WEBVTT

00:01.440 --> 00:09.450
A review of the results from a variety of sources has indicated that the process 1956 and the associated

00:09.450 --> 00:16.530
executable reader_sl that has the process ID 228 is suspected of containing malware.

00:16.530 --> 00:24.780
So hands up reader as, and while the data thus far is very useful, it is often necessary to obtain confirmation

00:24.780 --> 00:29.550
from external sources that the executable in question is malicious.

00:29.670 --> 00:36.990
So this can include something as simple as checking the hash of the executable against third party sources

00:36.990 --> 00:42.660
all the way to forwarding the executable to a malware reverse engineering team.

00:42.780 --> 00:50.190
So to acquire the executable from the memory image, utilize procdump.

00:50.190 --> 00:52.980
This means process and dump means dump here.

00:52.980 --> 00:57.600
So we're going to use the process dump plugin.

00:57.600 --> 01:04.330
And yeah, its syntax in Volatility is actually pretty much the same as the previous dump process,

01:04.690 --> 01:07.600
which is the following command here.

01:07.600 --> 01:10.360
As you can see here, it is the same actually.

01:10.360 --> 01:12.010
So we're not going to choose another.

01:13.590 --> 01:13.920
Here.

01:15.280 --> 01:17.430
I want to see another list here.

01:17.850 --> 01:22.860
So in this case, we're going to just list the.

01:23.100 --> 01:23.760
Okay.

01:25.580 --> 01:26.210
Uh, list.

01:27.770 --> 01:28.060
List.

01:28.070 --> 01:28.580
Yeah.

01:29.050 --> 01:30.470
Uh, list.

01:31.430 --> 01:32.150
As you can see.

01:32.180 --> 01:32.780
Oops.

01:32.810 --> 01:33.500
Why?

01:35.780 --> 01:37.970
Oh, yeah, that's because of this.

01:43.850 --> 01:50.450
And as you can see, the reader_sl one is 228, the 1956.

01:50.870 --> 01:53.290
And yeah, let's dump it.

01:54.230 --> 01:55.250
Dump it here.

01:59.580 --> 02:03.200
So clear here.

02:03.210 --> 02:09.570
We're going to use the procdump, process dump, P or proc.

02:10.260 --> 02:13.110
Proc dump.

02:15.000 --> 02:15.630
Yeah.

02:16.690 --> 02:18.220
The dumpster is the same.

02:18.250 --> 02:26.440
The process virtual memory is the same, but the process, we're going to also dump the executable like the

02:26.440 --> 02:27.460
explorer.exe.

02:28.210 --> 02:34.720
But now in this case, we're going to just dump the reader_sl, that's the main malware, the main

02:34.720 --> 02:36.850
executable that contains malware here.

02:37.510 --> 02:38.170
Okay.

02:38.170 --> 02:40.390
So in there.

02:42.620 --> 02:43.160
Okay.

02:43.160 --> 02:48.740
As you can see, executable 228 dot exe is dumped, named reader_sl.

02:49.040 --> 02:52.670
And yeah, let's open this up here.

02:52.700 --> 02:54.800
Desktop volatility.

02:54.860 --> 02:55.880
Volatility.

02:56.150 --> 02:56.720
Yeah.

02:56.720 --> 02:58.550
Let's see what's in here.

02:58.790 --> 03:00.740
Executable dump is dumped here.

03:00.740 --> 03:02.450
And let's change the numbers.

03:02.450 --> 03:04.850
So change the name.

03:05.010 --> 03:05.180
Okay.

03:05.220 --> 03:07.730
0010001.

03:07.730 --> 03:08.510
Here.

03:09.050 --> 03:10.700
Um, like, name it.

03:11.900 --> 03:12.870
Reader_sl.

03:14.210 --> 03:15.250
Reader_sl.

03:16.290 --> 03:16.740
Dump.

03:19.020 --> 03:21.540
Okay, this is reader dump exe file.

03:22.380 --> 03:23.010
So.

03:23.010 --> 03:25.230
So make sure that you don't open this file.

03:25.280 --> 03:30.330
You don't want to, like, infect your computer with these files, but they're actually pretty, like,

03:30.330 --> 03:32.310
old malware.

03:32.340 --> 03:35.220
Probably your antivirus program will

03:36.270 --> 03:37.050
notify it.

03:37.050 --> 03:42.810
Or, uh, probably this malware will not work on Windows 10 or newer versions because it is

03:42.840 --> 03:45.360
written for Windows XP Service Pack 2.

03:45.780 --> 03:49.920
Let's make sure, like, uh, who wants to get their PC infected?

03:50.370 --> 03:53.640
So, as you can see, we check the folder we have.

03:53.640 --> 03:56.760
Like, we dumped the dump.

03:56.790 --> 03:58.590
We dumped the executable.

03:59.580 --> 04:00.210
Uh, yeah.

04:00.210 --> 04:04.500
We dumped the Explorer dot exe and the reader dump, malicious.

04:04.500 --> 04:09.690
As you can see, this is a pretty big file because we dumped the whole Explorer file.

04:09.690 --> 04:15.690
And inside this explorer, there is a little, uh, little dump here, but I just wanted to.

04:15.720 --> 04:20.010
But we actually can also use the dump.

04:20.190 --> 04:21.360
Uh, no, we don't want to.

04:22.080 --> 04:22.180
We.

04:22.310 --> 04:24.690
We want to do the.

04:27.010 --> 04:27.310
Now.

04:27.310 --> 04:27.940
It's okay.

04:28.450 --> 04:33.700
Yeah, we don't have to because we already dumped the Explorer dot exe here.

04:33.940 --> 04:41.650
So once the files have been acquired here, they can be analyzed for malware either by the incident

04:41.650 --> 04:44.740
response team or through a separate malware analysis team.

04:44.740 --> 04:51.460
So these files will make up a significant portion of the analysis in, actually, the next lectures.

04:51.460 --> 04:59.380
So in the next lecture we're going to do an analysis of the files for further investigation, and yeah.

05:01.250 --> 05:05.320
In the next lecture, we're going to analyze these files.

05:05.330 --> 05:06.650
So that's it.

05:06.650 --> 05:07.850
About this section.

05:08.030 --> 05:10.790
With this, you have successfully completed this section.

05:11.060 --> 05:16.550
Actually, after this lecture, you're going to have a practice test with which you can test

05:16.550 --> 05:17.540
your practices.

05:17.750 --> 05:20.990
It's going to probably have ten questions or more.

05:21.290 --> 05:26.570
So if you like this course, make sure, like, uh, to give reviews.

05:26.750 --> 05:29.960
And I, it's like, it will make me happy.

05:30.290 --> 05:32.030
So thank you for watching.

05:32.030 --> 05:37.610
And yeah, in the next lecture, we're going to analyze these files, or yeah, we can actually, uh, do

05:37.610 --> 05:39.830
more acquisition processes.

05:39.830 --> 05:43.760
But in the next lecture, mainly in the next section, we're going to analyze these files.

05:43.760 --> 05:44.990
So goodbye.
