{"id":1145,"date":"2012-07-20T15:51:50","date_gmt":"2012-07-20T15:51:50","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=1145"},"modified":"2012-10-14T23:47:35","modified_gmt":"2012-10-14T23:47:35","slug":"random-stats-from-1m-samples-regkeys","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2012\/07\/20\/random-stats-from-1m-samples-regkeys\/","title":{"rendered":"Random Stats from 1M samples \u2013 RegKeys"},"content":{"rendered":"<p><strong>Update<\/strong><\/p>\n<p><a href=\"http:\/\/windowsir.blogspot.com\/\">Harlan<\/a> proposed to search for &#8216;system\\&#8217;. I did and added stats below.<\/p>\n<p><strong>Old post<\/strong><\/p>\n<p><a href=\"http:\/\/journeyintoir.blogspot.com\">Corey<\/a> asked on Twitter about stats for registry keys, so I grepped the strings extracted from samples for traces of related artifacts. Since it&#8217;s a non-trivial task (at least dynamic analysis is needed to confirm which reg keys are really used during run-time, and even more work is needed to confirm which keys are actually malware-related) I only searched for the &#8216;Software\\&#8217; string, assuming that it is a decent keyword to start with. 
If you have better ideas, please let me know.<\/p>\n<p>These are above 1000 occurrences for &#8216;SOFTWARE\\&#8217;:<\/p>\n<pre>\u00a0112294 SOFTWARE\\Borland\\Delphi\\RTL\r\n\u00a0 89263 Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\n\u00a0 81916 Software\\Borland\\Delphi\\Locales\r\n\u00a0 80672 Software\\Borland\\Locales\r\n\u00a0 53495 Software\\Microsoft\\Windows\\CurrentVersion\r\n\u00a0 48312 SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\r\n\u00a0 45933 Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\r\n\u00a0 31554 SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\r\n\u00a0 21968 Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\r\n\u00a0 21788 Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\r\n\u00a0 21420 Software\\Microsoft\\Internet Explorer\\Main\r\n\u00a0 20350 SOFTWARE\\\r\n\u00a0 18188 Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\r\n\u00a0 17461 Software\\\r\n\u00a0 16913 SOFTWARE\\Microsoft\\Windows\\CurrentVersion\r\n\u00a0 16271 SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\r\n\u00a0 11711 SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Folder\\Hidden\\SHOWALL\r\n\u00a0 10785 SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\r\n\u00a0 10471 SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\r\n\u00a0 10305 Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\r\n\u00a0\u00a0 9981 Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\User Agent\\Post Platform\r\n\u00a0\u00a0 9894 SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Folder\\SuperHidden\r\n\u00a0\u00a0 9443 SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\r\n\u00a0\u00a0 9285 SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Folder\\HideFileExt\r\n\u00a0\u00a0 8805 Software\\%s\r\n\u00a0\u00a0 8371 Software\\Microsoft\\Windows\\CurrentVersion\\RunServices\r\n\u00a0\u00a0 8215 
SOFTWARE\\Microsoft\\Internet Explorer\\Main\r\n\u00a0\u00a0 8206 Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Network\r\n\u00a0\u00a0 7826 Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\r\n\u00a0\u00a0 7614 Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Comdlg32\r\n\u00a0\u00a0 7465 Software\\Microsoft\\Internet Explorer\r\n\u00a0\u00a0 7252 SoftWare\\Microsoft\\Windows\\CurrentVersion\\Run\r\n\u00a0\u00a0 7183 SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\r\n\u00a0\u00a0 6988 SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\r\n\u00a0\u00a0 6918 SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Folder\\Hidden\\NOHIDDEN\r\n\u00a0\u00a0 6187 Software\\WinLicense\r\n\u00a0\u00a0 5573 SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellExecuteHooks\r\n\u00a0\u00a0 5510 Software\\Microsoft\\Active Setup\\Installed Components\\\r\n\u00a0\u00a0 5209 HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\r\n\u00a0\u00a0 5184 SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\r\n\u00a0\u00a0 4925 Software\\Microsoft\\Internet Explorer\\PageSetup\r\n\u00a0\u00a0 4886 Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\r\n\u00a0\u00a0 4739 Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\WinOldApp\r\n\u00a0\u00a0 4625 Software\\Microsoft\\OLE\r\n\u00a0\u00a0 4568 SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\\r\n\u00a0\u00a0 4396 SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\r\n\u00a0\u00a0 4348 Software\\Microsoft\\Windows\\CurrentVersion\\explorer\\Browser Helper Objects\\\r\n\u00a0\u00a0 4182 SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\policies\\explorer\\run\r\n\u00a0\u00a0 3994 Software\\Classes\\\r\n\u00a0\u00a0 3933 SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\policies\\system\r\n\u00a0\u00a0 3739 Software\\Microsoft\\Windows\\CurrentVersion\\run\r\n\u00a0\u00a0 3704 Software\\Fenomen Games\\Game Downloader\\1.1\\List\r\n\u00a0\u00a0 
3533 SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost\r\n\u00a0\u00a0 3532 SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU\r\n\u00a0\u00a0 3506 Software\\WinRAR SFX\r\n\u00a0\u00a0 3498 SOFTWARE\\SweetIM\\Messenger\r\n\u00a0\u00a0 3492 SOFTWARE\\Microsoft\\NET Framework Setup\\NDP\\v1.1.4322\r\n\u00a0\u00a0 3420 Software\\MediaGet\r\n\u00a0\u00a0 3420 SOFTWARE\\MediaGet\r\n\u00a0\u00a0 3408 Software\\Mediaget\r\n\u00a0\u00a0 3408 SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{70B96CD0-FDF2-489E-8FA0-0F92ED599368}\r\n\u00a0\u00a0 3407 Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\MediaGet\r\n\u00a0\u00a0 3316 SOFTWARE\\BabylonToolbar\\BabylonToolbar\\Instl\r\n\u00a0\u00a0 3302 Software\\BioWare\\NWN\\Neverwinter\r\n\u00a0\u00a0 3291 SOFTWARE\\Microsoft\\Security Center\r\n\u00a0\u00a0 3281 SOFTWARE\\Microsoft\\NET Framework Setup\\NDP\r\n\u00a0\u00a0 3268 Software\\Policies\\Microsoft\\Internet Explorer\\Control Panel\r\n\u00a0\u00a0 3238 Software\\Microsoft\\Windows\\CurrentVersion\\explorer\\ShellExecuteHooks\r\n\u00a0\u00a0 3207 Software\\Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad\r\n\u00a0\u00a0 3149 Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\r\n\u00a0\u00a0 2978 Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\run\r\n\u00a0\u00a0 2899 SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\r\n\u00a0\u00a0 2764 Software\\Microsoft\\Windows NT\\CurrentVersion\r\n\u00a0\u00a0 2763 Software\\Microsoft\\Internet Account Manager\\Accounts\r\n\u00a0\u00a0 2749 Software\\Microsoft\\Internet Explorer\\TypedURLs\r\n\u00a0\u00a0 2746 SOFTWARE\\Microsoft\\Internet Explorer\r\n\u00a0\u00a0 2686 Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\r\n\u00a0\u00a0 2643 Software\\Microsoft\\Windows\\CurrentVersion\\policies\\explorer\\run\r\n\u00a0\u00a0 2619 Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\r\n\u00a0\u00a0 2527 
Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing\\Trust Database\\0\r\n\u00a0\u00a0 2513 Software\\Microsoft\\Windows\\ShellNoRoam\\MUICache\r\n\u00a0\u00a0 2478 Software\\Wine\r\n\u00a0\u00a0 2402 Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\User Agent\r\n\u00a0\u00a0 2400 Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\\r\n\u00a0\u00a0 2339 Software\\Valve\\Half-Life\\Settings\r\n\u00a0\u00a0 2308 SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Hotfix\\Q246009\r\n\u00a0\u00a0 2299 Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\r\n\u00a0\u00a0 2249 SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunServices\r\n\u00a0\u00a0 2244 SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\r\n\u00a0\u00a0 2234 Software\\Ask.com.tmp\r\n\u00a0\u00a0 2133 Software\\Valve\\CounterStrike\\Settings\r\n\u00a0\u00a0 2107 SOFTWARE\\Microsoft\\Shared Tools\\MSConfig\\startupreg\r\n\u00a0\u00a0 2099 SOFTWARE\\Microsoft\\Shared Tools\\MSConfig\\startupfolder\r\n\u00a0\u00a0 2098 Software\\Activision\\Soldier of Fortune II - Double Helix\r\n\u00a0\u00a0 2033 SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\\r\n\u00a0\u00a0 1941 Software\\Eugen Systems\\The Gladiators\r\n\u00a0\u00a0 1931 Software\\AppDataLow\r\n\u00a0\u00a0 1866 SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\ActiveDesktop\r\n\u00a0\u00a0 1851 SOFTWARE\\WinRAR\r\n\u00a0\u00a0 1842 Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\r\n\u00a0\u00a0 1841 Software\\ASProtect\\Key\r\n\u00a0\u00a0 1833 Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\\%s\r\n\u00a0\u00a0 1829 Software\\Unreal Technology\\Installed Apps\\UT2003\r\n\u00a0\u00a0 1822 SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\\r\n\u00a0\u00a0 1813 Software\\Valve\\Gunman\\Settings\r\n\u00a0\u00a0 1811 Software\\JoWooD\\InstalledGames\\IG2\r\n\u00a0\u00a0 1807 Software\\Electronic Arts\\EA 
GAMES\\Generals\\ergc\r\n\u00a0\u00a0 1802 Software\\Microsoft\\Protected Storage System Provider\r\n\u00a0\u00a0 1798 Software\\Silver Style Entertainment\\Soldiers Of Anarchy\\Settings\r\n\u00a0\u00a0 1791 Software\\Electronic Arts\\EA Sports\\FIFA 2003\\ergc\r\n\u00a0\u00a0 1761 Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\HideDesktopIcons\\NewStartPanel\r\n\u00a0\u00a0 1687 Software\\Microsoft\\Internet Explorer\\New Windows\\Allow\r\n\u00a0\u00a0 1686 SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\\\r\n\u00a0\u00a0 1665 Software\\Microsoft\\Internet Explorer\\SearchScopes\r\n\u00a0\u00a0 1646 SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\r\n\u00a0\u00a0 1617 Software\\Westwood\\Tiberian Sun\r\n\u00a0\u00a0 1606 Software\\Westwood\\Red Alert 2\r\n\u00a0\u00a0 1576 Software\\3d0\\Status\r\n\u00a0\u00a0 1571 Software\\Electronic Arts\\EA Sports\\NHL 2003\\ergc\r\n\u00a0\u00a0 1571 Software\\Electronic Arts\\EA Sports\\NHL 2002\\ergc\r\n\u00a0\u00a0 1570 Software\\Techland\\Chrome\r\n\u00a0\u00a0 1570 Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Google Chrome\r\n\u00a0\u00a0 1570 Software\\Microsoft\\Windows\r\n\u00a0\u00a0 1565 Software\\Electronic Arts\\EA Sports\\FIFA 2002\\ergc\r\n\u00a0\u00a0 1563 Software\\Electronic Arts\\EA GAMES\\Battlefield 1942\\ergc\r\n\u00a0\u00a0 1560 Software\\Microsoft\\Internet Explorer\\IntelliForms\\Storage2\r\n\u00a0\u00a0 1560 Software\\Microsoft\\%s %s Manager\\%ss\r\n\u00a0\u00a0 1560 Software\\Electronic Arts\\EA GAMES\\Battlefield 1942 Secret Weapons of WWII\\ergc\r\n\u00a0\u00a0 1559 Software\\Electronic Arts\\EA GAMES\\Battlefield 1942 The Road to Rome\\ergc\r\n\u00a0\u00a0 1555 Software\\Electronic Arts\\EA Sports\\Nascar Racing 2002\\ergc\r\n\u00a0\u00a0 1553 Software\\Electronic Arts\\EA Sports\\Nascar Racing 2003\\ergc\r\n\u00a0\u00a0 1545 Software\\Westwood\\Red Alert\r\n\u00a0\u00a0 1541 Software\\Fenomen Games\\Game 
Downloader\\1.1\\Completed\r\n\u00a0\u00a0 1534 Software\\Illusion Softworks\\Hidden &amp; Dangerous 2\r\n\u00a0\u00a0 1528 Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SharedTaskScheduler\r\n\u00a0\u00a0 1515 Software\\Unreal Technology\\Installed Apps\\UT2004\r\n\u00a0\u00a0 1502 Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\Domains\\\r\n\u00a0\u00a0 1490 Software\\Electronic Arts\\EA GAMES\\Battlefield Vietnam\\ergc\r\n\u00a0\u00a0 1483 SOFTWARE\\Mozilla\\Mozilla Firefox\r\n\u00a0\u00a0 1481 Software\\Red Storm Entertainment\\RAVENSHIELD\r\n\u00a0\u00a0 1478 Software\\Westwood\\NOX\r\n\u00a0\u00a0 1478 Software\\Electronic Arts\\EA GAMES\\Command and Conquer Generals Zero Hour\\ergc\r\n\u00a0\u00a0 1475 Software\\IGI 2 Retail\r\n\u00a0\u00a0 1474 Software\\Electronic Arts\\EA GAMES\\Need For Speed Hot Pursuit 2\r\n\u00a0\u00a0 1472 Software\\Electronic Arts\\EA GAMES\\Need For Speed Underground\\ergc\r\n\u00a0\u00a0 1461 Software\\Electronic Arts\\EA GAMES\\Medal of Honor Allied Assault Spearhead\\ergc\r\n\u00a0\u00a0 1461 Software\\Electronic Arts\\EA GAMES\\Medal of Honor Allied Assault Breakthrough\\ergc\r\n\u00a0\u00a0 1460 Software\\Electronic Arts\\EA GAMES\\Shogun Total War - Warlord Edition\\ergc\r\n\u00a0\u00a0 1460 Software\\Electronic Arts\\EA GAMES\\Medal of Honor Allied Assault\\ergc\r\n\u00a0\u00a0 1459 Software\\Electronic Arts\\EA GAMES\\Black and White\\ergc\r\n\u00a0\u00a0 1458 Software\\Policies\\Microsoft\\Internet Explorer\\Restrictions\r\n\u00a0\u00a0 1458 Software\\Electronic Arts\\EA GAMES\\Global Operations\\ergc\r\n\u00a0\u00a0 1458 Software\\Electronic Arts\\EA Distribution\\Freedom Force\\ergc\r\n\u00a0\u00a0 1457 Software\\Electronic Arts\\EA GAMES\\James Bond 007 Nightfire\\ergc\r\n\u00a0\u00a0 1456 Software\\Yahoo\\Pager\\View\\YMSGR_Launchcast\r\n\u00a0\u00a0 1433 SOFTWARE\\Classes\\http\\shell\\open\\commandV\r\n\u00a0\u00a0 1405 
Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\ActiveDesktop\r\n\u00a0\u00a0 1373 SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\policies\\Explorer\\Run\r\n\u00a0\u00a0 1373 SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\\r\n\u00a0\u00a0 1351 SOFTWARE\\Microsoft\\Windows NT Script Host\\Microsoft DxDiag\\WinSettings\r\n\u00a0\u00a0 1342 SOFTWARE\\Vitalwerks\\DUC\r\n\u00a0\u00a0 1337 SOFTWARE\\Policies\\Microsoft\\Windows\\Installer\r\n\u00a0\u00a0 1300 Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\EscDomains\\\r\n\u00a0\u00a0 1296 SOFTWARE\\CnNuo20\\socket\r\n\u00a0\u00a0 1287 Software\\Microsoft\\Windows\\Shell\\Associations\\UrlAssociations\\http\\UserChoice\r\n\u00a0\u00a0 1246 SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\netcache\r\n\u00a0\u00a0 1246 SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SvcHost\r\n\u00a0\u00a0 1224 SOFTWARE\\Microsoft\\Active Setup\\Installed Components\r\n\u00a0\u00a0 1214 Software\\Yahoo\\Pager\\View\\YMSGR_buzz\r\n\u00a0\u00a0 1195 Software\\Microsoft\\Internet Explorer\\TypedAddress\r\n\u00a0\u00a0 1190 SOFTWARE\\Microsoft\\IDSCNP\r\n\u00a0\u00a0 1177 Software\\Microsoft\\Windows\\CurrentVersion\\Run\\\r\n\u00a0\u00a0 1170 SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\\r\n\u00a0\u00a0 1165 SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\\r\n\u00a0\u00a0 1165 HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows]\r\n\u00a0\u00a0 1150 Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\r\n\u00a0\u00a0 1136 Software\\Microsoft\\Internet Explorer\\Desktop\\General\r\n\u00a0\u00a0 1129 Software\\EGDHTML\r\n\u00a0\u00a0 1125 Software\\Microsoft\r\n\u00a0\u00a0 1121 SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\policies\\Explorer\\Run\\\r\n\u00a0\u00a0 1111 Software\\Microsoft\\Internet Explorer\\Toolbar\r\n\u00a0\u00a0 1102 
Software\\Microsoft\\Windows\\CurrentVersion\\Network\\LanMan\r\n\u00a0\u00a0 1075 Software\\Microsoft\\Internet Explorer\\Toolbar\\WebBrowser\r\n\u00a0\u00a0 1059 Software\\Zylom\\MyZylom\\Credentials\r\n\u00a0\u00a0 1058 Software\\Microsoft\\Windows\\CurrentVersion\\\r\n\u00a0\u00a0 1054 SOFTWARE\\Microsoft\\Shared Tools\\MSConfig\\startupreg\\\r\n\u00a0\u00a0 1049 SOFTWARE\\Microsoft\\Shared Tools\\MSConfig\\startupfolder\\\r\n\u00a0\u00a0 1040 Software\\microsoft\\windows\\currentversion\\Explorer\\shellexecutehooks\r\n\u00a0\u00a0 1039 Software\\Borland\\Database Engine\r\n\u00a0\u00a0 1034 Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3\r\n\u00a0\u00a0 1034 SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\policies\\Explorer\\run\r\n\u00a0\u00a0 1023 SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\policies\\Ratings\\PICSRules\\.Default\\0\\PRPolicy\\\r\n\u00a0\u00a0 1023 SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\policies\\Ratings\\PICSRules\\.Default\\0\\PRPolicy\r\n\u00a0\u00a0 1016 Software\\Yahoo\\Pager\\View\\YMSGR_Calendar\r\n\u00a0\u00a0 1016 Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\IEXPLORE.EXE\r\n\u00a0\u00a0 1013 Software\\AppDataLow\\RivalGamingData\r\n\u00a0\u00a0 1009 Software\\Classes\\CLSID\\%s\\InprocServer32\r\n\u00a0\u00a0 1002 Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\HideDesktopIcons\\ClassicStartMenu\r\n\r\n'SYSTEM\\'\r\n\u00a0 52751 System\\CurrentControlSet\\Control\\Keyboard Layouts\\%.8x\r\n\u00a0 14516 SYSTEM\\CurrentControlSet\\Services\\\r\n\u00a0\u00a0 6913 SYSTEM\\CurrentControlSet\\Control\\Keyboard Layouts\\\r\n\u00a0\u00a0 5894 SYSTEM\\CurrentControlSet\\Services\\%s\r\n\u00a0\u00a0 4994 SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\AuthorizedApplications\\List\r\n\u00a0\u00a0 4170 SYSTEM\\CurrentControlSet\\Control\\Lsa\r\n\u00a0\u00a0 3361 
SYSTEM\\CurrentControlSet\\services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\r\n\u00a0\u00a0 3081 SYSTEM\\CurrentControlSet\\Control\\ProductOptions\r\n\u00a0\u00a0 3022 System\\CurrentControlSet\\Control\\Session Manager\r\n\u00a0\u00a0 2722 SYSTEM\\CurrentControlSet\\Control\\Terminal Server\r\n\u00a0\u00a0 2575 SYSTEM\\CurrentControlSet\\Services\r\n\u00a0\u00a0 2547 SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\r\n\u00a0\u00a0 2486 System\\CurrentControlSet\\Services\\\r\n\u00a0\u00a0 2388 System\\CurrentControlSet\\Control\\Session Manager\\FileRenameOperations\r\n\u00a0\u00a0 1468 SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\r\n\u00a0\u00a0 1416 SYSTEM\\\r\n\u00a0\u00a0 1397 system\\sservice.exe\r\n\u00a0\u00a0 1341 SYSTEM\\CurrentControlSet\\Services\\TermService\r\n\u00a0\u00a0 1316 SYSTEM\\CurrentControlSet\\Services\\TermDD\r\n\u00a0\u00a0 1303 SYSTEM\\CurrentControlSet\\Control\\Session Manager\r\n\u00a0\u00a0 1215 SYSTEM\\CurrentControlSet\\Services\\lanmanserver\\parameters\r\n\u00a0\u00a0 1213 SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\Wds\\rdpwd\\Tds\\tcp\r\n\u00a0\u00a0 1203 SYSTEM\\ControlSet001\\Services\\\r\n\u00a0\u00a0 1171 SYSTEM\\CurrentControlSet\\Services\\SharedAccess\r\n\u00a0\u00a0 1135 system\\\r\n\u00a0\u00a0 1086 SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\RDPTcp\r\n\u00a0\u00a0\u00a0 964 SYSTEM\\ControlSet001\\Services\\%s\r\n\u00a0\u00a0\u00a0 929 SYSTEM\\CurrentControlSet\\Services\\lanmanworkstation\\parameters\r\n\u00a0\u00a0\u00a0 928 SYSTEM\\CurrentControlSet\\Services\\%s\\Performance\r\n\u00a0\u00a0\u00a0 920 SYSTEM\\CurrentControlSet\\Services\\wscsvc\r\n\u00a0\u00a0\u00a0 914 SYSTEM\\ControlSet001\\Control\\SafeBoot\r\n\u00a0\u00a0\u00a0 882 System\\CurrentControlSet\\Control\\Windows\r\n\u00a0\u00a0\u00a0 828 
SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal\\{4D36E967-E325-11CE-BFC1-08002BE10318}\r\n\u00a0\u00a0\u00a0 822 SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Network\\{4D36E967-E325-11CE-BFC1-08002BE10318}\r\n\u00a0\u00a0\u00a0 757 SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\r\n\u00a0\u00a0\u00a0 702 SYSTEM\\CurrentControlSet\\Services\\EventLog\\Application\\\r\n\u00a0\u00a0\u00a0 695 SYSTEM\\ControlSet001\\Control\\SafeBoot\\Minimal\\{4D36E967-E325-11CE-BFC1-08002BE10318}\r\n\u00a0\u00a0\u00a0 691 System\\CurrentControlSet\\Services\\VxD\\VNETSUP\r\n\u00a0\u00a0\u00a0 691 SYSTEM\\ControlSet001\\Control\\SafeBoot\\Network\\{4D36E967-E325-11CE-BFC1-08002BE10318}\r\n\u00a0\u00a0\u00a0 687 System\\\r\n\u00a0\u00a0\u00a0 683 SYSTEM\\CurrentControlSet\\Services\\WinDHCPsvc\r\n\u00a0\u00a0\u00a0 656 SYSTEM\\CurrentControlSet\\Control\r\n\u00a0\u00a0\u00a0 618 System\\CurrentControlSet\\Control\r\n\u00a0\u00a0\u00a0 608 SYSTEM\\CurrentControlSet\\services\\WinSock2\\Parameters\\Protocol_Catalog9\\Catalog_Entries\\000000000001\r\n\u00a0\u00a0\u00a0 606 SYSTEM\\CurrentControlSet\\Services\\WinSock2\\Parameters\\Protocol_Catalog9\\Catalog_Entries\r\n\u00a0\u00a0\u00a0 558 SYSTEM\\CurrentControlSet\r\n\u00a0\u00a0\u00a0 556 SYSTEM\\CurrentControlSet\\Control\\SafeBoot\r\n\u00a0\u00a0\u00a0 542 SYSTEM\\CurrentControlSet\\Services\\srservice\r\n\u00a0\u00a0\u00a0 539 SYSTEM\\CurrentControlSet\\Services\\Messenger\r\n\u00a0\u00a0\u00a0 517 SYSTEM\\CurrentControlSet\\Services\\%s\\Parameters\r\n\u00a0\u00a0\u00a0 496 System\\CurrentControlSet\\Control\\ProductOptions\r\n\u00a0\u00a0\u00a0 481 SYSTEM\\CurrentControlSet\\Services\\RemoteRegistry\r\n\u00a0\u00a0\u00a0 465 SYSTEM\\CurrentControlSet\\Services\\WinSock2\\speednet_sph\r\n\u00a0\u00a0\u00a0 462 SYSTEM\\CurrentControlSet\\Services\\TlntSvr\r\n\u00a0\u00a0\u00a0 455 SYSTEM\\CurrentControlSet\\Services\\RemoteAccess\\RouterManagers\\Ip\r\n\u00a0\u00a0\u00a0 452 
SYSTEM\\ControlSet001\\Control\\StorageDevicePolicies\\WriteProtect\r\n\u00a0\u00a0\u00a0 437 System\\CurrentControlSet\\Services\\RemoteAccess\r\n\u00a0\u00a0\u00a0 433 system\\CurrentControlSet\\Services\\VxD\\VNETSUP\r\n\u00a0\u00a0\u00a0 413 System\\CurrentControlSet\\Services\\SharedAccess\r\n\u00a0\u00a0\u00a0 407 SYSTEM\\CurrentControlSet\\Services\\CelInDrv\r\n\u00a0\u00a0\u00a0 404 System\\CurrentControlSet\\Control\\ComputerName\\ComputerName\r\n\u00a0\u00a0\u00a0 395 SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal\r\n\u00a0\u00a0\u00a0 393 SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Network\r\n\u00a0\u00a0\u00a0 382 SYSTEM\\MountedDevices\r\n\u00a0\u00a0\u00a0 374 SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\\r\n\u00a0\u00a0\u00a0 372 SYSTEM\\CurrentControlSet\\Control\\Nls\\Language\r\n\u00a0\u00a0\u00a0 369 System\\CurrentControlSet\\Services\\10DD75E0\r\n\u00a0\u00a0\u00a0 367 SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\\r\n\u00a0\u00a0\u00a0 364 SYSTEM\\CurrentControlSet\\Services\\wuauserv\r\n\u00a0\u00a0\u00a0 359 SYSTEM\\ControlSet001\\Services\\srservice\r\n\u00a0\u00a0\u00a0 355 SYSTEM\\CurrentControlSet\\Services\\navapsvc\r\n\u00a0\u00a0\u00a0 353 system\\wininv.dll\r\n\u00a0\u00a0\u00a0 352 system\\winkey.dll\r\n\u00a0\u00a0\u00a0 351 SYSTEM\\ControlSet001\\Services\\navapsvc\r\n\u00a0\u00a0\u00a0 338 SYSTEM\\ControlSet001\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\AuthorizedApplications\\List\r\n\u00a0\u00a0\u00a0 337 SYSTEM\\ControlSet002\\Control\\Terminal Server\\\r\n\u00a0\u00a0\u00a0 318 SYSTEM\\CurrentControlSet\\Services\\BITS\\Parameters\r\n\u00a0\u00a0\u00a0 314 SYSTEM\\CurrentControlSet\\Control\\Class\\{4D36E96D-E325-11CE-BFC1-08002BE10318}\\\r\n\u00a0\u00a0\u00a0 313 SYSTEM\\CurrentControlSet\\Services\\10DD75E0\r\n\u00a0\u00a0\u00a0 312 SYSTEM\\CurrentControlSet\\Services\\Winsock\\Parameters\r\n\u00a0\u00a0\u00a0 310 
SYSTEM\\CurrentControlSet\\Services\\Winsock2\\Parameters\r\n\u00a0\u00a0\u00a0 295 SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\\r\n\u00a0\u00a0\u00a0 294 System\\CurrentControlSet\\Services\\AE2CA9B0\r\n\u00a0\u00a0\u00a0 290 SYSTEM\\InfoTime\r\n\u00a0\u00a0\u00a0 288 system\\CurrentControlSet\\Services\r\n\u00a0\u00a0\u00a0 284 SYSTEM\\CurrentControlSet\\Control\\nls\\codepage\r\n\u00a0\u00a0\u00a0 280 SYSTEM\\ControlSet001\\Services\\kspooldaemon\r\n\u00a0\u00a0\u00a0 279 system\\cURRENTcONTROLsET\\sERVICES\\%s\r\n\u00a0\u00a0\u00a0 278 System\\CurrentControlSet\\Services\\VxD\\MSTCP\r\n\u00a0\u00a0\u00a0 273 System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\AuthorizedApplications\\List\r\n\u00a0\u00a0\u00a0 272 SYSTEM\\CurrentControlSet\\Services\\ERSvc\r\n\u00a0\u00a0\u00a0 271 System\\CurrentControlSet\\Control\\MPRServices\\TestService\r\n\u00a0\u00a0\u00a0 270 SYSTEM\\ControlSet001\\Enum\\Root\\LEGACY_KSPOOLDAEMON\\0000\r\n\u00a0\u00a0\u00a0 266 SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment\r\n\u00a0\u00a0\u00a0 262 SYSTEM\\CurrentControlSet\\Control\\Windows\r\n\u00a0\u00a0\u00a0 261 System\\CurrentControlSet\\Control\\Lsa\r\n\u00a0\u00a0\u00a0 254 System\\CurrentControlSet\\Services\\KAVsys\r\n\u00a0\u00a0\u00a0 254 SYSTEM\\ControlSet003\\Services\\BITS\\Parameters\r\n\u00a0\u00a0\u00a0 252 SYSTEM\\ControlSet001\\Services\\KSD2Service\r\n\u00a0\u00a0\u00a0 239 SYSTEM\\ControlSet001\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\AuthorizedApplications\\List\\\r\n\u00a0\u00a0\u00a0 238 SYSTEM\\ControlSet001\\Services\\wscsvc\r\n\u00a0\u00a0\u00a0 232 SYSTEM\\CurrentControlSet\\Control\\ComputerName\\ComputerName\r\n\u00a0\u00a0\u00a0 230 SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters\r\n\u00a0\u00a0\u00a0 225 System\\CurrentControlSet\\Services\\Tcpip\\Parameters\r\n\u00a0\u00a0\u00a0 223 
SYSTEM\\CurrentControlSet\\Services\\AeLookupSvcs\r\n\u00a0\u00a0\u00a0 214 system\\cURRENTcONTROLsET\\sERVICES\\\r\n\u00a0\u00a0\u00a0 214 SYSTEM\\CurrentControlSet\\Services\\Schedule\r\n\u00a0\u00a0\u00a0 210 SYSTEM\\CurrentControlSet\\Control\\Class\r\n\u00a0\u00a0\u00a0 209 System\\CurrentControlSet\\Services\r\n\u00a0\u00a0\u00a0 207 SYSTEM\\CurrentControlSet\\Services\\kkdc\r\n\u00a0\u00a0\u00a0 205 System\\CurrentControlSet\\Services\\%s\r\n\u00a0\u00a0\u00a0 202 SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\DomainProfile\\AuthorizedApplications\\List\r\n\u00a0\u00a0\u00a0 198 SYSTEM\\ControlSet001\\Services\\wuauserv\r\n\u00a0\u00a0\u00a0 194 SYSTEM\\CurrentControlSet\\Services\\NetBT\\Parameters\r\n\u00a0\u00a0\u00a0 192 SYSTEM\\CurrentControlSet\\Services\\CSNetManagerXp\r\n\u00a0\u00a0\u00a0 189 SYSTEM\\ControlSet001\\Services\\SharedAccess\r\n\u00a0\u00a0\u00a0 188 System\\CurrentControlSet\\Services\\Class\\\r\n\u00a0\u00a0\u00a0 185 SYSTEM\\CurrentControlSet\\Services\\Class\r\n\u00a0\u00a0\u00a0 182 SYSTEM\\CurrentControlSet\\Services\\W32Time\\Parameters\r\n\u00a0\u00a0\u00a0 180 System\\CurrentControlSet\\Services\\WinSock2\\Parameters\\\r\n\u00a0\u00a0\u00a0 180 System\\CurrentControlSet\\Services\\E2C9CC2C\r\n\u00a0\u00a0\u00a0 176 SYSTEM\\CurrentControlSet\\Services\\SSHNAS\r\n\u00a0\u00a0\u00a0 175 System\\CurrentControlSet\\Control\\Class\\\r\n\u00a0\u00a0\u00a0 175 SYSTEM\\Setup\r\n\u00a0\u00a0\u00a0 175 SYSTEM\\CurrentControlSet\\Services\\BITS\r\n\u00a0\u00a0\u00a0 174 SYSTEM\\CurrentControlSet\\Services\\DomainService\r\n\u00a0\u00a0\u00a0 174 SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Network\\\r\n\u00a0\u00a0\u00a0 173 SYSTEM\\CurrentControlSet\\Services\\ManagereUpdate\r\n\u00a0\u00a0\u00a0 172 SYSTEM\\CurrentControlSet\\Services\\WinSock2\\ESPI11\r\n\u00a0\u00a0\u00a0 169 SYSTEM\\CurrentControlSet\\Services\\acpidisk\r\n\u00a0\u00a0\u00a0 168 
SYSTEM\\CurrentControlSet\\Services\\Ball\\\r\n\u00a0\u00a0\u00a0 167 SYSTEM\\CurrentControlSet\\Services\\Medie Sariel Number Services\r\n\u00a0\u00a0\u00a0 166 SYSTEM\\CurrentControlSet\\Services\\Kingsoft Antivirus WebShield Service\r\n\u00a0\u00a0\u00a0 164 System\\WPA\\ApplianceServer\r\n\u00a0\u00a0\u00a0 164 SYSTEM\\CurrentControlSet\\Services\\Ball\r\n\u00a0\u00a0\u00a0 163 SYSTEM\\CurrentControlSet\\Control\\TimeZoneInformation<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Update Harlan proposed to search for &#8216;system\\&#8217;. I did and added stats below. Old post Corey asked on Twitter about stats for registry keys so I grepped the strings extracted from samples for traces of related artifacts. Since it&#8217;s a &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2012\/07\/20\/random-stats-from-1m-samples-regkeys\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[28,9],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/1145"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=1145"}],"version-history":[{"count":6,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/1145\/revisions"}],"predecessor-version":[{"id":1153,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/1145\/revisions\/1153"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=1145"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexa
corn.com\/blog\/wp-json\/wp\/v2\/categories?post=1145"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=1145"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}