diff --git a/dynamic.md b/dynamic.md index cff8424..1844d15 100644 --- a/dynamic.md +++ b/dynamic.md @@ -5,4 +5,6 @@ title: Dynamic Analysis --- [Go Back to Reverse Engineering Malware 101](https://securedorg.github.io/RE101/) -# Section 4: Dynamic Analysis # +# Section 6: Dynamic Analysis # + +[Section 5 <- Back](https://securedorg.github.io/RE101/section5) \ No newline at end of file diff --git a/images/static1.png b/images/static1.png new file mode 100644 index 0000000..96ffe68 Binary files /dev/null and b/images/static1.png differ diff --git a/images/static2.gif b/images/static2.gif new file mode 100644 index 0000000..bd6c995 Binary files /dev/null and b/images/static2.gif differ diff --git a/images/triage1.png b/images/triage1.png new file mode 100644 index 0000000..6190e3e Binary files /dev/null and b/images/triage1.png differ diff --git a/images/triage2.png b/images/triage2.png new file mode 100644 index 0000000..d67c97d Binary files /dev/null and b/images/triage2.png differ diff --git a/images/triage3.png b/images/triage3.png new file mode 100644 index 0000000..6c4926e Binary files /dev/null and b/images/triage3.png differ diff --git a/images/triage4.png b/images/triage4.png new file mode 100644 index 0000000..f52a753 Binary files /dev/null and b/images/triage4.png differ diff --git a/images/triage5.png b/images/triage5.png new file mode 100644 index 0000000..5e669cf Binary files /dev/null and b/images/triage5.png differ diff --git a/static.md b/static.md index 1358dea..2b1c8de 100644 --- a/static.md +++ b/static.md 
@@ -7,4 +7,42 @@ title: Static Analysis # Section 5: Static Analysis # +## LAB 1 + +### Possible Packer? +Notice in CFF explorer that there is UPX in the header. +![alt text](https://securedorg.github.io/images/triage2.png "UPX") + +When you open the executable in IDA, you will notice large section of non-disassembled code. +![alt text](https://securedorg.github.io/images/triage4.png "IDA UPX") + +Because UPX is a common packer, the unpacker is already built in to CFF Explorer. Unpack and save the file with a name that identifies it as unpacked. +![alt text](https://securedorg.github.io/images/triage5.png "Unpacking UPX") + +### Reopen the executable in IDA. + +The next step is getting a sense as to what the program is doing. +So far we can assume: +* This exe is connecting to the internet somehow +* This exe is using a string encryption function +* This exe might be spawning a shell + +--- + +Navigate to the **String** window. + +Here is an interesting string that we should start with: +![alt text](https://securedorg.github.io/images/static1.png "Strings window") + +Using the **X** key we can jump to the reference of that string in the assembly code. +![alt text](https://securedorg.github.io/images/static2.gif "Strings window") + +This function is offset **00401340**. Notice in that function is setting a registry key using Window API [RegOpenKeyEx](https://msdn.microsoft.com/en-us/library/windows/desktop/ms724897%28v=vs.85%29.aspx?f=255&MSPPError=-2147217396). + +We should rename this function **SetRegkey**. + +--- + + + [Section 4 <- Back](https://securedorg.github.io/RE101/section4) | [Next -> Section 6](https://securedorg.github.io/RE101/section6) diff --git a/triage.md b/triage.md index d90180d..db667a2 100644 --- a/triage.md +++ b/triage.md 
@@ -77,8 +77,10 @@ You can use the **Malware Analysis Report** template [HERE](https://securedorg.g 2. Copy over the unknown file 3. Check the file header by opening the file in the hex editor **HxD** * Notice the first 1 byte is **MZ** meaning it's a PE Binary +![alt text](https://securedorg.github.io/images/triage1.png "MZ Header") 4. Now right click the file and select **CFF explorer** to check the PE header * Note the imports it's using +![alt text](https://securedorg.github.io/images/triage3.png "Imports") 5. Calculate the hash using **quickhash**, go to virustotal.com and search the hash 6. Open the file in **BinText** and record any interesting strings
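Review bot: In the dynamic.md hunk the new back link `[Section 5 <- Back](https://securedorg.github.io/RE101/section5)` is added without a trailing newline (the `\ No newline at end of file` marker), and the section is retitled from 4 to 6 without a matching `Next ->` link, unlike static.md, which carries both `[Section 4 <- Back]` and `[Next -> Section 6]`. Suggest ending the file with a newline and mirroring the static.md navigation line so the pages stay consistent.

Review bot: In the static.md hunk the sentence "Notice in that function is setting a registry key using Window API RegOpenKeyEx" has two problems: the grammar is broken, and RegOpenKeyEx opens an existing key rather than setting one, so the proposed function name **SetRegkey** is not supported by the API the text names (a set would use a RegSetValue-family call). Suggest rewording to "Notice that this function opens a registry key using the Windows API call RegOpenKeyEx" and choosing a name that matches what the disassembly actually shows, and also stripping the tracking parameters `?f=255&MSPPError=-2147217396` from the MSDN URL. Smaller points in the same hunk: "large section of non-disassembled code" should be "large sections", "built in to CFF Explorer" should be "built into", the alt text for static2.gif repeats "Strings window" although the image shows the jump to the string's cross-reference, and "### Reopen the executable in IDA." reads as an instruction rather than a heading, so it should be a plain step line like the surrounding text.

Review bot: In the triage.md hunk both image lines are inserted flush-left directly after an indented `*` sub-bullet, which in most Markdown renderers terminates the numbered list so that step 4 and step 5 restart numbering from 1. Suggest indenting the `![alt text](...)` lines to the sub-bullet's level (or separating them with a blank line and indentation) so they render inside steps 3 and 4. While in this list, the context line "Notice the first 1 byte is **MZ**" describes two bytes, so "first 2 bytes" would be accurate.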