1fc0.2238: Log file opened: 5.1.8r111374 g_hStartupLog=0000000000000038 g_uNtVerCombined=0x611db110
1fc0.2238: \SystemRoot\System32\ntdll.dll:
1fc0.2238: CreationTime: 2016-11-09T07:14:11.341752600Z
1fc0.2238: LastWriteTime: 2016-10-07T15:35:29.838228900Z
1fc0.2238: ChangeTime: 2016-11-10T02:16:26.245331000Z
1fc0.2238: FileAttributes: 0x20
1fc0.2238: Size: 0x1a7100
1fc0.2238: NT Headers: 0xe0
1fc0.2238: Timestamp: 0x57f7c06e
1fc0.2238: Machine: 0x8664 - amd64
1fc0.2238: Timestamp: 0x57f7c06e
1fc0.2238: Image Version: 6.1
1fc0.2238: SizeOfImage: 0x1aa000 (1744896)
1fc0.2238: Resource Dir: 0x14e000 LB 0x5a028
1fc0.2238: ProductName: Microsoft® Windows® Operating System
1fc0.2238: ProductVersion: 6.1.7601.23569
1fc0.2238: FileVersion: 6.1.7601.23569 (win7sp1_ldr.161007-0600)
1fc0.2238: FileDescription: NT Layer DLL
1fc0.2238: \SystemRoot\System32\kernel32.dll:
1fc0.2238: CreationTime: 2016-11-09T07:14:06.927252600Z
1fc0.2238: LastWriteTime: 2016-10-07T15:32:25.787000000Z
1fc0.2238: ChangeTime: 2016-11-10T02:16:27.602287400Z
1fc0.2238: FileAttributes: 0x20
1fc0.2238: Size: 0x11c000
1fc0.2238: NT Headers: 0xe0
1fc0.2238: Timestamp: 0x57f7c0b3
1fc0.2238: Machine: 0x8664 - amd64
1fc0.2238: Timestamp: 0x57f7c0b3
1fc0.2238: Image Version: 6.1
1fc0.2238: SizeOfImage: 0x11f000 (1175552)
1fc0.2238: Resource Dir: 0x116000 LB 0x528
1fc0.2238: ProductName: Microsoft® Windows® Operating System
1fc0.2238: ProductVersion: 6.1.7601.23569
1fc0.2238: FileVersion: 6.1.7601.23569 (win7sp1_ldr.161007-0600)
1fc0.2238: FileDescription: Windows NT BASE API Client DLL
1fc0.2238: \SystemRoot\System32\KernelBase.dll:
1fc0.2238: CreationTime: 2016-11-09T07:14:06.771252600Z
1fc0.2238: LastWriteTime: 2016-10-07T15:32:25.802000000Z
1fc0.2238: ChangeTime: 2016-11-10T02:16:27.571093000Z
1fc0.2238: FileAttributes: 0x20
1fc0.2238: Size: 0x66800
1fc0.2238: NT Headers: 0xe8
1fc0.2238: Timestamp: 0x57f7c0b4
1fc0.2238: Machine: 0x8664 - amd64
1fc0.2238: Timestamp: 0x57f7c0b4
1fc0.2238: Image Version: 6.1
1fc0.2238: SizeOfImage: 0x6a000 (434176)
1fc0.2238: Resource Dir: 0x68000 LB 0x530
1fc0.2238: ProductName: Microsoft® Windows® Operating System
1fc0.2238: ProductVersion: 6.1.7601.23569
1fc0.2238: FileVersion: 6.1.7601.23569 (win7sp1_ldr.161007-0600)
1fc0.2238: FileDescription: Windows NT BASE API Client DLL
1fc0.2238: \SystemRoot\System32\apisetschema.dll:
1fc0.2238: CreationTime: 2016-11-09T07:14:06.183252600Z
1fc0.2238: LastWriteTime: 2016-10-07T15:32:20.717000000Z
1fc0.2238: ChangeTime: 2016-11-10T02:16:26.182942200Z
1fc0.2238: FileAttributes: 0x20
1fc0.2238: Size: 0x1a00
1fc0.2238: NT Headers: 0xc0
1fc0.2238: Timestamp: 0x57f7c04d
1fc0.2238: Machine: 0x8664 - amd64
1fc0.2238: Timestamp: 0x57f7c04d
1fc0.2238: Image Version: 6.1
1fc0.2238: SizeOfImage: 0x50000 (327680)
1fc0.2238: Resource Dir: 0x30000 LB 0x3f8
1fc0.2238: ProductName: Microsoft® Windows® Operating System
1fc0.2238: ProductVersion: 6.1.7601.23569
1fc0.2238: FileVersion: 6.1.7601.23569 (win7sp1_ldr.161007-0600)
1fc0.2238: FileDescription: ApiSet Schema DLL
1fc0.2238: NtOpenDirectoryObject failed on \Driver: 0xc0000022
1fc0.2238: supR3HardenedWinFindAdversaries: 0x0
1fc0.2238: supR3HardenedWinInitAppBin(0x0): '\Device\HarddiskVolume5\Program Files\Oracle\VirtualBox'
1fc0.2238: Calling main()
1fc0.2238: SUPR3HardenedMain: pszProgName=VirtualBox fFlags=0x2
1fc0.2238: supR3HardenedWinInitAppBin(0x2): '\Device\HarddiskVolume5\Program Files\Oracle\VirtualBox'
1fc0.2238: SUPR3HardenedMain: Respawn #1
1fc0.2238: System32: \Device\HarddiskVolume5\Windows\System32
1fc0.2238: WinSxS: \Device\HarddiskVolume5\Windows\winsxs
1fc0.2238: KnownDllPath: C:\Windows\system32
1fc0.2238: '\Device\HarddiskVolume5\Program Files\Oracle\VirtualBox\VirtualBox.exe' has no imports
1fc0.2238: supHardenedWinVerifyImageByHandle: -> 0 (\Device\HarddiskVolume5\Program Files\Oracle\VirtualBox\VirtualBox.exe)
1fc0.2238: supR3HardNtEnableThreadCreation:
1fc0.2238: supR3HardNtDisableThreadCreation: pvLdrInitThunk=000000007763a360 pvNtTerminateThread=000000007765c260
1fc0.2238: supR3HardenedWinDoReSpawn(1): New child 9f0.2110 [kernel32].
1fc0.2238: supR3HardNtChildGatherData: PebBaseAddress=000007fffffdb000 cbPeb=0x380
1fc0.2238: supR3HardNtPuChFindNtdll: uNtDllParentAddr=0000000077610000 uNtDllChildAddr=0000000077610000
1fc0.2238: supR3HardenedWinSetupChildInit: uLdrInitThunk=000000007763a360
1fc0.2238: supR3HardenedWinSetupChildInit: Start child.
1fc0.2238: supR3HardNtChildWaitFor: Found expected request 0 (PurifyChildAndCloseHandles) after 0 ms.
1fc0.2238: supR3HardNtChildPurify: Startup delay kludge #1/0: 265 ms, 17 sleeps
1fc0.2238: supHardNtVpScanVirtualMemory: enmKind=CHILD_PURIFICATION
1fc0.2238: *0000000000000000-fffffffffffeffff 0x0001/0x0000 0x0000000
1fc0.2238: *0000000000010000-fffffffffffeffff 0x0004/0x0004 0x0020000
1fc0.2238: *0000000000030000-000000000002bfff 0x0002/0x0002 0x0040000
1fc0.2238: 0000000000034000-0000000000027fff 0x0001/0x0000 0x0000000
1fc0.2238: *0000000000040000-000000000003efff 0x0004/0x0004 0x0020000
1fc0.2238: 0000000000041000-fffffffffffb1fff 0x0001/0x0000 0x0000000
1fc0.2238: *00000000000d0000-fffffffffffd3fff 0x0000/0x0004 0x0020000
1fc0.2238: 00000000001cc000-00000000001c9fff 0x0104/0x0004 0x0020000
1fc0.2238: 00000000001ce000-00000000001cbfff 0x0004/0x0004 0x0020000
1fc0.2238: 00000000001d0000-fffffffff299ffff 0x0001/0x0000 0x0000000
1fc0.2238: *000000000da00000-000000000d9fefff 0x0020/0x0040 0x0020000 !!
1fc0.2238: supHardNtVpFreeOrReplacePrivateExecMemory: Freeing exec mem at 000000000da00000 (LB 0x1000, 000000000da00000 LB 0x1000)
1fc0.2238: supHardNtVpFreeOrReplacePrivateExecMemory: Free attempt #1 succeeded: 0x0 [000000000da00000/000000000da00000 LB 0/0x1000]
1fc0.2238: supHardNtVpFreeOrReplacePrivateExecMemory: QVM after free 0: [0000000000000000]/000000000da00000 LB 0x69c10000 s=0x10000 ap=0x0 rp=0x00000000000001
1fc0.2238: 000000000da01000-ffffffffa3df1fff 0x0001/0x0000 0x0000000
1fc0.2238: *0000000077610000-0000000077610fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume5\Windows\System32\ntdll.dll
1fc0.2238: 0000000077611000-000000007770dfff 0x0020/0x0080 0x1000000 \Device\HarddiskVolume5\Windows\System32\ntdll.dll
1fc0.2238: 000000007770e000-000000007773cfff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume5\Windows\System32\ntdll.dll
1fc0.2238: 000000007773d000-0000000077746fff 0x0008/0x0080 0x1000000 \Device\HarddiskVolume5\Windows\System32\ntdll.dll
1fc0.2238: 0000000077747000-0000000077747fff 0x0004/0x0080 0x1000000 \Device\HarddiskVolume5\Windows\System32\ntdll.dll
1fc0.2238: 0000000077748000-000000007774afff 0x0008/0x0080 0x1000000 \Device\HarddiskVolume5\Windows\System32\ntdll.dll
1fc0.2238: 000000007774b000-00000000777b9fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume5\Windows\System32\ntdll.dll
1fc0.2238: 00000000777ba000-000000006ff93fff 0x0001/0x0000 0x0000000
1fc0.2238: *000000007efe0000-000000007dfdffff 0x0000/0x0002 0x0020000
1fc0.2238: *000000007ffe0000-000000007ffdefff 0x0002/0x0002 0x0020000
1fc0.2238: 000000007ffe1000-000000007ffd1fff 0x0000/0x0002 0x0020000
1fc0.2238: 000000007fff0000-ffffffffc0edffff 0x0001/0x0000 0x0000000
1fc0.2238: *000000013f100000-000000013f100fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume5\PROGRA~1\Oracle\VIRTUA~1\VIRTUA~1.EXE
1fc0.2238: 000000013f101000-000000013f16ffff 0x0020/0x0080 0x1000000 \Device\HarddiskVolume5\PROGRA~1\Oracle\VIRTUA~1\VIRTUA~1.EXE
1fc0.2238: 000000013f170000-000000013f170fff 0x0080/0x0080 0x1000000 \Device\HarddiskVolume5\PROGRA~1\Oracle\VIRTUA~1\VIRTUA~1.EXE
1fc0.2238: 000000013f171000-000000013f1b5fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume5\PROGRA~1\Oracle\VIRTUA~1\VIRTUA~1.EXE
1fc0.2238: 000000013f1b6000-000000013f1b6fff 0x0004/0x0080 0x1000000 \Device\HarddiskVolume5\PROGRA~1\Oracle\VIRTUA~1\VIRTUA~1.EXE
1fc0.2238: 000000013f1b7000-000000013f1b7fff 0x0008/0x0080 0x1000000 \Device\HarddiskVolume5\PROGRA~1\Oracle\VIRTUA~1\VIRTUA~1.EXE
1fc0.2238: 000000013f1b8000-000000013f1bcfff 0x0004/0x0080 0x1000000 \Device\HarddiskVolume5\PROGRA~1\Oracle\VIRTUA~1\VIRTUA~1.EXE
1fc0.2238: 000000013f1bd000-000000013f1bdfff 0x0008/0x0080 0x1000000 \Device\HarddiskVolume5\PROGRA~1\Oracle\VIRTUA~1\VIRTUA~1.EXE
1fc0.2238: 000000013f1be000-000000013f1befff 0x0004/0x0080 0x1000000 \Device\HarddiskVolume5\PROGRA~1\Oracle\VIRTUA~1\VIRTUA~1.EXE
1fc0.2238: 000000013f1bf000-000000013f1c2fff 0x0008/0x0080 0x1000000 \Device\HarddiskVolume5\PROGRA~1\Oracle\VIRTUA~1\VIRTUA~1.EXE
1fc0.2238: 000000013f1c3000-000000013f20afff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume5\PROGRA~1\Oracle\VIRTUA~1\VIRTUA~1.EXE
1fc0.2238: 000000013f20b000-fffff8037eae5fff 0x0001/0x0000 0x0000000
1fc0.2238: *000007feff930000-000007feff930fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume5\Windows\System32\apisetschema.dll
1fc0.2238: 000007feff931000-000007fdff2b1fff 0x0001/0x0000 0x0000000
1fc0.2238: *000007fffffb0000-000007fffff8cfff 0x0002/0x0002 0x0040000
1fc0.2238: 000007fffffd3000-000007fffffcafff 0x0001/0x0000 0x0000000
1fc0.2238: *000007fffffdb000-000007fffffd9fff 0x0004/0x0004 0x0020000
1fc0.2238: 000007fffffdc000-000007fffffd9fff 0x0001/0x0000 0x0000000
1fc0.2238: *000007fffffde000-000007fffffdbfff 0x0004/0x0004 0x0020000
1fc0.2238: *000007fffffe0000-000007fffffcffff 0x0001/0x0002 0x0020000
1fc0.2238: apisetschema.dll: timestamp 0x57f7c04d (rc=VINF_SUCCESS)
1fc0.2238: VirtualBox.exe: timestamp 0x58062715 (rc=VINF_SUCCESS)
1fc0.2238: '\Device\HarddiskVolume5\PROGRA~1\Oracle\VIRTUA~1\VIRTUA~1.EXE' has no imports
1fc0.2238: VirtualBox.exe: Differences in section #0 (headers) between file and memory:
1fc0.2238: 000000013f10001c / 0x000001c: 00 != df
1fc0.2238: 000000013f10001d / 0x000001d: 00 != df
1fc0.2238: 000000013f10001e / 0x000001e: 00 != df
1fc0.2238: 000000013f10001f / 0x000001f: 00 != df
1fc0.2238: 000000013f100020 / 0x0000020: 68 != 01
1fc0.2238: 000000013f100021 / 0x0000021: 74 != 00
1fc0.2238: 000000013f100022 / 0x0000022: 74 != 00
1fc0.2238: 000000013f100023 / 0x0000023: 70 != 00
1fc0.2238: Restored 0x400 bytes of original file content at 000000013f100000
1fc0.2238: VirtualBox.exe: Differences in section #1 (.text) between file and memory:
1fc0.2238: 000000013f107490 / 0x0007490: 40 != 48
1fc0.2238: 000000013f107491 / 0x0007491: 53 != b8
1fc0.2238: 000000013f107492 / 0x0007492: 48 != 00
1fc0.2238: 000000013f107493 / 0x0007493: 81 != 00
1fc0.2238: 000000013f107494 / 0x0007494: ec != a0
1fc0.2238: 000000013f107495 / 0x0007495: 50 != 0d
1fc0.2238: 000000013f107496 / 0x0007496: 08 != 00
1fc0.2238: 000000013f107499 / 0x0007499: ff != 00
1fc0.2238: 000000013f10749a / 0x000749a: 05 != ff
1fc0.2238: 000000013f10749b / 0x000749b: 99 != e0
1fc0.2238: Restored 0x2000 bytes of original file content at 000000013f107000
1fc0.2238: '\Device\HarddiskVolume5\Windows\System32\apisetschema.dll' has no imports
1fc0.2238: '\Device\HarddiskVolume5\Windows\System32\ntdll.dll' has no imports
1fc0.2238: supR3HardNtChildPurify: cFixes=3 g_fSupAdversaries=0x80000000 cPatchCount=0
1fc0.2238: supR3HardNtChildPurify: Startup delay kludge #1/1: 520 ms, 65 sleeps
1fc0.2238: supHardNtVpScanVirtualMemory: enmKind=CHILD_PURIFICATION
1fc0.2238: *0000000000000000-fffffffffffeffff 0x0001/0x0000 0x0000000
1fc0.2238: *0000000000010000-fffffffffffeffff 0x0004/0x0004 0x0020000
1fc0.2238: *0000000000030000-000000000002bfff 0x0002/0x0002 0x0040000
1fc0.2238: 0000000000034000-0000000000027fff 0x0001/0x0000 0x0000000
1fc0.2238: *0000000000040000-000000000003efff 0x0004/0x0004 0x0020000
1fc0.2238: 0000000000041000-fffffffffffb1fff 0x0001/0x0000 0x0000000
1fc0.2238: *00000000000d0000-fffffffffffd3fff 0x0000/0x0004 0x0020000
1fc0.2238: 00000000001cc000-00000000001c9fff 0x0104/0x0004 0x0020000
1fc0.2238: 00000000001ce000-00000000001cbfff 0x0004/0x0004 0x0020000
1fc0.2238: 00000000001d0000-ffffffff88d8ffff 0x0001/0x0000 0x0000000
1fc0.2238: *0000000077610000-0000000077610fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume5\Windows\System32\ntdll.dll
1fc0.2238: 0000000077611000-000000007770dfff 0x0020/0x0080 0x1000000 \Device\HarddiskVolume5\Windows\System32\ntdll.dll
1fc0.2238: 000000007770e000-000000007773cfff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume5\Windows\System32\ntdll.dll
1fc0.2238: 000000007773d000-0000000077746fff 0x0008/0x0080 0x1000000 \Device\HarddiskVolume5\Windows\System32\ntdll.dll
1fc0.2238: 0000000077747000-0000000077747fff 0x0004/0x0080 0x1000000 \Device\HarddiskVolume5\Windows\System32\ntdll.dll
1fc0.2238: 0000000077748000-0000000077748fff 0x0008/0x0080 0x1000000 \Device\HarddiskVolume5\Windows\System32\ntdll.dll
1fc0.2238: 0000000077749000-000000007774afff 0x0004/0x0080 0x1000000 \Device\HarddiskVolume5\Windows\System32\ntdll.dll
1fc0.2238: 000000007774b000-00000000777b9fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume5\Windows\System32\ntdll.dll
1fc0.2238: 00000000777ba000-000000006ff93fff 0x0001/0x0000 0x0000000
1fc0.2238: *000000007efe0000-000000007dfdffff 0x0000/0x0002 0x0020000
1fc0.2238: *000000007ffe0000-000000007ffdefff 0x0002/0x0002 0x0020000
1fc0.2238: 000000007ffe1000-000000007ffd1fff 0x0000/0x0002 0x0020000
1fc0.2238: 000000007fff0000-ffffffffc0edffff 0x0001/0x0000 0x0000000
1fc0.2238: *000000013f100000-000000013f100fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume5\PROGRA~1\Oracle\VIRTUA~1\VIRTUA~1.EXE
1fc0.2238: 000000013f101000-000000013f16ffff 0x0020/0x0080 0x1000000 \Device\HarddiskVolume5\PROGRA~1\Oracle\VIRTUA~1\VIRTUA~1.EXE
1fc0.2238: 000000013f170000-000000013f170fff 0x0040/0x0080 0x1000000 \Device\HarddiskVolume5\PROGRA~1\Oracle\VIRTUA~1\VIRTUA~1.EXE
1fc0.2238: 000000013f171000-000000013f1b5fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume5\PROGRA~1\Oracle\VIRTUA~1\VIRTUA~1.EXE
1fc0.2238: 000000013f1b6000-000000013f1c2fff 0x0004/0x0080 0x1000000 \Device\HarddiskVolume5\PROGRA~1\Oracle\VIRTUA~1\VIRTUA~1.EXE
1fc0.2238: 000000013f1c3000-000000013f20afff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume5\PROGRA~1\Oracle\VIRTUA~1\VIRTUA~1.EXE
1fc0.2238: 000000013f20b000-fffff8037eae5fff 0x0001/0x0000 0x0000000
1fc0.2238: *000007feff930000-000007feff930fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume5\Windows\System32\apisetschema.dll
1fc0.2238: 000007feff931000-000007fdff2b1fff 0x0001/0x0000 0x0000000
1fc0.2238: *000007fffffb0000-000007fffff8cfff 0x0002/0x0002 0x0040000
1fc0.2238: 000007fffffd3000-000007fffffcafff 0x0001/0x0000 0x0000000
1fc0.2238: *000007fffffdb000-000007fffffd9fff 0x0004/0x0004 0x0020000
1fc0.2238: 000007fffffdc000-000007fffffd9fff 0x0001/0x0000 0x0000000
1fc0.2238: *000007fffffde000-000007fffffdbfff 0x0004/0x0004 0x0020000
1fc0.2238: *000007fffffe0000-000007fffffcffff 0x0001/0x0002 0x0020000
1fc0.2238: supR3HardNtChildPurify: Done after 880 ms and 3 fixes (loop #1).
1fc0.2238: supR3HardNtEnableThreadCreation:
9f0.2110: Log file opened: 5.1.8r111374 g_hStartupLog=0000000000000004 g_uNtVerCombined=0x611db100
9f0.2110: supR3HardenedVmProcessInit: uNtDllAddr=0000000077610000 g_uNtVerCombined=0x611db100
9f0.2110: ntdll.dll: timestamp 0x57f7c06e (rc=VINF_SUCCESS)
9f0.2110: New simple heap: #1 00000000002d0000 LB 0x400000 (for 1744896 allocation)
9f0.2110: supR3HardenedWinInitAppBin(0x0): '\Device\HarddiskVolume5\PROGRA~1\Oracle\VIRTUA~1'
9f0.2110: System32: \Device\HarddiskVolume5\Windows\System32
9f0.2110: WinSxS: \Device\HarddiskVolume5\Windows\winsxs
9f0.2110: KnownDllPath: C:\Windows\system32
9f0.2110: supR3HardenedVmProcessInit: Opening vboxdrv stub...
9f0.2110: supR3HardenedWinReadErrorInfoDevice: 'Unknown image file \Device\HarddiskVolume5\PROGRA~1\Oracle\VIRTUA~1\VIRTUA~1.EXE at 000000013f100000.'
9f0.2110: Error -5633 in supR3HardenedWinReSpawn! (enmWhat=3)
9f0.2110: NtCreateFile(\Device\VBoxDrvStub) failed: Unknown Status -5633 (0xffffe9ff) (rcNt=0xe986e9ff)
VBoxDrvStub error: Unknown image file \Device\HarddiskVolume5\PROGRA~1\Oracle\VIRTUA~1\VIRTUA~1.EXE at 000000013f100000.
1fc0.2238: supR3HardenedWinCheckChild: enmRequest=2 rc=-5633 enmWhat=3 supR3HardenedWinReSpawn: NtCreateFile(\Device\VBoxDrvStub) failed: Unknown Status -5633 (0xffffe9ff) (rcNt=0xe986e9ff)
VBoxDrvStub error: Unknown image file \Device\HarddiskVolume5\PROGRA~1\Oracle\VIRTUA~1\VIRTUA~1.EXE at 000000013f100000.
1fc0.2238: Error -5633 in supR3HardenedWinReSpawn! (enmWhat=3)
1fc0.2238: NtCreateFile(\Device\VBoxDrvStub) failed: Unknown Status -5633 (0xffffe9ff) (rcNt=0xe986e9ff)
VBoxDrvStub error: Unknown image file \Device\HarddiskVolume5\PROGRA~1\Oracle\VIRTUA~1\VIRTUA~1.EXE at 000000013f100000.