Error -5640 in supR3HardenedWinReSpawn! (enmWhat=1)

Post by kapila »

452c.2574: Log file opened: 6.1.38r153438 g_hStartupLog=0000000000000088 g_uNtVerCombined=0xa055f000
452c.2574: \SystemRoot\System32\ntdll.dll:
452c.2574:     CreationTime:    2022-09-14T12:09:50.041746800Z
452c.2574:     LastWriteTime:   2022-09-14T12:09:50.087656200Z
452c.2574:     ChangeTime:      2022-09-21T15:24:46.934233200Z
452c.2574:     FileAttributes:  0x20
452c.2574:     Size:            0x207df8
452c.2574:     NT Headers:      0xe0
452c.2574:     Timestamp:       0x57b668f2
452c.2574:     Machine:         0x8664 - amd64
452c.2574:     Timestamp:       0x57b668f2
452c.2574:     Image Version:   10.0
452c.2574:     SizeOfImage:     0x209000 (2134016)
452c.2574:     Resource Dir:    0x194000 LB 0x73528
452c.2574:     [Version info resource found at 0xd8! (ID/Name: 0x1; SubID/SubName: 0x409)]
452c.2574:     [Raw version resource data: 0x1940f0 LB 0x380, codepage 0x0 (reserved 0x0)]
452c.2574:     ProductName:     Microsoft® Windows® Operating System
452c.2574:     ProductVersion:  10.0.22000.918
452c.2574:     FileVersion:     10.0.22000.918 (WinBuild.160101.0800)
452c.2574:     FileDescription: NT Layer DLL
452c.2574: \SystemRoot\System32\kernel32.dll:
452c.2574:     CreationTime:    2022-06-22T11:13:06.603559500Z
452c.2574:     LastWriteTime:   2022-06-22T11:13:06.634789700Z
452c.2574:     ChangeTime:      2022-09-21T15:24:46.934233200Z
452c.2574:     FileAttributes:  0x20
452c.2574:     Size:            0xc0058
452c.2574:     NT Headers:      0xf8
452c.2574:     Timestamp:       0xafec8296
452c.2574:     Machine:         0x8664 - amd64
452c.2574:     Timestamp:       0xafec8296
452c.2574:     Image Version:   10.0
452c.2574:     SizeOfImage:     0xbd000 (774144)
452c.2574:     Resource Dir:    0xbb000 LB 0x520
452c.2574:     [Version info resource found at 0x90! (ID/Name: 0x1; SubID/SubName: 0x409)]
452c.2574:     [Raw version resource data: 0xbb0b0 LB 0x3a4, codepage 0x0 (reserved 0x0)]
452c.2574:     ProductName:     Microsoft® Windows® Operating System
452c.2574:     ProductVersion:  10.0.22000.708
452c.2574:     FileVersion:     10.0.22000.708 (WinBuild.160101.0800)
452c.2574:     FileDescription: Windows NT BASE API Client DLL
452c.2574: \SystemRoot\System32\KernelBase.dll:
452c.2574:     CreationTime:    2022-09-14T12:09:50.848339100Z
452c.2574:     LastWriteTime:   2022-09-14T12:09:50.964337800Z
452c.2574:     ChangeTime:      2022-09-21T15:24:46.934233200Z
452c.2574:     FileAttributes:  0x20
452c.2574:     Size:            0x3832e8
452c.2574:     NT Headers:      0xf8
452c.2574:     Timestamp:       0xb42fa627
452c.2574:     Machine:         0x8664 - amd64
452c.2574:     Timestamp:       0xb42fa627
452c.2574:     Image Version:   10.0
452c.2574:     SizeOfImage:     0x37c000 (3653632)
452c.2574:     Resource Dir:    0x34c000 LB 0x548
452c.2574:     [Version info resource found at 0x90! (ID/Name: 0x1; SubID/SubName: 0x409)]
452c.2574:     [Raw version resource data: 0x34c0b0 LB 0x3bc, codepage 0x0 (reserved 0x0)]
452c.2574:     ProductName:     Microsoft® Windows® Operating System
452c.2574:     ProductVersion:  10.0.22000.918
452c.2574:     FileVersion:     10.0.22000.918 (WinBuild.160101.0800)
452c.2574:     FileDescription: Windows NT BASE API Client DLL
452c.2574: \SystemRoot\System32\apisetschema.dll:
452c.2574:     CreationTime:    2021-06-05T12:04:59.928787900Z
452c.2574:     LastWriteTime:   2021-06-05T12:04:59.928787900Z
452c.2574:     ChangeTime:      2022-09-14T12:11:25.200780500Z
452c.2574:     FileAttributes:  0x20
452c.2574:     Size:            0x24150
452c.2574:     NT Headers:      0xc8
452c.2574:     Timestamp:       0x68d1dbaf
452c.2574:     Machine:         0x8664 - amd64
452c.2574:     Timestamp:       0x68d1dbaf
452c.2574:     Image Version:   10.0
452c.2574:     SizeOfImage:     0x23000 (143360)
452c.2574:     Resource Dir:    0x22000 LB 0x408
452c.2574:     [Version info resource found at 0x48! (ID/Name: 0x1; SubID/SubName: 0x409)]
452c.2574:     [Raw version resource data: 0x22060 LB 0x3a8, codepage 0x0 (reserved 0x0)]
452c.2574:     ProductName:     Microsoft® Windows® Operating System
452c.2574:     ProductVersion:  10.0.22000.1
452c.2574:     FileVersion:     10.0.22000.1 (WinBuild.160101.0800)
452c.2574:     FileDescription: ApiSet Schema DLL
452c.2574: NtOpenDirectoryObject failed on \Driver: 0xc0000022
452c.2574: supR3HardenedWinFindAdversaries: 0x0
452c.2574: supR3HardenedWinInitAppBin(0x0): '\Device\HarddiskVolume3\Program Files\Oracle\VirtualBox'
452c.2574: Calling main()
452c.2574: SUPR3HardenedMain: pszProgName=VirtualBoxVM fFlags=0x2
452c.2574: supR3HardenedWinInitAppBin(0x2): '\Device\HarddiskVolume3\Program Files\Oracle\VirtualBox'
452c.2574: SUPR3HardenedMain: Respawn #1
452c.2574: System32:  \Device\HarddiskVolume3\Windows\System32
452c.2574: WinSxS:    \Device\HarddiskVolume3\Windows\WinSxS
452c.2574: KnownDllPath: C:\Windows\System32
452c.2574: supR3HardenedWinInit: Performing a limited self purification...
452c.2574: supHardNtVpScanVirtualMemory: enmKind=SELF_PURIFICATION
452c.2574:  *0000000000000000-000000000061ffff 0x0001/0x0000 0x0000000
452c.2574:  *0000000000620000-0000000000620fff 0x0002/0x0002 0x0040000
452c.2574:   0000000000621000-000000000062ffff 0x0001/0x0000 0x0000000
452c.2574:  *0000000000630000-0000000000630fff 0x0002/0x0002 0x0040000
452c.2574:   0000000000631000-000000000063ffff 0x0001/0x0000 0x0000000
452c.2574:  *0000000000640000-000000000065efff 0x0002/0x0002 0x0040000
452c.2574:   000000000065f000-000000000065ffff 0x0001/0x0000 0x0000000
452c.2574:  *0000000000660000-0000000000718fff 0x0000/0x0004 0x0020000
452c.2574:   0000000000719000-000000000071bfff 0x0104/0x0004 0x0020000
452c.2574:   000000000071c000-000000000075ffff 0x0004/0x0004 0x0020000
452c.2574:  *0000000000760000-0000000000763fff 0x0002/0x0002 0x0040000
452c.2574:   0000000000764000-000000000076ffff 0x0001/0x0000 0x0000000
452c.2574:  *0000000000770000-0000000000771fff 0x0004/0x0004 0x0020000
452c.2574:   0000000000772000-000000000077ffff 0x0001/0x0000 0x0000000
452c.2574:  *0000000000780000-0000000000790fff 0x0002/0x0002 0x0040000
452c.2574:   0000000000791000-000000000079ffff 0x0001/0x0000 0x0000000
452c.2574:  *00000000007a0000-00000000007b0fff 0x0002/0x0002 0x0040000
452c.2574:   00000000007b1000-00000000007bffff 0x0001/0x0000 0x0000000
452c.2574:  *00000000007c0000-00000000007c2fff 0x0002/0x0002 0x0040000
452c.2574:   00000000007c3000-00000000007cffff 0x0001/0x0000 0x0000000
452c.2574:  *00000000007d0000-00000000007d0fff 0x0002/0x0002 0x0040000
452c.2574:   00000000007d1000-00000000007dffff 0x0001/0x0000 0x0000000
452c.2574:  *00000000007e0000-00000000007effff 0x0004/0x0004 0x0040000
452c.2574:  *00000000007f0000-00000000007f2fff 0x0002/0x0002 0x0040000
452c.2574:   00000000007f3000-00000000007fffff 0x0001/0x0000 0x0000000
452c.2574:  *0000000000800000-00000000009c8fff 0x0000/0x0004 0x0020000
452c.2574:   00000000009c9000-00000000009cbfff 0x0004/0x0004 0x0020000
452c.2574:   00000000009cc000-00000000009fffff 0x0000/0x0004 0x0020000
452c.2574:  *0000000000a00000-0000000000a00fff 0x0004/0x0004 0x0020000
452c.2574:   0000000000a01000-0000000000a31fff 0x0000/0x0004 0x0020000
452c.2574:   0000000000a32000-0000000000a3ffff 0x0001/0x0000 0x0000000
452c.2574:  *0000000000a40000-0000000000a50fff 0x0002/0x0002 0x0040000
452c.2574:   0000000000a51000-0000000000a5ffff 0x0001/0x0000 0x0000000
452c.2574:  *0000000000a60000-0000000000a70fff 0x0002/0x0002 0x0040000
452c.2574:   0000000000a71000-0000000000a7ffff 0x0001/0x0000 0x0000000
452c.2574:  *0000000000a80000-0000000000a89fff 0x0004/0x0004 0x0020000
452c.2574:   0000000000a8a000-0000000000b7ffff 0x0000/0x0004 0x0020000
452c.2574:  *0000000000b80000-0000000000c4dfff 0x0002/0x0002 0x0040000
452c.2574:   0000000000c4e000-0000000000c6ffff 0x0001/0x0000 0x0000000
452c.2574:  *0000000000c70000-0000000000c70fff 0x0004/0x0004 0x0020000
452c.2574:   0000000000c71000-0000000000c7ffff 0x0001/0x0000 0x0000000
452c.2574:  *0000000000c80000-0000000000c80fff 0x0002/0x0004 0x0020000
452c.2574:   0000000000c81000-0000000000c81fff 0x0020/0x0004 0x0020000 !!
452c.2574:   0000000000c82000-0000000000c8ffff 0x0001/0x0000 0x0000000
452c.2574:  *0000000000c90000-0000000000c90fff 0x0002/0x0080 0x1000000  \Device\HarddiskVolume3\Windows\System32\umppc15610.dll
452c.2574: supHardNtVpScanVirtualMemory: Ignoring unknown mem at 0000000000c90000 LB 0x1000 (base 0000000000c90000) - 'umppc15610.dll'
452c.2574:   0000000000c91000-0000000000c9afff 0x0020/0x0080 0x1000000  \Device\HarddiskVolume3\Windows\System32\umppc15610.dll
452c.2574: supHardNtVpScanVirtualMemory: Ignoring unknown mem at 0000000000c91000 LB 0xa000 (base 0000000000c90000) - 'umppc15610.dll'
452c.2574:   0000000000c9b000-0000000000c9efff 0x0004/0x0080 0x1000000  \Device\HarddiskVolume3\Windows\System32\umppc15610.dll
452c.2574: supHardNtVpScanVirtualMemory: Ignoring unknown mem at 0000000000c9b000 LB 0x4000 (base 0000000000c90000) - 'umppc15610.dll'
452c.2574:   0000000000c9f000-0000000000ca0fff 0x0002/0x0080 0x1000000  \Device\HarddiskVolume3\Windows\System32\umppc15610.dll
452c.2574: supHardNtVpScanVirtualMemory: Ignoring unknown mem at 0000000000c9f000 LB 0x2000 (base 0000000000c90000) - 'umppc15610.dll'
452c.2574:   0000000000ca1000-0000000000ca1fff 0x0004/0x0080 0x1000000  \Device\HarddiskVolume3\Windows\System32\umppc15610.dll
452c.2574: supHardNtVpScanVirtualMemory: Ignoring unknown mem at 0000000000ca1000 LB 0x1000 (base 0000000000c90000) - 'umppc15610.dll'
452c.2574:   0000000000ca2000-0000000000ca3fff 0x0002/0x0080 0x1000000  \Device\HarddiskVolume3\Windows\System32\umppc15610.dll
452c.2574: supHardNtVpScanVirtualMemory: Ignoring unknown mem at 0000000000ca2000 LB 0x2000 (base 0000000000c90000) - 'umppc15610.dll'
452c.2574:   0000000000ca4000-0000000000caffff 0x0001/0x0000 0x0000000
452c.2574:  *0000000000cb0000-0000000000cb1fff 0x0004/0x0004 0x0020000
452c.2574:   0000000000cb2000-0000000000ce1fff 0x0000/0x0004 0x0020000
452c.2574:   0000000000ce2000-0000000000d5ffff 0x0001/0x0000 0x0000000
452c.2574:  *0000000000d60000-0000000000d61fff 0x0004/0x0004 0x0020000
452c.2574:   0000000000d62000-0000000000d6ffff 0x0000/0x0004 0x0020000
452c.2574:   0000000000d70000-0000000000e2ffff 0x0001/0x0000 0x0000000
452c.2574:  *0000000000e30000-0000000000e3efff 0x0004/0x0004 0x0020000
452c.2574:   0000000000e3f000-0000000000e3ffff 0x0000/0x0004 0x0020000
452c.2574:  *0000000000e40000-0000000000e47fff 0x0000/0x0004 0x0020000
452c.2574:   0000000000e48000-0000000001051fff 0x0004/0x0004 0x0020000
452c.2574:   0000000001052000-0000000001052fff 0x0000/0x0004 0x0020000
452c.2574:   0000000001053000-000000000105ffff 0x0001/0x0000 0x0000000
452c.2574:  *0000000001060000-000000000108bfff 0x0004/0x0004 0x0020000
452c.2574:   000000000108c000-000000000115ffff 0x0000/0x0004 0x0020000
452c.2574:   0000000001160000-000000007ffdffff 0x0001/0x0000 0x0000000
452c.2574:  *000000007ffe0000-000000007ffe0fff 0x0002/0x0002 0x0020000
452c.2574:   000000007ffe1000-000000007ffeefff 0x0001/0x0000 0x0000000
452c.2574:  *000000007ffef000-000000007ffeffff 0x0002/0x0002 0x0020000
452c.2574:   000000007fff0000-00007ff43238ffff 0x0001/0x0000 0x0000000
452c.2574:  *00007ff432390000-00007ff432394fff 0x0002/0x0002 0x0040000
452c.2574:   00007ff432395000-00007ff43248ffff 0x0000/0x0002 0x0040000
452c.2574:  *00007ff432490000-00007ff5324affff 0x0000/0x0004 0x0020000
452c.2574:  *00007ff5324b0000-00007ff5344affff 0x0000/0x0004 0x0020000
452c.2574:   00007ff5344b0000-00007ff5344b0fff 0x0004/0x0004 0x0020000
452c.2574:   00007ff5344b1000-00007ff5344bffff 0x0001/0x0000 0x0000000
452c.2574:  *00007ff5344c0000-00007ff5344c0fff 0x0002/0x0002 0x0040000
452c.2574:   00007ff5344c1000-00007ff6de8affff 0x0001/0x0000 0x0000000
452c.2574:  *00007ff6de8b0000-00007ff6de8b0fff 0x0002/0x0080 0x1000000  \Device\HarddiskVolume3\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe
452c.2574:   00007ff6de8b1000-00007ff6de928fff 0x0020/0x0080 0x1000000  \Device\HarddiskVolume3\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe
452c.2574:   00007ff6de929000-00007ff6de929fff 0x0080/0x0080 0x1000000  \Device\HarddiskVolume3\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe
452c.2574:   00007ff6de92a000-00007ff6de973fff 0x0002/0x0080 0x1000000  \Device\HarddiskVolume3\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe
452c.2574:   00007ff6de974000-00007ff6de976fff 0x0004/0x0080 0x1000000  \Device\HarddiskVolume3\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe
452c.2574:   00007ff6de977000-00007ff6de979fff 0x0008/0x0080 0x1000000  \Device\HarddiskVolume3\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe
452c.2574:   00007ff6de97a000-00007ff6de97cfff 0x0004/0x0080 0x1000000  \Device\HarddiskVolume3\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe
452c.2574:   00007ff6de97d000-00007ff6de97dfff 0x0008/0x0080 0x1000000  \Device\HarddiskVolume3\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe
452c.2574:   00007ff6de97e000-00007ff6de97ffff 0x0004/0x0080 0x1000000  \Device\HarddiskVolume3\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe
452c.2574:   00007ff6de980000-00007ff6de980fff 0x0008/0x0080 0x1000000  \Device\HarddiskVolume3\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe
452c.2574:   00007ff6de981000-00007ff6de9c9fff 0x0002/0x0080 0x1000000  \Device\HarddiskVolume3\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe
452c.2574:   00007ff6de9ca000-00007ffc2c66ffff 0x0001/0x0000 0x0000000
452c.2574:  *00007ffc2c670000-00007ffc2c670fff 0x0002/0x0080 0x1000000  \Device\HarddiskVolume3\Windows\System32\KernelBase.dll
452c.2574:   00007ffc2c671000-00007ffc2c7e8fff 0x0020/0x0080 0x1000000  \Device\HarddiskVolume3\Windows\System32\KernelBase.dll
452c.2574:   00007ffc2c7e9000-00007ffc2c99dfff 0x0002/0x0080 0x1000000  \Device\HarddiskVolume3\Windows\System32\KernelBase.dll
452c.2574:   00007ffc2c99e000-00007ffc2c9a2fff 0x0004/0x0080 0x1000000  \Device\HarddiskVolume3\Windows\System32\KernelBase.dll
452c.2574:   00007ffc2c9a3000-00007ffc2c9ebfff 0x0002/0x0080 0x1000000  \Device\HarddiskVolume3\Windows\System32\KernelBase.dll
452c.2574:   00007ffc2c9ec000-00007ffc2de3ffff 0x0001/0x0000 0x0000000
452c.2574:  *00007ffc2de40000-00007ffc2de40fff 0x0002/0x0080 0x1000000  \Device\HarddiskVolume3\Windows\System32\kernel32.dll
452c.2574:   00007ffc2de41000-00007ffc2debdfff 0x0020/0x0080 0x1000000  \Device\HarddiskVolume3\Windows\System32\kernel32.dll
452c.2574:   00007ffc2debe000-00007ffc2def1fff 0x0002/0x0080 0x1000000  \Device\HarddiskVolume3\Windows\System32\kernel32.dll
452c.2574:   00007ffc2def2000-00007ffc2def2fff 0x0004/0x0080 0x1000000  \Device\HarddiskVolume3\Windows\System32\kernel32.dll
452c.2574:   00007ffc2def3000-00007ffc2def3fff 0x0008/0x0080 0x1000000  \Device\HarddiskVolume3\Windows\System32\kernel32.dll
452c.2574:   00007ffc2def4000-00007ffc2defcfff 0x0002/0x0080 0x1000000  \Device\HarddiskVolume3\Windows\System32\kernel32.dll
452c.2574:   00007ffc2defd000-00007ffc2eddffff 0x0001/0x0000 0x0000000
452c.2574:  *00007ffc2ede0000-00007ffc2ede0fff 0x0002/0x0080 0x1000000  \Device\HarddiskVolume3\Windows\System32\ntdll.dll
452c.2574:   00007ffc2ede1000-00007ffc2ef0bfff 0x0020/0x0080 0x1000000  \Device\HarddiskVolume3\Windows\System32\ntdll.dll
452c.2574:   00007ffc2ef0c000-00007ffc2ef53fff 0x0002/0x0080 0x1000000  \Device\HarddiskVolume3\Windows\System32\ntdll.dll
452c.2574:   00007ffc2ef54000-00007ffc2ef54fff 0x0004/0x0080 0x1000000  \Device\HarddiskVolume3\Windows\System32\ntdll.dll
452c.2574:   00007ffc2ef55000-00007ffc2ef56fff 0x0008/0x0080 0x1000000  \Device\HarddiskVolume3\Windows\System32\ntdll.dll
452c.2574:   00007ffc2ef57000-00007ffc2ef5ffff 0x0004/0x0080 0x1000000  \Device\HarddiskVolume3\Windows\System32\ntdll.dll
452c.2574:   00007ffc2ef60000-00007ffc2efe8fff 0x0002/0x0080 0x1000000  \Device\HarddiskVolume3\Windows\System32\ntdll.dll
452c.2574:   00007ffc2efe9000-00007ffffffeffff 0x0001/0x0000 0x0000000
452c.2574: kernel32.dll: timestamp 0xafec8296 (rc=VINF_SUCCESS)
452c.2574: kernelbase.dll: timestamp 0xb42fa627 (rc=VINF_SUCCESS)
452c.2574: VirtualBoxVM.exe: timestamp 0x6310b1ca (rc=VINF_SUCCESS)
452c.2574: \Device\HarddiskVolume3\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe: Signature #1/2: info status: 24202
452c.2574: '\Device\HarddiskVolume3\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe' has no imports
452c.2574: '\Device\HarddiskVolume3\Windows\System32\ntdll.dll' has no imports
452c.2574: ntdll.dll: Differences in section #1 (.text) between file and memory:
452c.2574:   00007ffc2ee83c53 / 0x00a3c53: b8 != e9
452c.2574:   00007ffc2ee83c54 / 0x00a3c54: 07 != dd
452c.2574:   00007ffc2ee83c55 / 0x00a3c55: 00 != 60
452c.2574:   00007ffc2ee83c56 / 0x00a3c56: 00 != 08
452c.2574:   00007ffc2ee83d13 / 0x00a3d13: b8 != e9
452c.2574:   00007ffc2ee83d14 / 0x00a3d14: 0d != 21
452c.2574:   00007ffc2ee83d15 / 0x00a3d15: 00 != 60
452c.2574:   00007ffc2ee83d16 / 0x00a3d16: 00 != 08
452c.2574:   00007ffc2ee83e73 / 0x00a3e73: b8 != e9
452c.2574:   00007ffc2ee83e74 / 0x00a3e74: 18 != c7
452c.2574:   00007ffc2ee83e75 / 0x00a3e75: 00 != 5e
452c.2574:   00007ffc2ee83e76 / 0x00a3e76: 00 != 08
452c.2574:   00007ffc2ee83ef3 / 0x00a3ef3: b8 != e9
452c.2574:   00007ffc2ee83ef4 / 0x00a3ef4: 1c != 40
452c.2574:   00007ffc2ee83ef5 / 0x00a3ef5: 00 != 5e
452c.2574:   00007ffc2ee83ef6 / 0x00a3ef6: 00 != 08
452c.2574:   00007ffc2ee84013 / 0x00a4013: b8 != e9
452c.2574:   00007ffc2ee84014 / 0x00a4014: 25 != 22
452c.2574:   00007ffc2ee84015 / 0x00a4015: 00 != 5d
452c.2574:   00007ffc2ee84016 / 0x00a4016: 00 != 08
452c.2574:   00007ffc2ee84073 / 0x00a4073: b8 != e9
452c.2574:   00007ffc2ee84074 / 0x00a4074: 28 != cd
452c.2574:   00007ffc2ee84075 / 0x00a4075: 00 != 5c
452c.2574:   00007ffc2ee84076 / 0x00a4076: 00 != 08
452c.2574:   00007ffc2ee840b3 / 0x00a40b3: b8 != e9
452c.2574:   00007ffc2ee840b4 / 0x00a40b4: 2a != 8c
452c.2574:   00007ffc2ee840b5 / 0x00a40b5: 00 != 5c
452c.2574:   00007ffc2ee840b6 / 0x00a40b6: 00 != 08
452c.2574:   00007ffc2ee842b3 / 0x00a42b3: b8 != e9
452c.2574:   00007ffc2ee842b4 / 0x00a42b4: 3a != 84
452c.2574:   00007ffc2ee842b5 / 0x00a42b5: 00 != 5a
452c.2574:   00007ffc2ee842b6 / 0x00a42b6: 00 != 08
452c.2574:   00007ffc2ee84353 / 0x00a4353: b8 != e9
452c.2574:   00007ffc2ee84354 / 0x00a4354: 3f != e5
452c.2574:   00007ffc2ee84355 / 0x00a4355: 00 != 59
452c.2574:   00007ffc2ee84356 / 0x00a4356: 00 != 08
452c.2574:   00007ffc2ee84413 / 0x00a4413: b8 != e9
452c.2574:   00007ffc2ee84414 / 0x00a4414: 45 != 1f
452c.2574:   00007ffc2ee84415 / 0x00a4415: 00 != 59
452c.2574:   00007ffc2ee84416 / 0x00a4416: 00 != 08
452c.2574:   00007ffc2ee84573 / 0x00a4573: b8 != e9
452c.2574:   00007ffc2ee84574 / 0x00a4574: 50 != c6
452c.2574:   00007ffc2ee84575 / 0x00a4575: 00 != 57
452c.2574:   00007ffc2ee84576 / 0x00a4576: 00 != 08
452c.2574:   00007ffc2ee845b3 / 0x00a45b3: b8 != e9
452c.2574:   00007ffc2ee845b4 / 0x00a45b4: 52 != 88
452c.2574:   00007ffc2ee845b5 / 0x00a45b5: 00 != 57
452c.2574:   00007ffc2ee845b6 / 0x00a45b6: 00 != 08
452c.2574:   00007ffc2ee84a23 / 0x00a4a23: b8 != e9
452c.2574:   00007ffc2ee84a24 / 0x00a4a24: 76 != 0b
452c.2574:   00007ffc2ee84a25 / 0x00a4a25: 00 != 53
452c.2574:   00007ffc2ee84a26 / 0x00a4a26: 00 != 08
452c.2574:   Restored 0x2000 bytes of original file content at 00007ffc2ee82c1e
452c.2574: ntdll.dll: Differences in section #1 (.text) between file and memory:
452c.2574:   00007ffc2ee85223 / 0x00a5223: b8 != e9
452c.2574:   00007ffc2ee85224 / 0x00a5224: b6 != 09
452c.2574:   00007ffc2ee85225 / 0x00a5225: 00 != 4b
452c.2574:   00007ffc2ee85226 / 0x00a5226: 00 != 08
452c.2574:   00007ffc2ee85a43 / 0x00a5a43: b8 != e9
452c.2574:   00007ffc2ee85a44 / 0x00a5a44: f7 != fb
452c.2574:   00007ffc2ee85a45 / 0x00a5a45: 00 != 42
452c.2574:   00007ffc2ee85a46 / 0x00a5a46: 00 != 08
452c.2574:   00007ffc2ee85ea3 / 0x00a5ea3: b8 != e9
452c.2574:   00007ffc2ee85ea4 / 0x00a5ea4: 1a != 8a
452c.2574:   00007ffc2ee85ea5 / 0x00a5ea5: 01 != 3e
452c.2574:   00007ffc2ee85ea6 / 0x00a5ea6: 00 != 08
452c.2574:   00007ffc2ee868e3 / 0x00a68e3: b8 != e9
452c.2574:   00007ffc2ee868e4 / 0x00a68e4: 6c != 4e
452c.2574:   00007ffc2ee868e5 / 0x00a68e5: 01 != 34
452c.2574:   00007ffc2ee868e6 / 0x00a68e6: 00 != 08
452c.2574:   00007ffc2ee86903 / 0x00a6903: b8 != e9
452c.2574:   00007ffc2ee86904 / 0x00a6904: 6d != 28
452c.2574:   00007ffc2ee86905 / 0x00a6905: 01 != 34
452c.2574:   00007ffc2ee86906 / 0x00a6906: 00 != 08
452c.2574:   Restored 0x2000 bytes of original file content at 00007ffc2ee84c1e
452c.2574: ntdll.dll: Differences in section #1 (.text) between file and memory:
452c.2574:   00007ffc2ee86de3 / 0x00a6de3: b8 != e9
452c.2574:   00007ffc2ee86de4 / 0x00a6de4: 94 != 5a
452c.2574:   00007ffc2ee86de5 / 0x00a6de5: 01 != 2f
452c.2574:   00007ffc2ee86de6 / 0x00a6de6: 00 != 08
452c.2574:   00007ffc2ee87443 / 0x00a7443: b8 != e9
452c.2574:   00007ffc2ee87444 / 0x00a7444: c7 != f9
452c.2574:   00007ffc2ee87445 / 0x00a7445: 01 != 28
452c.2574:   00007ffc2ee87446 / 0x00a7446: 00 != 08
452c.2574:   00007ffc2ee87643 / 0x00a7643: b8 != e9
452c.2574:   00007ffc2ee87644 / 0x00a7644: d7 != f3
452c.2574:   00007ffc2ee87645 / 0x00a7645: 01 != 26
452c.2574:   00007ffc2ee87646 / 0x00a7646: 00 != 08
452c.2574:   Restored 0xd82 bytes of original file content at 00007ffc2ee86c1e
452c.2574: ntdll.dll: Differences in section #1 (.text) between file and memory:
452c.2574:   00007ffc2ef09d30 / 0x0129d30: 00 != 51
452c.2574:   00007ffc2ef09d31 / 0x0129d31: 00 != 51
452c.2574:   00007ffc2ef09d32 / 0x0129d32: 00 != 51
452c.2574:   00007ffc2ef09d33 / 0x0129d33: 00 != 51
452c.2574:   00007ffc2ef09d34 / 0x0129d34: 00 != 51
452c.2574:   00007ffc2ef09d35 / 0x0129d35: 00 != 51
452c.2574:   00007ffc2ef09d36 / 0x0129d36: 00 != 51
452c.2574:   00007ffc2ef09d37 / 0x0129d37: 00 != 51
452c.2574:   00007ffc2ef09d38 / 0x0129d38: 00 != 51
452c.2574:   00007ffc2ef09d39 / 0x0129d39: 00 != 51
452c.2574:   00007ffc2ef09d3a / 0x0129d3a: 00 != 51
452c.2574:   00007ffc2ef09d3b / 0x0129d3b: 00 != 51
452c.2574:   00007ffc2ef09d3c / 0x0129d3c: 00 != 51
452c.2574:   00007ffc2ef09d3d / 0x0129d3d: 00 != 51
452c.2574:   00007ffc2ef09d3e / 0x0129d3e: 00 != 51
452c.2574:   00007ffc2ef09d3f / 0x0129d3f: 00 != 51
452c.2574:   00007ffc2ef09d40 / 0x0129d40: 00 != 51
452c.2574:   00007ffc2ef09d41 / 0x0129d41: 00 != 51
452c.2574:   00007ffc2ef09d42 / 0x0129d42: 00 != 51
452c.2574:   00007ffc2ef09d43 / 0x0129d43: 00 != 51
452c.2574:   00007ffc2ef09d44 / 0x0129d44: 00 != 51
452c.2574:   00007ffc2ef09d45 / 0x0129d45: 00 != ff
452c.2574:   00007ffc2ef09d46 / 0x0129d46: 00 != 25
452c.2574:   00007ffc2ef09d4b / 0x0129d4b: 00 != 70
452c.2574:   00007ffc2ef09d4c / 0x0129d4c: 00 != 90
452c.2574:   00007ffc2ef09d4d / 0x0129d4d: 00 != c9
452c.2574:   Restored 0x9d0 bytes of original file content at 00007ffc2ef09630
452c.2574: supR3HardenedWinInit: SUPHARDNTVPKIND_SELF_PURIFICATION_LIMITED -> VINF_SUCCESS, cFixes=4
452c.2574: \Device\HarddiskVolume3\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe: Signature #1/2: info status: 24202
452c.2574: '\Device\HarddiskVolume3\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe' has no imports
452c.2574: supHardenedWinVerifyImageByHandle: -> 24202 (\Device\HarddiskVolume3\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe)
452c.2574: supR3HardNtEnableThreadCreationEx:
452c.2574: supR3HardNtDisableThreadCreation: pvLdrInitThunk=00007ffc2ee5ac10 pvNtTerminateThread=00007ffc2ee845d0
452c.2574: supR3HardenedWinDoReSpawn(1): New child 282c.17e4 [kernel32].
452c.2574: supR3HardNtChildGatherData: PebBaseAddress=0000000000ca0000 cbPeb=0x388
452c.2574: supR3HardNtPuChFindNtdll: uNtDllParentAddr=00007ffc2ede0000 uNtDllChildAddr=00007ffc2ede0000
452c.2574: supR3HardenedWinSetupChildInit: uLdrInitThunk=00007ffc2ee5ac10
452c.2574: supR3HardenedWinSetupChildInit: Initial context:
  rax=0000000000000000 rbx=0000000000000000 rcx=00007ff6de8b7900 rdx=0000000000ca0000
  rsi=0000000000000000 rdi=0000000000000000 r8 =0000000000000000 r9 =0000000000000000
  r10=0000000000000000 r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
  r14=0000000000000000 r15=0000000000000000  P1=0000000000000000  P2=0000000000000000
  rip=00007ffc2ede4830 rsp=0000000000bcff08 rbp=0000000000000000    ctxflags=0010001b
  cs=0033 ss=002b ds=0000 es=0000 fs=0000 gs=0000    eflags=00000200   mxcrx=00001f80
   P3=0000000000000000  P4=0000000000000000  P5=0000000000000000  P6=0000000000000000
  dr0=0000000000000000 dr1=0000000000000000 dr2=0000000000000000 dr3=0000000000000000
  dr6=0000000000000000 dr7=0000000000000000 vcr=0000000000000000 dcr=0000000000000000
  lbt=0000000000000000 lbf=0000000000000000 lxt=0000000000000000 lxf=0000000000000000
452c.2574: supR3HardenedWinSetupChildInit: Start child.
452c.2574: supR3HardNtChildWaitFor: Found expected request 0 (PurifyChildAndCloseHandles) after 0 ms.
452c.2574: supR3HardNtChildPurify: Startup delay kludge #1/0: 270 ms, 17 sleeps
452c.2574: supHardNtVpScanVirtualMemory: enmKind=CHILD_PURIFICATION
452c.2574:  *0000000000000000-0000000000a8ffff 0x0001/0x0000 0x0000000
452c.2574:  *0000000000a90000-0000000000aaffff 0x0004/0x0004 0x0020000
452c.2574:  *0000000000ab0000-0000000000acefff 0x0002/0x0002 0x0040000
452c.2574:   0000000000acf000-0000000000acffff 0x0001/0x0000 0x0000000
452c.2574:  *0000000000ad0000-0000000000bcafff 0x0000/0x0004 0x0020000
452c.2574:   0000000000bcb000-0000000000bcdfff 0x0104/0x0004 0x0020000
452c.2574:   0000000000bce000-0000000000bcffff 0x0004/0x0004 0x0020000
452c.2574:  *0000000000bd0000-0000000000bd3fff 0x0002/0x0002 0x0040000
452c.2574:   0000000000bd4000-0000000000bdffff 0x0001/0x0000 0x0000000
452c.2574:  *0000000000be0000-0000000000be1fff 0x0004/0x0004 0x0020000
452c.2574:   0000000000be2000-0000000000bfffff 0x0001/0x0000 0x0000000
452c.2574:  *0000000000c00000-0000000000c9ffff 0x0000/0x0004 0x0020000
452c.2574:   0000000000ca0000-0000000000ca2fff 0x0004/0x0004 0x0020000
452c.2574:   0000000000ca3000-0000000000dfffff 0x0000/0x0004 0x0020000
452c.2574:   0000000000e00000-000000007ffdffff 0x0001/0x0000 0x0000000
452c.2574:  *000000007ffe0000-000000007ffe0fff 0x0002/0x0002 0x0020000
452c.2574:   000000007ffe1000-000000007ffeefff 0x0001/0x0000 0x0000000
452c.2574:  *000000007ffef000-000000007ffeffff 0x0002/0x0002 0x0020000
452c.2574:   000000007fff0000-00007ff51285ffff 0x0001/0x0000 0x0000000
452c.2574:  *00007ff512860000-00007ff512860fff 0x0002/0x0002 0x0040000
452c.2574:   00007ff512861000-00007ff6de8affff 0x0001/0x0000 0x0000000
452c.2574:  *00007ff6de8b0000-00007ff6de8b0fff 0x0002/0x0080 0x1000000  \Device\HarddiskVolume3\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe
452c.2574:   00007ff6de8b1000-00007ff6de928fff 0x0020/0x0080 0x1000000  \Device\HarddiskVolume3\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe
452c.2574:   00007ff6de929000-00007ff6de929fff 0x0080/0x0080 0x1000000  \Device\HarddiskVolume3\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe
452c.2574:   00007ff6de92a000-00007ff6de973fff 0x0002/0x0080 0x1000000  \Device\HarddiskVolume3\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe
452c.2574:   00007ff6de974000-00007ff6de974fff 0x0004/0x0080 0x1000000  \Device\HarddiskVolume3\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe
452c.2574:   00007ff6de975000-00007ff6de975fff 0x0008/0x0080 0x1000000  \Device\HarddiskVolume3\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe
452c.2574:   00007ff6de976000-00007ff6de97afff 0x0004/0x0080 0x1000000  \Device\HarddiskVolume3\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe
452c.2574:   00007ff6de97b000-00007ff6de97bfff 0x0008/0x0080 0x1000000  \Device\HarddiskVolume3\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe
452c.2574:   00007ff6de97c000-00007ff6de97cfff 0x0004/0x0080 0x1000000  \Device\HarddiskVolume3\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe
452c.2574:   00007ff6de97d000-00007ff6de980fff 0x0008/0x0080 0x1000000  \Device\HarddiskVolume3\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe
452c.2574:   00007ff6de981000-00007ff6de9c9fff 0x0002/0x0080 0x1000000  \Device\HarddiskVolume3\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe
452c.2574:   00007ff6de9ca000-00007ffc2eddffff 0x0001/0x0000 0x0000000
452c.2574:  *00007ffc2ede0000-00007ffc2ede0fff 0x0002/0x0080 0x1000000  \Device\HarddiskVolume3\Windows\System32\ntdll.dll
452c.2574:   00007ffc2ede1000-00007ffc2ef0bfff 0x0020/0x0080 0x1000000  \Device\HarddiskVolume3\Windows\System32\ntdll.dll
452c.2574:   00007ffc2ef0c000-00007ffc2ef53fff 0x0002/0x0080 0x1000000  \Device\HarddiskVolume3\Windows\System32\ntdll.dll
452c.2574:   00007ffc2ef54000-00007ffc2ef5ffff 0x0008/0x0080 0x1000000  \Device\HarddiskVolume3\Windows\System32\ntdll.dll
452c.2574:   00007ffc2ef60000-00007ffc2ef6efff 0x0002/0x0080 0x1000000  \Device\HarddiskVolume3\Windows\System32\ntdll.dll
452c.2574:   00007ffc2ef6f000-00007ffc2ef6ffff 0x0004/0x0080 0x1000000  \Device\HarddiskVolume3\Windows\System32\ntdll.dll
452c.2574:   00007ffc2ef70000-00007ffc2ef72fff 0x0008/0x0080 0x1000000  \Device\HarddiskVolume3\Windows\System32\ntdll.dll
452c.2574:   00007ffc2ef73000-00007ffc2efe8fff 0x0002/0x0080 0x1000000  \Device\HarddiskVolume3\Windows\System32\ntdll.dll
452c.2574:   00007ffc2efe9000-00007ffffffeffff 0x0001/0x0000 0x0000000
452c.2574: supR3HardNtChildPurify: Done after 270 ms and 0 fixes (loop #0).
282c.17e4: Log file opened: 6.1.38r153438 g_hStartupLog=0000000000000004 g_uNtVerCombined=0xa055f000
282c.17e4: supR3HardenedVmProcessInit: uNtDllAddr=00007ffc2ede0000 g_uNtVerCombined=0xa055f000 (stack ~0000000000bcf988)
282c.17e4: ntdll.dll: timestamp 0x57b668f2 (rc=VINF_SUCCESS)
452c.2574: supR3HardNtEnableThreadCreationEx:
282c.17e4: New simple heap: #1 0000000000f00000 LB 0x800000 (for 2134016 allocation)
282c.17e4: supR3HardenedWinInitAppBin(0x0): '\Device\HarddiskVolume3\Program Files\Oracle\VirtualBox'
282c.17e4: System32:  \Device\HarddiskVolume3\Windows\System32
282c.17e4: WinSxS:    \Device\HarddiskVolume3\Windows\WinSxS
282c.17e4: KnownDllPath: C:\Windows\System32
282c.17e4: supR3HardenedVmProcessInit: Opening vboxsup stub...
282c.17e4: supR3HardenedVmProcessInit: Restoring LdrInitializeThunk...
282c.17e4: supR3HardenedVmProcessInit: Returning to LdrInitializeThunk...
282c.17e4: Registered Dll notification callback with NTDLL.
282c.17e4: supHardenedWinVerifyImageByHandle: -> 0 (\Device\HarddiskVolume3\Windows\System32\kernel32.dll)
282c.17e4: supR3HardenedWinVerifyCacheInsert: \Device\HarddiskVolume3\Windows\System32\kernel32.dll
282c.17e4: supR3HardenedMonitor_LdrLoadDll: pName=C:\Windows\System32\KERNEL32.DLL (Input=KERNEL32.DLL, rcNtResolve=0xc0150008) *pfFlags=0xffffffff pwszSearchPath=0000000000004001:<flags> [calling]
282c.17e4: supR3HardenedDllNotificationCallback: load   00007ffc2c670000 LB 0x0037c000 C:\Windows\System32\KERNELBASE.dll [fFlags=0x0]
282c.17e4: supHardenedWinVerifyImageByHandle: -> 0 (\Device\HarddiskVolume3\Windows\System32\KernelBase.dll)
282c.17e4: supR3HardenedWinVerifyCacheInsert: \Device\HarddiskVolume3\Windows\System32\KernelBase.dll
282c.17e4: supR3HardenedDllNotificationCallback: load   00007ffc2de40000 LB 0x000bd000 C:\Windows\System32\KERNEL32.DLL [fFlags=0x0]
282c.17e4: supR3HardenedScreenImage/LdrLoadDll: cache hit (VINF_SUCCESS) on \Device\HarddiskVolume3\Windows\System32\kernel32.dll [lacks WinVerifyTrust]
282c.17e4: supR3HardenedMonitor_LdrLoadDll: returns rcNt=0x0 hMod=00007ffc2de40000 'C:\Windows\System32\KERNEL32.DLL'
282c.17e4: supR3HardenedDllNotificationCallback: load   00007ff6de8b0000 LB 0x0011a000 C:\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe [fFlags=0x0]
282c.17e4: \Device\HarddiskVolume3\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe: Signature #1/2: info status: 24202
282c.17e4: '\Device\HarddiskVolume3\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe' has no imports
282c.17e4: supHardenedWinVerifyImageByHandle: -> 24202 (\Device\HarddiskVolume3\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe)
282c.17e4: supR3HardenedWinVerifyCacheInsert: \Device\HarddiskVolume3\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe
282c.17e4: supR3HardenedMonitor_KiUserApcDispatcher_C: pfnRoutine=00007ffc2ee11140 enmState=3 -> supR3HardenedWinDummyApcRoutine
282c.17e4: supR3HardenedWinDummyApcRoutine: pvArg1=ffffe6042d2319e0 pvArg2=0000000000000000 pvArg3=0000000000000000
282c.17e4: supR3HardenedMonitor_KiUserApcDispatcher_C: pfnRoutine=0000000001801000 enmState=3 -> supR3HardenedWinDummyApcRoutine
282c.17e4: supR3HardenedWinDummyApcRoutine: pvArg1=0000000001820000 pvArg2=ffffe6042475aa60 pvArg3=0000000001820000
282c.17e4: supR3HardNtDisableThreadCreation: pvLdrInitThunk=00007ffc2ee5ac10 pvNtTerminateThread=00007ffc2ee845d0
452c.2574: supR3HardNtChildWaitFor: Found expected request 1 (CloseEvents) after 94 ms.
282c.17e4: \SystemRoot\System32\ntdll.dll:
282c.17e4:     CreationTime:    2022-09-14T12:09:50.041746800Z
282c.17e4:     LastWriteTime:   2022-09-14T12:09:50.087656200Z
282c.17e4:     ChangeTime:      2022-09-21T15:24:46.934233200Z
282c.17e4:     FileAttributes:  0x20
282c.17e4:     Size:            0x207df8
282c.17e4:     NT Headers:      0xe0
282c.17e4:     Timestamp:       0x57b668f2
282c.17e4:     Machine:         0x8664 - amd64
282c.17e4:     Timestamp:       0x57b668f2
282c.17e4:     Image Version:   10.0
282c.17e4:     SizeOfImage:     0x209000 (2134016)
282c.17e4:     Resource Dir:    0x194000 LB 0x73528
282c.17e4:     [Version info resource found at 0xd8! (ID/Name: 0x1; SubID/SubName: 0x409)]
282c.17e4:     [Raw version resource data: 0x1940f0 LB 0x380, codepage 0x0 (reserved 0x0)]
282c.17e4:     ProductName:     Microsoft® Windows® Operating System
282c.17e4:     ProductVersion:  10.0.22000.918
282c.17e4:     FileVersion:     10.0.22000.918 (WinBuild.160101.0800)
282c.17e4:     FileDescription: NT Layer DLL
282c.17e4: \SystemRoot\System32\kernel32.dll:
282c.17e4:     CreationTime:    2022-06-22T11:13:06.603559500Z
282c.17e4:     LastWriteTime:   2022-06-22T11:13:06.634789700Z
282c.17e4:     ChangeTime:      2022-09-21T15:24:46.934233200Z
282c.17e4:     FileAttributes:  0x20
282c.17e4:     Size:            0xc0058
282c.17e4:     NT Headers:      0xf8
282c.17e4:     Timestamp:       0xafec8296
282c.17e4:     Machine:         0x8664 - amd64
282c.17e4:     Timestamp:       0xafec8296
282c.17e4:     Image Version:   10.0
282c.17e4:     SizeOfImage:     0xbd000 (774144)
282c.17e4:     Resource Dir:    0xbb000 LB 0x520
282c.17e4:     [Version info resource found at 0x90! (ID/Name: 0x1; SubID/SubName: 0x409)]
282c.17e4:     [Raw version resource data: 0xbb0b0 LB 0x3a4, codepage 0x0 (reserved 0x0)]
282c.17e4:     ProductName:     Microsoft® Windows® Operating System
282c.17e4:     ProductVersion:  10.0.22000.708
282c.17e4:     FileVersion:     10.0.22000.708 (WinBuild.160101.0800)
282c.17e4:     FileDescription: Windows NT BASE API Client DLL
282c.17e4: \SystemRoot\System32\KernelBase.dll:
282c.17e4:     CreationTime:    2022-09-14T12:09:50.848339100Z
282c.17e4:     LastWriteTime:   2022-09-14T12:09:50.964337800Z
282c.17e4:     ChangeTime:      2022-09-21T15:24:46.934233200Z
282c.17e4:     FileAttributes:  0x20
282c.17e4:     Size:            0x3832e8
282c.17e4:     NT Headers:      0xf8
282c.17e4:     Timestamp:       0xb42fa627
282c.17e4:     Machine:         0x8664 - amd64
282c.17e4:     Timestamp:       0xb42fa627
282c.17e4:     Image Version:   10.0
282c.17e4:     SizeOfImage:     0x37c000 (3653632)
282c.17e4:     Resource Dir:    0x34c000 LB 0x548
282c.17e4:     [Version info resource found at 0x90! (ID/Name: 0x1; SubID/SubName: 0x409)]
282c.17e4:     [Raw version resource data: 0x34c0b0 LB 0x3bc, codepage 0x0 (reserved 0x0)]
282c.17e4:     ProductName:     Microsoft® Windows® Operating System
282c.17e4:     ProductVersion:  10.0.22000.918
282c.17e4:     FileVersion:     10.0.22000.918 (WinBuild.160101.0800)
282c.17e4:     FileDescription: Windows NT BASE API Client DLL
282c.17e4: \SystemRoot\System32\apisetschema.dll:
282c.17e4:     CreationTime:    2021-06-05T12:04:59.928787900Z
282c.17e4:     LastWriteTime:   2021-06-05T12:04:59.928787900Z
282c.17e4:     ChangeTime:      2022-09-14T12:11:25.200780500Z
282c.17e4:     FileAttributes:  0x20
282c.17e4:     Size:            0x24150
282c.17e4:     NT Headers:      0xc8
282c.17e4:     Timestamp:       0x68d1dbaf
282c.17e4:     Machine:         0x8664 - amd64
282c.17e4:     Timestamp:       0x68d1dbaf
282c.17e4:     Image Version:   10.0
282c.17e4:     SizeOfImage:     0x23000 (143360)
282c.17e4:     Resource Dir:    0x22000 LB 0x408
282c.17e4:     [Version info resource found at 0x48! (ID/Name: 0x1; SubID/SubName: 0x409)]
282c.17e4:     [Raw version resource data: 0x22060 LB 0x3a8, codepage 0x0 (reserved 0x0)]
282c.17e4:     ProductName:     Microsoft® Windows® Operating System
282c.17e4:     ProductVersion:  10.0.22000.1
282c.17e4:     FileVersion:     10.0.22000.1 (WinBuild.160101.0800)
282c.17e4:     FileDescription: ApiSet Schema DLL
282c.17e4: NtOpenDirectoryObject failed on \Driver: 0xc0000022
282c.17e4: supR3HardenedWinFindAdversaries: 0x0
282c.17e4: supR3HardenedWinInitAppBin(0x0): '\Device\HarddiskVolume3\Program Files\Oracle\VirtualBox'
282c.17e4: Calling main()
282c.17e4: SUPR3HardenedMain: pszProgName=VirtualBoxVM fFlags=0x2
282c.17e4: supR3HardenedWinInitAppBin(0x2): '\Device\HarddiskVolume3\Program Files\Oracle\VirtualBox'
282c.4b04: \Device\HarddiskVolume3\Program Files\Manufacturer\Endpoint Agent\clpbm64.dll: Signature #1/2: info status: 24202
282c.4b04: supR3HardenedWinVerifyCacheScheduleImports: Import todo: #0 'advapi32.dll'.
282c.4b04: supR3HardenedWinVerifyCacheScheduleImports: Import todo: #1 'rpcrt4.dll'.
282c.4b04: supR3HardenedWinVerifyCacheScheduleImports: Import todo: #2 'userenv.dll'.
282c.4b04: supR3HardenedWinVerifyCacheScheduleImports: Import todo: #3 'secur32.dll'.
282c.4b04: supR3HardenedWinVerifyCacheScheduleImports: Import todo: #4 'msvcp120.dll'.
282c.4b04: supR3HardenedWinVerifyCacheScheduleImports: Import todo: #5 'user32.dll'.
282c.4b04: supR3HardenedWinVerifyCacheScheduleImports: Import todo: #6 'ole32.dll'.
282c.4b04: supR3HardenedWinVerifyCacheScheduleImports: Import todo: #7 'oleaut32.dll'.
282c.4b04: supR3HardenedWinVerifyCacheScheduleImports: Import todo: #8 'msvcr120.dll'.
282c.4b04: supR3HardenedWinVerifyCacheScheduleImports: Import todo: #10 'shell32.dll'.
282c.4b04: supR3HardenedWinVerifyCacheScheduleImports: Import todo: #11 'shlwapi.dll'.
282c.4b04: supR3HardenedWinVerifyCacheScheduleImports: Import todo: #12 'psapi.dll'.
282c.4b04: supHardenedWinVerifyImageByHandle: -> 24202 (\Device\HarddiskVolume3\Program Files\Manufacturer\Endpoint Agent\clpbm64.dll)
282c.4b04: supR3HardenedWinVerifyCacheInsert: \Device\HarddiskVolume3\Program Files\Manufacturer\Endpoint Agent\clpbm64.dll
282c.4b04: supR3HardenedWinVerifyCacheProcessImportTodos: Processing 'psapi.dll'...
282c.4b04: supR3HardenedWinVerifyCacheProcessImportTodos: 'psapi.dll' -> '\Device\HarddiskVolume3\Windows\System32\psapi.dll' [rcNtRedir=0xc0150008]
282c.4b04: supHardenedWinVerifyImageByHandle: -> 0 (\Device\HarddiskVolume3\Windows\System32\psapi.dll)
282c.4b04: supR3HardenedWinVerifyCacheInsert: \Device\HarddiskVolume3\Windows\System32\psapi.dll
282c.4b04: supR3HardenedWinVerifyCacheProcessImportTodos: Processing 'shlwapi.dll'...
282c.4b04: supR3HardenedWinVerifyCacheProcessImportTodos: 'shlwapi.dll' -> '\Device\HarddiskVolume3\Windows\System32\shlwapi.dll' [rcNtRedir=0xc0150008]
282c.4b04: supR3HardenedWinVerifyCacheScheduleImports: Import todo: #1 'msvcrt.dll'.
282c.4b04: supHardenedWinVerifyImageByHandle: -> 0 (\Device\HarddiskVolume3\Windows\System32\shlwapi.dll)
282c.4b04: supR3HardenedWinVerifyCacheInsert: \Device\HarddiskVolume3\Windows\System32\shlwapi.dll
282c.4b04: supR3HardenedWinVerifyCacheProcessImportTodos: Processing 'shell32.dll'...
282c.4b04: supR3HardenedWinVerifyCacheProcessImportTodos: 'shell32.dll' -> '\Device\HarddiskVolume3\Windows\System32\shell32.dll' [rcNtRedir=0xc0150008]
282c.17e4: \Device\HarddiskVolume3\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe: Signature #1/2: info status: 24202
282c.17e4: '\Device\HarddiskVolume3\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe' has no imports
282c.17e4: supHardenedWinVerifyImageByHandle: -> 24202 (\Device\HarddiskVolume3\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe)
282c.17e4: SUPR3HardenedMain: Respawn #2
282c.17e4: Error (rc=-5640):
282c.17e4: More than one thread in process
282c.17e4: Error -5640 in supR3HardenedWinReSpawn! (enmWhat=1)
282c.17e4: More than one thread in process
282c.17e4: supR3HardNtEnableThreadCreationEx:
282c.17e4: \Device\HarddiskVolume3\Program Files\Oracle\VirtualBox\VirtualBoxVM.dll: Signature #1/2: info status: 24202
scottgus1
Site Moderator
Posts: 20965
Joined: 30. Dec 2009, 20:14
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows, Linux

Re: Error -5640 in supR3HardenedWinReSpawn! (enmWhat=1)

Post by scottgus1 »

Added code tags to cut down the wall of text.

Zipped logs fit, and can be posted using the forum's Upload Attachment tab on the first day first post.

Something is hacking your core Windows DLLs, but what is doing it isn't apparent from the log snippet you posted. Note that a complete log can be generated when all error and VM windows for the VM are closed.

Please try again with the hardening log, zipped & posted per above. We'll need to see the final lines' exit code.

Diagnosing VirtualBox Hardening Issues

Post by kapila »

Attached the log
Attachments
VBoxHardening.zip

Post by scottgus1 »

Thanks for the log. The exit code is 1, and the error shown in the log is:
4d04.404c: Error -5640 in supR3HardenedWinReSpawn! (enmWhat=1)
4d04.404c: More than one thread in process
"More than one thread in process" is mentioned in the last paragraph here: viewtopic.php?f=25&t=82106#p387190. The log does not show what the offending injected program is; you'll have to look over your installed apps to see what might be causing this.

Post by kapila »

Thanks for the feedback. I'm not sure that I can follow the post you mentioned. However, I was able to install Fedora (Fedora-Workstation-Live-x86_64-36-1.5), but when I try to start it the next time from VB, I get the same error again.

However, it's working after more tries.

Post by kapila »

Can anyone help to fix this issue? I tried Ubuntu, but the same issue is there.
fth0
Volunteer
Posts: 5668
Joined: 14. Feb 2019, 03:06
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Linux, Windows 10, ...
Location: Germany

Post by fth0 »

Your problem lies on the host side. For a test, uninstall the CrowdStrike Falcon (or similar) software and reboot the host. Does the issue persist?

Post by kapila »

I can't find any such installation. Can you let me know from the logs which software exactly is blocking this? Because this is my company laptop, if something is there, I can point them to do the needful.
mpack
Site Moderator
Posts: 39156
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Mostly XP

Post by mpack »

As the hardening FAQ mentions, "more than one thread in process" is nearly always AV related, and it's usually some IT-provided Internet filtering feature: e.g. designed to stop employees watching porn or playing poker while on the office network.

Post by fth0 »

kapila wrote: Let me know from logs which software is exactly blocking this?
VBoxHardening.log file wrote:
\Device\HarddiskVolume3\Windows\System32\umppc15610.dll
Google "umppc", and you'll eventually discover CrowdStrike Falcon.
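
One way to pull candidate injected modules out of a VBoxHardening.log like the one in this thread, as an added example that is not part of the original posts or of VirtualBox: it groups lines by `pid.tid` and, for each process that logged an `Error ... in ...!` line, lists the images verified on any thread other than the first one to log. The sample lines are constructed in the format shown above; `triage` and its return shape are hypothetical, and treating the first logging thread as the main thread is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample, shaped like the VBoxHardening.log lines in this thread.
SAMPLE_LOG = r"""
282c.17e4: supHardenedWinVerifyImageByHandle: -> 0 (\Device\HarddiskVolume3\Windows\System32\kernel32.dll)
282c.17e4: supHardenedWinVerifyImageByHandle: -> 24202 (\Device\HarddiskVolume3\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe)
282c.4b04: supHardenedWinVerifyImageByHandle: -> 24202 (\Device\HarddiskVolume3\Program Files\Manufacturer\Endpoint Agent\clpbm64.dll)
282c.4b04: supHardenedWinVerifyImageByHandle: -> 0 (\Device\HarddiskVolume3\Windows\System32\psapi.dll)
282c.17e4: Error (rc=-5640):
282c.17e4: Error -5640 in supR3HardenedWinReSpawn! (enmWhat=1)
282c.17e4: More than one thread in process
"""

LINE_RE = re.compile(r"^([0-9a-f]+)\.([0-9a-f]+): (.*)$")
# Greedy path match so "Program Files (x86)" style paths survive intact.
VERIFY_RE = re.compile(r"supHardenedWinVerifyImageByHandle: -> (-?\d+) \((.+)\)$")
ERROR_RE = re.compile(r"Error (-?\d+) in (\w+)!")


def triage(log_text):
    """Return (errors, extra) where errors is [(pid, rc, function)] and
    extra maps (pid, tid) of non-first threads to [(rc, image_path)]."""
    first_tid = {}               # pid -> first thread seen logging (assumed main)
    images = defaultdict(list)   # (pid, tid) -> [(rc, path)] in log order
    errors = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue             # not a "pid.tid: message" line
        pid, tid, msg = m.groups()
        first_tid.setdefault(pid, tid)
        v = VERIFY_RE.search(msg)
        if v:
            images[(pid, tid)].append((int(v.group(1)), v.group(2)))
        e = ERROR_RE.search(msg)
        if e:
            errors.append((pid, int(e.group(1)), e.group(2)))
    failing = {pid for pid, _, _ in errors}
    extra = {key: imgs for key, imgs in images.items()
             if key[0] in failing and key[1] != first_tid[key[0]]}
    return errors, extra


if __name__ == "__main__":
    errs, extra = triage(SAMPLE_LOG)
    print(errs)
    for (pid, tid), imgs in extra.items():
        for rc, path in imgs:
            print(f"{pid}.{tid} rc={rc} {path}")
```

The first image listed for an extra thread is usually the module worth looking up; the entries after it are typically the system DLLs it imports.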

Post by kapila »

But how is it sometimes working?

Post by fth0 »

I don't know. Technically speaking, at the time of the check the VirtualBoxVM process should be still single-threaded, and the presence of another thread indicates a situation not tolerated by VirtualBox. Most of the time, so-called security software is involved, and in your case one was detected.

Post by kapila »

Thanks, I hope that it's something wrong with the company security software. I was able to do everything using VMware.