We need to actually execute the malware, so we run it inside a VM and rely on snapshots: take a clean snapshot before the run, analyse what the sample does, then revert to the clean state.

We can use these tools:

  • Process Monitor, or procmon, is an advanced monitoring tool for Windows that records registry, file system, network, process and thread activity in real time
    • It works with filters; the most common one is "Process Name is <sample>", which hides everything the other processes on the box are doing
    • the icons in the top right corner of the toolbar are toggles that show or hide whole classes of events (registry, file system, network, process/thread), so you can isolate one kind of behaviour at a time
    • very interesting: WriteFile and RegSetValue entries, because they show what the sample dropped on disk and what it changed in the registry (autostart keys such as Run are a classic place to look)
  • Process Explorer: it is like Task Manager on steroids; it shows the DLLs and handles loaded by each process and can verify image signatures (Options > Verify Image Signatures), so you can check that a file claiming to be a Microsoft DLL is actually signed by Microsoft
  • RegShot: you take a snapshot of the registry, run the malware, take a second snapshot and compare the two to find out which keys and values the malware added, changed or deleted
  • FakeNet: it simulates the network services (DNS, HTTP, HTTPS, ...) inside the VM so the malware's requests are answered locally; you see every request the sample makes without it ever reaching the real internet
  • Netcat: the usual tool to listen for incoming connections; with DNS pointed at the analysis machine you can catch the sample's connection by hand with netcat -l -p 80 (or 443) and read the raw request. Only one program can bind a given port, so if FakeNet is already serving 80/443 stop it first, or use a different port
  • Wireshark: just start capturing on the VM interface, then right-click the interesting packet and "Follow TCP Stream" to read the whole conversation in one window
  • ApateDNS: to check whether the malware performs DNS queries; it answers every lookup with an IP you choose (typically the analysis machine) so the connection that follows lands on your listener
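Procmon is a GUI tool, but its log can be exported as CSV (File > Save..., "Comma-Separated Values"), and the triage described above (filter on the process name, look at WriteFile and RegSetValue entries) is easy to automate on that export. The script below is an added example written for this page, not part of the original notes or of Procmon itself; the column names are the ones Procmon writes by default, while the CSV content, the process name sample.exe, the paths and the addresses are all constructed for the example.

```python
"""Triage a Process Monitor CSV export for one process.

Works on the CSV produced by Procmon's File > Save... ("Comma-Separated
Values"). The column headers below are Procmon's defaults; the sample
export embedded here is constructed for the example, not a real capture.
"""
import csv
import io
from collections import defaultdict

# Constructed sample of a Procmon CSV export (not from a real capture).
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1234567 AM","sample.exe","4120","CreateFile","C:\\Users\\lab\\AppData\\Roaming\\svc.exe","SUCCESS","Desired Access: Generic Write"
"10:01:02.1300000 AM","sample.exe","4120","WriteFile","C:\\Users\\lab\\AppData\\Roaming\\svc.exe","SUCCESS","Offset: 0, Length: 65,536"
"10:01:02.1400000 AM","sample.exe","4120","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc","SUCCESS","Type: REG_SZ, Length: 80, Data: C:\\Users\\lab\\AppData\\Roaming\\svc.exe"
"10:01:02.1500000 AM","sample.exe","4120","RegQueryValue","HKLM\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid","SUCCESS","Type: REG_SZ, Length: 78, Data: ..."
"10:01:02.1600000 AM","sample.exe","4120","TCP Connect","LAB-PC:49712 -> 203.0.113.10:443","SUCCESS","Length: 0, mss: 1460"
"10:01:02.1700000 AM","explorer.exe","1588","WriteFile","C:\\Users\\lab\\Desktop\\desktop.ini","SUCCESS","Offset: 0, Length: 282"
"10:01:02.1800000 AM","sample.exe","4120","WriteFile","C:\\Users\\lab\\AppData\\Local\\Temp\\x.tmp","ACCESS DENIED","Offset: 0, Length: 16"
"""

# Procmon operation names worth a second look when triaging a sample.
INTERESTING = {
    "WriteFile": "files written",
    "RegSetValue": "registry values set",
    "TCP Connect": "outbound TCP connections",
    "UDP Send": "outbound UDP",
    "Process Create": "child processes",
}


def parse_procmon_csv(text):
    """Return the rows of a Procmon CSV export as dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def triage(rows, process_name, only_success=True):
    """Group the interesting operations of one process by category.

    Filtering on Process Name mirrors the usual Procmon filter
    ("Process Name is <sample>"). With only_success=True, operations that
    failed (e.g. ACCESS DENIED in the Result column) are dropped, since
    they did not change the system.
    """
    found = defaultdict(list)
    for row in rows:
        if row["Process Name"].lower() != process_name.lower():
            continue
        if only_success and row["Result"] != "SUCCESS":
            continue
        label = INTERESTING.get(row["Operation"])
        if label is None:
            continue
        path = row["Path"]
        if path not in found[label]:  # keep each path once, in first-seen order
            found[label].append(path)
    return dict(found)


def run_key_persistence(rows, process_name):
    """Return RegSetValue paths under a ...\\CurrentVersion\\Run* key (autostart)."""
    summary = triage(rows, process_name)
    return [p for p in summary.get("registry values set", [])
            if "\\currentversion\\run" in p.lower()]


if __name__ == "__main__":
    rows = parse_procmon_csv(SAMPLE_CSV)
    for category, paths in triage(rows, "sample.exe").items():
        print(f"{category}:")
        for p in paths:
            print(f"  {p}")
    print("persistence via Run key:", run_key_persistence(rows, "sample.exe"))
```

On the constructed sample this reports one dropped file under AppData\Roaming, one Run-key value pointing at that file and one outbound connection to port 443, which is exactly the chain (drop, persist, call home) that a manual look at WriteFile and RegSetValue entries is meant to surface; the explorer.exe write and the failed write to Temp are filtered out as noise. To use it on a real capture, replace SAMPLE_CSV with the contents of the exported file and "sample.exe" with the process name you filtered on in Procmon.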