HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
| Criteria | Value |
|---|---|
| Permissions | User |
| Security context | User |
| Persistence type | Registry |
| Code type | EXE |
| Launch type | Same logon required |
| Impact | Non-destructive |
| OS Version | All OS versions |
| Dependencies | OS only |
| Toolset | Scriptable |
Explorer tries to start an application specified as a value of Load within HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
As @rpargman writes in his tweet:
Load is a great regkey to look for in IR because in the usual case it doesn’t exist at all on modern Windows versions. It’s an old leftover that’s still supported for some backward reason.