Cheatsheet: Windows Malware Analysis and Reversing



When doing an analysis or investigation on a malware, what is the important things to solve or to answer in analysing the malware?

This checklist may help us to determine what is the goal when we’re doing a malware analysis on a malware, so it can avoid us from reversing/analysing part of the malicious code that does not important to our investigation or maybe a rabbit hole.

Important findings

  1. IOCs (Hash, domain, IP)
  2. Commands
  3. Dropped files
  4. Network communication
  5. Registry modify/add/delete
  6. TTPs
  7. Encryption/Decryption routines
  8. Folder, file access
  9. Malware Anti-analysis
  10. Hardcoded values / strings
  11. Common WinAPI
  12. Shellcode
  13. Encrypted strings

Flow of analysis

  1. Retrieve samples
  2. OSINT samples and reports
  3. Automate analysis
  4. Maldoc or Fileless analysis
  5. Static analysis
  6. Behavior analysis
  7. Reverse engineering

Sample sources

  1. From client
  2. Internet
    • VirusTotal
    • MalwareBazaar
    • Github
    • Malshare
  3. Honeypot
  4. Internal DB
  5. DFIR activities

OSINT samples, reports, analysis

  1. Hash lookups
    • VirusTotal
    • Any.Run
    • Tri.age
    • HybridAnalysis
    • JoeSandbox
    • Metadefender
  2. Take a look of analysis result
  3. IOC network analysis and C2 Hunting
    • AbuseIPBD
    • Censys
    • Passive DNS via VT
    • Shodan
    • FOFA
    • Validin
    • URLhaus
    • AlienVault
  4. Github search
  5. Google search
  6. Twitter search

Automate and AV Analysis

Online Sandboxes

  1. Any.Run
  2. VirusTotal
  3. Tri.age
  4. Threatbook
  6. FileScan
  7. HybridAnalysis
  8. Intezer
  9. JoeSandbox
  10. Metadefender

Local Sandboxes and AV scanner

  1. CAPE
  2. Saferwall
  3. MultiAV

Note: Analyze all the findings and get the context of the malware before proceed reverse engineering.

Maldoc Analysis

Refer: Maldoc Cheatsheet

Fileless Analysis

  1. Read the code
  2. Beautify
  3. Deobfuscate
    • PSUnveil
    • Manual
  4. CMDWatcher
  5. Refer Behavior analysis

Static Analysis

Tool activity Description
file Determines the file type of a file.
TRiD File identification tool using a database of file signatures.
Exiftool Tool for reading, writing, and editing metadata in various file types.
DIE (Detect It Easy) Detects and identifies packer, compiler, and other characteristics of executable files.
EXEinfoPE Analyzes and detects various properties of PE (Portable Executable) files.
PEStudio Analyzes PE files to identify anomalies, suspicious patterns, and potential malware indicators.
PEBear Analyzes PE files and extracts information about their structure, sections, imports, and more.
CAPA Analyzes malware behavior and identifies code patterns using static analysis techniques.
Floss Extracts strings from malware samples and analyzes their behavior.
strings -a Extracts printable strings from binary files, including malware samples.
xorsearch Searches for XOR-encoded strings in binary files.
base64dump Decodes and extracts base64-encoded strings from binary files.
Resource Hacker Views, modifies, adds, and deletes resources in Windows executables.
SSDeep can help in classifying and categorizing malware samples based on similarities in their content

Behavior Analysis

Analysis consist of:

  1. Process monitoring include command executed
  2. Network monitoring
  3. File system monitoring
  4. Registry monitoring
  5. Logging and detection
  6. WinAPI monitoring

Behavior analysis Tools

All-in-One Process Monitoring Network Monitoring File System Monitoring Registry Monitoring
ProcMon Process Hacker ProcessHacker ProcMon Regshot
SysAnalyzer Process Explorer TCPView ProcDot  
  CMDWatcher FakeNet DirWatch  
  ProcWatch Wireshark    
  HollowsHunter Fiddler    
  PECapture TCPDump    
Logging and Detection API Monitoring
Sysmon APIMonitor
Powershell APILogger

Reverse Engineering

It’s really subjective while perform reverse engineering, and the approach might different with other people. This list is most of the activities I did when performing reverse engineering:

IDA pro

  1. Find Main function
  2. Strings reference
  3. Decompile
  4. Watch Graph View
  5. Relabel function name
  6. Insert comments
  7. Focus on WinAPIs
  8. Always research and refer API documentation
  9. Research hardcoded strings
  10. List function names
  11. Pull Lumina
  12. Ask ChatGPT if stuck
  13. Run Flare CAPA Explorer plugin
  14. Run IDAClu
  15. Run IDA-names
  16. Run FindCrypt
  17. Run AntiVM
  18. Run AntiDebugSeeker
  19. Rebase segment based on debugger
  20. Github/GitLab research on unique function
  21. Search for unique hex value on the internet


  1. Debugging the malware with context
  2. Breakpoint on interesting function
  3. Breakpoint on unpack stuff, such as VirtualAlloc
  4. Dump unpack stuff
  5. Dump shellcode stuff
  6. Watch return value of function
  7. Enable ScyillaHide
  8. Use graph view
  9. Find strings reference
  10. Use xAnalyzer
  11. Setting the events to Break on what? The most important is “Entry Breakpoint”
  12. Add Exception filters = 00000000-FFFFFFFF
  13. Follow in dump, memory
  14. Watch call stack
  15. Watch Threads
  16. Watch Handles
  17. Use RunDLL32 command for DLL file instead of DLL loader by 32dbg
  18. Supply parameter if the malware need param
  19. Research WinAPI param and return value
  20. Watch function input (param) and output (return value on EAX)
  21. Disable ASLR
  22. Self injection, use process hacker to dump the process instead of a memory region.

Using API hooking to analyze malware by breakpoint them blindly:

# Typically for unpacking
bp VirtualAlloc
bp VirtualProtect

# AntiDebug
bp IsDebuggerPresent

# Enum process
bp CreateToolhelp32Snapshot
bp Process32First
bp Process32Next

# Check file what file being written
bp CreateFileW
bp CreateFileA

# Execute unpacked code
bp CreateProcessInternalW
bp NtWriteVirtualMemory
bp NtResumeThread
bp CreateRemoteThread
bp CreateThread

# API Hashing
bp GetProcAddress
bp LoadLibraryA

# OR debug on any interesting API!

Assembly fastcall calling convention

# x86
push eax
push ebx
call function_name

# x64
mov rsp+value, eax
mov r9d, dword ptr [rsp+value]
mov r8d, dword ptr [rsp+value]
mov rdx, dword ptr [rsp+value]
mov rcx, dword ptr [rsp+value]
call function_name

Abnormal prologue

# Fake return
push 0xAddress

push 0xAddressShellcode

# Unexpected Jump
mov ecx, 0xAddressShellcode
jmp 0xAddress

push ecx

# Suspicious jump
mov ecx, 0xAddress
jmp ecx

WinAPI in Malware

Usage of API is not necessarily a malware behavior. We need to analyze:

  1. Context of the usage
  2. Parameters supplied to the API
  3. Sets of API used in sequence

Common operations

File operations Registry operations Processes and Threads Windows Services Mutexes
CreateFile RegCreateKey CreateProcess OpenSCManager CreateMutex
WriteFile RegDeleteKey ExitProcess CreateService OpenMutex
ReadFile RegSetValue CreateRemoteThread OpenService  
SetFilePointer RegOpenKey CreateThread ChangeServiceConfig2W  
DeleteFile RegGetValue GetThreadContext StartService  
CloseFile   SetThreadContext    
MoveFile   TerminateProcess    
GetTempPath   CreateProcessInternalW    


WinAPI Function Description
SetWindowsHookEx Installs a hook procedure that monitors key presses.
GetAsyncKeyState Retrieves the current state of the specified virtual key.
GetKeyState Retrieves the status of the specified virtual key.
GetKeyboardState Retrieves the status of all virtual keys.
GetForegroundWindow Retrieves a handle to the foreground window.
GetWindowText Retrieves the text of the specified window’s title bar.
GetKeyNameText Retrieves the text description of a key.
GetKeyboardLayout Retrieves the active input locale identifier (formerly called the keyboard layout).

Backdoor connection

WinAPI Function Description
WSAStartup Initiates the use of the Winsock DLL by a process.
socket Creates a socket that is bound to a specific transport service provider.
bind Associates a local address with a socket.
listen Places a socket in a state where it is listening for an incoming connection.
accept Accepts a connection on a socket.
connect Attempts to make a connection to another socket.
send Sends data on a connected socket.
recv Receives data from a connected socket.
read Reads data from a file descriptor.
write Writes data to a file descriptor.
shutdown Disables sends or receives on a socket.
closesocket Closes an existing socket.
WSACleanup Terminates use of the Winsock DLL.
InternetOpen Initializes an application’s use of the WinINet functions.
InternetConnect Initiates a connection to the specified URL.
InternetOpenUrl Opens a URL on the internet.
InternetReadFile Reads data from a handle opened by the InternetOpenUrl or InternetConnect function.
InternetCloseHandle Closes a single Internet handle.
WinHttpOpen Initializes the use of WinHTTP functions.
WinHttpConnect Connects to an HTTP server.
WinHttpOpenRequest Initializes an HTTP request handle.
WinHttpSendRequest Sends the specified request to the HTTP server.
WinHttpReceiveResponse Waits to receive the response to the HTTP request.
WinHttpQueryDataAvailable Retrieves the amount of data available to be read by a specified request.
WinHttpReadData Reads data from a specified request.
WinHttpCloseHandle Closes an open handle.

Process Injection APIs

DLL Injection PE Injection Reflective Injection
OpenProcess OpenThread CreateFileMapping
VirtualAllocEx SuspendThread Nt/MapViewOfFile
WriteProcessMemory VirtualAllocEx memcpy
CreateRemoteThread WriteProcessMemory Nt/MapViewOfSection
NtCreateThread SetThreatContext CreateThread
RtlCreateUserThread ResumeThread NtQueueApcThread
  NtResumeThread CreateRemoteThread
APC Injection Hollowing/Process Replacement AtomBombing
SleepEx CreateProcess GlobalGetAtomName
SignalObjectAndWait NtQueryProcessInformation NtQueueApcThread
MsgWaitForMultipleObjectsEx Zw/NtUnmapViewOfSection GlobalAddAtom
WaitForMultipleObjectsEx VirtualAllocEx GlobalGetAtomName
WaitForSingleObjectEx WriteProcessMemory QueueUserAPC
Process32First GetModuleHandle  
Process32Next WriteProcessMemory  
Thread32First GetThreadContext  
Thread32Next ResumeThread  
Process Doppelgänging Hooking Injection Propagate Injection Extra Windows Memory Injection
CreateTransaction LoadLibraryW FindWindow FindWindowsA
CreateFileTransaction GetProcAdress FindWindowEx GetWindowThreadProcessId
NtCreateSection SetWindowsHookEx GetProp OpenProcess
NtCreateProcessEx PostThreadMessage OpenProcess VirtualAllocEx
NtQueryInformationProcess   GetProp WriteProcessMemory
NtCreateThreadEx   SendNotify SetWindowLongPtrA
RollbackTransaction   VirtualAllocEx ReadProcessMemory

Process Hooking

WinAPI Function Description
SetWindowsHookEx Installs an application-defined hook procedure into a hook chain.
UnhookWindowsHookEx Removes a hook procedure installed in a hook chain by the SetWindowsHookEx function.
GetWindowLongPtr Retrieves information about the specified window.
SetWindowLongPtr Changes an attribute of the specified window.
SetWindowsHookEx Installs an application-defined hook procedure into a hook chain.
CallNextHookEx Passes the hook information to the next hook procedure in the current hook chain.
WinAPI Function Description
LoadResource Retrieves a handle that can be used to obtain a pointer to the first byte of the specified resource in memory.
FindResource Determines the location of a resource with the specified type and name in the specified module.
SizeofResource Retrieves the size, in bytes, of the specified resource.
LockResource Retrieves a pointer to the specified resource in memory.
EnumResourceTypes Enumerates all resource types within a binary module.
EnumResourceNames Enumerates all resource names of a specified type within a binary module.
EnumResourceLanguages Enumerates all the language identifiers for the resources of a specified type within a binary module.


WinAPI Function Description
EnumProcesses Enumerates all processes currently running on the system.
EnumProcessModules Enumerates all modules (DLLs) loaded into a specified process.
CreateToolhelp32Snapshot Creates a snapshot of the system, including all processes, threads, and modules.
Process32First Retrieves information about the first process encountered in a system snapshot taken with CreateToolhelp32Snapshot.
Process32Next Retrieves information about the next process encountered in a system snapshot taken with CreateToolhelp32Snapshot.
Module32First Retrieves information about the first module associated with a process in a system snapshot taken with CreateToolhelp32Snapshot.
Module32Next Retrieves information about the next module associated with a process in a system snapshot taken with CreateToolhelp32Snapshot.
EnumWindows Enumerates all top-level windows on the screen by passing the handle to each window, in turn, to an application-defined callback function.
FindWindow Retrieves the handle to the top-level window whose class name and window name match the specified strings.
FindWindowEx Retrieves the handle to a window whose class name and window name match the specified strings. The function searches child windows, beginning with the one following the specified child window.
EnumDesktopWindows Enumerates all top-level windows associated with the specified desktop.
RegEnumKey Enumerates the subkeys of the specified open registry key.
RegEnumValue Enumerates the values for the specified open registry key.
NetShareEnum Retrieves information about all shared resources on a server.
NetServerEnum Retrieves information about all servers of the specified type that are visible in a domain or workgroup.

Unpacking API

Unpacking API Description
CreateProcessInternalW Creates a new process for unpacking the packed executable.
VirtualAlloc or VirtualAllocEx Allocates memory for the unpacked code and data.
VirtualProtect or ZwProtectVirtualMemory Changes the protection of a region of memory, often used for code injection.
WriteProcessMemory or NtWriteProcessMemory Writes data to the memory of another process.
ResumeThread or NtResumeThread Resumes the execution of a suspended thread.
CryptDecrypt or RtlDecompressBuffer Decrypts or decompresses packed data.
NtCreateSection + MapViewOfSection or ZwMapViewOfSection Creates a section object and maps a view of a section into the address space of a process.
UnmapViewOfSection or ZwUnmapViewOfSection Unmaps a mapped view of a section from the address space of a process.
NtWriteVirtualMemory Writes data to the memory of a specified process.
NtReadVirtualMemory Reads data from the memory of a specified process.
NtMapViewOfSection Maps a view of a section of a file into the address space of a process.


Anti-debug Description
IsDebuggerPresent Checks if the current process is being debugged.
CheckRemoteDebuggerPresent Checks if a remote process is being debugged.
NtQueryInformationProcess Retrieves information about a process, including debug flags.
OutputDebugString Sends a string to the debugger for display.
BeingDebuggeed in PEB Checks if the process is being debugged by inspecting the Process Environment Block (PEB).
Check ProcessHeap flag Checks the Process Heap flags for signs of a debugger.
NtGlobalFlag Retrieves the global debug flag for the current process.
LookupPrivilegeValue Retrieves the locally unique identifier (LUID) for a privilege.
BlockInput Blocks keyboard and mouse input to the system.

WinAPI research

Anti Analysis

Unpacking stuff

Detecting packed malware

  1. Signatures: Using tools such as PEID
  2. Strings: Lack of strings in the malware
  3. Imports: Lack of imports functions
  4. Sections: Weird section names such as UPX
  5. Entropy: Higher entropy indicates data in the malware is encrypted
  6. Raw/Virtual sizes: Difference between raw and virtual size indicate packed

Methods to unpack

  1. Statically: Reverse engineering entire unpacking routine. Useless.
  2. Dynamically: Using debugger and put breakpoint on common unpacking functions such as VirtualAlloc, VirtualProtect and etc.
  3. Automated:, pe-sieve, mal_unpack, sandboxes.

Unpacking tools

Fixing dumped PE from memory

  1. Section alignment
    • Using hex editor to adjust the file by checking the sections header and repair it
  2. Unmapping
    • All the current address is based on memory
    • Make Raw Address same as Virtual Address
    • Fix Raw Size (Raw Addr section above - Raw Addr section below)
    • Fix Virtual Size by copy the fixed Raw size
  3. Rebase address
    • Edit Image Base based on the base address when dumping the PE

Before unpacked executable execute (ref: FOR710)

Numerous initialization activities must take place to prepare an executable for actual execution. This is the key activities to load an executable after unpacking:

  • Confirm the file is a Windows executable
  • Resolve critical APIs
  • Map the executable into memory
  • Load imported DLLs
  • Resolve imported functions
  • Apply relocations, if necessary
  • Update section permissions, if necessary
  • Identify the entry point (EP) for execution
  • Execute code beginning at the EP

PEB Walk

The Process Environment Block (PEB) is a data structure in memory that contains information about the running process, including:

  • Loaded modules
  • If the process is being debugged
  • Process parameters (e.g., current directory or command line)

Shellcode accesses the PEB to:

  1. Enumerate DLLs loaded in memory
  2. Access each DLL’s exported functions
  3. Resolve Windows API addresses

In disassembler, you’ll see the code will perform this instrucitons to retrieve the PEB address:



PUSH 30h
PEB Walking Description
ZwQueryInformationProcess Retrieves information about a specified process, such as its Process Environment Block (PEB).
NtQueryInformationProcess Retrieves information about a specified process, such as its Process Environment Block (PEB).
NtReadVirtualMemory Reads data from the memory of a specified process, often used to access the PEB.
NtQuerySystemInformation Retrieves information about the system, such as the list of loaded modules and their base addresses.

API Hashing

  • Shellcode often passes a precalculated hash to a function to resolve APIs.
  • This function:
    1. Iterates over all modules loaded by the process.
    2. For each module, the module name (e.g., kernel32.dll) is hashed.
    3. For each exported function in the module, the function name is hashed.
    4. The combined hash (i.e., the addition of the module name hash and function name hash) is compared against the hash passed to the function.
    5. If there is a match, the code resolves the address of the function so it can be called; if there is no match, it moves to the next loaded module and repeats the process.
API Hashing Description
LoadLibraryA Loads a dynamic-link library (DLL) into the address space of the calling process.
GetProcAddress Retrieves the address of an exported function or variable from a specified DLL.
LdrGetProcedureAddress Retrieves the address of an exported function or variable using the LDT.
GetModuleHandleA Retrieves a handle to the specified module (DLL or executable file).


Ransomware flow 101:

  1. Collect PC information
  2. Determine which file extension or directories need to be encrypted. Blacklist or whitelist extension.
  3. Get or find directories and files (with specific extension). May include net share.
  4. Generate cryptography key
  5. Encrypt files (overwrite or create new one). If creating a new one, it will delete the original file.
  6. Append the ransomware extension to the encrypted file
  7. Drop readme text file
  8. Optional
    • Delete shadow copy
    • Disable Windows lock file to maximize ransom file
    • Change wallpaper
    • Connect to CnC (Command and Control server)
    • Enumerate network share
    • Exploit vulnerabilities
    • Create persistence
    • Stop services
    • Stop process

Common CryptoAPI encryption

CryptoAPI Function Description
CryptAcquireContext Acquires a handle to a Cryptographic Service Provider (CSP) for cryptographic operations.
CryptImportKey Imports an embedded public key into the cryptographic context for use in encryption.
CryptGenRandom Generates random bytes suitable for cryptographic purposes, typically used for initialization vectors (IVs).
rand Generates pseudo-random bytes, often used for generating IVs as an alternative to CryptGenRandom.
GetTickCount Retrieves the number of milliseconds that have elapsed since the system was started, sometimes used for generating IVs.
CryptGenKey Generates a symmetric key for use in cryptographic operations such as encryption and decryption.
CryptSetKeyParam Modifies various aspects of a cryptographic key, such as the key’s operation mode or parameters.
CryptExportKey Exports a cryptographic key, often used for sharing public keys generated by CryptGenKey.
CryptEncrypt Encrypts data using the specified cryptographic key and algorithm obtained from CryptImportKey and CryptAcquireContext.
CryptDestroyKey Destroys the cryptographic key by freeing its resources.
CryptDeriveKey Derives a key from a specified hash value or password.
CryptDecrypt Decrypts data using the specified cryptographic key and algorithm obtained from CryptImportKey and CryptAcquireContext.
CryptReleaseContext Releases the handle to a cryptographic service provider (CSP) obtained from CryptAcquireContext.

File encryption APIs

File Encryption APIs Description
CreateFile Opens or creates a file for reading, writing, or both.
SetFilePointer Moves the file pointer within a file to a specified location.
SetFilePointerEx Extended version of SetFilePointer with support for large files.
WriteFile Writes data to a file, typically used for writing encrypted content and key information.
ReadFile Reads data from a file, usually used for reading the original file contents.
CloseFile Closes the file handle, releasing system resources.
MoveFile Renames or moves a file, often used to update file extensions after encryption.

Common algorithm of data

Despite reading the API, knowing the pattern of the algoritm and little bit of Google search may contribute the findings. Or we can use tool such as CAPA scanner or KANAL.


Common symmetric algorithms

  1. AES
  2. RC4
  3. Serphent
  4. Blowfish

Common Asymmetric algorithms

  1. RSA
CryptoAPI Function Description
CryptAcquireContext Acquires a handle to a Cryptographic Service Provider (CSP) for cryptographic operations. Required to use CryptoAPI
CryptEncrypt Encrypts data using the specified cryptographic key and algorithm obtained from CryptImportKey and CryptAcquireContext.
CryptDeriveKey Derives a key from a specified hash value or password. Parameter Algid is crucial.
CryptDecrypt Decrypts data using the specified cryptographic key and algorithm obtained from CryptImportKey and CryptAcquireContext.


  1. MD5 hashing
  2. SHA hashing
  3. CRC hashing
API Function Description
CryptAcquireContext Acquires a handle to a Cryptographic Service Provider (CSP) for cryptographic operations. Required to use CryptoAPI
CryptCreateHash Initiates the hashing of a stream of data. Parameter Algid is crucial.


  1. APLib Compression
  2. LZNT Compression
  3. LZMA Compression
API Function Description
RtlCompressBuffer Compresses a given buffer of data
RtlDecompressBuffer Decompresses a given buffer of compressed data


  • Shellcode is a sequence of bytes that represents assembly instructions.
  • Often allocates by VirtualAlloc
  • Hunt for the NOP (0x90) sled which designates its likely beginning, and the 00 byte values designate its likely end.
  • To load DLLs and resolve API function names, shellcode often seeks kernel32.dll for LoadLibrary and GetProcAddress.
  • Shellcode looks for the Process Environment Block (PEB) to locate kernel32.dll in memory of the exploited application.

Shellcode common opcodes

Opcode Description
FC This translates to the instruction CLD (clear direction flag).
EB This is the opcode for a relative jump instruction.
E8 This is the opcode for a CALL instruction.
55 8B EC This translates to the instructions push ebp and mov ebp,esp, commonly seen at the beginning of a function (i.e., the function prologue) in x86.

Rebase shellcode address

Formula: Base Address of image - Entry point of Shellcode



  • Then, perform reversing in debugger/disassembler or behavior analysis.
  • jmp2it
  • shellcode_launcer


  • IDA Pro. Press C to convert undefined data to code
  • Ghidra. Choose the right compiler for the language option
  • x64Dbg. Go through the code in debugger


  • scdbg
  • speakeasy

Helpful tools

  • xorsearch with param -W -d 3 = To spot shellcode patterns in binary files.

Other languages


  • Use DnSpy
    • Go to Entry Point
    • Find Reference
    • Use Module Breakpoint
    • Watch Local variables
    • Show in memory, dump in memory
  • De4dot for decode encoded strings
  • NETReactorSlayer for deobfuscate

Golang resources



Deobfuscation using browser

  1. Extract JS
  2. Create HTML
var x = eval(Susp JS code);
  1. Open JS in Browser
  2. Open dev tools > Sources
  3. BP “alert(x)” line
  4. Reload page and observe the output

Manual deobfucation

  1. Beautify the code
  2. Remove variables that is only used once
  3. Replace complicated values with readble values
  4. Rename variables names
  5. Manual deobfuscation using above steps and add some codes to debug the JS, such as document.write(interesting_var) or add new line of code to call the interesting function interesting_function()


  • Use VBDecompiler


  • Use Exe2Aut

Powershell fileless

  • Use psunveil. Refer:
  • Enable logging. Refer:

Building an effective YARA

  • Static file characteristics (
  • Embedded strings (PeStudio, strings64.exe,
  • Code analysis results (Ghidra).
  • Binary comparison results (Ghidra, BinDiff).
  • Use and review/improve the rule.


Personally, all tools in Flare-vm and Remnux is more than enough.

Helpful references

Some references that can help in analyzing malware:

  1. Anti technique Map: Provides a map of anti-analysis techniques used by malware.
  2. MalAPI: Resource detailing common Windows APIs used in analyzing and reversing Windows malware.
  3. Filesec: Resource listing file extensions commonly used by attackers.
  4. LOLBAS: Information on fileless and script-based techniques used by malware, known as Living Off the Land Binaries and Scripts.
  5. APT’s malware analysis reports: Reports and analyses of malware associated with Advanced Persistent Threat (APT) groups.
  6. Google: Using search engines for additional information and research.
  7. vx-underground: Underground forum and resource for malware research and analysis.
  8. Compilation of malware source code: Collection of malware source code for study and analysis.
  9. Ask the communities: Engaging with online communities and forums dedicated to malware analysis for assistance and collaboration.
  10. “Important Windows Functions, Appendix A, page 453, Practical Malware Analysis book”