diff --git a/dynamic.md b/dynamic.md index f27dae5..bbfe319 100644 --- a/dynamic.md +++ b/dynamic.md @@ -140,4 +140,4 @@ Step over the create and write file functions to save the decrypted resource to Go to the URL in the icon.gif. -[Section 5 <- Back](https://securedorg.github.io/RE101/section5) \ No newline at end of file +[Section 5 <- Back](https://securedorg.github.io/RE101/section5) | [Next -> Finale](https://securedorg.github.io/RE101/section6.1) \ No newline at end of file diff --git a/dynamic2.md b/dynamic2.md new file mode 100644 index 0000000..4e58874 --- /dev/null +++ b/dynamic2.md 
@@ -0,0 +1,73 @@ +--- +layout: default +permalink: /RE101/section6.1/ +title: Dynamic Analysis +--- +[Go Back to Reverse Engineering Malware 101](https://securedorg.github.io/RE101/) + +# Section 6: Finale # + +Congrats, you made it through the workshop. All of your notes an debugging you should have come up with a similar control flow like the diagram and report below. + +*Click to Enlarge* +[![alt text](https://securedorg.github.io/images/diagram.png "diagram")](https://securedorg.github.io/images/diagram.png) + + +## Simple Report + +Filename: Unkown.exe + +Sha256: a635f37c16fc05e554a6c7b3f696e47e8eaf3531407cac27e357851cb710e615 + +###Summary + +This file creates a copy of itself in the %APPDATA% location, sets persistence mechanisms, and beacons to definitely-not-evil.com. If beacon is successful, it will open a messagebox, then decrypt the resource which will then spawn a shell window to open the resource. + +###General Characteristics + +The file is UPX packed + +Import Functions: +* GetEnvironmentVariable +* CopyFile +* DeleteFile +* InternetOpen +* InternetConnect +* HttpOpenRequest +* HttpSendRequest +* MessageBox +* FindResource +* CryptStringToBinary +* CreateFile +* ShellExecute +* CreateProcess + + +###File System IOC + +CreateFile C:\Users\victim\AppData\Roaming\dope.exe CreateFile icon.gif +Network IOC + +GET /ayy HTTP/1.1 Content-Type: text/html MySpecialHeader: whatever User-Agent: definitely-not-evil.com Host: definitely-not-evil.com Cache-Control: no-cache + +###Registry IOC + +RegQueryValue HKCU\Software\Microsoft\Windows\CurrentVersion\Run\dope + +###Behavior & Control Flow + +Processes Created dope.exe +1) Starts by decoding xor strings +2) Checks to see if dope.exe already exists in %APPDATA% +3) If it doesn't exist create a copy of itself to %APPDATA% as dope.exe +4) Set the startup registry key +5) Start the newly copied dope.exe process +6) Delete the original +7) Dope.exe will check the registry key if set +8) Call out to 
definitely-not-evil.com +9) If the result is "lmao" it will open a messagebox and extract the resource +10) Base64 decode the resource +11) Save decoded resource as icon.gif +12) Shellexecute to open icon.gif + +[Section 6 <- Back](https://securedorg.github.io/RE101/section6) \ No newline at end of file diff --git a/images/Diagram.png b/images/Diagram.png new file mode 100644 index 0000000..b3636c4 Binary files /dev/null and b/images/Diagram.png differ
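Review bot: in the dynamic.md hunk the new forward link `[Next -> Finale](https://securedorg.github.io/RE101/section6.1)` lands on a page whose heading is `# Section 6: Finale #` and whose back link reads `[Section 6 <- Back](https://securedorg.github.io/RE101/section6)`, so a reader leaves Section 6 and arrives on another page that calls itself Section 6; title the new page to match the link text and permalink (for example `# Section 6.1: Finale #`) or pick a single section number for both files. Style point: the edited line both before and after still ends with `\ No newline at end of file`, and the new dynamic2.md has the same problem; adding the trailing newline now avoids this churn in every future diff.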
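Review bot: the diagram in the dynamic2.md hunk will not render: the page links `https://securedorg.github.io/images/diagram.png` (lowercase) while the binary added by this patch is `images/Diagram.png` (capital D), and GitHub Pages serves files case-sensitively, so either rename the file to `diagram.png` or change both the link and the image URL to `Diagram.png`. Two wording fixes before merging: the intro sentence is broken and should read along the lines of "With all of your notes and debugging you should have come up with a control flow similar to the diagram and report below", and `Filename: Unkown.exe` is misspelled. Formatting: `###Summary`, `###General Characteristics`, `###File System IOC`, `###Registry IOC` and `###Behavior & Control Flow` have no space after the hashes, unlike `## Simple Report`, and not every Markdown renderer treats a space-less `###` as a heading; `Network IOC` has no heading marker at all; the two `CreateFile` entries and the HTTP request would survive rendering better in fenced code blocks. Finally, the Behavior section says the sample sets the startup registry key (step 4) and later checks it (step 7), yet the Registry IOC lists only `RegQueryValue` and the import list contains no registry function; add the set-value call and the corresponding import, or say why they do not appear.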