Path Bundle

Windows Malware

From malware static triage to x64dbg unpacking, anti-debugging bypass, process injection and hollowing analysis, C2 configuration extraction, and MITRE ATT&CK-mapped DFIR reports — all in isolated FLARE-VM labs with professional-grade tooling.

Save 79 EUR

Lab tools you will use

  • FLARE-VM (Environment)
  • x64dbg (Debugger)
  • ScyllaHide (Lab tool)
  • PE-Studio (Static analysis)
  • Procmon (Monitoring)
  • Process Explorer (Monitoring)
  • CAPA (Detection)
  • YARA (Detection)
  • FakeNet-NG (Network)
  • Wireshark (Network)
  • Autoruns (Persistence)
  • DIE (Static analysis)
  • FLOSS (Strings)
  • Scylla (Unpacking)
  • PE-sieve (Detection)
  • HollowsHunter (Lab tool)
  • CyberChef (Decoder)
  • Sysmon (Lab tool)
  • Sigma (Detection)

Courses Included

Beginner · 500 XP · Audio: ES

Windows Malware Beginner

Master the fundamentals of Windows malware analysis: static triage, dynamic execution, C2 detection, persistence hunting, and MITRE ATT&CK mapping in a guided FLARE-VM lab environment.

1 guided lab · 14h of content

Intermediate · 750 XP · Audio: ES

Windows Malware Intermediate

Intermediate Windows malware analysis: bypass anti-debug and sandbox evasion, manually unpack binaries with x64dbg and ScyllaHide, detect process injection and hollowing, extract C2 configs, and deliver DFIR reports.

2 guided labs · 16h of content

Why Choose the Full Pack?

Get the Beginner + Intermediate courses bundled together and unlock exclusive extras.

  • Beginner + Intermediate courses (30h of content)
  • All 4 guided labs with isolated VMs
  • All per-module + certification exams
  • 2 HTK certificates (Beginner + Intermediate)
  • Extra consolidation lab
  • Lifetime access + priority support
  • Access to the HTK community

199 EUR (regular price 278 EUR) · Save 79 EUR

Your Learning Roadmap

Each phase maps to a course module; together they form a full progression from beginner fundamentals to intermediate mastery.

Phase 1 (Beginner): Introduction to Malware & Analysis Environments

Start your Windows malware journey with Windows Malware Beginner.

  • Malware taxonomy by capability: ransomware, stealers, RATs, loaders, bots
  • Anatomy of a modern infection chain: dropper → loader → payload → persistence → C2
  • Professional analysis workflow: static triage → dynamic execution → correlation → documentation
Phase 2 (Beginner): Initial Static Analysis

  • Analyzing samples without execution: PE structure, sections, entropy, imports, resources, and strings
  • Early detection of packing and obfuscation with DIE, PEStudio, and PEview
  • Extracting stable IOCs: hashes, domains, file paths, mutexes, configuration artifacts
Phase 3 (Beginner): Basic Dynamic Analysis

  • Controlled execution workflow: snapshot → monitors → execute → filter → export → rollback
  • Process and thread observation with Procmon and Process Explorer
  • Filesystem, registry, and network monitoring (DNS, HTTP, beaconing, C2 patterns)
Phase 4 (Beginner): C2 Communication & Basic Persistence

  • Command and Control fundamentals: protocols, beaconing patterns, periodicity, and telemetry
  • Reading HTTP/HTTPS and DNS traffic in malware context with Wireshark and FakeNet-NG
  • Windows persistence mechanisms: Run keys, Startup folder, ASEPs, scheduled tasks, services
Phase 5 (Beginner): End-to-End Lab Case + MITRE ATT&CK Mapping

  • MITRE ATT&CK for analysts: behavior language, not ID memorization
  • Guided end-to-end case: static triage → dynamic analysis → IOC extraction → ATT&CK mapping
  • Mapping 2–4 real techniques with concrete evidence
Phase 6 (Intermediate): Packing, Obfuscation, and Anti-Analysis Techniques

Advance into complex scenarios with Windows Malware Intermediate.

  • Packing fundamentals: stub + payload architecture, entropy analysis with DIE and PEStudio (7.8/8 entropy as packing indicator), UPX and custom packer identification
  • Disabling ASLR for controlled analysis: the dynamic-base PE flag, bcdedit and CFF Explorer techniques
  • String obfuscation: XOR, RC4, and base64 encoding chains — decoding with FLOSS and CyberChef recipes
Phase 7 (Intermediate): Manual Unpacking with x64dbg and Scylla

  • Packed binary identification: DIE + PEStudio entropy analysis, imported function count as a packing signal
  • EP vs OEP: understanding the packer stub execution flow and tail jump patterns (jmp rax, push+ret, call-return sequences)
  • x64dbg unpacking workflow: load sample → set breakpoints on VirtualAlloc/VirtualProtect → trace stub execution → reach OEP
Phase 8 (Intermediate): Process Injection and Process Hollowing Analysis

  • Classic shellcode injection: OpenProcess → VirtualAllocEx → WriteProcessMemory → CreateRemoteThread — step-by-step trace in x64dbg
  • Private executable memory as key forensic artifact: no module name, RX/RWX permissions — identification in Process Explorer and Process Hacker
  • DLL injection via LoadLibrary: detecting Load Image events in Procmon, confirming the module list in Process Explorer
Phase 9 (Intermediate): C2 Traffic Analysis and Configuration Extraction

  • Beaconing patterns: periodicity and jitter analysis (Cobalt Strike default 60s, Meterpreter 5s) — visualizing timing anomalies with Wireshark IO Graph
  • HTTP C2 indicators: consistent URI paths (gate.php patterns), user-agent spoofing, base64-encoded POST body, content-length consistency
  • HTTPS C2 analysis: SNI extraction, self-signed certificate detection, JA3/JA3S fingerprinting, short-validity and no-SAN flags
Phase 10 (Intermediate): End-to-End Case Study — From Sample to DFIR Report

  • Full analyst pipeline: SHA256 → VirusTotal → static triage (DIE, PEStudio, FLOSS, CAPA) → unpacking (x64dbg + ScyllaHide + Scylla) → dynamic analysis (FakeNet-NG, Procmon, Process Explorer) → injection detection (PE-sieve) → Wireshark C2 analysis → CyberChef config decoding → MITRE mapping → IOC report
  • Guided case study: UPX-packed loader → anti-debug bypass with ScyllaHide → OEP identification → Scylla dump + IAT fix → process injection into Notepad.exe (T1055) → registry persistence via HKCU Run key (T1547.001) → C2 beacon with gate.php, POST, base64 body, 30s + jitter → JSON config extraction (C2 URL, user-agent, campaign ID, mutex name)
  • DFIR report structure: executive summary, MITRE ATT&CK TTP table with forensic evidence, IOC list (hashes, domains, IPs, file paths, registry keys, mutex names, network patterns), and defensive recommendations
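As an added illustration of the beaconing and HTTP C2 indicators covered in Phases 9 and 10 (example code written for this page, not course material), the script below runs over a constructed request log, measures the period and jitter of each source host, checks whether it always hits the same URI, and decodes the base64 POST body. The log format, the 4-request minimum and the 50% jitter threshold are assumptions.

```python
import base64
import binascii
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample HTTP log (timestamp, source host, method, URI, POST body),
# not from a real capture: 10.0.0.7 behaves like a beacon, 10.0.0.9 like a user.
LOG = """\
2024-05-01T10:00:00 10.0.0.7 POST /gate.php aWQ9MTIzNDtjYW1wPXNwcmluZw==
2024-05-01T10:00:31 10.0.0.7 POST /gate.php aWQ9MTIzNDtjYW1wPXNwcmluZw==
2024-05-01T10:00:59 10.0.0.7 POST /gate.php aWQ9MTIzNDtjYW1wPXNwcmluZw==
2024-05-01T10:01:30 10.0.0.7 POST /gate.php aWQ9MTIzNDtjYW1wPXNwcmluZw==
2024-05-01T10:02:01 10.0.0.7 POST /gate.php aWQ9MTIzNDtjYW1wPXNwcmluZw==
2024-05-01T10:00:05 10.0.0.9 GET /index.html -
2024-05-01T10:07:40 10.0.0.9 GET /news/today -
2024-05-01T10:09:02 10.0.0.9 GET /img/logo.png -
"""

def decode_body(body):
    """Return the base64-decoded body as text, or None if it is not valid base64."""
    try:
        return base64.b64decode(body, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None

def analyze(log, min_requests=4, max_jitter_pct=50.0):
    """Score each host's request timing; low jitter on a single URI = beacon candidate."""
    per_host = defaultdict(list)
    for line in log.splitlines():
        ts, host, method, uri, body = line.split()
        per_host[host].append((datetime.fromisoformat(ts), method, uri, body))
    findings = {}
    for host, reqs in per_host.items():
        reqs.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(reqs, reqs[1:])]
        if not gaps:
            continue
        mean = statistics.mean(gaps)
        jitter_pct = (max(gaps) - min(gaps)) / mean * 100  # spread relative to period
        uris = {r[2] for r in reqs}
        findings[host] = {
            "mean_interval_s": mean,
            "jitter_pct": round(jitter_pct, 1),
            "uris": sorted(uris),
            "decoded_body": decode_body(reqs[0][3]),
            "beacon_candidate": len(reqs) >= min_requests and len(uris) == 1
                                and jitter_pct <= max_jitter_pct,
        }
    return findings
```

On the constructed log, 10.0.0.7 comes out with a period of about 30 s and under 10% jitter on a single gate.php URI, which is the timing signature the Wireshark IO Graph step is meant to surface.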