I have an interesting malware sample here. It's interesting because it's easy to do dynamic analysis of its memory: look at the strings in memory, and do a dump. Let me show you.

So this is the sample; it's an executable. I'll make a copy like this, and let's execute it. You see it elevates, and it has a digital signature. Now, let me move this to the side, and we get an error: a "connection to server" error. It's not able to connect to its C&C server. Now the interesting thing is that this malware is actually still running, so the process still exists. So we can now look at memory easily with Process Explorer from Sysinternals. So let me run this. I also elevate it, otherwise it will not be able to look into the process.

So let me point to this process, and here we have malware, and I can look at the properties. In the properties I can go to the Strings tab, and here you have all the strings that are found in the file, which is obfuscated. But here you also have all the strings that you can find in memory. Here the strings are no longer obfuscated. So for example, if I search for .ru I will find here two domains, while if I search for this in the file itself I will not find it. I find another one, but I did not find the one we found in memory. You can also save the strings to disk like this. Let's put it on the desktop, and then you have a file here with all the strings.

This was one thing, looking at the strings. You can also make a memory dump. By right-clicking here you can say Create Minidump or Create Full Dump. Here, let me also put it on the desktop like this. So now here we have a dump which we could, for example, analyze with a debugger, or also just look for strings in it. Let me close this, because there is just one more thing that I want to show you that we can do with Sysinternals tools, also very simple. So I click OK here, the sample terminates, and it also erases itself: malware.exe is no longer present. How did this happen? Let me show you.

I'm going to run Procmon from Sysinternals like this. It's running here, and now again I make a copy and I execute it. So it elevates, it initializes, we get an error, click OK. And after a couple of seconds the exe will disappear, like this. So now we can stop Procmon like this. Now if we go into Tools, Process Tree, we will see a tree of all processes that run on this machine. If we go down here we can see malware that started malware, and it also starts cmd.exe with a timeout. If we look at cmd.exe you can see here the command. So cmd.exe is passed an argument: timeout 3, and after that a delete of the file itself. So what's happening here: the malware launches this command with a timeout of 3 seconds, and then it will delete the file. And when the command is launched the malware stops executing, and that's how the malware can delete itself from disk.

Now, if you have this process tree view, we can select here the malware, right-click, and say Add Process and Children to Include Filter. And when we do this, the filter only selects the processes of malware and the children that it launched. And by doing so we can again go into Tools and then, for example, look at the file activity. And here you can see all the file activity for the malware and its child processes, but not of any other. And here, write bytes: if we sort this, we see that this process and its children have not written anything to disk. We can look at network activity; here is the activity we see. So we don't see that Russian domain. And for the registry too, you can again sort on writes, and here you can see that there were writes to the registry. And if we take a closer look you can see that it makes changes to the Internet Settings. We can, for example, select this one here, and then we have a filter here of all the commands: RegSetValue here, and a DWORD was written with value 1.

This is a quick overview of how you can exploit this malware that fails to function: how you can exploit it to easily dump its memory, look at strings, and also see its activity with Process Monitor.
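The Process Explorer part of the walkthrough (strings in the file versus strings in memory, and searching a saved dump) as an added example; this is not code from the video or from Sysinternals. The extractor pulls printable ASCII and UTF-16LE runs the way the Strings tab does. The sample bytes, the placeholder domains, and the single-byte XOR used to hide one domain in the "on-disk" image are constructed for illustration and are not the obfuscation scheme of the sample shown.

```python
"""Extract printable ASCII and UTF-16LE strings from a memory image and
compare them with the strings of the file on disk. Added example; the
data and the XOR obfuscation below are constructed, not the real sample's."""
import re


def extract_strings(data, min_len=4):
    """Return printable runs of at least min_len characters, ASCII runs
    first, then UTF-16LE runs (Process Explorer lists both kinds too)."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in utf16_re.finditer(data)]
    return found


def strings_from_file(path, min_len=4):
    """Same extraction over a file on disk, e.g. a minidump saved
    from Process Explorer's Create Minidump / Create Full Dump."""
    with open(path, "rb") as fh:
        return extract_strings(fh.read(), min_len)


def search_strings(strings, needle):
    """Case-insensitive substring search, like typing '.ru' into the Strings tab."""
    needle = needle.lower()
    return [s for s in strings if needle in s.lower()]


def memory_only_strings(disk_image, mem_image):
    """Strings visible in memory that the on-disk file does not contain,
    i.e. what the process decoded at runtime."""
    on_disk = set(extract_strings(disk_image))
    return [s for s in extract_strings(mem_image) if s not in on_disk]


def xor_bytes(data, key):
    """Single-byte XOR: the constructed obfuscation used for the demo data."""
    return bytes(b ^ key for b in data)


# Constructed sample data (placeholder domains): a non-printable filler, one
# domain stored in clear in the file, and one stored XOR-obfuscated with key
# 0xFF so that every byte falls outside the printable range on disk. In the
# memory image the second domain has been decoded by the running process.
FILLER = bytes(range(16)) * 2
DOMAIN_PLAIN = b"update.example.ru"
DOMAIN_HIDDEN = b"cnc.example.ru"
USER_AGENT_UTF16 = "User-Agent".encode("utf-16-le")

DISK_IMAGE = (FILLER + b"MZ" + FILLER + DOMAIN_PLAIN + FILLER
              + xor_bytes(DOMAIN_HIDDEN, 0xFF) + FILLER + USER_AGENT_UTF16 + FILLER)
MEM_IMAGE = (FILLER + b"MZ" + FILLER + DOMAIN_PLAIN + FILLER
             + DOMAIN_HIDDEN + FILLER + USER_AGENT_UTF16 + FILLER)

if __name__ == "__main__":
    # Mirrors the video: one .ru hit in the file, two in memory.
    print("in file:    ", search_strings(extract_strings(DISK_IMAGE), ".ru"))
    print("in memory:  ", search_strings(extract_strings(MEM_IMAGE), ".ru"))
    print("memory only:", memory_only_strings(DISK_IMAGE, MEM_IMAGE))
```

Run it as a script to see the comparison on the constructed data, or call `strings_from_file` on a minidump you saved from Process Explorer and feed the result to `search_strings`. The memory-only list is the useful output for an analyst: it is exactly the set of strings the obfuscation was meant to keep out of static tools.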
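The Procmon part of the walkthrough as an added example, again not code from the video or from Sysinternals: it rebuilds the process tree from process-creation records, applies the "process and children" include filter, sorts out the writes, and flags the self-deletion trick (a child cmd.exe that waits with `timeout 3` and then deletes its parent's own executable). The PIDs, paths, the exact cmd.exe command line and the registry value name are constructed to mirror Procmon's columns; the video only says the write went to the Internet Settings key, so the value name is a placeholder.

```python
"""Process-tree reconstruction, include-filter and self-delete detection over
constructed Procmon-style records. Added example; records are not a real capture."""
import re
from collections import defaultdict

# (pid, ppid, image path, command line). All values constructed.
PROCESS_EVENTS = [
    (400, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    (1200, 400, r"C:\Users\user\Desktop\malware.exe",
     r'"C:\Users\user\Desktop\malware.exe"'),
    # the elevated second instance ("malware that started malware")
    (1300, 1200, r"C:\Users\user\Desktop\malware.exe",
     r'"C:\Users\user\Desktop\malware.exe"'),
    # constructed command line for the self-delete child
    (1400, 1300, r"C:\Windows\System32\cmd.exe",
     r'cmd.exe /c timeout 3 & del "C:\Users\user\Desktop\malware.exe"'),
    (1500, 400, r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]

# (pid, operation, path, detail), modelled on Procmon's columns. The registry
# value name is a placeholder; the video only names the Internet Settings key.
ACTIVITY_EVENTS = [
    (1500, "WriteFile", r"C:\Users\user\Desktop\notes.txt", "Length: 12"),
    (1300, "TCP Connect", "placeholder-host:443", ""),
    (1300, "RegSetValue",
     r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\PLACEHOLDER_VALUE",
     "Type: REG_DWORD, Data: 1"),
    (1300, "ReadFile", r"C:\Users\user\Desktop\malware.exe", "Length: 4096"),
]

# 'timeout <n>' followed later on the same command line by '& del'
SELF_DELETE_RE = re.compile(r"\btimeout\s+\d+\b.*&\s*del\b", re.IGNORECASE)


def build_children(process_events):
    """Map each ppid to the list of pids it created."""
    children = defaultdict(list)
    for pid, ppid, _image, _cmd in process_events:
        children[ppid].append(pid)
    return children


def process_and_children(root_pid, process_events):
    """PIDs of root_pid and every descendant: the set Procmon's
    'Add Process and Children to Include Filter' selects."""
    children = build_children(process_events)
    seen, stack = set(), [root_pid]
    while stack:
        pid = stack.pop()
        if pid in seen:
            continue
        seen.add(pid)
        stack.extend(children.get(pid, []))
    return seen


def find_self_delete(process_events):
    """Return (parent pid, parent image, cmd pid, command line) for every
    cmd.exe whose command line waits and then deletes its parent's image."""
    by_pid = {pid: (ppid, image, cmd) for pid, ppid, image, cmd in process_events}
    hits = []
    for pid, (ppid, image, cmd) in by_pid.items():
        if not image.lower().endswith(r"\cmd.exe"):
            continue
        if not SELF_DELETE_RE.search(cmd):
            continue
        parent = by_pid.get(ppid)
        # the deleted path must be the parent's own executable
        if parent and parent[1].lower() in cmd.lower():
            hits.append((ppid, parent[1], pid, cmd))
    return hits


def filtered_activity(root_pid, process_events, activity_events):
    """Only the events of root_pid and its children, like the filtered
    file, network and registry views in the video."""
    pids = process_and_children(root_pid, process_events)
    return [e for e in activity_events if e[0] in pids]


def writes(activity_events):
    """The 'sort on writes' step: file writes and registry value sets."""
    return [e for e in activity_events if e[1] in ("WriteFile", "RegSetValue")]


if __name__ == "__main__":
    for ppid, image, pid, cmd in find_self_delete(PROCESS_EVENTS):
        print(f"self-delete: pid {pid} deletes image of parent {ppid}: {cmd}")
    mal = filtered_activity(1200, PROCESS_EVENTS, ACTIVITY_EVENTS)
    print("writes by malware and children:", writes(mal))
```

On the constructed records the filtered view for the malware tree contains no `WriteFile` event and exactly one `RegSetValue`, matching what the video shows after sorting on writes, and the only self-delete hit is the cmd.exe child of the elevated instance. The parent-image check in `find_self_delete` is what keeps an ordinary `timeout ... & del` of some unrelated file from being reported.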