Silly_P2P.H - whatislove.zip
I am running Windows 10 Professional Edition build 18363 (64-bit) using Boot Camp on a MacBook Pro ("Laptop").
After wiping the Windows partition and installing Windows 10 Pro, I installed Immunet's CLAM AV software.
I then used Magnet Forensics' RAM capture tool to dump the 16GB of RAM on my Laptop as a .RAW file.
I used OSForensics to extract all strings from the .RAW file and came across the below string:
TO DECRYPT FILES\r\nNobody can help you - even don't try\r\nWe can help to solve this task for $120 via wire transfer\r\nBancos.XQ.\r\nSilly_P2P.H\r\nAAnderson\r\nchatwnd.sendfile\r\nmsgplus.scriptfilespath\r\nwhatislove.zip
Is the aforementioned string referencing "Silly_P2P.H" and the ransomware language the direct result of Microsoft Defender and/or the Immunet CLAM AV antivirus software, or is my MacBook Pro potentially infected by malware? I have been informed that "whatislove.zip" is a common keylogger delivery file name.
Neither Microsoft Defender nor the Immunet antivirus software are generating any warnings on my MacBook.
Before wiping my MacBook's Windows partition and reinstalling Windows, I had definitely used the same MacBook to perform forensic analysis of an E01 forensic image of a different laptop in which not only the aforementioned Silly_P2P reference appears in the pagefile.sys but also many other references to malware.
So basically I am trying to determine if my MacBook has been infected as a direct result of analyzing another computer infected by the Silly_P2P/Stuxnet worm malware, or, if Microsoft Defender and/or Immunet CLAM AV generates references to Silly_P2P in a given computer's RAM.
Ketchup or Blood?
Thoughts and advice please.
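One check worth doing before deciding either way is to look at what sits around the hit in the dump rather than at the string on its own. The example below is added here and is not from the original post or from any of the tools named in it; it pulls printable strings with their offsets out of a raw buffer and returns the neighbouring strings of any hit, and the sample buffer is a constructed stand-in for a slice of the .RAW file, not real dump data.

```python
import re

# Constructed stand-in for a slice of the 16GB .RAW dump (not real data).
# The first entry is a made-up placeholder, not a real signature-database marker.
SAMPLE_DUMP = (
    b"\x00\x00constructed-sigdb-header\x00\x00"
    b"TO DECRYPT FILES\r\nNobody can help you - even don't try\x00"
    b"Bancos.XQ.\x00Silly_P2P.H\x00AAnderson\x00chatwnd.sendfile\x00"
    b"msgplus.scriptfilespath\x00whatislove.zip\x00\x00"
)


def extract_strings(buf, min_len=4):
    """Return (offset, text) for every run of printable ASCII (CR/LF allowed,
    so a multi-line ransom note stays one string) of at least min_len bytes."""
    pattern = rb"[\x20-\x7e\r\n]{%d,}" % min_len
    return [(m.start(), m.group().decode("ascii")) for m in re.finditer(pattern, buf)]


def neighbours(strings, needle, radius=3):
    """For each extracted string containing needle, return its offset and the
    strings on either side of it, so the hit can be judged in context: a run of
    detection names next to each other reads very differently from a string
    sitting next to a process's own configuration or code."""
    hits = []
    for i, (off, text) in enumerate(strings):
        if needle in text:
            lo, hi = max(0, i - radius), i + radius + 1
            hits.append((off, [t for _, t in strings[lo:hi]]))
    return hits


if __name__ == "__main__":
    found = extract_strings(SAMPLE_DUMP)
    for off, context in neighbours(found, "Silly_P2P.H", radius=2):
        print("hit at offset 0x%x, surrounding strings:" % off)
        for s in context:
            print("   ", repr(s))
```

On the real dump, read the .RAW file into `buf` (or process it in chunks) and call `neighbours` with the string in question; the surrounding entries are what tell you whether you are looking at scanner data or at something that belongs to a running program.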