# Sample SHA-256

FA110CC263C5616318E203BE12888BACCEC9C9D3799864EAFCFA89605F1BA723

# Questions

1. Part of the sample's data is encrypted. At what offsets in the file is this encrypted data stored?
2. What is the address of the function responsible for loading the encrypted data?
3. What is the address of the function responsible for decrypting the encrypted data?
4. What encryption algorithm is used to encrypt the ransom note?
5. What is the key used to decrypt the ransom note?
6. Decrypt the sample's data from question 1. What is the email address referenced in the ransom note?
7. Describe the persistence mechanism used in the sample. What are the addresses of the functions responsible for setting up the persistence mechanism?
8. The sample drops and runs a .BAT file shortly after running. Where on the filesystem is it dropped, what commands does it run, and what purpose does it serve?
9. Which directories does the sample exclude from encryption?
10. What family of ransomware do you think this sample belongs to?

Good luck :)