1 00:00:01,240 --> 00:00:06,760 So now the virtual machine has rebooted and restarted.
2 00:00:07,850 --> 00:00:11,060 So you can key in a user name if you want
3 00:00:13,910 --> 00:00:15,440 and click on Next.
4 00:00:17,500 --> 00:00:20,770 And I'm going to leave the password blank.
5 00:00:21,820 --> 00:00:28,030 And here you key in your product key.
6 00:00:28,620 --> 00:00:29,620 And uncheck this one.
7 00:00:30,670 --> 00:00:31,400 No, do not activate.
8 00:00:32,380 --> 00:00:33,520 And then click Next.
9 00:00:34,300 --> 00:00:38,170 If you don't have any product key, you can skip and do it later.
10 00:00:41,020 --> 00:00:45,520 So in this case here, we just skip this now and just click
11 00:00:47,660 --> 00:00:53,240 Skip, and then here click on Ask Me Later.
12 00:00:53,750 --> 00:00:56,450 And here you can set your time zone if you want.
13 00:00:57,300 --> 00:00:58,310 You can click on Next.
14 00:00:59,790 --> 00:01:01,770 And basically, there's nothing much to do here.
15 00:01:03,590 --> 00:01:05,210 Just select Home network.
16 00:01:06,510 --> 00:01:14,820 Now you can install your Guest Additions CD. Go up to Devices here, and select Insert Guest Additions
17 00:01:14,820 --> 00:01:15,120 CD.
18 00:01:18,740 --> 00:01:26,000 Next, open Explorer and go to Computer, and you get the Guest Additions CD here.
19 00:01:26,840 --> 00:01:28,790 So double click on this to install.
20 00:01:30,260 --> 00:01:36,170 And select the proper one for your system, which is actually x86.
21 00:01:36,830 --> 00:01:45,290 So double click this one, click Yes to run it, Next, and click Next.
22 00:01:47,310 --> 00:01:50,700 So the path is over here, Program Files.
23 00:01:53,660 --> 00:01:54,890 Click Next.
24 00:02:01,060 --> 00:02:04,300 And check this checkbox and click Install.
25 00:02:08,000 --> 00:02:14,600 And then click on Reboot now. It has finished, so you reboot the machine.
26 00:02:20,810 --> 00:02:26,390 Now you can go to full screen: you click on View, Full-screen Mode.
27 00:02:33,440 --> 00:02:40,600 If your virtual machine cannot go to full screen, then shut it down and then come down here.
28 00:02:40,930 --> 00:02:43,300 Select it, click on Settings.
29 00:02:44,330 --> 00:02:50,120 And then over here, select Display and increase this to 128.
30 00:02:51,690 --> 00:02:53,220 OK, yeah, the maximum.
31 00:02:53,820 --> 00:02:58,410 And then here, enable 3D acceleration and hit OK.
32 00:02:59,010 --> 00:02:59,120 Yeah.
33 00:03:01,160 --> 00:03:02,270 And then start it again.
34 00:03:07,320 --> 00:03:09,240 Now you can go to full screen mode.
35 00:03:12,780 --> 00:03:21,090 And there you have it. If you want to restore back to windowed mode, just move your cursor to the bottom
36 00:03:21,090 --> 00:03:23,400 of the screen and hold it there.
37 00:03:23,880 --> 00:03:27,750 And this bar will pop up and just click on this icon.
38 00:03:30,870 --> 00:03:39,300 Next, we set up the shared folder. So to create a shared folder, first you go to your
39 00:03:39,660 --> 00:03:40,290 host.
40 00:03:41,290 --> 00:03:50,440 And then create a new folder and give it a name, or any other name you prefer.
41 00:03:51,280 --> 00:03:52,360 And then in here,
42 00:03:55,240 --> 00:03:59,820 select the virtual machine and open Settings.
43 00:04:00,880 --> 00:04:10,360 And then click on this one here, Add New Shared Folder.
44 00:04:12,410 --> 00:04:14,930 And in Folder Path, select Other.
45 00:04:17,030 --> 00:04:25,880 And go to the folder which you created, this one, and click on Select Folder.
46 00:04:27,290 --> 00:04:31,590 Select Auto-mount and click on Make Permanent.
47 00:04:32,680 --> 00:04:34,720 Click OK, click OK again.
48 00:04:35,260 --> 00:04:36,430 And now go back here.
49 00:04:41,210 --> 00:04:49,070 Click on File Explorer and you should be able to see our shared folder mapped as a drive.
50 00:04:49,880 --> 00:04:56,000 So this is where you can share files between your host and your guest operating system.
51 00:04:56,840 --> 00:05:04,190 So whatever you put in here will also be available in your host, and vice versa.
52 00:05:05,420 --> 00:05:10,610 So now the next item is to disable Windows Update.
53 00:05:13,780 --> 00:05:15,180 You see, Windows Update.
54 00:05:19,420 --> 00:05:22,120 So to disable Windows Update,
55 00:05:30,970 --> 00:05:37,150 search for Update and click on the result
56 00:05:37,420 --> 00:05:37,860 we got.
57 00:05:40,240 --> 00:05:42,700 And here, Let me choose my settings.
58 00:05:43,730 --> 00:05:49,610 Select the option Never check for updates and then click OK.
59 00:05:54,280 --> 00:06:01,510 Because the updates will detect new viruses and so on, so you don't want your Windows to detect the virus
60 00:06:01,510 --> 00:06:02,620 that you are analysing.
61 00:06:06,450 --> 00:06:15,990 So the next item will be to disable Windows Defender. So to disable Windows Defender, over here,
62 00:06:18,190 --> 00:06:25,540 you search for Services, and here, click on Services.
63 00:06:26,110 --> 00:06:28,840 Windows Defender is the Windows antivirus.
64 00:06:35,910 --> 00:06:41,110 If you don't disable it, it will prevent you from analyzing malware.
65 00:06:43,050 --> 00:06:46,530 So scroll down and look for Windows Defender.
66 00:06:55,250 --> 00:06:59,270 Yeah, so right click on it and select Properties.
67 00:07:01,330 --> 00:07:08,560 At the moment, it is set to Automatic, so we change it to Disabled. Then stop this.
68 00:07:09,250 --> 00:07:12,700 Stop the service and Apply.
69 00:07:14,610 --> 00:07:17,700 OK, so now Windows Defender is disabled.
70 00:07:21,170 --> 00:07:24,680 The next thing you want is to disable the hide extensions setting.
71 00:07:27,560 --> 00:07:35,840 So open your File Explorer, open any directory and then here,
72 00:07:37,790 --> 00:07:44,270 select Folder Options, select the View tab, and then down here, scroll down.
73 00:07:46,700 --> 00:07:50,990 And uncheck this box, Hide extensions for known file types.
74 00:07:53,730 --> 00:07:58,470 So this one is disable hide extensions.
75 00:07:59,290 --> 00:08:00,750 Show hidden files and folders.
76 00:08:02,820 --> 00:08:06,930 So look for this and change it to enable Show hidden files and folders.
77 00:08:08,280 --> 00:08:15,840 So now with these two settings, you'll be able to see the file extensions. Click Apply,
78 00:08:15,850 --> 00:08:21,010 OK. So now if you go to any folder,
79 00:08:22,470 --> 00:08:24,480 yeah, the file extension will be visible.
80 00:08:30,130 --> 00:08:32,830 You can see the extensions are visible.
81 00:08:33,880 --> 00:08:38,870 This is important because malware sometimes masks its true type.
82 00:08:40,060 --> 00:08:44,170 It could be an exe file, and they name it PDF dot exe.
83 00:08:44,590 --> 00:08:47,950 And because the extension is hidden, you thought it is a PDF.
84 00:08:48,400 --> 00:08:54,130 The second one: also, hidden files are now visible.
85 00:08:54,160 --> 00:09:03,280 You want to see hidden files because some malware puts itself, or a copy of its executable, in some hidden file
86 00:09:03,280 --> 00:09:03,910 location.
87 00:09:04,450 --> 00:09:10,090 And if this is not enabled, you won't be able to see the hidden files.
88 00:09:12,860 --> 00:09:17,940 Next is to disable ASLR, which stands for address space layout
89 00:09:18,290 --> 00:09:27,350 randomisation. It is a security feature that randomises the memory addresses used by executable code, including
90 00:09:27,350 --> 00:09:33,110 DLLs, so that it makes it harder to analyze binary files.
91 00:09:34,160 --> 00:09:35,780 So you want to disable that.
92 00:09:35,780 --> 00:09:40,130 So it makes it easy for us to analyze the binary files of the malware.
93 00:09:41,720 --> 00:09:48,320 So to do that, to disable it, open the program called Registry Editor.
94 00:09:55,620 --> 00:09:58,470 And then we go to this location.
95 00:10:09,310 --> 00:10:16,930 HKEY_LOCAL_MACHINE. So the registry is where Windows keeps all these configurations.
96 00:10:17,680 --> 00:10:20,200 So, yes, open this and look for
97 00:10:21,440 --> 00:10:21,980 here,
98 00:10:23,620 --> 00:10:24,490 SYSTEM.
99 00:10:27,020 --> 00:10:32,930 And then look for CurrentControlSet, CurrentControlSet.
100 00:10:34,430 --> 00:10:35,630 And you look for Control.
101 00:10:37,830 --> 00:10:39,270 Look for Session Manager.
102 00:10:50,700 --> 00:11:01,230 And then look for Memory Management. Memory Management, click on it, and you see here we must add a new
103 00:11:01,680 --> 00:11:02,130 key.
104 00:11:05,650 --> 00:11:13,300 So just right click here, New, and the key type is DWORD value.
105 00:11:16,940 --> 00:11:21,950 And give it a name of MoveImages.
106 00:11:23,870 --> 00:11:25,430 The default is zero.
107 00:11:25,460 --> 00:11:26,390 So that is what we want.
108 00:11:26,440 --> 00:11:28,640 So this tells the memory manager not to move images.
109 00:11:29,150 --> 00:11:31,010 It means not to move the program,
110 00:11:31,310 --> 00:11:33,860 I mean, when it's loaded into memory, but
111 00:11:34,070 --> 00:11:37,310 keep its original specified entry point,
112 00:11:37,580 --> 00:11:40,070 as the programmer wrote the program.
113 00:11:41,150 --> 00:11:41,720 So that's it.
114 00:11:42,050 --> 00:11:43,540 So this will disable ASLR.
115 00:11:43,580 --> 00:11:49,010 So now you need to restart, reboot your computer, to have this take effect.
116 00:11:51,200 --> 00:11:53,360 The next thing is to disable Windows Firewall.
117 00:11:53,780 --> 00:11:54,770 So right click here.
118 00:11:55,370 --> 00:12:00,740 Search for Windows Firewall, or just type firewall.
119 00:12:02,120 --> 00:12:05,930 And select this one, Windows Defender Firewall.
120 00:12:08,780 --> 00:12:15,060 The reason is because if you want to analyze malware, malware typically will call its command and
121 00:12:15,060 --> 00:12:19,100 control center and try to connect to a server on the Internet.
122 00:12:19,550 --> 00:12:21,350 And you want to know where it goes.
123 00:12:21,830 --> 00:12:27,350 So you select Turn Windows Defender Firewall on or off.
124 00:12:29,390 --> 00:12:33,410 And here, select Off for both, click OK.
125 00:12:36,230 --> 00:12:38,540 It confirms that it is off.
126 00:12:41,320 --> 00:12:43,390 Next, on to creating a snapshot.
127 00:12:45,070 --> 00:12:53,950 So to create a snapshot, you can go down to the bottom, hold your mouse here and go to Machine.
128 00:12:54,370 --> 00:12:56,590 So just hold the mouse here at the bottom.
129 00:12:56,890 --> 00:12:59,740 Select Machine, Take Snapshot.
130 00:13:00,880 --> 00:13:08,350 And here you can name it if you want, for example, the month
131 00:13:11,150 --> 00:13:21,440 and the day, and say fresh install, and in here some description,
132 00:13:24,050 --> 00:13:32,060 configured, click OK, and it will create a snapshot of the state of the machine.
133 00:13:35,330 --> 00:13:38,300 If you want to restore, you have to shut it down first.
134 00:13:43,060 --> 00:13:43,600 Shut down.
135 00:13:47,110 --> 00:13:55,000 So after shutting down, you can see over here there is a list of all of these snapshots.
136 00:13:56,200 --> 00:14:01,660 So currently this is the initial fresh install, and here it says the current state has changed.
137 00:14:02,260 --> 00:14:08,800 If you want to revert back to fresh install, select it and Restore. And here,
138 00:14:08,800 --> 00:14:13,180 you uncheck this and click Restore, and it will restore to the previous state.
139 00:14:13,840 --> 00:14:20,260 As you can see from my earlier machine, my machine has got multiple snapshots.
140 00:14:20,830 --> 00:14:26,610 And if I wanted to go back to an earlier snapshot, all I have to do is select the earlier snapshot,
141 00:14:26,950 --> 00:14:27,730 click Restore.
142 00:14:29,810 --> 00:14:37,970 So this is useful for analysts because every time you run the malware, it will corrupt your registry
143 00:14:37,970 --> 00:14:45,440 and other things, and you always want to restore back to the previous state before the malware
144 00:14:45,440 --> 00:14:46,640 was executed.
145 00:14:47,720 --> 00:14:57,020 And this is the workflow for every malware analysis session: always remember to take a snapshot before
146 00:14:57,170 --> 00:15:03,740 you execute any malware and restore it back when you have finished.
147 00:15:04,400 --> 00:15:05,400 That's all.
148 00:15:05,690 --> 00:15:07,460 And thank you for watching.