lockbit black blob decoding POC

Blobs in LockBit Black are decoded similarly to BlackMatter's, but with a new 64-bit LCG.

The initial seed for the sample I reverse-engineered was at the start of .pdata.

POC decoder; pretty quick and dirty due to time constraints.

def mul64(a1, a2):
    """Return the plain product of *a1* and *a2*.

    No masking happens here; callers reduce the result to 64 bits
    themselves, so the product may exceed 2**64.
    """
    product = a1 * a2
    return product

def LCG(a1):
    xkey = mul64(a1, 0x5851f42d4c957f2d) & 0xffffffffffffffff
    xkey += 0x14057b7ef767814f
    xkey = xkey & 0xffffffffffffffff
    ret = mul64(init_seed, xkey)
    ret = ret & 0xffffffffffffffff
    return(ret,xkey)

# Initial generator value; for the analysed sample it was read from the start of .pdata.
init_seed = 0x669aec516260d2fc
# First XOR key plus the generator value to feed into the next LCG step.
xor_key, new_seed = LCG(init_seed)

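import sys  # the snippet uses sys without importing it

# Whole encoded blob from the path in argv[1]; a bytearray so bytes can be XORed in place.
# The context manager closes the file instead of leaking the handle.
with open(sys.argv[1], 'rb') as blob_file:
    bdata = bytearray(blob_file.read())
# Decoded output; bytearray() (not bytearray('')) so this also runs on Python 3.
out = bytearray()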

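import struct  # the snippet uses struct without importing it

# Byte j of each 8-byte block is XORed with key[_KEY_BYTE_ORDER[j]]; this is the
# same permutation the original spelled out as eight separate statements.
_KEY_BYTE_ORDER = (0, 5, 1, 4, 2, 7, 3, 6)

# Decode every complete 8-byte block.  '//' keeps the count an int on Python 3
# (range() rejects the float that '/' produces there); on Python 2 it is unchanged.
for i in range(len(bdata) // 8):
    key = bytearray(struct.pack('<Q', xor_key))
    data = bdata[i * 8:(i + 1) * 8]
    for pos, key_idx in enumerate(_KEY_BYTE_ORDER):
        data[pos] ^= key[key_idx]
    out += data
    # Advance the generator; the returned key is used for the next block.
    (xor_key, new_seed) = LCG(new_seed)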

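import struct  # the snippet uses struct without importing it

# Trailing partial block (0-7 bytes).  The key is the one produced by the last
# LCG step, and byte j is XORed with key[_KEY_BYTE_ORDER[j]] exactly as in the
# main loop; the original unrolled this into seven copy-pasted steps.
_KEY_BYTE_ORDER = (0, 5, 1, 4, 2, 7, 3, 6)
key = bytearray(struct.pack('<Q', xor_key))
# Slice from len(out) rather than (i+1)*8: the loop variable i is unbound when
# the blob is shorter than 8 bytes, which made the original raise NameError.
data = bdata[len(out):]
for pos in range(len(data)):
    data[pos] ^= key[_KEY_BYTE_ORDER[pos]]
# An empty tail appends nothing, matching the original's skipped while loop.
out += data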

Two decoded objects:

>>> import aplib
>>> aplib.decompress(str(out)).do()
('LockBit Black Ransomware\r\n\r\nYour data are stolen and encrypted\r\n\r\nThe data will be published on TOR website\r\nhttp://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion\r\nand http://lockbitapt.uz if you do not pay the ransom\r\n\r\nYou can contact us and decrypt one file for free on these TOR sites\r\nhttp://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion\r\nhttp://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion\r\nhttp://lockbitsupp.uz\r\n\r\nDecryption ID: %s', 358)

>>> import aplib
>>> aplib.decompress(str(out)).do()
('\xb3\x0c\x86"\xdbS\xffY]\xc0Vm(\xcd\xb9\xec\xcd\x1e\xe6\xaf\xb4\xa6\xc5z\xa1\x02\xa7\xa9)W\x8c\xfb\xb5AV\xc4\xf4\x98\x06\x93\xe0D\xa0\x04;\xb6\x80*\x8b\x13\xdd\xfb7\xb2\x84K\xa3\xadS\x94\x8b\x0egit\x84\xcb\x1f\xe2\x02\x06\xe4D\tY\x04\xcc\x91\xfa\xe53]\xa7\xe8\xb8Os\x13\xd0x\xa9ZQ\xbaLJV\x02\x93^A\xb6\xef%$]H\x8f\xa7\x7ftE\xa2XP%\xafgC\x1b\xf7~\xbc:L\xa4\x08r\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x01\x01\x00\x01\x01\x01\x01\x01\x01\x01\x01\x01\x00\x01\x01\x01\x01\x00\x00\x00\x01\x00\x00(\x00\x00\x00\xa9\x00\x00\x00\xea\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfb\x01\x00\x00\xd0\x04\x00\x00\x00\x00\x00\x00\xc5\x05\x00\x00\x02\x06\x00\x00LSEKA82B8oz1eHAmNX5oJtdsQuNYac7Gp9HypsA7puE4C8tS3bjK3E5OADaVZQirlON1Lq6OAa7UJUtMNXnwB3X5ZmuSOOq3lOZmU5tYG817Ot5cO2IiurM3Ou8AAAAA\x00FarMhpsJBzmWrgzwVqvI/FKi0oIA7GuEN1mX2/WmOsLkV6qFNariy9H3zsgAAAAA\x00AA6wZwAZsMWAG0jFQBigx0AacMdAGBDJQBsgycAbaMkAHGDJQB2Qyf7L/KHxlLpKMZbiSnGX4mQAG2DLgBywywAeKM0AG4DTwBhg1YCrnsnAGHjVwBiY1QAZwNUAGTDbgBtY28AbIN0AHAjdwBwY3cAcgN3bt2tKwByo3QAbmN83eMpMwBjA4YAcMOPAHIjhwBto5wAdgOfAGJDpABqY6QAcYOlAHpjpepsuzZPFFq8AHMDxwNhe4UAZyNkAHQjTwBxI3QAZEOMAAAAA\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\x00dgBzAHMAAABzAHEAbAAAAHMAdgBjACQAAABtAGUAbQB0AGEAcwAAAG0AZQBwAG8AYwBzAAAAbQBzAGUAeABjAGgAYQBuAGcAZQAAAHMAbwBwAGgAbwBzAAAAdgBlAGUAYQBtAAAAYgBhAGMAawB1AHAAAABHAHgAVgBzAHMAAABHAHgAQgBsAHIAAABHAHgARgBXAEQAAABHAHgAQwBWAEQAAABHAHgAQwBJAE0AZwByAAAAAAB=\x009eI2aT+JI/6mK24RWVph+56xzKxJz8hUMueEk2KNA/RlvDtKIiKkUHjm6X1=\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\x00', 15686)

The base64 blob contains UTF-16 strings:

u'sql\x00oracle\x00ocssd\x00dbsnmp\x00synctime\x00agntsvc\x00isqlplussvc\x00xfssvccon\x00mydesktopservice\x00ocautoupds\x00encsvc\x00firefox\x00tbirdconfig\x00mydesktopqos\x00ocomm\x00dbeng50\x00sqbcoreservice\x00excel\x00infopath\x00msaccess\x00mspub\x00onenote\x00outlook\x00powerpnt\x00steam\x00thebat\x00thunderbird\x00visio\x00winword\x00wordpad\x00notepad\x00\x00'


sysopfb commented Jul 11, 2022

Registry block related to security-service keys:

SOFTWARE\\Policies\\Microsoft\\Windows\\System;GroupPolicyRefreshTimeDC;
SOFTWARE\\Policies\\Microsoft\\Windows\\System;GroupPolicyRefreshTimeOffsetDC;
SOFTWARE\\Policies\\Microsoft\\Windows\\System;GroupPolicyRefreshTime;
SOFTWARE\\Policies\\Microsoft\\Windows\\System;GroupPolicyRefreshTimeOffset;
SOFTWARE\\Policies\\Microsoft\\Windows\\System;EnableSmartScreen;
SOFTWARE\\Policies\\Microsoft\\Windows\\System;**del.ShellSmartScreenLevel;
SOFTWARE\\Policies\\Microsoft\\Windows Defender;DisableAntiSpyware;
SOFTWARE\\Policies\\Microsoft\\Windows Defender;DisableRoutinelyTakingAction;
SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection;DisableRealtimeMonitoring;
SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection;DisableBehaviorMonitoring;
SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Spynet;SubmitSamplesConsent;
SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Spynet;SpynetReporting;
SOFTWARE\\Policies\\Microsoft\\WindowsFirewall\\DomainProfile;EnableFirewall;
SOFTWARE\\Policies\\Microsoft\\WindowsFirewall\\StandardProfile;EnableFirewall;
