farzinenddo/apt41-registry-decryptor.ps1

## apt41-registry-decryptor.ps1
$CPU = (Get-ItemProperty HKLM:\HARDWARE\DESCRIPTION\System\CentralProcessor\0\).Identifier
$value = ls "Registry::HKEY_CLASSES_ROOT\$CPU*"

$key = [System.Text.Encoding]::UTF8.GetBytes([System.Text.Encoding]::UTF8.GetString($CPU.Substring(0,8)))
$iv = $key

$provider = New-Object System.Security.Cryptography.DESCryptoServiceProvider
$provider.Mode = [System.Security.Cryptography.CipherMode]::CBC
$provider.Padding = [System.Security.Cryptography.PaddingMode]::None
$decryptor = $provider.CreateDecryptor($key, $iv)

foreach($i in 0..14){
	$encrypted = $value.GetValue($value.Property[$i])
	try{
		$decrypted_value = [System.Text.Encoding]::UTF8.GetString($decryptor.TransformFinalBlock($encrypted, 0, $encrypted.Length))
		write-host $i $decrypted_value
	} catch {
		continue
	}
}
	$CPU = (Get-ItemProperty HKLM:\HARDWARE\DESCRIPTION\System\CentralProcessor\0\).Identifier
	$value = ls "Registry::HKEY_CLASSES_ROOT\$CPU*"

	$key = [System.Text.Encoding]::UTF8.GetBytes([System.Text.Encoding]::UTF8.GetString($CPU.Substring(0,8)))
	$iv = $key

	$provider = New-Object System.Security.Cryptography.DESCryptoServiceProvider
	$provider.Mode = [System.Security.Cryptography.CipherMode]::CBC
	$provider.Padding = [System.Security.Cryptography.PaddingMode]::None
	$decryptor = $provider.CreateDecryptor($key, $iv)

	foreach($i in 0..14){
	$encrypted = $value.GetValue($value.Property[$i])
	try{
	$decrypted_value = [System.Text.Encoding]::UTF8.GetString($decryptor.TransformFinalBlock($encrypted, 0, $encrypted.Length))
	write-host $i $decrypted_value
	} catch {
	continue
	}
	}