Introduction

This post explains how to identify and extract encrypted content stashed away in the resource section of malware. It is a common technique that malware authors use to make analysis more difficult. The analysis here uses pestudio for initial analysis, signsrch to identify encryption algorithms, and x64dbg to disassemble the binary.

Tools

pestudio - https://www.winitor.com/
signsrch - http://aluigi.altervista.org/mytoolz.htm
x64dbg - https://x64dbg.com/#start
hxd - https://mh-nexus.de/en/hxd/

Disclaimer

You are dealing with real malware samples.
Don't expose them to internal networks or the internet.
Analyze them in controlled environments (sandboxes).
We are not responsible for any consequences of damage if you fail to obey the rules.

Analysis

A Windows 7 virtual machine was set up with the above-mentioned tools. A snapshot was taken of the clean Windows 7 state with all tools installed.

The below mentioned Kronos variant