Konstantin Yudin,
Preventive Protection event: Inject to protected/system process id: 7781, timestamp: 16:30:43.910, type: PsInject (43), flags: 1 (wait: 1) sid: S-1-5-21-2443128806-2598492710-3175407268-1000,
  cid: 8004/8008:\Device\HarddiskVolume2\Program Files (x86)\Babylon\Babylon-Pro\BabylonHelper64.exe
  context: start addr: 0x13f3079b8, image: 0x13f300000:\Device\HarddiskVolume2\Program Files (x86)\Babylon\Babylon-Pro\BabylonHelper64.exe
  hips: type: 18, action: deny [5]
  curdir: C:\Windows\system32\, cmd: "C:\Program Files (x86)\Babylon\Babylon-Pro\BabylonHelper64.exe" -Embedding
  fileinfo: size: 151560, easize: 39, attr: 0x20, buildtime: 17.12.2017 14:52:48.000, ctime: 17.12.2017 14:53:10.000, atime: 09.01.2020 09:48:57.564, mtime: 17.12.2017 14:53:10.000, descr: Babylon Support for 64-bit OS, ver: 11.0.0.26, company: Babylon Software Ltd., oname: BabylonHelper.exe
  signer: C=IL|ST=Tel Aviv|L=Or Yehuda|O=Babylon Software|CN=Babylon Software, timestamp: 17.12.2017 14:53:07.000, thumbprint: 66f99e57de9bd9a531d7406c02e0ab1f9996dcf6
  file sha1: 334dad9472bc71b7abfa95a762916392230966a1
  file sha256: 0e1bc4c5a1ddce51b0798edd5b2d6ec2fee1b6189cca31a4ce5f9fe6e77a4d51
  status: signed, pe64, new_pe, db_cert_grey / signed / unknown / unknown / grey
  inject: CreateThread [3], flags: 0x40, start addr: 0x76e05fc0, addr: 0x0, param: 0x5a60000, len: 0,
  target: bitness: 64, init: 1, image: \Device\HarddiskVolume2\Program Files\Mozilla Firefox\firefox.exe:7856
  fileinfo: size: 567496, easize: 0, attr: 0x20, buildtime: 08.01.2020 01:04:47.000, ctime: 31.10.2019 21:20:28.615, atime: 08.01.2020 19:36:15.940, mtime: 08.01.2020 19:36:15.943, descr: Firefox, ver: 72.0.1, company: Mozilla Corporation, oname: firefox.exe
  signer: C=US|ST=California|L=Mountain View|O=Mozilla Corporation|OU=Release Engineering|CN=Mozilla Corporation, timestamp: 08.01.2020 01:30:16.000, thumbprint: 74b2e146a82f2b71f8eb4b13ebbb6f951757d8c2
  file sha1: 704d5d7a43739f456d21e1a9b651f44c16d1e73b
  file sha256: 75b7a0d3a21800555e12f393c23ce18d5705ddae271347639b7b8daaca19c480
  status: db_cert_white_list, signed, pe64, db_cert_protected / signed / unknown / unknown / white
  inject attrib: call kernel32.dll!LoadLibraryW
  loaded image: \Device\HarddiskVolume2\Program Files (x86)\Babylon\Babylon-Pro\Captlib64.dll
  fileinfo: size: 265224, easize: 39, attr: 0x20, buildtime: 17.12.2017 14:52:48.000, ctime: 17.12.2017 14:53:10.000, atime: 09.01.2020 09:48:57.814, mtime: 17.12.2017 14:53:10.000, descr: Babylon Information Tool, ver: 11.0.0.26, company: Babylon Software Ltd., oname: captlib
  signer: C=IL|ST=Tel Aviv|L=Or Yehuda|O=Babylon Software|CN=Babylon Software, timestamp: 17.12.2017 14:53:09.000, thumbprint: 66f99e57de9bd9a531d7406c02e0ab1f9996dcf6
  file sha1: dda9da081a8e922a0396ba2a1b3abedc9949eca9
  file sha256: 3c82510b4388d653240a500f0daa08614d1b13c8bcd7deeb4990c5641a6a883b
  status: signed, pe64, new_pe, dll, db_cert_grey / signed / unknown / unknown / grey
  threat: DPH:Trojan.Inject.3.64 ==> send user blocked alert
  path: \Device\HarddiskVolume2\Program Files (x86)\Babylon\Babylon-Pro\Captlib64.dll ==> denied access to file
  path: \Device\HarddiskVolume2\Program Files (x86)\Babylon\Babylon-Pro\Captlib64.dll ==> quarantined
  disinfect: \Device\HarddiskVolume2\Program Files (x86)\Babylon\Babylon-Pro\Captlib64.dll ==> quarantined, reboot required [1000008]
  analyze object behavior and find traces: can't find traces for object: \Device\HarddiskVolume2\Program Files (x86)\Babylon\Babylon-Pro\Captlib64.dll
  threat: DPH:Trojan.Inject.3.64 ==> sended user virus found alert
  path: \Device\HarddiskVolume2\Program Files (x86)\Babylon\Babylon-Pro\BabylonHelper64.exe ==> denied access to file
  process: \Device\HarddiskVolume2\Program Files (x86)\Babylon\Babylon-Pro\BabylonHelper64.exe:8004 ==> suspended all threads in process
  path: \Device\HarddiskVolume2\Program Files (x86)\Babylon\Babylon-Pro\BabylonHelper64.exe ==> quarantined
  send driver event reply for unblock process ==> success
  process: \Device\HarddiskVolume2\Program Files (x86)\Babylon\Babylon-Pro\BabylonHelper64.exe:8004 ==> terminated
  disinfect: \Device\HarddiskVolume2\Program Files (x86)\Babylon\Babylon-Pro\BabylonHelper64.exe ==> quarantined [8]
  analyze object behavior and find traces: can't find traces for object: \Device\HarddiskVolume2\Program Files (x86)\Babylon\Babylon-Pro\BabylonHelper64.exe
  threat: DPH:Trojan.Inject.3.64 ==> sended user virus found alert
  id: 7781 ==> denied [5], time: 504253.841775 ms
Neutralized object: \Device\HarddiskVolume2\Program Files (x86)\Babylon\Babylon-Pro\BabylonHelper64.exe - quarantined [threat name: DPH:Trojan.Inject.3.64, action: 3, type: 0, ret: 8, time: 102768.241020 ms]
Object information:
  fileinfo: size: 151560, easize: 39, attr: 0x20, buildtime: 17.12.2017 14:52:48.000, ctime: 17.12.2017 14:53:10.000, atime: 09.01.2020 09:48:57.564, mtime: 17.12.2017 14:53:10.000, descr: Babylon Support for 64-bit OS, ver: 11.0.0.26, company: Babylon Software Ltd., oname: BabylonHelper.exe
  signer: C=IL|ST=Tel Aviv|L=Or Yehuda|O=Babylon Software|CN=Babylon Software, timestamp: 17.12.2017 14:53:07.000, thumbprint: 66f99e57de9bd9a531d7406c02e0ab1f9996dcf6
  file sha1: 334dad9472bc71b7abfa95a762916392230966a1
  file sha256: 0e1bc4c5a1ddce51b0798edd5b2d6ec2fee1b6189cca31a4ce5f9fe6e77a4d51
  status: signed, pe64, new_pe, db_cert_grey / signed / unknown / unknown / grey
Message edited by ЛСергей: 11 January 2020 - 00:04
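The event above is a single HIPS decision on a CreateThread injection whose entry point is LoadLibraryW, with the DLL path passed as the thread parameter. As an added example (my code, not the product's and not the poster's), here is a parser that pulls the three parties out of that event text (injecting process, target process, loaded DLL), the injection method, and the reputation verdicts, and then lists the points a reviewer would check before deciding whether the block was a false positive. The EVENT string is the post's own log trimmed to the fields the parser reads; the field names, segment boundaries and regular expressions are my reading of the format as it appears in the post, not a documented schema.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the event text from the post, trimmed to the fields this
# parser reads (the original also carries a fileinfo block for each file).
EVENT = (
    "Preventive Protection event: Inject to protected/system process id: 7781, "
    "timestamp: 16:30:43.910, type: PsInject (43), flags: 1 (wait: 1) "
    "sid: S-1-5-21-2443128806-2598492710-3175407268-1000, "
    "cid: 8004/8008:\\Device\\HarddiskVolume2\\Program Files (x86)\\Babylon\\Babylon-Pro\\BabylonHelper64.exe "
    "context: start addr: 0x13f3079b8, image: 0x13f300000:\\Device\\HarddiskVolume2\\Program Files (x86)\\Babylon\\Babylon-Pro\\BabylonHelper64.exe "
    "hips: type: 18, action: deny [5] "
    "signer: C=IL|ST=Tel Aviv|L=Or Yehuda|O=Babylon Software|CN=Babylon Software, "
    "timestamp: 17.12.2017 14:53:07.000, thumbprint: 66f99e57de9bd9a531d7406c02e0ab1f9996dcf6 "
    "status: signed, pe64, new_pe, db_cert_grey / signed / unknown / unknown / grey "
    "inject: CreateThread [3], flags: 0x40, start addr: 0x76e05fc0, addr: 0x0, param: 0x5a60000, len: 0, "
    "target: bitness: 64, init: 1, image: \\Device\\HarddiskVolume2\\Program Files\\Mozilla Firefox\\firefox.exe:7856 "
    "signer: C=US|ST=California|L=Mountain View|O=Mozilla Corporation|OU=Release Engineering|CN=Mozilla Corporation, "
    "timestamp: 08.01.2020 01:30:16.000, thumbprint: 74b2e146a82f2b71f8eb4b13ebbb6f951757d8c2 "
    "status: db_cert_white_list, signed, pe64, db_cert_protected / signed / unknown / unknown / white "
    "inject attrib: call kernel32.dll!LoadLibraryW "
    "loaded image: \\Device\\HarddiskVolume2\\Program Files (x86)\\Babylon\\Babylon-Pro\\Captlib64.dll "
    "signer: C=IL|ST=Tel Aviv|L=Or Yehuda|O=Babylon Software|CN=Babylon Software, "
    "timestamp: 17.12.2017 14:53:09.000, thumbprint: 66f99e57de9bd9a531d7406c02e0ab1f9996dcf6 "
    "status: signed, pe64, new_pe, dll, db_cert_grey / signed / unknown / unknown / grey "
    "threat: DPH:Trojan.Inject.3.64 ==> send user blocked alert"
)


@dataclass
class Module:
    """One file involved in the event: the injector, the target, or the loaded DLL."""
    path: str
    pid: Optional[int] = None
    thumbprint: str = ""          # signer certificate thumbprint (SHA-1 hex)
    flags: List[str] = field(default_factory=list)  # comma list before the first " / " in status:
    verdict: str = ""             # last token of status: (grey / white / ...)


@dataclass
class InjectEvent:
    event_id: int
    kind: str          # PsInject
    action: str        # hips action (deny / allow)
    method: str        # CreateThread, ...
    start_addr: int    # thread start address in the target
    param: int         # thread parameter (here: pointer to the DLL path string)
    attrib: str        # resolved symbol for start_addr, e.g. kernel32.dll!LoadLibraryW
    threat: str
    injector: Module
    target: Module
    loaded: Module


def _segment(text: str, start: str, end: str) -> str:
    """Slice between the first occurrence of `start` and the next occurrence of `end`."""
    s = text.index(start) + len(start)
    return text[s:text.index(end, s)]


def _module(seg: str, path: str, pid: Optional[int] = None) -> Module:
    """Fill signer thumbprint and status verdict from one file's segment of the event."""
    m = Module(path=path, pid=pid)
    t = re.search(r"thumbprint: ([0-9a-f]{40})", seg)
    if t:
        m.thumbprint = t.group(1)
    st = re.search(r"status: (.+?) / \w+ / \w+ / \w+ / (\w+)", seg)
    if st:
        m.flags = [f.strip() for f in st.group(1).split(",")]
        m.verdict = st.group(2)
    return m


def parse_event(text: str) -> InjectEvent:
    head = re.search(r"process id: (\d+),.*?type: (\w+) \((\d+)\)", text)
    hips = re.search(r"hips: type: \d+, action: (\w+) \[\d+\]", text)
    inj = re.search(r"inject: (\w+) \[\d+\], flags: (0x[0-9a-f]+), start addr: (0x[0-9a-f]+), "
                    r"addr: (0x[0-9a-f]+), param: (0x[0-9a-f]+)", text)
    attrib = re.search(r"inject attrib: call (\S+)", text)
    threat = re.search(r"threat: (\S+)", text)
    if not (head and hips and inj and attrib and threat):
        raise ValueError("not a PsInject event in the expected layout")

    # Injector: from "cid: pid/tid:path" up to the "inject:" block.
    inj_seg = _segment(text, "cid: ", " inject: ")
    cid = re.match(r"(\d+)/(\d+):(.+?) context:", inj_seg)
    injector = _module(inj_seg, cid.group(3), int(cid.group(1)))

    # Target: from "target:" up to "inject attrib:"; image is "path:pid".
    tgt_seg = _segment(text, "target: ", " inject attrib: ")
    img = re.search(r"image: ([^:]+):(\d+)", tgt_seg)
    target = _module(tgt_seg, img.group(1), int(img.group(2)))

    # Loaded DLL: from "loaded image:" up to the verdict line.
    dll_seg = _segment(text, "loaded image: ", " threat: ")
    dll_path = re.match(r"(.+?) (?:fileinfo|signer|status): ", dll_seg).group(1)
    loaded = _module(dll_seg, dll_path)

    return InjectEvent(int(head.group(1)), head.group(2), hips.group(1), inj.group(1),
                       int(inj.group(3), 16), int(inj.group(5), 16), attrib.group(1),
                       threat.group(1), injector, target, loaded)


def classify(ev: InjectEvent) -> List[str]:
    """Reviewer checklist derived from the parsed event."""
    out = []
    if ev.method == "CreateThread" and re.search(r"!LoadLibrary[AW]$", ev.attrib):
        out.append(f"remote thread started at {ev.attrib}: classic DLL injection, "
                   f"param 0x{ev.param:x} is the DLL path written into the target")
    if ev.injector.thumbprint and ev.injector.thumbprint == ev.loaded.thumbprint:
        out.append("loaded DLL carries the injector's own signing certificate (same product, not a planted DLL)")
    if "db_cert_protected" in ev.target.flags:
        out.append(f"target {ev.target.path.rsplit(chr(92), 1)[-1]} (pid {ev.target.pid}) is a protected, whitelisted process")
    if ev.injector.verdict == "grey" and ev.target.verdict == "white":
        out.append("grey-reputation code injecting into a white-reputation process")
    return out


if __name__ == "__main__":
    ev = parse_event(EVENT)
    print(f"{ev.kind} #{ev.event_id}: {ev.injector.path} (pid {ev.injector.pid}) -> "
          f"{ev.target.path} (pid {ev.target.pid}) via {ev.method}, action {ev.action}, {ev.threat}")
    for line in classify(ev):
        print(" -", line)
```

The segment boundaries matter more than the regexes: `signer:`, `thumbprint:` and `status:` each occur three times in one event, once per file, so the parser first cuts the text at `cid:`, `target:` and `loaded image:` and only then searches inside each slice. Running this over the post's event yields four findings, and the second one (the DLL is signed with the same certificate as the injector) is the fact that points at a vendor's own helper rather than at a hijacked process.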