Many values under HKEY_CLASSES_ROOT\Installer\Assemblies have these odd-looking characters as prefixes and suffixes in REG_MULTI_SZ values.
3PgDT0$gy?~Dc}DI]?&!Complete5.1.41212.0>C%.qkZL4=Ax1x8*pgU8o
WINDOWS 10 Registry Export
RegtoText Windows Registry Conversion Version 5.00
[HKEY_CLASSES_ROOT\Installer\Assemblies\c:|Program Files (x86)|Microsoft Silverlight|5.1.40728.0|vi|system.resources.dll]
"system.resources,culture=\"vi\",fileVersion=\"5.1.40728.0\",processorArchitecture=\"MSIL\",publicKeyToken=\"7cec85d7bea7798e\",version=\"5.0.5.0\""=[REG_MULTI_SZ]
3PgDT0$gy?~Dc}DI]?&!Complete5.1.41212.0>C%.qkZL4=Ax1x8*pgU8o
3PgDT0$gy?~Dc}DI]?&!Complete5.1.41212.0>WH7IkSJo49emP^-SBc]q
ANSWER: Not a Trojan
It turns out that these specially encoded characters are part of a "Darwin Descriptor" (DD): an encoded representation of a specific product, feature, and component.
Further reading:
- https://www.symantec.com/connect/articles/working-darwin-descriptors
- https://msdn.microsoft.com/en-us/library/aa302344.aspx
ProductCode: {encoded GUID}
Feature: {non-encoded string}
ComponentId: {encoded GUID}
The Darwin Descriptor is used when installing an application, and the GUIDs are used to register additional capabilities, such as adding a file association extension for the application. For example, Notepad's associated file extension is .txt. That's just one example; you can do more with the DD, see https://msdn.microsoft.com/en-us/library/aa302344.aspx for details.
The full DD encoding is described well in the following links, and involves some byte reordering! Further reading:
- https://www.symantec.com/connect/articles/working-darwin-descriptors
- http://www.laurierhodes.info/?q=node/34
The great news is that you can decode these values into human-readable form and back to a GUID.
https://www.symantec.com/connect/downloads/readydarwin-descriptors-dd
For example, running DarwinDesc_GUID.exe_.txt from the console (rename it to remove the _.txt suffix first) converts this string
3PgDT0$gy?~Dc}DI]?&!Complete5.1.41212.0>C%.qkZL4=Ax1x8*pgU8o
into the decoded text below, where the ProductCode and ComponentId GUIDs can be read directly.
---------------------------Darwin Descriptor---------------------------
ProductCode: {89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Feature: Complete5.1.41212.0
ComponentId: {CFFE1F82-ED5D-4E98-92C5-8B16CCBD8CDA}
--------------------------- OK ---------------------------
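To show the byte reordering the linked articles describe, and so that a descriptor like the one above can be triaged offline without a separate tool, here is an added decoder/encoder in Python. It is not code from this post or from DarwinDesc_GUID.exe. The 85-character alphabet and the little-endian digit order are those of Windows Installer's compressed GUIDs (as reimplemented in Wine's msi code); the descriptor layout it assumes is a 20-character product code, the feature name, then '>' followed by a 20-character component id ('<' or end of string after the feature is treated as "no component"). The two strings fed in are the REG_MULTI_SZ value from the registry export above.

```python
"""Decode and encode Windows Installer "Darwin Descriptor" compressed GUIDs.

Added example, not the post's own code. Alphabet and digit order follow
Windows Installer's compressed-GUID scheme (Wine's msi reimplementation);
descriptor layout assumed: <20-char product><feature>'>'<20-char component>.
"""
import struct
import uuid

# 85 printable characters; '<' and '>' are absent so they can act as separators.
ALPHABET = ("!$%&'()*+,-.0123456789=?@"
            "ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_`"
            "abcdefghijklmnopqrstuvwxyz{}~")
assert len(ALPHABET) == 85
DIGIT = {ch: i for i, ch in enumerate(ALPHABET)}


def decode_compressed_guid(text: str) -> str:
    """20 base-85 characters -> '{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}'.

    Each group of five characters is one 32-bit DWORD, least significant
    digit first; the four DWORDs are the GUID's in-memory (little-endian)
    layout, which is why the hex digits appear reordered when printed.
    """
    if len(text) != 20:
        raise ValueError("compressed GUID must be exactly 20 characters")
    raw = bytearray()
    for group in range(4):
        value, weight = 0, 1
        for ch in text[group * 5:group * 5 + 5]:
            if ch not in DIGIT:
                raise ValueError(f"character {ch!r} is not in the descriptor alphabet")
            value += DIGIT[ch] * weight
            weight *= 85
        if value > 0xFFFFFFFF:
            # 85**5 exceeds 2**32, so a malformed group can overflow a DWORD.
            raise ValueError("five-character group overflows 32 bits")
        raw += struct.pack("<I", value)
    return "{%s}" % str(uuid.UUID(bytes_le=bytes(raw))).upper()


def encode_compressed_guid(guid_text: str) -> str:
    """Inverse of decode_compressed_guid; accepts the braced GUID form."""
    raw = uuid.UUID(guid_text.strip("{}")).bytes_le
    out = []
    for (value,) in struct.iter_unpack("<I", raw):
        for _ in range(5):
            out.append(ALPHABET[value % 85])
            value //= 85
    return "".join(out)


def parse_darwin_descriptor(descriptor: str) -> dict:
    """Split a descriptor into ProductCode / Feature / ComponentId."""
    if len(descriptor) < 20:
        raise ValueError("descriptor shorter than a product code")
    product = decode_compressed_guid(descriptor[:20])
    rest = descriptor[20:]
    # The feature name runs up to the separator; '>' introduces a component.
    end = len(rest)
    for i, ch in enumerate(rest):
        if ch in "<>":
            end = i
            break
    component = None
    if end < len(rest) and rest[end] == ">":
        component = decode_compressed_guid(rest[end + 1:end + 21])
    return {"ProductCode": product, "Feature": rest[:end], "ComponentId": component}


# Sample input: the two strings of the REG_MULTI_SZ value shown in the post.
SAMPLE_VALUE = [
    "3PgDT0$gy?~Dc}DI]?&!Complete5.1.41212.0>C%.qkZL4=Ax1x8*pgU8o",
    "3PgDT0$gy?~Dc}DI]?&!Complete5.1.41212.0>WH7IkSJo49emP^-SBc]q",
]


def decode_multi_sz(strings):
    """Decode every descriptor in a REG_MULTI_SZ value."""
    return [parse_darwin_descriptor(s) for s in strings]


if __name__ == "__main__":
    for entry in decode_multi_sz(SAMPLE_VALUE):
        for key, val in entry.items():
            print(f"{key}: {val}")
        print("---")
```

Both strings share the same product code and feature and differ only in the component id, which is what you would expect for two resources of one installed product; a descriptor whose product code does not match any key under HKEY_CLASSES_ROOT\Installer\Products would be the thing worth a second look.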
Update: a tool that will convert most hex values
RegtoText is a command line utility that converts a Windows Registry exported file (.reg) into a human-readable text (.txt) file. Hex numbers are converted into ASCII characters when possible. Conversion can be challenging since a registry value can hold any binary format, so heuristic and probabilistic methods are used to decode values to ASCII when possible.
http://regtotext.blogspot.ca/