I was browsing the web after trying to diagnose a flash drive not being recognized, when Windows Defender (of all things) (don't have MBAM Premium) caught some malware. After a scan with Malwarebytes, well, I'll show you the logs.
Log File: 716586a2-865c-11e9-acd4-00ffe6bad8d1.json
-Software Information-
Version: 3.7.1.2839
Components Version: 1.0.586
Update Package Version: 1.0.10890
License: Free
-System Information-
OS: Windows 10 (Build 17763.503)
CPU: x64
File System: NTFS
User: CHRISTIANS-ABSO\chris
-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 340797
Threats Detected: 5
Threats Quarantined: 5
Time Elapsed: 14 min, 9 sec
-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect
-Scan Details-
Process: 0
(No malicious items detected)
Module: 0
(No malicious items detected)
Registry Key: 0
(No malicious items detected)
Registry Value: 1
Hijack.ShellA.Gen, HKU\S-1-5-21-1013403379-1972433991-2537096884-1001\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON|SHELL, No Action By User, [6376], [187664],1.0.10890
Registry Data: 0
(No malicious items detected)
Data Stream: 0
(No malicious items detected)
Folder: 1
Trojan.StolenData, C:\USERS\CHRIS\APPDATA\ROAMING\DCLOGS, No Action By User, [3609], [250094],1.0.10890
File: 3
Trojan.StolenData, C:\USERS\CHRIS\APPDATA\ROAMING\DCLOGS\2019-06-03-2.dc, No Action By User, [3609], [250094],1.0.10890
PUP.Optional.Conduit, C:\USERS\CHRIS\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\WTR8M8IT.DEFAULT\PREFS.JS, No Action By User, [208], [301520],1.0.10890
MachineLearning/Anomalous.96%, C:\USERS\CHRIS\APPDATA\ROAMING\S1V6BWX0A8CBFXYS\RICZBDZBBGKY.EXE, No Action By User, [0], [392687],1.0.10890
Physical Sector: 0
(No malicious items detected)
WMI: 0
(No malicious items detected)
(end)
Here is what the keylogger got on me; too bad they won't get any passwords, as I keep mine stored away.
:: Update (8:04:35 PM)
:: EaseUS Windows Data Recovery Software - Mozilla Firefox (8:04:41 PM)
[<-]lo
:: Mozilla Firefox (8:06:36 PM)
twi
:: Aleis_M_Alpto on Twitter: "I pay 35€ for this. And it's half of what we are supposed to be receiving.… " - Mozilla Firefox (8:07:50 PM)
relatable, only move the decimal point to make it 1.107, we spu[<-][<-][<-]supposed to get 10 [<-], welcome to c[<-]rur[<-]al [<-][<-][<-]ral canada *****ing hell
:: Mozilla Firefox (8:08:00 PM) [at this time I find out about the malware]
trojan.stolenDATA
:: Server Not Found - Mozilla Firefox (8:11:00 PM)
[<-]to[<-][<-][<-]win34[<-]2/5[<-]64 troka[<-][<-]h[<-]jan.stolendata
my password t[<-]for twiiter: usr[<-]ername: *****youhe[<-]ackers69420
password: if you [<-][<-][<-][<-][<-][<-]fyouthoughtiwasthisstupidyou [<-]areretarded
:: @Stone_Shovel - Discord (8:18:53 PM)
holy ***** i download a program to try to fix a flashd [<-][<-] drive, find out its actually a *****ing [<-][<-][<-][<-][<-][<-][<-][<-][<-][<-][<-][<-][<-][<-][<-][<-][<-][<-][<-][<-][<-] had a keylogger hidden in it, hijack.shell.a [<-], and a [<-][<-]some machine learning bus[<-][<-][<-]***** on it. if windows defene[<-]der was [<-]nt there i couldve gotten ***** stolen
:: Clipboard Change : size = 6 Bytes (8:18:53 PM)
cyr666
:: Cortana (8:19:55 PM)
instagram
:: Instagram (8:20:10 PM)
It started logging immediately after I installed the software, and from the tab of the URL I was on, it was the official site. It is still logging, but it isn't getting anything useful for now.