atcuno
commented
7 years ago Hey lad,
These hits are likely the remnants of the Windows Defender signature database. When AV loads into memory it will also load its signature database in as well in order to have it available for scanning. This will leave many malicious looking artifacts in memory that aren't actually part of active malware infections.
We discuss many issues like this, and how to work around them in our memory forensics book: https://www.amazon.com/Art-Memory-Forensics-Detecting-Malware/dp/1118825098
I am going to close the ticket, but please let us know if you have any further issues.
lad101880
Hi,
I downloaded a copy of Windows 7 64 Enterprise edition from Microsoft Website (volume license). I installed it and after the installation I took a copy its memory if the installer is clean. I notice there was a mimikatz in the string using the tool strings. SO i decided to use the strings plugin in volatility and it should that the mimikatz is in FREE MEMORY. Does it mean that Microsoft installer is already infected? Has anyone from your team already noticed this? I hope there is an answer about this
First, I extracted memory (A.raw) on the machines: Command1: strings -o A.raw | grep imikat > mimikatz.txt Results: 25344300513 .\mimikatz.exe 26416362660 .\mimikatz.exe
Command2: volatility --profile=Win7SP0x64 -f A.mem strings -s mimikatz.txt Results: [FREE MEMORY] .\mimikatz.exe [FREE MEMORY] .\mimikatz.exe