xred | 35acdf1a5578a8605697cc8053509c51e8737921168f6f9917ba72d4e8bdc3ee

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe

Checks for any installed AV software in registry 1 TTPs 4 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\AVAST Software\Avast	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Avira\Antivirus	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\AVAST Software\Avast	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Avira\Antivirus	._cache_Synaptics.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
File opened for modification	\??\PhysicalDrive0	._cache_Synaptics.exe

Checks system information in the registry 2 TTPs 4 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

Checks processor information in registry 2 TTPs 22 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	._cache_Synaptics.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor	._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	._cache_Synaptics.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2148	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
2332	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
2332	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
2332	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
2332	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
2332	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
2332	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
2332	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
2332	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
2332	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
2332	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
1500	._cache_Synaptics.exe
1500	._cache_Synaptics.exe
1500	._cache_Synaptics.exe
1500	._cache_Synaptics.exe
1500	._cache_Synaptics.exe
1500	._cache_Synaptics.exe
1500	._cache_Synaptics.exe
1500	._cache_Synaptics.exe
2332	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
2332	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
2332	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
2332	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
2332	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
2332	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
2332	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
2332	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
2332	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
2332	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
2332	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
2332	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
2332	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
2332	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
2332	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
2332	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
2332	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
1500	._cache_Synaptics.exe
1500	._cache_Synaptics.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	2332	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Token: SeDebugPrivilege	1500	._cache_Synaptics.exe
Token: SeManageVolumePrivilege	2332	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Token: SeShutdownPrivilege	2332	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Token: SeShutdownPrivilege	2332	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Token: SeShutdownPrivilege	2332	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Token: SeShutdownPrivilege	2332	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Token: SeManageVolumePrivilege	1500	._cache_Synaptics.exe
Token: SeShutdownPrivilege	1500	._cache_Synaptics.exe
Token: SeShutdownPrivilege	1500	._cache_Synaptics.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2332	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2332	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
2148	EXCEL.EXE
2332	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
1500	._cache_Synaptics.exe
1500	._cache_Synaptics.exe
2332	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
2332	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 2332	2376	2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe	30
PID 2376 wrote to memory of 2332	2376	2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe	30
PID 2376 wrote to memory of 2332	2376	2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe	30
PID 2376 wrote to memory of 2332	2376	2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe	30
PID 2376 wrote to memory of 2740	2376	2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe	31
PID 2376 wrote to memory of 2740	2376	2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe	31
PID 2376 wrote to memory of 2740	2376	2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe	31
PID 2376 wrote to memory of 2740	2376	2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe	31
PID 2740 wrote to memory of 1500	2740	Synaptics.exe	33
PID 2740 wrote to memory of 1500	2740	Synaptics.exe	33
PID 2740 wrote to memory of 1500	2740	Synaptics.exe	33
PID 2740 wrote to memory of 1500	2740	Synaptics.exe	33

C:\Users\Admin\AppData\Local\Temp\2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Users\Admin\AppData\Local\Temp\._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks for any installed AV software in registry
  - Writes to the Master Boot Record (MBR)
  - Checks system information in the registry
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:2332
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks for any installed AV software in registry
    - Writes to the Master Boot Record (MBR)
    - Checks system information in the registry
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1500

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery