Malware Analysis Report

2025-08-10 19:27

Sample ID 230713-rc9llaha43
Target Richiesta Preventivo (ISGB) 7788EU - 0605ITA·pdf.zip
SHA256 f10f3adda4426ff71c0fbcb9f3ccdd0d46733e3661921d0048435bc9788c93f0
Tags
guloader lokibot collection downloader spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f10f3adda4426ff71c0fbcb9f3ccdd0d46733e3661921d0048435bc9788c93f0

Threat Level: Known bad

The file Richiesta Preventivo (ISGB) 7788EU - 0605ITA·pdf.zip was found to be: Known bad.

Malicious Activity Summary

guloader lokibot collection downloader spyware stealer trojan

Lokibot

Guloader,Cloudeye

Loads dropped DLL

Reads user/profile data of web browsers

Checks QEMU agent file

Accesses Microsoft Outlook profiles

Legitimate hosting services abused for malware hosting/C2

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: AddClipboardFormatListener

outlook_win_path

Suspicious use of AdjustPrivilegeToken

Enumerates system info in registry

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

outlook_office_path

Suspicious behavior: RenamesItself

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Modifies registry class

Checks processor information in registry

Uses Task Scheduler COM API

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-07-13 14:04

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-13 14:04

Reported

2023-07-13 14:07

Platform

win10v2004-20230703-en

Max time kernel

138s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Richiesta Preventivo (ISGB) 7788EU - 0605ITA·pdf.exe"

Signatures

Guloader,Cloudeye

downloader guloader

Lokibot

trojan spyware stealer lokibot

Checks QEMU agent file

Description Indicator Process Target
File opened (read-only) C:\Program Files\Qemu-ga\qemu-ga.exe C:\Users\Admin\AppData\Local\Temp\Richiesta Preventivo (ISGB) 7788EU - 0605ITA·pdf.exe N/A
File opened (read-only) C:\Program Files\Qemu-ga\qemu-ga.exe C:\Users\Admin\AppData\Local\Temp\Richiesta Preventivo (ISGB) 7788EU - 0605ITA·pdf.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Richiesta Preventivo (ISGB) 7788EU - 0605ITA·pdf.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Richiesta Preventivo (ISGB) 7788EU - 0605ITA·pdf.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Richiesta Preventivo (ISGB) 7788EU - 0605ITA·pdf.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Richiesta Preventivo (ISGB) 7788EU - 0605ITA·pdf.exe N/A

Legitimate hosting services abused for malware hosting/C2

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\statshemmeligheds.zir C:\Users\Admin\AppData\Local\Temp\Richiesta Preventivo (ISGB) 7788EU - 0605ITA·pdf.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Richiesta Preventivo (ISGB) 7788EU - 0605ITA·pdf.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Richiesta Preventivo (ISGB) 7788EU - 0605ITA·pdf.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Richiesta Preventivo (ISGB) 7788EU - 0605ITA·pdf.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 868 wrote to memory of 4816 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 868 wrote to memory of 4816 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 868 wrote to memory of 4816 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 868 wrote to memory of 4816 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 868 wrote to memory of 4816 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 868 wrote to memory of 4816 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 868 wrote to memory of 4816 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 868 wrote to memory of 4816 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 868 wrote to memory of 4816 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 868 wrote to memory of 4816 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 868 wrote to memory of 4816 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4816 wrote to memory of 804 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4816 wrote to memory of 804 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4816 wrote to memory of 2356 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4816 wrote to memory of 2356 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4816 wrote to memory of 2356 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4816 wrote to memory of 2356 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4816 wrote to memory of 2356 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4816 wrote to memory of 2356 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4816 wrote to memory of 2356 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4816 wrote to memory of 2356 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4816 wrote to memory of 2356 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4816 wrote to memory of 2356 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4816 wrote to memory of 2356 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4816 wrote to memory of 2356 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4816 wrote to memory of 2356 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4816 wrote to memory of 2356 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4816 wrote to memory of 2356 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4816 wrote to memory of 2356 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4816 wrote to memory of 2356 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4816 wrote to memory of 2356 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4816 wrote to memory of 2356 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4816 wrote to memory of 2356 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4816 wrote to memory of 2356 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4816 wrote to memory of 2356 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4816 wrote to memory of 2356 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4816 wrote to memory of 2356 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4816 wrote to memory of 2356 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4816 wrote to memory of 2356 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4816 wrote to memory of 2356 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4816 wrote to memory of 2356 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4816 wrote to memory of 2356 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4816 wrote to memory of 2356 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4816 wrote to memory of 2356 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4816 wrote to memory of 2356 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4816 wrote to memory of 2356 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4816 wrote to memory of 2356 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4816 wrote to memory of 2356 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4816 wrote to memory of 2356 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4816 wrote to memory of 2356 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4816 wrote to memory of 2356 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4816 wrote to memory of 2356 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4816 wrote to memory of 2356 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4816 wrote to memory of 2356 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4816 wrote to memory of 2356 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4816 wrote to memory of 2356 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4816 wrote to memory of 2356 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4816 wrote to memory of 2356 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4816 wrote to memory of 2356 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4816 wrote to memory of 2356 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4816 wrote to memory of 2356 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4816 wrote to memory of 3208 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4816 wrote to memory of 3208 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4816 wrote to memory of 3208 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Richiesta Preventivo (ISGB) 7788EU - 0605ITA·pdf.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Richiesta Preventivo (ISGB) 7788EU - 0605ITA·pdf.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Richiesta Preventivo (ISGB) 7788EU - 0605ITA·pdf.exe

"C:\Users\Admin\AppData\Local\Temp\Richiesta Preventivo (ISGB) 7788EU - 0605ITA·pdf.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4816.0.28109163\2008700094" -parentBuildID 20221007134813 -prefsHandle 1828 -prefMapHandle 1820 -prefsLen 20860 -prefMapSize 232645 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3c83df7f-8438-47b8-a5de-edeeec2e5dbd} 4816 "\\.\pipe\gecko-crash-server-pipe.4816" 1920 234c4e05458 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4816.1.1789040711\16726713" -parentBuildID 20221007134813 -prefsHandle 2328 -prefMapHandle 2324 -prefsLen 20896 -prefMapSize 232645 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {60e37648-1a3b-4d7e-a373-1f5b820eacf4} 4816 "\\.\pipe\gecko-crash-server-pipe.4816" 2356 234b7272558 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4816.2.1758971233\639175372" -childID 1 -isForBrowser -prefsHandle 1456 -prefMapHandle 3208 -prefsLen 20934 -prefMapSize 232645 -jsInitHandle 1172 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0d67cfd2-4c95-4f98-8407-a622f43ea26f} 4816 "\\.\pipe\gecko-crash-server-pipe.4816" 3300 234c7cb3658 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4816.3.892752573\628329880" -childID 2 -isForBrowser -prefsHandle 3644 -prefMapHandle 3640 -prefsLen 26359 -prefMapSize 232645 -jsInitHandle 1172 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d75c5f1e-9d06-45e1-a311-72ae53cb34e4} 4816 "\\.\pipe\gecko-crash-server-pipe.4816" 3652 234b7269f58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4816.4.948893861\1974531752" -childID 3 -isForBrowser -prefsHandle 4612 -prefMapHandle 4608 -prefsLen 26418 -prefMapSize 232645 -jsInitHandle 1172 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {64744aaa-dec6-4df6-a3e6-eae281c4ebc0} 4816 "\\.\pipe\gecko-crash-server-pipe.4816" 4624 234c9caa458 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4816.7.786229675\410069347" -childID 6 -isForBrowser -prefsHandle 5448 -prefMapHandle 5452 -prefsLen 26418 -prefMapSize 232645 -jsInitHandle 1172 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7c676987-1feb-4771-a4f7-de02972fc11c} 4816 "\\.\pipe\gecko-crash-server-pipe.4816" 5440 234c9a8a158 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4816.6.264835245\438694947" -childID 5 -isForBrowser -prefsHandle 5256 -prefMapHandle 5260 -prefsLen 26418 -prefMapSize 232645 -jsInitHandle 1172 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0f66e19a-a4ab-4ad1-a6e0-9b01cb262ef1} 4816 "\\.\pipe\gecko-crash-server-pipe.4816" 5248 234c9a89e58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4816.5.398737586\705088505" -childID 4 -isForBrowser -prefsHandle 5040 -prefMapHandle 5044 -prefsLen 26418 -prefMapSize 232645 -jsInitHandle 1172 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7a5216e6-dc46-4a78-86ac-070df94f12b5} 4816 "\\.\pipe\gecko-crash-server-pipe.4816" 5092 234c9a89b58 tab

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Documents\These.docx" /o ""

C:\Users\Admin\AppData\Local\Temp\Richiesta Preventivo (ISGB) 7788EU - 0605ITA·pdf.exe

"C:\Users\Admin\AppData\Local\Temp\Richiesta Preventivo (ISGB) 7788EU - 0605ITA·pdf.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 254.149.241.8.in-addr.arpa udp
US 8.8.8.8:53 assets.msn.com udp
DE 23.53.42.184:443 assets.msn.com tcp
US 8.8.8.8:53 184.42.53.23.in-addr.arpa udp
US 8.8.8.8:53 69.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 getpocket.cdn.mozilla.net udp
US 8.8.8.8:53 content-signature-2.cdn.mozilla.net udp
US 8.8.8.8:53 shavar.services.mozilla.com udp
US 34.117.237.239:443 contile.services.mozilla.com tcp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 54.185.202.81:443 shavar.services.mozilla.com tcp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 prod.pocket.prod.cloudops.mozgcp.net udp
US 34.120.5.221:443 prod.pocket.prod.cloudops.mozgcp.net tcp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 34.160.144.191:443 content-signature-2.cdn.mozilla.net tcp
US 8.8.8.8:53 push.services.mozilla.com udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 firefox.settings.services.mozilla.com udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 34.149.100.209:443 prod.remote-settings.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 34.117.65.55:443 autopush.prod.mozaws.net tcp
US 8.8.8.8:53 tracking-protection.cdn.mozilla.net udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 8.8.8.8:53 tracking-protection.prod.mozaws.net udp
US 8.8.8.8:53 tracking-protection.prod.mozaws.net udp
US 34.120.158.37:443 tracking-protection.prod.mozaws.net tcp
US 8.8.8.8:53 81.202.185.54.in-addr.arpa udp
US 8.8.8.8:53 tracking-protection.cdn.mozilla.net udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
N/A 127.0.0.1:52481 tcp
N/A 127.0.0.1:52487 tcp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 24.32.109.52.in-addr.arpa udp
US 8.8.8.8:53 82.240.123.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 3.17.178.52.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 drive.google.com udp
NL 172.217.168.238:443 drive.google.com tcp
US 8.8.8.8:53 126.20.238.8.in-addr.arpa udp
US 8.8.8.8:53 238.168.217.172.in-addr.arpa udp
US 8.8.8.8:53 35.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 doc-0c-4o-docs.googleusercontent.com udp
NL 142.251.36.1:443 doc-0c-4o-docs.googleusercontent.com tcp
US 8.8.8.8:53 1.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 138.68.56.139:80 138.68.56.139 tcp
US 8.8.8.8:53 139.56.68.138.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 138.68.56.139:80 138.68.56.139 tcp
US 138.68.56.139:80 138.68.56.139 tcp
US 8.8.8.8:53 63.141.182.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsy9C32.tmp\System.dll

MD5 75ed96254fbf894e42058062b4b4f0d1
SHA1 996503f1383b49021eb3427bc28d13b5bbd11977
SHA256 a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7
SHA512 58174896db81d481947b8745dafe3a02c150f3938bb4543256e8cce1145154e016d481df9fe68dac6d48407c62cbe20753320ebd5fe5e84806d07ce78e0eb0c4

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\05ypapi5.default-release\activity-stream.discovery_stream.json

MD5 1b5d1653a82dcffee311175dcc164fbc
SHA1 1d8ed433bfe1994e3b3ee790768eeddd4319a12c
SHA256 9d249a475b876914ce5b3364a9566eb8e80d3bd7ca6386fc1ec4a59a546a4587
SHA512 0624c4617490c1f7b312adf3553e7262c08889e27cddc91d9df614faac546e3024009bcc4f4cee51e01f680d5206e6c064f4e556d0d9ab9f61c62cc56badf80b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\05ypapi5.default-release\prefs.js

MD5 cfdd55299f3df8fb7c08ab906991ce98
SHA1 e88241d2aa2a5bdf9b2ea74e9dd53f1938534f1a
SHA256 bdaf786c4a95be17fb4a90d8256125b417fe9f6e5497fd00c5004e44cabaace9
SHA512 07517ded2840efaf1234f8bf0ce0e8ae021d749388362655d687cfd708446fa3a80ec019b93db22e5b224f0a3f1fa198351470d4d572c7286635122e7418e540

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\05ypapi5.default-release\prefs-1.js

MD5 5fb4a5b9ed048676168272676f46f6a5
SHA1 181ca1a3cd79bdc78ce82f642d6fc2212479dd26
SHA256 66ca187123b1a4c969d1b7cbb2549c2cd0332b82e175a7e5a80228572e321319
SHA512 be54d646d0969d997ef33284177ad97bc3d3824c386d526eea71542030c99ad55e667319f30ee2b104c219168d87b8808ce6b4fe96fd662bf5366aef6e122ad4

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\05ypapi5.default-release\sessionstore.jsonlz4

MD5 cc104f8c30653a539798ec66ed6d54ba
SHA1 343727512737c905016ff967a0715d8adba28336
SHA256 f65e21d967ccda300d34365e982e6b79c0567712fc667236ad50e3f60f8d93f6
SHA512 7dc14d6d645e8825b114470646a81ec8a6bfd2d7340e73cb84c90c9fa188732630b299e7cd6a34f16905d896c11dfcaa37f654d21e63372fd560d2693fe9ed85

memory/3832-299-0x00007FF8407D0000-0x00007FF8407E0000-memory.dmp

memory/3832-301-0x00007FF8407D0000-0x00007FF8407E0000-memory.dmp

memory/3832-302-0x00007FF880750000-0x00007FF880945000-memory.dmp

memory/3832-304-0x00007FF880750000-0x00007FF880945000-memory.dmp

memory/3832-306-0x00007FF880750000-0x00007FF880945000-memory.dmp

memory/3832-307-0x00007FF880750000-0x00007FF880945000-memory.dmp

memory/3832-308-0x00007FF8407D0000-0x00007FF8407E0000-memory.dmp

memory/3832-309-0x00007FF880750000-0x00007FF880945000-memory.dmp

memory/3832-305-0x00007FF8407D0000-0x00007FF8407E0000-memory.dmp

memory/3832-303-0x00007FF8407D0000-0x00007FF8407E0000-memory.dmp

memory/3832-300-0x00007FF880750000-0x00007FF880945000-memory.dmp

memory/3832-310-0x00007FF880750000-0x00007FF880945000-memory.dmp

memory/3832-311-0x00007FF880750000-0x00007FF880945000-memory.dmp

memory/3832-312-0x00007FF880750000-0x00007FF880945000-memory.dmp

memory/3832-313-0x00007FF880750000-0x00007FF880945000-memory.dmp

memory/3832-314-0x00007FF880750000-0x00007FF880945000-memory.dmp

memory/3832-315-0x00007FF880750000-0x00007FF880945000-memory.dmp

memory/3832-316-0x00007FF83E1F0000-0x00007FF83E200000-memory.dmp

memory/3832-317-0x00007FF880750000-0x00007FF880945000-memory.dmp

memory/3832-318-0x00007FF880750000-0x00007FF880945000-memory.dmp

memory/3832-319-0x00007FF880750000-0x00007FF880945000-memory.dmp

memory/3832-320-0x00007FF83E1F0000-0x00007FF83E200000-memory.dmp

memory/3832-321-0x00007FF880750000-0x00007FF880945000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 4566d1d70073cd75fe35acb78ff9d082
SHA1 f602ecc057a3c19aa07671b34b4fdd662aa033cc
SHA256 fe33f57205e2ebb981c4744d5a4ddc231f587a9a0589e6565c52e1051eadb0c0
SHA512 b9584ebfdd25cc588162dd6525a399c72ac03bf0c61709b96a19feba7217d840ae2c60d7b0d3b43307a2776f497a388e79ef8a646c12ae59a7f5cc4789bbf3c8

memory/3832-337-0x00007FF880750000-0x00007FF880945000-memory.dmp

memory/3832-351-0x00007FF880750000-0x00007FF880945000-memory.dmp

memory/3832-355-0x00007FF8407D0000-0x00007FF8407E0000-memory.dmp

memory/3832-356-0x00007FF8407D0000-0x00007FF8407E0000-memory.dmp

memory/3832-358-0x00007FF8407D0000-0x00007FF8407E0000-memory.dmp

memory/3832-357-0x00007FF8407D0000-0x00007FF8407E0000-memory.dmp

memory/3832-359-0x00007FF880750000-0x00007FF880945000-memory.dmp

memory/3048-360-0x0000000077811000-0x0000000077931000-memory.dmp

memory/3048-362-0x0000000074670000-0x0000000074676000-memory.dmp

memory/3048-361-0x0000000077811000-0x0000000077931000-memory.dmp

memory/4492-363-0x0000000000400000-0x0000000001654000-memory.dmp

memory/4492-364-0x0000000077898000-0x0000000077899000-memory.dmp

memory/4492-377-0x0000000000400000-0x0000000001654000-memory.dmp

memory/4492-378-0x0000000001660000-0x0000000005E7A000-memory.dmp

memory/4492-379-0x0000000000400000-0x0000000001654000-memory.dmp

memory/4492-380-0x0000000000400000-0x0000000001654000-memory.dmp

memory/4492-382-0x0000000000400000-0x0000000001654000-memory.dmp

memory/4492-383-0x0000000000400000-0x0000000001654000-memory.dmp

memory/4492-381-0x0000000001660000-0x0000000005E7A000-memory.dmp

memory/4492-384-0x0000000000400000-0x0000000001654000-memory.dmp

memory/4492-385-0x0000000000400000-0x0000000001654000-memory.dmp

memory/4492-390-0x0000000000400000-0x0000000001654000-memory.dmp

memory/4492-398-0x0000000000400000-0x0000000001654000-memory.dmp

memory/4492-399-0x0000000000400000-0x0000000001654000-memory.dmp

memory/4492-400-0x0000000000400000-0x0000000001654000-memory.dmp

memory/4492-404-0x0000000000400000-0x0000000001654000-memory.dmp

memory/4492-405-0x0000000000400000-0x0000000001654000-memory.dmp

memory/4492-406-0x0000000000400000-0x0000000001654000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-618519468-4027732583-1827558364-1000\0f5007522459c86e95ffcc62f32308f1_7cdcba7c-ddfa-4ddd-854f-aa7eeb433240

MD5 c07225d4e7d01d31042965f048728a0a
SHA1 69d70b340fd9f44c89adb9a2278df84faa9906b7
SHA256 8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a
SHA512 23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-618519468-4027732583-1827558364-1000\0f5007522459c86e95ffcc62f32308f1_7cdcba7c-ddfa-4ddd-854f-aa7eeb433240

MD5 d898504a722bff1524134c6ab6a5eaa5
SHA1 e0fdc90c2ca2a0219c99d2758e68c18875a3e11e
SHA256 878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9
SHA512 26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

memory/4492-413-0x0000000000400000-0x0000000001654000-memory.dmp

memory/4492-415-0x0000000000400000-0x0000000001654000-memory.dmp

memory/4492-416-0x0000000000400000-0x0000000001654000-memory.dmp

memory/4492-417-0x0000000000400000-0x0000000001654000-memory.dmp

memory/4492-418-0x0000000000400000-0x0000000001654000-memory.dmp

memory/4492-419-0x0000000000400000-0x0000000001654000-memory.dmp

memory/4492-420-0x0000000000400000-0x0000000001654000-memory.dmp

memory/4492-422-0x0000000000400000-0x0000000001654000-memory.dmp

memory/4492-423-0x0000000000400000-0x0000000001654000-memory.dmp

memory/4492-424-0x0000000000400000-0x0000000001654000-memory.dmp

memory/4492-425-0x0000000000400000-0x0000000001654000-memory.dmp

memory/4492-427-0x0000000077811000-0x0000000077931000-memory.dmp

memory/4492-428-0x0000000000400000-0x0000000001654000-memory.dmp

memory/4492-429-0x0000000000400000-0x0000000001654000-memory.dmp

memory/4492-430-0x0000000000400000-0x0000000001654000-memory.dmp

memory/4492-431-0x0000000000400000-0x0000000001654000-memory.dmp

memory/4492-432-0x0000000000400000-0x0000000001654000-memory.dmp

memory/4492-434-0x0000000000400000-0x0000000001654000-memory.dmp

memory/4492-435-0x0000000000400000-0x0000000001654000-memory.dmp

memory/4492-436-0x0000000000400000-0x0000000001654000-memory.dmp

memory/4492-437-0x0000000000400000-0x0000000001654000-memory.dmp

memory/4492-438-0x0000000000400000-0x0000000001654000-memory.dmp

memory/4492-439-0x0000000000400000-0x0000000001654000-memory.dmp

memory/4492-441-0x0000000000400000-0x0000000001654000-memory.dmp

memory/4492-442-0x0000000000400000-0x0000000001654000-memory.dmp