1 00:00:05,880 --> 00:00:12,060 Identifying the registry entry for persistence and the running processes that are related to the malware requires
2 00:00:12,390 --> 00:00:12,930 tools.
3 00:00:13,920 --> 00:00:17,820 There are existing tools that we can use to extract these objects.
4 00:00:18,690 --> 00:00:26,760 There are two analyses we shall consider: analysis after the malware has been executed, and analysis
5 00:00:26,760 --> 00:00:30,050 before the malware executes.
6 00:00:30,060 --> 00:00:33,480 Since our aim for this chapter is to extract components,
7 00:00:33,670 --> 00:00:38,280 we will discuss the tools that can help us find suspected files.
8 00:00:39,150 --> 00:00:45,300 Analysis tools that are used after we have extracted our suspected malware will be discussed in the
9 00:00:45,300 --> 00:00:47,790 future lectures of this course.
10 00:00:50,030 --> 00:00:56,210 When a system has already been compromised, the analyst will need to use the tools that can identify
11 00:00:56,210 --> 00:00:57,320 suspected files.
12 00:00:58,310 --> 00:01:06,920 Each suspected file will be analyzed further. To start off, we can identify files based on persistence:
13 00:01:08,180 --> 00:01:15,170 list the auto-start processes and their respective file information to form the list of known suspected persistence
14 00:01:15,170 --> 00:01:15,640 paths.
15 00:01:15,950 --> 00:01:18,590 Look for entries containing file paths
16 00:01:19,600 --> 00:01:28,690 to executables suspected of abuse. This may require pre-existing tools from Microsoft Windows,
17 00:01:29,200 --> 00:01:36,220 such as the Registry Editor (regedit) or the reg utility, to search the registry.
18 00:01:36,610 --> 00:01:43,030 You can also use the command-line tool for accessing the registry, reg.exe, as seen in the following
19 00:01:43,030 --> 00:01:43,630 screenshot.
20 00:01:49,690 --> 00:01:58,600 Task Manager (taskmgr) lists the running processes, and Windows Explorer (explorer) or the Command Prompt,
21 00:01:59,170 --> 00:02:04,060 known as cmd, can traverse directories and retrieve the files.
22 00:02:04,640 --> 00:02:11,060 However, there are also third-party tools that we can use that can help us list suspected files.
23 00:02:11,740 --> 00:02:16,390 We will briefly discuss Autoruns and Process Explorer.
24 00:02:17,810 --> 00:02:24,440 Autoruns lists, as we saw earlier in this lecture, the common registry entries, jobs, and
25 00:02:24,440 --> 00:02:25,370 file locations.
26 00:02:26,780 --> 00:02:34,070 The bottom line is that this tool covers all of those, including other areas we have not discussed,
27 00:02:35,240 --> 00:02:42,050 such as Microsoft Office add-ins, codecs, and print monitors, as can be seen in the following screenshot.
28 00:02:46,490 --> 00:02:55,370 There are 32-bit and 64-bit versions of Autoruns. The tool shows all possible triggers for
29 00:02:55,370 --> 00:03:04,010 an executable, which is based on the research of Sysinternals. Autoruns essentially categorizes
30 00:03:04,010 --> 00:03:11,930 each auto-run entry, shows a description of each entry, and indicates the file path related to the
31 00:03:12,320 --> 00:03:15,350 entry. As reverse engineers,
32 00:03:15,710 --> 00:03:21,830 identification of a suspected file can be determined by having knowledge of what files are common to
33 00:03:21,830 --> 00:03:29,870 start at startup prior to the system getting compromised. Continuous practice and experience will
34 00:03:29,870 --> 00:03:35,570 make the reverse engineer easily identify which are good or suspected executable files.
35 00:03:37,660 --> 00:03:44,680 Process Explorer. In a sense, the Process Explorer tool is similar to the Task Manager, as demonstrated
36 00:03:44,680 --> 00:03:45,970 in the following screenshot.
37 00:03:46,970 --> 00:03:53,030 The advantage of this tool is that it can show more information about the process itself, such as how
38 00:03:53,030 --> 00:03:59,540 it was run, including the parameters used, and its autostart location, as can be seen in the
39 00:03:59,540 --> 00:04:01,510 following screenshot.
40 00:04:02,720 --> 00:04:10,280 In addition, Process Explorer has tools to send it to VirusTotal, shows a list of strings identified
41 00:04:10,280 --> 00:04:16,150 from its image, and shows the threads associated with it. From a reverser's point of view,
42 00:04:16,700 --> 00:04:18,470 the useful information here
43 00:04:18,470 --> 00:04:20,030 is the command-line usage
44 00:04:20,360 --> 00:04:29,390 and also the autostart location. VirusTotal is an online service that scans submitted files or URLs using multiple
45 00:04:29,390 --> 00:04:32,630 security software, as demonstrated in the following screenshot.