This course focuses on fundamental runtime behaviors often attributed to malware executing on a system. The student will be given high level explanations of each of these behaviors and their importance to the malware lifecycle. The students will be exposed to currently support Windows kernel technologies such as minifilters and callback routines. Students will learn how to collect and analyze execution data in real time from the Windows Kernel. The course will also allow students to build their own malware analysis engine for a Windows 10 operating system. The focus of the analysis engine is to detect malware early in its execution based on identification of suspicious behaviors including those discussed in class. The students will be graded on homework and a group semester project to build and test a malware detection analysis engine using log files of malware and benign process executions provided by the instructor. Students will setup a Windows 10 virtual machine with the kernel data collectors for use in their homework. The project will be presented to the class towards the end of the semester. Programming knowledge in a language is required for the homework and semester project. Previous knowledge of Windows system internals, malware is helpful but not required. Students will not be given any malware binaries by the instructor at any time during this course.