James_inthe_box

Malware correlation

Apr 6th, 2018
Interesting #malware correlation 1: #keybase, #emotet, and #ramnit all access:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\LastRestoreId

Interesting #malware correlation 2: #arsstealer and #pony use the exact same UA:
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)

Interesting #malware correlation 3: #smokeloader, #nanocore, and #keybase all access:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3\FinalizerActivityBypass

Interesting #malware correlation 4: new #smokeloader and #ursnif both access:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE\explorer.exe

Interesting #malware correlation 5: new #smokeloader, #netwire, and #emotet all check:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\ElevateNonAdmins

Interesting #malware correlation 6: #flawedammyy and #arsstealer both access:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\SecurityCenter2

Interesting #malware correlation 7: #loda and #darkcomet both check:
HKEY_CURRENT_USER\Control Panel\Mouse\SwapMouseButtons

Interesting #malware correlation 8: #azorult v3 and #keybase both check:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\Environment
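A defender-side way to surface this kind of overlap from sandbox output, as an added example that is not part of the paste: it takes constructed per-family artifact lists (registry paths and one User-Agent, using the values above), normalizes hive aliases and ControlSetNNN so spelling differences between reports do not hide a match, and reports every artifact seen in two or more families. The report shape, the family labels and the benign control entry are assumptions.

```python
import re
from collections import defaultdict

# Constructed per-family artifact lists in the (kind, value) shape an assumed
# sandbox export would give; the values come from the correlations above.
UA = ("ua", "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; "
            ".NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; "
            "Media Center PC 6.0; .NET4.0C; .NET4.0E)")
SAMPLE_REPORTS = {
    "keybase": [("reg", r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\LastRestoreId"),
                ("reg", r"HKLM\SOFTWARE\Microsoft\COM3\FinalizerActivityBypass")],
    "emotet": [("reg", r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\LastRestoreId")],
    "ramnit": [("reg", r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\LastRestoreId")],
    "smokeloader": [("reg", r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3\FinalizerActivityBypass")],
    "arsstealer": [UA, ("reg", r"HKLM\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\SecurityCenter2")],
    "pony": [UA],
    "flawedammyy": [("reg", r"HKLM\SYSTEM\CurrentControlSet\Control\Nls\ExtendedLocale\SecurityCenter2")],
    # Constructed benign control: a key no malware family in the sample touches.
    "benign_installer": [("reg", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Example")],
}

HIVES = {"hklm": "hkey_local_machine", "hkcu": "hkey_current_user"}

def normalize(kind, value):
    """Canonicalize an artifact: registry paths are lower-cased, hive aliases expanded,
    and ControlSet00N folded into CurrentControlSet; other kinds are only stripped."""
    if kind != "reg":
        return (kind, value.strip())
    path = value.strip().lower().replace("/", "\\")
    hive, sep, rest = path.partition("\\")
    rest = re.sub(r"(?<=\\)controlset\d{3}(?=\\)", "currentcontrolset", rest)
    return (kind, HIVES.get(hive, hive) + sep + rest)

def shared_artifacts(reports, min_families=2):
    """Invert family -> artifacts into artifact -> families and keep the artifacts
    observed in at least min_families distinct families."""
    index = defaultdict(set)
    for family, artifacts in reports.items():
        for kind, value in artifacts:
            index[normalize(kind, value)].add(family)
    return {art: sorted(fams) for art, fams in index.items() if len(fams) >= min_families}

if __name__ == "__main__":
    for (kind, value), fams in sorted(shared_artifacts(SAMPLE_REPORTS).items()):
        print(f"[{kind}] {' + '.join(fams)}: {value}")
```

Shared artifacts are a starting point for a hunt query, not a verdict: the same keys are read by legitimate software, so pair any rule built from them with process lineage or network context.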