{"id":2958,"date":"2015-04-08T00:56:13","date_gmt":"2015-04-08T00:56:13","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=2958"},"modified":"2015-04-08T01:58:27","modified_gmt":"2015-04-08T01:58:27","slug":"wow6432node-key-stats-2","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2015\/04\/08\/wow6432node-key-stats-2\/","title":{"rendered":"Wow6432Node key stats"},"content":{"rendered":"<p>I recently came back to play with strings artifacts extracted from a decently sized sample set. Looking at a normalized, clustered data set is always a good starting point for a research. It can be very boring, but every once in a while you will find something interesting.<\/p>\n<p>To kick it off here are some stats about <a href=\"https:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/ms724072%28v=vs.85%29.aspx\">Wow6432Node<\/a> key that I generated overnight.<\/p>\n<p>With 64-bit boxes becoming pretty much the norm we naturally see more and more samples referring to this Registry key. If there is one reason for us to look at this data is to find out if there are perhaps some keys under Wow6432Node that may deserve some special attention&#8230; Who knows, maybe some new persistence mechanism or some new, interesting artifact is out there waiting for someone to discover it.<\/p>\n<p>Obviously, stats may be misleading so use it at your own risk. Also, not all the keys are necessarily malicious. It&#8217;s just a bunch of keys that specifically refer to Wow6432Node, and are extracted from a large sample set.<\/p>\n<p>Looking at the data below one thing strikes me immediately &#8211; the Run and RunOnce keys are pretty low on the list. 
Either software authors are not hardcoding them to avoid heuristic detections, or&#8230; there is really not that much software that modifies these keys directly.<\/p>\n<pre>\u00a0\u00a0179506 software\\wow6432node\\microsoft\\windows\\\r\n\u00a0 42517 software\\wow6432node\\clients\\startmenuinternet\r\n\u00a0 23631 software\\wow6432node\\microsoft\\windows\\currentversion\\uninstall\\avast\r\n\u00a0\u00a0 5074 software\\wow6432node\\javasoft\\java runtime environment\r\n\u00a0\u00a0 4859 software\\wow6432node\\javasoft\\java development kit\r\n\u00a0\u00a0 3274 software\\wow6432node\\beattool\r\n\u00a0\u00a0 3020 software\\wow6432node\\avast\r\n\u00a0\u00a0 2601 software\\wow6432node\\sweetim\r\n\u00a0\u00a0 1861 software\\wow6432node\\avira\r\n\u00a0\u00a0 1686 software\\wow6432node\\microsoft\\internet explorer\\extensions\\{ebd24bd3-e272-4fa3-a8ba-c5d709757cab}\r\n\u00a0\u00a0 1641 software\\wow6432node\\sweet-pagesoftware\r\n\u00a0\u00a0 1641 software\\wow6432node\\awesomehpsoftware\r\n\u00a0\u00a0 1639 software\\wow6432node\\webssearchessoftware\r\n\u00a0\u00a0 1638 software\\wow6432node\\qone8software\r\n\u00a0\u00a0 1638 software\\wow6432node\\microsoft\\windows\\currentversion\\uninstall\\{c4ed781c-7394-4906-aaff-d6ab64ff7c38}\r\n\u00a0\u00a0 1638 software\\wow6432node\\microsoft\\windows\\currentversion\\uninstall\\{889df117-14d1-44ee-9f31-c5fb5d47f68b}\r\n\u00a0\u00a0 1638 software\\wow6432node\\classes\\clsid\\{4aa46d49-459f-4358-b4d1-169048547c23}\r\n\u00a0\u00a0 1637 software\\wow6432node\\aartemissoftware\r\n\u00a0\u00a0 1636 software\\wow6432node\\avg\r\n\u00a0\u00a0 1551 software\\wow6432node\\microsoft\\windows\\currentversion\\uninstall\r\n\u00a0\u00a0 1515 software\\wow6432node\\avast software\r\n\u00a0\u00a0 1465 wow6432node\\clsid\\\r\n\u00a0\u00a0 1399 software\\wow6432node\\baidu security\\antivirus\r\n\u00a0\u00a0 1387 software\\wow6432node\\google\\chrome\\extensions\r\n\u00a0\u00a0 1141 \\software\\wow6432node\\baidu security\\pc 
faster\r\n\u00a0\u00a0\u00a0 913 software\\wow6432node\\microsoft\\windows\\currentversion\\uninstall\\avira\r\n\u00a0\u00a0\u00a0 623 software\\wow6432node\\omiga-plussoftware\\omiga-plushp\r\n\u00a0\u00a0\u00a0 583 software\\wow6432node\\red gate\\\r\n\u00a0\u00a0\u00a0 559 wow6432node\\clsid\\%s\r\n\u00a0\u00a0\u00a0 502 software\\wow6432node\r\n\u00a0\u00a0\u00a0 434 software\\wow6432node\\microsoft\\internet explorer\\extensions\r\n\u00a0\u00a0\u00a0 417 software\\wow6432node\\mozilla\\mozilla firefox\r\n\u00a0\u00a0\u00a0 403 software\\wow6432node\\microsoft\\windows\\currentversion\\uninstall\\\r\n\u00a0\u00a0\u00a0 384 software\\wow6432node\\microsoft\\internet explorer\\toolbar\r\n\u00a0\u00a0\u00a0 372 software\\wow6432node\\mozilla\\zvu.com\\%s\\main\r\n\u00a0\u00a0\u00a0 372 software\\wow6432node\\mozilla\\zvu.com\r\n\u00a0\u00a0\u00a0 363 software\\wow6432node\\microsoft\\windows\\currentversion\\run\r\n\u00a0\u00a0\u00a0 356 software\\wow6432node\\{smartassembly}\r\n\u00a0\u00a0\u00a0 326 software\\wow6432node\\microsoft\\office\\outlook\\addins\r\n\u00a0\u00a0\u00a0 295 hkey_local_machine\\software\\wow6432node\\vitalwerks\\duc\r\n\u00a0\u00a0\u00a0 281 software\\wow6432node\\babylontoolbar\\babylontoolbar\r\n\u00a0\u00a0\u00a0 265 software\\wow6432node\\brapp\r\n\u00a0\u00a0\u00a0 263 software\\wow6432node\\microsoft\\windows\\currentversion\\runonce\r\n\u00a0\u00a0\u00a0 253 software\\wow6432node\\asktoolbar\\macro\r\n\u00a0\u00a0\u00a0 215 software\\wow6432node\\mozilla\\mozilla firefox\\\r\n\u00a0\u00a0\u00a0 204 software\\wow6432node\\realnetworks\\dlp\r\n\u00a0\u00a0\u00a0 189 software\\wow6432node\\microsoft\\net framework setup\\ndp\\\r\n\u00a0\u00a0\u00a0 186 software\\wow6432node\\qone8software\\qone8hp\r\n\u00a0\u00a0\u00a0 168 software\\wow6432node\\v9software\r\n\u00a0\u00a0\u00a0 163 software\\wow6432node\\qvo6software\\qvo6hp\r\n\r\n<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>I recently came back to play with strings 
artifacts extracted from a decently sized sample set. Looking at a normalized, clustered data set is always a good starting point for a research. It can be very boring, but every once &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2015\/04\/08\/wow6432node-key-stats-2\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[28,19,9],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/2958"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=2958"}],"version-history":[{"count":10,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/2958\/revisions"}],"predecessor-version":[{"id":2968,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/2958\/revisions\/2968"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=2958"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=2958"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=2958"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
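The extract, normalize and count pass described above, as an added example written for this page in Python; it is not the author's tooling and not how the numbers in the post were produced. It goes a little beyond the post's table on purpose: hive prefixes and leading backslashes are folded so that hkey_local_machine\software\... and \software\... cluster with software\..., printf-style placeholders such as %ws collapse to %s, and each key is counted once per sample rather than once per string occurrence. The three sample blobs, the anchor list and the normalization rules are constructed assumptions, not anything the post specifies.

```python
"""Count which Wow6432Node keys a set of samples refer to.

Added example for this page, not the blog author's tooling. It mimics the
pipeline the post describes: pull printable strings out of each sample,
normalize the ones that look like registry paths, and count how many distinct
samples mention each key under Wow6432Node. The sample blobs are constructed
and the normalization rules are assumptions.
"""
import re
from collections import Counter

# Printable runs of at least 6 characters, like `strings -a` (ASCII) and
# `strings -el` (UTF-16LE, which Windows binaries use for many registry paths).
ASCII_RE = re.compile(rb"[\x20-\x7e]{6,}")
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")

# Assumed: where a registry path may start inside a longer string. Hive names
# are removed so HKLM\Software\X and Software\X land in the same bucket.
HIVES = ("hkey_local_machine\\", "hkey_current_user\\", "hkey_classes_root\\",
         "hklm\\", "hkcu\\", "hkcr\\")
ANCHORS = HIVES + ("software\\", "wow6432node\\")


def extract_strings(blob: bytes):
    """Yield ASCII and UTF-16LE printable strings found in a byte blob."""
    for m in ASCII_RE.finditer(blob):
        yield m.group().decode("ascii")
    for m in WIDE_RE.finditer(blob):
        yield m.group().decode("utf-16-le")


def normalize_key(s: str):
    """Return a normalized Wow6432Node path for `s`, or None if it is not one.

    Assumed rules: lower-case, forward slashes and doubled backslashes folded,
    cut at the earliest hive/anchor, hive name dropped, printf-style
    placeholders (%s, %ws, %d, %08x) collapsed to %s, trailing backslash removed.
    """
    k = s.lower().replace("/", "\\")
    while "\\\\" in k:
        k = k.replace("\\\\", "\\")
    starts = [k.find(a) for a in ANCHORS if a in k]
    if not starts:
        return None
    k = k[min(starts):]
    for hive in HIVES:
        if k.startswith(hive):
            k = k[len(hive):]
            break
    if "wow6432node" not in k:
        return None
    k = re.sub(r"%[0-9]*[a-z]{1,2}\b", "%s", k)
    return k.rstrip("\\")


def wow6432node_stats(samples):
    """Rank normalized keys by the number of distinct samples that mention them."""
    counts = Counter()
    for blob in samples.values():
        keys = {k for k in map(normalize_key, extract_strings(blob)) if k}
        counts.update(keys)  # a set, so each sample contributes one hit per key
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


# Constructed stand-ins for what a strings pass over three PE files would yield:
# ASCII and UTF-16LE literals separated by NUL padding, plus unrelated noise.
SAMPLES = {
    "sample_a.bin": (
        b"\x00\x10MZ junk \x00\x00"
        + b"SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\x00\x00"
        + "Software\\Wow6432Node\\Classes\\CLSID\\%s".encode("utf-16-le") + b"\x00\x00"
        + b"some\\unrelated\\path\x00"
    ),
    "sample_b.bin": (
        b"HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\\x00"
        # 32-bit code relying on the redirector: no literal Wow6432Node, so not counted
        + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
        + b"\\Software\\Wow6432Node\\Avast\x00\x00"
        + "Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce".encode("utf-16-le")
        + b"\x00\x00"
    ),
    "sample_c.bin": (
        "Software\\Wow6432Node\\Classes\\CLSID\\%ws".encode("utf-16-le") + b"\x00\x00"
        + b"SOFTWARE\\WOW6432NODE\\AVAST\x00"
        + b"SOFTWARE\\WOW6432NODE\\AVAST\x00"  # duplicate inside one sample counts once
        + b"Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    ),
}

if __name__ == "__main__":
    for key, n in wow6432node_stats(SAMPLES):
        print(f"{n:7d} {key}")
```

Run as-is it prints the ranked list for the three constructed blobs; to repeat the post's experiment, replace SAMPLES with the file contents of a sample directory (a dict of name to bytes). One design note: because WIDE_RE accepts any printable byte followed by a NUL, a wide string that immediately follows an ASCII string can pick up that string's last character as a stray prefix; the anchor cut in normalize_key absorbs that for registry paths, which is one reason to cut at an anchor rather than trusting the string start.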