betabot | 928d06ae692be5a216946aa53308e34b920cdd65eb1eb1f7aad9d4edf779c8b6

Windows Service

T1543.003

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0"	explorer.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	explorer.exe

Sets file execution options in registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gysmqwy73.exe	a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gysmqwy73.exe\DisableExceptionChainValidation	a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "gotewet.exe"	explorer.exe

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorer.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\LayerAuthForm = "C:\\ProgramData\\LayerAuth\\gysmqwy73.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LayerAuthForm = "\"C:\\ProgramData\\LayerAuth\\gysmqwy73.exe\""	explorer.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

pid	Process
5064	a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe
3688	explorer.exe
3688	explorer.exe
3688	explorer.exe
3688	explorer.exe
3688	explorer.exe
3688	explorer.exe
3688	explorer.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3240 set thread context of 5064	3240	a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe	93

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2808	3688	WerFault.exe	94

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	explorer.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	explorer.exe

Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3"	explorer.exe

Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1"	explorer.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main	explorer.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 040000000100000010000000cb17e431673ee209fe455793f30afa1c0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c953000000010000006300000030613021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030109000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000009acfab7e43c8d880d06b262a94deeee4b4659989c3d0caf19baf6405e41ab7df1400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3617e000000010000000800000000c0032f2df8d6016800000001000000000000000300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e5190000000100000010000000d8b5fb368468620275d142ffd2aade372000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 5c000000010000000400000000080000190000000100000010000000d8b5fb368468620275d142ffd2aade370300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e56800000001000000000000007e000000010000000800000000c0032f2df8d6011d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610b000000010000001200000056006500720069005300690067006e0000001400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331336200000001000000200000009acfab7e43c8d880d06b262a94deeee4b4659989c3d0caf19baf6405e41ab7df09000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703017f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000006300000030613021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c9040000000100000010000000cb17e431673ee209fe455793f30afa1c2000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3688	explorer.exe
3688	explorer.exe
3688	explorer.exe
3688	explorer.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
5064	a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe
5064	a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
5064	a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeDebugPrivilege	3240	a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe
Token: SeDebugPrivilege	5064	a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe
Token: SeRestorePrivilege	5064	a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe
Token: SeBackupPrivilege	5064	a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	5064	a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	5064	a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe
Token: SeShutdownPrivilege	5064	a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	5064	a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	5064	a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe
Token: SeCreateTokenPrivilege	5064	a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe
Token: SeMachineAccountPrivilege	5064	a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe
Token: SeSecurityPrivilege	5064	a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe
Token: SeAssignPrimaryTokenPrivilege	5064	a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	5064	a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe
Token: 33	5064	a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe
Token: SeDebugPrivilege	3688	explorer.exe
Token: SeRestorePrivilege	3688	explorer.exe
Token: SeBackupPrivilege	3688	explorer.exe
Token: SeLoadDriverPrivilege	3688	explorer.exe
Token: SeCreatePagefilePrivilege	3688	explorer.exe
Token: SeShutdownPrivilege	3688	explorer.exe
Token: SeTakeOwnershipPrivilege	3688	explorer.exe
Token: SeChangeNotifyPrivilege	3688	explorer.exe
Token: SeCreateTokenPrivilege	3688	explorer.exe
Token: SeMachineAccountPrivilege	3688	explorer.exe
Token: SeSecurityPrivilege	3688	explorer.exe
Token: SeAssignPrimaryTokenPrivilege	3688	explorer.exe
Token: SeCreateGlobalPrivilege	3688	explorer.exe
Token: 33	3688	explorer.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 3240 wrote to memory of 5064	3240	a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe	93
PID 3240 wrote to memory of 5064	3240	a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe	93
PID 3240 wrote to memory of 5064	3240	a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe	93
PID 3240 wrote to memory of 5064	3240	a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe	93
PID 3240 wrote to memory of 5064	3240	a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe	93
PID 3240 wrote to memory of 5064	3240	a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe	93
PID 3240 wrote to memory of 5064	3240	a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe	93
PID 3240 wrote to memory of 5064	3240	a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe	93
PID 3240 wrote to memory of 5064	3240	a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe	93
PID 3240 wrote to memory of 5064	3240	a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe	93
PID 5064 wrote to memory of 3688	5064	a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe	94
PID 5064 wrote to memory of 3688	5064	a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe	94
PID 5064 wrote to memory of 3688	5064	a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe	94

C:\Users\Admin\AppData\Local\Temp\a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3240
- C:\Users\Admin\AppData\Local\Temp\a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe"
  2⤵
  - Sets file execution options in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks processor information in registry
  - Suspicious behavior: MapViewOfSection
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5064
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - Modifies firewall policy service
    - Sets file execution options in registry
    - Checks BIOS information in registry
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Checks processor information in registry
    - Enumerates system info in registry
    - Modifies Internet Explorer Protected Mode
    - Modifies Internet Explorer Protected Mode Banner
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3688
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3688 -s 1152
      4⤵
      Program crash
      PID:2808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 3688 -ip 3688
1⤵
PID:4376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

7

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

3

System Information Discovery

4