Module 5: Live Behaviour & Dynamic Reverse Engineering

Static clues only go so far; eventually, you must watch malware run. In this module, you build a layered toolkit (Process Explorer, Process Hacker, Procmon, API Logger, CMD Watcher, and the IDA debugger) to capture every file write, registry tweak, API call, and decrypted string in real time. You will rehearse on generic samples, then tackle the FlawedAmmyy RAT end-to-end: correlate PCAP traffic with sandbox telemetry, single-step through its remote-control routines, and harvest IOCs straight into custom YARA signatures. By the end, you’ll wield a repeatable dynamic-analysis workflow that turns chaotic runtime behaviour into precise, automatable detections.