall
2be8.2a50: ProductVersion: 12.1.5337.5000
2be8.2a50: FileVersion: 12.1.5337.5000
2be8.2a50: FileDescription: Symantec CMC Firewall SysPlant
2be8.2a50: \SystemRoot\System32\sysfer.dll:
2be8.2a50: CreationTime: 2015-02-12T15:13:16.788536700Z
2be8.2a50: LastWriteTime: 2015-02-12T15:13:16.792536700Z
2be8.2a50: ChangeTime: 2015-02-12T15:13:16.792536700Z
2be8.2a50: FileAttributes: 0x20
2be8.2a50: Size: 0x70f60
2be8.2a50: NT Headers: 0xe8
2be8.2a50: Timestamp: 0x5413cb55
2be8.2a50: Machine: 0x8664 - amd64
2be8.2a50: Timestamp: 0x5413cb55
2be8.2a50: Image Version: 0.0
2be8.2a50: SizeOfImage: 0x88000 (557056)
2be8.2a50: Resource Dir: 0x86000 LB 0x630
2be8.2a50: ProductName: Symantec CMC Firewall
2be8.2a50: ProductVersion: 12.1.5337.5000
2be8.2a50: FileVersion: 12.1.5337.5000
2be8.2a50: FileDescription: Symantec CMC Firewall sysfer
2be8.2a50: \SystemRoot\System32\drivers\symevent64x86.sys:
2be8.2a50: CreationTime: 2015-02-12T15:17:09.408536700Z
2be8.2a50: LastWriteTime: 2015-02-12T15:17:09.057536700Z
2be8.2a50: ChangeTime: 2015-02-12T15:17:09.057536700Z
2be8.2a50: FileAttributes: 0x20
2be8.2a50: Size: 0x2b658
2be8.2a50: NT Headers: 0xe8
2be8.2a50: Timestamp: 0x51f32ff2
2be8.2a50: Machine: 0x8664 - amd64
2be8.2a50: Timestamp: 0x51f32ff2
2be8.2a50: Image Version: 6.0
2be8.2a50: SizeOfImage: 0x38000 (229376)
2be8.2a50: Resource Dir: 0x36000 LB 0x3c8
2be8.2a50: ProductName: SYMEVENT
2be8.2a50: ProductVersion: 12.9.5.2
2be8.2a50: FileVersion: 12.9.5.2
2be8.2a50: FileDescription: Symantec Event Library
2be8.2a50: Calling main()
2be8.2a50: SUPR3HardenedMain: pszProgName=VirtualBox fFlags=0x2
2be8.2a50: '\Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBox.exe' has no imports
2be8.2a50: supHardenedWinVerifyImageByHandle: -> 0 (\Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBox.exe)
2be8.2a50: SUPR3HardenedMain: Final process, opening VBoxDrv...
2be8.2a50: supR3HardenedEarlyCompact: Removed heap 1 (0x000000002d0000 LB 0x400000)
2be8.2a50: supR3HardNtEnableThreadCreation:
2be8.2a50: supHardenedWinVerifyImageByHandle: -> 22900 (\Device\HarddiskVolume2\Windows\System32\apphelp.dll)
2be8.2a50: supR3HardenedWinVerifyCacheInsert: \Device\HarddiskVolume2\Windows\System32\apphelp.dll
2be8.2a50: supR3HardenedMonitor_LdrLoadDll: pName=C:\Windows\system32\apphelp.dll (rcNtResolve=0xc0150008) *pfFlags=0xffffffff pwszSearchPath=0000000000000000: [calling]
2be8.2a50: supR3HardenedScreenImage/NtCreateSection: cache hit (Unknown Status 22900 (0x5974)) on \Device\HarddiskVolume2\Windows\System32\apphelp.dll [lacks WinVerifyTrust]
2be8.2a50: supR3HardenedDllNotificationCallback: load 000007fefc8f0000 LB 0x00057000 C:\Windows\system32\apphelp.dll [fFlags=0x0]
2be8.2a50: supR3HardenedScreenImage/LdrLoadDll: cache hit (Unknown Status 22900 (0x5974)) on \Device\HarddiskVolume2\Windows\System32\apphelp.dll [lacks WinVerifyTrust]
2be8.2a50: supR3HardenedMonitor_LdrLoadDll: returns rcNt=0x0 hMod=000007fefc8f0000 'C:\Windows\system32\apphelp.dll'
1b64.2a9c: supR3HardNtChildWaitFor[2]: Quitting: ExitCode=0xc0000005 (rcNtWait=0x0, rcNt1=0x0, rcNt2=0x103, rcNt3=0x103, 1886 ms, the end);
2b2c.20e8: supR3HardNtChildWaitFor[1]: Quitting: ExitCode=0xc0000005 (rcNtWait=0x0, rcNt1=0x0, rcNt2=0x103, rcNt3=0x103, 3041 ms, the end);