Windows Malware Intermediate
Hands-on Windows malware analysis at intermediate level: bypass anti-debugging and sandbox evasion with ScyllaHide, manually unpack protected binaries with x64dbg, detect process injection and process hollowing, extract C2 configurations from live traffic, and deliver professional DFIR reports with MITRE ATT&CK TTPs, IOCs, and detection rules.
14-day money-back guarantee · No subscription · Lifetime access
- Access to all course videos and materials
- Unlimited guided lab access with auto-validated flags
- HTK Certificate upon completion
- Lifetime course access with future updates
- Flexible, self-paced learning schedule
- 30-day satisfaction guarantee
- 2 guided labs in an isolated VM environment
- 16h of content: videos, practice and exams
- 5 modules of progressive difficulty
- 2–4h per lab session, with unlimited restarts
Course Syllabus
5 modules · 16h of content
What you will learn
- Identify and bypass anti-debugging tricks (IsDebuggerPresent, PEB flags, RDTSC timing) using ScyllaHide and manual conditional-jump patching
- Manually unpack UPX and custom-packed binaries with x64dbg: locate the OEP via tail-jump patterns, dump the image, and reconstruct the IAT with Scylla
- Detect and confirm shellcode injection, DLL injection, and process hollowing using PE-sieve, HollowsHunter, and Process Explorer forensic evidence
- Analyze C2 traffic in Wireshark (beaconing, JA3 fingerprinting, fast-flux DNS, DGA) and extract encrypted configuration blobs using CyberChef
- Deliver a professional DFIR report with MITRE ATT&CK TTP table, full IOC list, and YARA/Sigma/Sysmon detection rules
Hands-on Lab
Analyze two advanced malware samples in an isolated FLARE-VM lab. In the first lab, bypass anti-debugging tricks (IsDebuggerPresent, PEB NtGlobalFlag, timing attacks with RDTSC) using ScyllaHide, locate the OEP in a packed binary via tail-jump patterns, dump the unpacked image with Scylla, and reconstruct the IAT for clean static re-analysis. In the second lab, a multi-stage sample performs process hollowing over a benign Windows process — confirm the injection with PE-sieve and HollowsHunter, capture the C2 beacon in Wireshark, decode the encrypted configuration blob using CyberChef (base64 + XOR pipeline), and deliver a final DFIR report with MITRE ATT&CK TTPs (T1055, T1573, T1547), a full IOC list, and a Sysmon detection rule.
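The second lab decodes the C2 configuration with a base64 + XOR pipeline in CyberChef. The following script, added here as an illustration and not part of the course material, shows the same pipeline in Python and adds the step an analyst usually needs first: recovering an unknown single-byte XOR key by brute force, using a known-plaintext marker (such as "http") to disambiguate keys that all yield printable output. The blob, key and field names are constructed for this example; no real sample is involved.

```python
import base64
import string
from typing import Dict, Optional, Sequence

# Constructed sample config (assumption: not taken from any real malware family).
# The "malware" XORs the plaintext with a single byte, then base64-encodes it.
SAMPLE_KEY = 0x5A
SAMPLE_PLAINTEXT = b"c2=http://c2.example.invalid/beacon;sleep=60;jitter=20"


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (symmetric, so it also decrypts)."""
    return bytes(b ^ key for b in data)


# Encrypted blob as it would appear in a captured beacon or in the unpacked binary.
SAMPLE_BLOB = base64.b64encode(xor_bytes(SAMPLE_PLAINTEXT, SAMPLE_KEY)).decode()


def decode_config(blob: str, key: int) -> bytes:
    """CyberChef 'From Base64' -> 'XOR' with a known single-byte key."""
    return xor_bytes(base64.b64decode(blob), key)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII; a cheap plausibility score."""
    if not data:
        return 0.0
    printable = set(string.printable.encode())
    return sum(1 for b in data if b in printable) / len(data)


def recover_key(
    blob: str,
    markers: Sequence[bytes] = (b"http", b"sleep"),
    min_ratio: float = 0.95,
) -> Optional[int]:
    """Brute-force all 256 single-byte keys.

    Printable ratio alone is ambiguous: XOR with a low bit (e.g. 0x01) maps
    letters to letters, so several keys look 'printable'. Requiring a
    known-plaintext marker (a URL scheme, a field name) resolves that.
    """
    raw = base64.b64decode(blob)
    best: Optional[tuple] = None
    for key in range(256):
        candidate = xor_bytes(raw, key)
        ratio = printable_ratio(candidate)
        if ratio < min_ratio or not any(m in candidate for m in markers):
            continue
        if best is None or ratio > best[1]:
            best = (key, ratio)
    return best[0] if best else None


def parse_config(data: bytes) -> Dict[str, str]:
    """Split 'k=v;k=v' pairs into a dict (constructed format for this example)."""
    fields: Dict[str, str] = {}
    for item in data.decode("ascii", errors="replace").split(";"):
        if "=" in item:
            k, v = item.split("=", 1)
            fields[k.strip()] = v.strip()
    return fields


if __name__ == "__main__":
    key = recover_key(SAMPLE_BLOB)
    if key is None:
        raise SystemExit("no single-byte XOR key produced a plausible config")
    config = parse_config(decode_config(SAMPLE_BLOB, key))
    print(f"recovered key: 0x{key:02x}")
    for name, value in config.items():
        print(f"  {name} = {value}")
```

If the marker check never matches, the blob is probably not single-byte XOR (multi-byte keys, RC4 or AES are common); widening the brute force is then the wrong move, and the right one is to read the decryption routine in x64dbg to learn the algorithm and key location.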
Requirements
- Modern web browser
- Stable internet connection
- No local installation required
- Basic technical English recommended
Windows Malware Beginner
Not ready for intermediate yet? Windows Malware Beginner covers the foundational skills and guided labs you need before tackling the advanced material.
Build real Windows Malware skills
Get hands-on with real Windows Malware scenarios, professional-grade tools, and validated flag objectives. No prior experience needed.
