Thursday, July 21, 2016

Windows 10 Registry containing odd "bad" encrypted characters, not Trojan:Win32/Xadupi

Recently I was snooping around the Windows 10 Registry and found some odd or "bad" looking encrypted characters, and a quick internet search suggested it might be Trojan:Win32/Xadupi. This was unlikely since I had just created a fresh install of Win10, but I had to make sure.

It seems many values under HKEY_CLASSES_ROOT\Installer\Assemblies have these odd characters as prefixes and suffixes in their REG_MULTI_SZ data.

3PgDT0$gy?~Dc}DI]?&!Complete5.1.41212.0>C%.qkZL4=Ax1x8*pgU8o

WINDOWS 10 Registry Export

RegtoText Windows Registry Conversion Version 5.00
[HKEY_CLASSES_ROOT\Installer\Assemblies\c:|Program Files (x86)|Microsoft Silverlight|5.1.40728.0|vi|system.resources.dll] "system.resources,culture=\"vi\",fileVersion=\"5.1.40728.0\",processorArchitecture=\"MSIL\",publicKeyToken=\"7cec85d7bea7798e\",version=\"5.0.5.0\""=[REG_MULTI_SZ] 3PgDT0$gy?~Dc}DI]?&!Complete5.1.41212.0>C%.qkZL4=Ax1x8*pgU8o 3PgDT0$gy?~Dc}DI]?&!Complete5.1.41212.0>WH7IkSJo49emP^-SBc]q


ANSWER: Not a Trojan

It turns out that these specially encoded characters are part of a "Darwin Descriptor" (DD), which is actually an encoded representation of a specific product, component, and feature.

Further reading at



The Darwin Descriptor is a special encoding, and its layout is roughly
ProductCode: {encoded GUID} Feature: {non-encoded string} ComponentId: {encoded GUID}

The Darwin Descriptor is used when installing an application, and the GUIDs are used to register additional capabilities, such as adding a file association extension for the application. For example, Notepad's file association is with .txt. That's just one example; you can do more with the DD, see https://msdn.microsoft.com/en-us/library/aa302344.aspx for details.

The full DD specification is described well in the following link, and it involves some byte reordering! Further reading at



The great news is that you can decode these values to be human readable, and back to a GUID.


Darwin Descriptor Decoder: download it and check your key using the following link
https://www.symantec.com/connect/downloads/readydarwin-descriptors-dd

For example, using DarwinDesc_GUID.exe_.txt from the console (remove the _.txt suffix) to convert this string

3PgDT0$gy?~Dc}DI]?&!Complete5.1.41212.0>C%.qkZL4=Ax1x8*pgU8o

into the decoded text below, we can read the GUIDs of the ProductCode and ComponentId.


---------------------------Darwin Descriptor---------------------------

ProductCode: {89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}

Feature: Complete5.1.41212.0

ComponentId: {CFFE1F82-ED5D-4E98-92C5-8B16CCBD8CDA}
---------------------------
OK  
---------------------------
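The decoding the tool performs above, written out as an added Python example (not code from the original post or from the Symantec tool). It assumes the Windows Installer compressed-GUID alphabet is the 85 printable ASCII characters listed below in ASCII order, and that each 5 characters hold one little-endian DWORD with the least significant digit first; both assumptions reproduce the decoded ProductCode and ComponentId shown above for the sample value.

```python
import uuid

# Base-85 alphabet of the MSI "compressed GUID" form used in Darwin Descriptors:
# the 85 printable ASCII characters below, in ASCII order (assumption: this is
# msi.dll's table; it reproduces the tool's output above for the sample value).
DD_ALPHABET = ("!$%&'()*+,-.0123456789=?@"
               "ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_`"
               "abcdefghijklmnopqrstuvwxyz{}~")
DD_VALUE = {c: i for i, c in enumerate(DD_ALPHABET)}


def decode_compressed_guid(text: str) -> str:
    """Turn 20 base-85 characters into a registry-style {GUID} string.

    Each 5 characters carry one 32-bit DWORD, least significant digit first.
    The four DWORDs are the GUID structure in memory order (Data1, Data2 and
    Data3, Data4[0:4], Data4[4:8]); uuid.UUID(bytes_le=...) performs the
    little-endian byte reordering needed to print the first three fields.
    """
    if len(text) != 20:
        raise ValueError("compressed GUID must be exactly 20 characters")
    raw = bytearray()
    for i in range(0, 20, 5):
        value = 0
        for ch in reversed(text[i:i + 5]):   # last char is the most significant digit
            if ch not in DD_VALUE:
                raise ValueError(f"{ch!r} is not a Darwin Descriptor character")
            value = value * 85 + DD_VALUE[ch]
        if value > 0xFFFFFFFF:
            raise ValueError("base-85 group does not fit in 32 bits")
        raw += value.to_bytes(4, "little")
    return "{%s}" % str(uuid.UUID(bytes_le=bytes(raw))).upper()


def decode_darwin_descriptor(descriptor: str) -> dict:
    """Split ProductCode (20 chars) + Feature (clear text) + '>' + ComponentId (20 chars)."""
    descriptor = descriptor.rstrip("\x00")   # REG_MULTI_SZ entries carry a trailing NUL
    if len(descriptor) < 41 or descriptor[-21] != ">":
        raise ValueError("not a ProductCode+Feature+'>'+ComponentId descriptor")
    return {
        "ProductCode": decode_compressed_guid(descriptor[:20]),
        "Feature": descriptor[20:-21],
        "ComponentId": decode_compressed_guid(descriptor[-20:]),
    }


# The value quoted from the registry export earlier in the post.
SAMPLE = "3PgDT0$gy?~Dc}DI]?&!Complete5.1.41212.0>C%.qkZL4=Ax1x8*pgU8o"

if __name__ == "__main__":
    for field, value in decode_darwin_descriptor(SAMPLE).items():
        print(f"{field}: {value}")
```

Running it prints the same ProductCode, Feature and ComponentId as the tool output above; any character outside the alphabet (for example '|' or ':') raises a ValueError rather than producing a bogus GUID.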

Update: a tool that will convert most hex values

RegtoText is a command line utility that converts a Windows Registry exported file (.reg) into a human readable text (.txt) file. Hex numbers are converted into ASCII characters when possible. Conversion can be challenging since a registry value can hold any binary format, so heuristic and probabilistic methods are used to decode values to ASCII when possible.

http://regtotext.blogspot.ca/
