11fe7a13ad470ff3c39423f1ebb5b7abff8cf8a656d2ac97c0183d680d07687c

Analysis

max time kernel
125s
max time network
132s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
02/10/2024, 10:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$1/listicka.exe
Size

10.7MB
MD5

b29bfd8ee3a426894b4ca3753e5b62a8
SHA1

47dca130179d877abc85cd7046a469c3ac74f502
SHA256

d3d7e6b3f65ba7375d356da4818f8caf09b185e200dd97310abeada793d82077
SHA512

2ddbf6c4d38029089db20bbf8d942bc852e6e48dda834e492be423ab5556c33bd180b2b4ea2de791d48edc581ed819f36583d3142293ad6fc53ec794ec5a4eb3
SSDEEP

196608:kdj55vVVlA1+bzOkUHQGuhlL3indHXPhiSpIUi5cOong7YflZP9uKy8Mpg:o5FHW1+zOkT7Kd3P43Uz5gglZPAg

Score

7^/10

discovery persistence spyware stealer upx

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
2164	sznsetup-lt.exe
2792	sznsetup-lt.exe
2700	unzip.exe
2736	unzip.exe
2388	REG.EXE
728	REG.EXE
1236	REG.EXE
1984	REG.EXE
1288	REG.EXE
1932	REG.EXE
2884	REG.EXE
1688	REG.EXE
2276	REG.EXE
2144	REG.EXE
2392	REG.EXE
2904	REG.EXE
1108	REG.EXE
852	szninstall.exe
1928	sznsetup.exe
1624	sznsetup.exe
2016	unzip.exe
760	REG.EXE
2292	unzip.exe
2640	unzip.exe
2320	CPY.EXE
2340	CPY.EXE
2836	unzip.exe
2012	CPY.EXE
2164	unzip.exe
2576	CPY.EXE
2624	CPY.EXE
3028	CPY.EXE
2132	CPY.EXE
1976	REG.EXE
3036	unzip.exe
1668	CPY.EXE
860	REG.EXE
2040	unzip.exe
2876	CPY.EXE
1656	CPY.EXE
816	CPY.EXE
2660	CPY.EXE
3016	CPY.EXE
2900	CPY.EXE
2452	CPY.EXE
1688	CPY.EXE
1304	REG.EXE
1080	REG.EXE
1016	REG.EXE
2144	sznpp.exe
2808	unzip.exe
2020	unzip.exe
540	CPY.EXE
1600	CPY.EXE
1604	szndesktop.exe
1608	szndesktop.exe
2308	listicka-x64.exe
2100	sznpp.exe
2340	unzip.exe
2172	unzip.exe
1328	sznpp.exe
1692	sznpp.exe
1284	sznpp.exe
1932	unzip.exe

Loads dropped DLL 64 IoCs

pid	Process
2484	listicka.exe
2484	listicka.exe
2484	listicka.exe
2484	listicka.exe
2484	listicka.exe
2484	listicka.exe
2792	sznsetup-lt.exe
2792	sznsetup-lt.exe
2792	sznsetup-lt.exe
2792	sznsetup-lt.exe
1732	cmd.exe
1732	cmd.exe
1732	cmd.exe
1732	cmd.exe
1732	cmd.exe
1732	cmd.exe
1732	cmd.exe
1732	cmd.exe
1732	cmd.exe
1732	cmd.exe
1732	cmd.exe
1732	cmd.exe
1732	cmd.exe
1732	cmd.exe
1732	cmd.exe
1732	cmd.exe
1732	cmd.exe
1732	cmd.exe
1732	cmd.exe
1732	cmd.exe
1732	cmd.exe
1732	cmd.exe
1732	cmd.exe
1732	cmd.exe
1732	cmd.exe
1732	cmd.exe
2484	listicka.exe
2484	listicka.exe
852	szninstall.exe
852	szninstall.exe
1624	sznsetup.exe
1624	sznsetup.exe
1812	cmd.exe
1812	cmd.exe
1624	sznsetup.exe
1624	sznsetup.exe
1624	sznsetup.exe
1624	sznsetup.exe
2100	cmd.exe
2100	cmd.exe
2100	cmd.exe
2100	cmd.exe
1624	sznsetup.exe
1624	sznsetup.exe
2744	cmd.exe
2744	cmd.exe
1624	sznsetup.exe
1624	sznsetup.exe
2556	cmd.exe
2556	cmd.exe
2556	cmd.exe
2556	cmd.exe
2556	cmd.exe
2556	cmd.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\cz.seznam.software.autoupdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\Seznam.cz\\szninstall.exe\" -c"	REG.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\cz.seznam.software.szndesktop = "\"C:\\Users\\Admin\\AppData\\Roaming\\Seznam.cz\\bin\\wszndesktop.exe\" -q"	REG.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\seznam-listicka-distribuce = "\"C:\\Program Files (x86)\\Seznam.cz\\distribution\\szninstall.exe\" -s -d listicka 1 szn-software-listicka cz.seznam.software.autoupdate"	REG.EXE

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

UPX packed file 54 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral3/files/0x000500000001a3e4-54.dat	upx
behavioral3/memory/2792-55-0x0000000000640000-0x000000000067F000-memory.dmp	upx
behavioral3/memory/2700-72-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral3/memory/2736-100-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral3/files/0x000500000001a2fc-105.dat	upx
behavioral3/memory/2388-111-0x0000000001000000-0x000000000101E000-memory.dmp	upx
behavioral3/memory/2388-113-0x0000000001000000-0x000000000101E000-memory.dmp	upx
behavioral3/memory/1732-117-0x0000000000170000-0x000000000018E000-memory.dmp	upx
behavioral3/memory/728-118-0x0000000001000000-0x000000000101E000-memory.dmp	upx
behavioral3/memory/1236-125-0x0000000001000000-0x000000000101E000-memory.dmp	upx
behavioral3/memory/1984-130-0x0000000001000000-0x000000000101E000-memory.dmp	upx
behavioral3/memory/1288-135-0x0000000001000000-0x000000000101E000-memory.dmp	upx
behavioral3/memory/1932-140-0x0000000001000000-0x000000000101E000-memory.dmp	upx
behavioral3/memory/1732-144-0x0000000000170000-0x000000000018E000-memory.dmp	upx
behavioral3/memory/2884-146-0x0000000001000000-0x000000000101E000-memory.dmp	upx
behavioral3/memory/1732-150-0x0000000000170000-0x000000000018E000-memory.dmp	upx
behavioral3/memory/1688-151-0x0000000001000000-0x000000000101E000-memory.dmp	upx
behavioral3/memory/1732-155-0x0000000000170000-0x000000000018E000-memory.dmp	upx
behavioral3/memory/2276-157-0x0000000001000000-0x000000000101E000-memory.dmp	upx
behavioral3/memory/2144-162-0x0000000001000000-0x000000000101E000-memory.dmp	upx
behavioral3/memory/2392-166-0x0000000001000000-0x000000000101E000-memory.dmp	upx
behavioral3/memory/2904-171-0x0000000001000000-0x000000000101E000-memory.dmp	upx
behavioral3/memory/1108-176-0x0000000001000000-0x000000000101E000-memory.dmp	upx
behavioral3/memory/2016-207-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral3/memory/760-211-0x0000000001000000-0x000000000101E000-memory.dmp	upx
behavioral3/memory/760-209-0x0000000001000000-0x000000000101E000-memory.dmp	upx
behavioral3/memory/2292-228-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral3/memory/2640-248-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral3/memory/2836-267-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral3/memory/2164-294-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral3/memory/1976-300-0x0000000001000000-0x000000000101E000-memory.dmp	upx
behavioral3/memory/1976-299-0x0000000001000000-0x000000000101E000-memory.dmp	upx
behavioral3/memory/3036-318-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral3/memory/860-322-0x0000000001000000-0x000000000101E000-memory.dmp	upx
behavioral3/memory/1624-331-0x0000000000810000-0x000000000084F000-memory.dmp	upx
behavioral3/memory/2040-352-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral3/memory/1304-365-0x0000000001000000-0x000000000101E000-memory.dmp	upx
behavioral3/memory/1080-367-0x0000000001000000-0x000000000101E000-memory.dmp	upx
behavioral3/memory/1016-371-0x0000000001000000-0x000000000101E000-memory.dmp	upx
behavioral3/memory/2808-403-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral3/memory/1624-438-0x0000000000810000-0x000000000084F000-memory.dmp	upx
behavioral3/memory/2020-452-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral3/memory/2340-474-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral3/memory/1624-486-0x0000000000810000-0x000000000084F000-memory.dmp	upx
behavioral3/memory/2172-488-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral3/memory/2172-500-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral3/memory/1624-535-0x0000000000810000-0x000000000084F000-memory.dmp	upx
behavioral3/memory/1932-564-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral3/memory/1356-633-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral3/memory/320-655-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral3/memory/2652-681-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral3/memory/3024-754-0x0000000000190000-0x00000000001AE000-memory.dmp	upx
behavioral3/memory/2276-756-0x0000000001000000-0x000000000101E000-memory.dmp	upx
behavioral3/memory/2432-760-0x0000000001000000-0x000000000101E000-memory.dmp	upx

Drops file in Program Files directory 48 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Seznam.cz\distribution\install\cz.seznam.software.libfoxloader-3.2.7-win32.zip	xcopy.exe
File created	C:\Program Files (x86)\Seznam.cz\distribution\install\cz.seznam.software.lightspeed-1210-12.10.17-win32.zip	xcopy.exe
File opened for modification	C:\Program Files (x86)\Seznam.cz\distribution\install\cz.seznam.software.pp-1.0.2-win32.zip	xcopy.exe
File created	C:\Program Files (x86)\Seznam.cz\distribution\install\szn-software-fflisticka-4.0.4-win32.zip	xcopy.exe
File opened for modification	C:\Program Files (x86)\Seznam.cz\distribution\sources.inf	cmd.exe
File created	C:\Program Files (x86)\Seznam.cz\distribution\install\cz.seznam.software.libfoxcub64-3.3.4-win32.zip	xcopy.exe
File opened for modification	C:\Program Files (x86)\Seznam.cz\distribution\install\cz.seznam.software.szninstall-1.1.14-win32.zip	xcopy.exe
File opened for modification	C:\Program Files (x86)\Seznam.cz\distribution\install\cz.seznam.software.sznsetup-1.2.6-win32.zip	xcopy.exe
File opened for modification	C:\Program Files (x86)\Seznam.cz\distribution\install\packages.inf	xcopy.exe
File opened for modification	C:\Program Files (x86)\Seznam.cz\distribution\install\szn-software-fflisticka-4.0.4-win32.zip	xcopy.exe
File opened for modification	C:\Program Files (x86)\Seznam.cz\distribution\install\szn-software-listicka-3.0.0-win32.zip	xcopy.exe
File created	C:\Program Files (x86)\Seznam.cz\distribution\install\cz.seznam.software.ielisticka3-3.3.1-win32.zip	xcopy.exe
File opened for modification	C:\Program Files (x86)\Seznam.cz\distribution\install\cz.seznam.software.libfoxcub64-3.3.4-win32.zip	xcopy.exe
File opened for modification	C:\Program Files (x86)\Seznam.cz\distribution\install\cz.seznam.software.szndesktop-2.0.31-win32.zip	xcopy.exe
File created	C:\Program Files (x86)\Seznam.cz\distribution\install\packages.inf	xcopy.exe
File opened for modification	C:\Program Files (x86)\Seznam.cz\distribution\install\cz.seznam.software.lightspeed-1210-12.10.17-win32.zip	xcopy.exe
File opened for modification	C:\Program Files (x86)\Seznam.cz\distribution\sznsetup.exe	cmd.exe
File created	C:\Program Files (x86)\Seznam.cz\distribution\sources.inf	cmd.exe
File opened for modification	C:\Program Files (x86)\Seznam.cz\distribution\sources.inf	sznsetup.exe
File opened for modification	C:\Program Files (x86)\Seznam.cz\distribution\install	xcopy.exe
File opened for modification	C:\Program Files (x86)\Seznam.cz\distribution\install\com.microsoft.msdn.msvcr100-10.0.40219.325-win32.zip	xcopy.exe
File created	C:\Program Files (x86)\Seznam.cz\distribution\install\cz.seznam.software.libfoxcub-3.3.4-win32.zip	xcopy.exe
File created	C:\Program Files (x86)\Seznam.cz\distribution\install\cz.seznam.software.lightspeed-1210-12.10.12-win32.zip	xcopy.exe
File created	C:\Program Files (x86)\Seznam.cz\distribution\install\szn-software-base-1.0.0-win32.zip	xcopy.exe
File opened for modification	C:\Program Files (x86)\Seznam.cz\distribution\partner.conf	cmd.exe
File created	C:\Program Files (x86)\Seznam.cz\distribution\install\com.microsoft.msdn.msvcr100-10.0.40219.325-win32.zip	xcopy.exe
File opened for modification	C:\Program Files (x86)\Seznam.cz\distribution\install\com.microsoft.msdn.msvcr110-11.0.51106.1-win32.zip	xcopy.exe
File opened for modification	C:\Program Files (x86)\Seznam.cz\distribution\install\cz.seznam.software.autoupdate-1.0.8-win32.zip	xcopy.exe
File opened for modification	C:\Program Files (x86)\Seznam.cz\distribution\install\cz.seznam.software.libfoxloader-3.2.7-win32.zip	xcopy.exe
File opened for modification	C:\Program Files (x86)\Seznam.cz\distribution\install\cz.seznam.software.libszndesktop-2.1.29-win32.zip	xcopy.exe
File created	C:\Program Files (x86)\Seznam.cz\distribution\install\cz.seznam.software.szninstall-1.1.14-win32.zip	xcopy.exe
File created	C:\Program Files (x86)\Seznam.cz\distribution\install\szn-software-listicka-3.0.0-win32.zip	xcopy.exe
File created	C:\Program Files (x86)\Seznam.cz\distribution\szninstall.exe	cmd.exe
File created	C:\Program Files (x86)\Seznam.cz\distribution\partner.conf	cmd.exe
File created	C:\Program Files (x86)\Seznam.cz\distribution\install\com.microsoft.msdn.msvcr110-11.0.51106.1-win32.zip	xcopy.exe
File opened for modification	C:\Program Files (x86)\Seznam.cz\distribution\install\cz.seznam.software.chromelisticka-2.0.4-win32.zip	xcopy.exe
File opened for modification	C:\Program Files (x86)\Seznam.cz\distribution\install\cz.seznam.software.ielisticka3-3.3.1-win32.zip	xcopy.exe
File created	C:\Program Files (x86)\Seznam.cz\distribution\install\cz.seznam.software.sznsetup-1.2.6-win32.zip	xcopy.exe
File opened for modification	C:\Program Files (x86)\Seznam.cz\distribution\szninstall.exe	cmd.exe
File created	C:\Program Files (x86)\Seznam.cz\distribution\install\cz.seznam.software.autoupdate-1.0.8-win32.zip	xcopy.exe
File created	C:\Program Files (x86)\Seznam.cz\distribution\install\cz.seznam.software.chromelisticka-2.0.4-win32.zip	xcopy.exe
File opened for modification	C:\Program Files (x86)\Seznam.cz\distribution\install\cz.seznam.software.lightspeed-1210-12.10.12-win32.zip	xcopy.exe
File created	C:\Program Files (x86)\Seznam.cz\distribution\install\cz.seznam.software.pp-1.0.2-win32.zip	xcopy.exe
File created	C:\Program Files (x86)\Seznam.cz\distribution\install\cz.seznam.software.szndesktop-2.0.31-win32.zip	xcopy.exe
File opened for modification	C:\Program Files (x86)\Seznam.cz\distribution\install\szn-software-base-1.0.0-win32.zip	xcopy.exe
File created	C:\Program Files (x86)\Seznam.cz\distribution\sznsetup.exe	cmd.exe
File opened for modification	C:\Program Files (x86)\Seznam.cz\distribution\install\cz.seznam.software.libfoxcub-3.3.4-win32.zip	xcopy.exe
File created	C:\Program Files (x86)\Seznam.cz\distribution\install\cz.seznam.software.libszndesktop-2.1.29-win32.zip	xcopy.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unzip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sznpp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sznsetup-lt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unzip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xcopy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unzip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	szndesktop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sznpp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sznpp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sznsetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unzip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sznpp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	szninstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sznpp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sznpp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unzip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unzip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unzip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unzip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sznpp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sznsetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	listicka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unzip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unzip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	szndesktop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sznsetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	szndesktop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sznpp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unzip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sznpp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sznpp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sznsetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unzip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unzip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unzip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sznsetup.exe

Enumerates system info in registry 2 TTPs 7 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2100	sznpp.exe
1328	sznpp.exe
1328	sznpp.exe
1692	sznpp.exe
1692	sznpp.exe
2668	sznpp.exe
2856	sznpp.exe
2688	sznpp_64.exe
2688	sznpp_64.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
1992	chrome.exe
1992	chrome.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeTcbPrivilege	852	szninstall.exe
Token: SeTcbPrivilege	3020	szninstall.exe
Token: SeShutdownPrivilege	2024	chrome.exe
Token: SeShutdownPrivilege	2024	chrome.exe
Token: SeShutdownPrivilege	2024	chrome.exe
Token: SeShutdownPrivilege	2024	chrome.exe
Token: SeShutdownPrivilege	2024	chrome.exe
Token: SeShutdownPrivilege	2024	chrome.exe
Token: SeShutdownPrivilege	2024	chrome.exe
Token: SeShutdownPrivilege	2024	chrome.exe
Token: SeShutdownPrivilege	2024	chrome.exe
Token: SeShutdownPrivilege	2024	chrome.exe
Token: SeShutdownPrivilege	2024	chrome.exe
Token: SeShutdownPrivilege	2024	chrome.exe
Token: SeShutdownPrivilege	2024	chrome.exe
Token: SeShutdownPrivilege	2024	chrome.exe
Token: SeShutdownPrivilege	2024	chrome.exe
Token: SeShutdownPrivilege	2024	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1608	szndesktop.exe
2308	listicka-x64.exe
2348	szndesktop.exe
2708	listicka-x64.exe
280	szndesktop.exe
2156	listicka-x64.exe
2688	sznpp_64.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2484 wrote to memory of 2164	2484	listicka.exe	30
PID 2484 wrote to memory of 2164	2484	listicka.exe	30
PID 2484 wrote to memory of 2164	2484	listicka.exe	30
PID 2484 wrote to memory of 2164	2484	listicka.exe	30
PID 2484 wrote to memory of 2164	2484	listicka.exe	30
PID 2484 wrote to memory of 2164	2484	listicka.exe	30
PID 2484 wrote to memory of 2164	2484	listicka.exe	30
PID 2484 wrote to memory of 2792	2484	listicka.exe	32
PID 2484 wrote to memory of 2792	2484	listicka.exe	32
PID 2484 wrote to memory of 2792	2484	listicka.exe	32
PID 2484 wrote to memory of 2792	2484	listicka.exe	32
PID 2484 wrote to memory of 2792	2484	listicka.exe	32
PID 2484 wrote to memory of 2792	2484	listicka.exe	32
PID 2484 wrote to memory of 2792	2484	listicka.exe	32
PID 2792 wrote to memory of 2700	2792	sznsetup-lt.exe	35
PID 2792 wrote to memory of 2700	2792	sznsetup-lt.exe	35
PID 2792 wrote to memory of 2700	2792	sznsetup-lt.exe	35
PID 2792 wrote to memory of 2700	2792	sznsetup-lt.exe	35
PID 2792 wrote to memory of 2636	2792	sznsetup-lt.exe	36
PID 2792 wrote to memory of 2636	2792	sznsetup-lt.exe	36
PID 2792 wrote to memory of 2636	2792	sznsetup-lt.exe	36
PID 2792 wrote to memory of 2636	2792	sznsetup-lt.exe	36
PID 2792 wrote to memory of 2736	2792	sznsetup-lt.exe	37
PID 2792 wrote to memory of 2736	2792	sznsetup-lt.exe	37
PID 2792 wrote to memory of 2736	2792	sznsetup-lt.exe	37
PID 2792 wrote to memory of 2736	2792	sznsetup-lt.exe	37
PID 2792 wrote to memory of 1732	2792	sznsetup-lt.exe	38
PID 2792 wrote to memory of 1732	2792	sznsetup-lt.exe	38
PID 2792 wrote to memory of 1732	2792	sznsetup-lt.exe	38
PID 2792 wrote to memory of 1732	2792	sznsetup-lt.exe	38
PID 1732 wrote to memory of 2388	1732	cmd.exe	39
PID 1732 wrote to memory of 2388	1732	cmd.exe	39
PID 1732 wrote to memory of 2388	1732	cmd.exe	39
PID 1732 wrote to memory of 2388	1732	cmd.exe	39
PID 1732 wrote to memory of 728	1732	cmd.exe	40
PID 1732 wrote to memory of 728	1732	cmd.exe	40
PID 1732 wrote to memory of 728	1732	cmd.exe	40
PID 1732 wrote to memory of 728	1732	cmd.exe	40
PID 1732 wrote to memory of 1236	1732	cmd.exe	41
PID 1732 wrote to memory of 1236	1732	cmd.exe	41
PID 1732 wrote to memory of 1236	1732	cmd.exe	41
PID 1732 wrote to memory of 1236	1732	cmd.exe	41
PID 1732 wrote to memory of 1984	1732	cmd.exe	42
PID 1732 wrote to memory of 1984	1732	cmd.exe	42
PID 1732 wrote to memory of 1984	1732	cmd.exe	42
PID 1732 wrote to memory of 1984	1732	cmd.exe	42
PID 1732 wrote to memory of 1288	1732	cmd.exe	43
PID 1732 wrote to memory of 1288	1732	cmd.exe	43
PID 1732 wrote to memory of 1288	1732	cmd.exe	43
PID 1732 wrote to memory of 1288	1732	cmd.exe	43
PID 1732 wrote to memory of 1932	1732	cmd.exe	44
PID 1732 wrote to memory of 1932	1732	cmd.exe	44
PID 1732 wrote to memory of 1932	1732	cmd.exe	44
PID 1732 wrote to memory of 1932	1732	cmd.exe	44
PID 1732 wrote to memory of 2884	1732	cmd.exe	45
PID 1732 wrote to memory of 2884	1732	cmd.exe	45
PID 1732 wrote to memory of 2884	1732	cmd.exe	45
PID 1732 wrote to memory of 2884	1732	cmd.exe	45
PID 1732 wrote to memory of 1688	1732	cmd.exe	46
PID 1732 wrote to memory of 1688	1732	cmd.exe	46
PID 1732 wrote to memory of 1688	1732	cmd.exe	46
PID 1732 wrote to memory of 1688	1732	cmd.exe	46
PID 1732 wrote to memory of 2276	1732	cmd.exe	47
PID 1732 wrote to memory of 2276	1732	cmd.exe	47

C:\Users\Admin\AppData\Local\Temp\$1\listicka.exe
"C:\Users\Admin\AppData\Local\Temp\$1\listicka.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2484
- C:\Users\Admin\AppData\Roaming\Seznam.cz\sznsetup-lt.exe
  "C:\Users\Admin\AppData\Roaming\Seznam.cz\sznsetup-lt.exe" -T "C:\Users\Admin\AppData\Roaming\Seznam.cz" -R "$\install" http://download.seznam.cz/update
  2⤵
  - Executes dropped EXE
  PID:2164
- C:\Users\Admin\AppData\Roaming\Seznam.cz\sznsetup-lt.exe
  "C:\Users\Admin\AppData\Roaming\Seznam.cz\sznsetup-lt.exe" -T "C:\Users\Admin\AppData\Roaming\Seznam.cz" -i cz.seznam.software.szninstall
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Users\Admin\AppData\Local\Temp\~0F76BA98.00000AE8.sznpkg\unzip.exe
    C:\Users\Admin\AppData\Local\Temp\~0F76BA98.00000AE8.sznpkg\unzip.exe -d C:\Users\Admin\AppData\Local\Temp\~0F76C783.00000AE8.sznpkg -o C:\Users\Admin\AppData\Roaming\Seznam.cz\install\cz.seznam.software.sznsetup-1.2.6-win32.zip
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2700
- - C:\Windows\SysWOW64\cmd.exe
    cmd /S /C "install.bat C:\Users\Admin\AppData\Roaming\Seznam.cz"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2636
- - C:\Users\Admin\AppData\Local\Temp\~0F76BA98.00000AE8.sznpkg\unzip.exe
    C:\Users\Admin\AppData\Local\Temp\~0F76BA98.00000AE8.sznpkg\unzip.exe -d C:\Users\Admin\AppData\Local\Temp\~0F76C84E.00000AE8.sznpkg -o C:\Users\Admin\AppData\Roaming\Seznam.cz\install\cz.seznam.software.szninstall-1.1.14-win32.zip
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2736
- - C:\Windows\SysWOW64\cmd.exe
    cmd /S /C "install.bat C:\Users\Admin\AppData\Roaming\Seznam.cz"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1732
  - - C:\Users\Admin\AppData\Local\Temp\~0F76BA98.00000AE8.sznpkg\REG.EXE
      REG DELETE "HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\SeznamInstall" /f /va
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2388
  - - C:\Users\Admin\AppData\Local\Temp\~0F76BA98.00000AE8.sznpkg\REG.EXE
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\SeznamInstall" /f
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:728
  - - C:\Users\Admin\AppData\Local\Temp\~0F76BA98.00000AE8.sznpkg\REG.EXE
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\SeznamInstall" /f /v "InstallLocation" /d C:\Users\Admin\AppData\Roaming\Seznam.cz
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1236
  - - C:\Users\Admin\AppData\Local\Temp\~0F76BA98.00000AE8.sznpkg\REG.EXE
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\SeznamInstall" /f /v "DisplayName" /d "Seznam Software"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1984
  - - C:\Users\Admin\AppData\Local\Temp\~0F76BA98.00000AE8.sznpkg\REG.EXE
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\SeznamInstall" /f /v "DisplayIcon" /d "C:\Users\Admin\AppData\Roaming\Seznam.cz\szninstall.exe,0"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1288
  - - C:\Users\Admin\AppData\Local\Temp\~0F76BA98.00000AE8.sznpkg\REG.EXE
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\SeznamInstall" /f /v "UninstallString" /d "\"C:\Users\Admin\AppData\Roaming\Seznam.cz\szninstall.exe\" -X"
      4⤵
      Executes dropped EXE
      PID:1932
  - - C:\Users\Admin\AppData\Local\Temp\~0F76BA98.00000AE8.sznpkg\REG.EXE
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\SeznamInstall" /f /v "ModifyPath" /d "C:\Users\Admin\AppData\Roaming\Seznam.cz\szninstall.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2884
  - - C:\Users\Admin\AppData\Local\Temp\~0F76BA98.00000AE8.sznpkg\REG.EXE
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\SeznamInstall" /f /v "Publisher" /d "Seznam.cz"
      4⤵
      Executes dropped EXE
      PID:1688
  - - C:\Users\Admin\AppData\Local\Temp\~0F76BA98.00000AE8.sznpkg\REG.EXE
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\SeznamInstall" /f /v "URLInfoAbout" /d "http://software.seznam.cz"
      4⤵
      Executes dropped EXE
      PID:2276
  - - C:\Users\Admin\AppData\Local\Temp\~0F76BA98.00000AE8.sznpkg\REG.EXE
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\SeznamInstall" /f /v "HelpLink" /d "http://napoveda.seznam.cz/cz/software.html"
      4⤵
      Executes dropped EXE
      PID:2144
  - - C:\Users\Admin\AppData\Local\Temp\~0F76BA98.00000AE8.sznpkg\REG.EXE
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\SeznamInstall" /f /v "Comments" /d "Vsechny aplikace spolecnosti Seznam.cz a.s."
      4⤵
      Executes dropped EXE
      PID:2392
  - - C:\Users\Admin\AppData\Local\Temp\~0F76BA98.00000AE8.sznpkg\REG.EXE
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\SeznamInstall" /f /v "NoRepair" /t REG_DWORD /d 1
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2904
  - - C:\Users\Admin\AppData\Local\Temp\~0F76BA98.00000AE8.sznpkg\REG.EXE
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\SeznamInstall" /f /v "NoModify" /t REG_DWORD /d 0
      4⤵
      Executes dropped EXE
      PID:1108
- C:\Users\Admin\AppData\Roaming\Seznam.cz\szninstall.exe
  "C:\Users\Admin\AppData\Roaming\Seznam.cz\szninstall.exe" -u -i cz.seznam.software.autoupdate szn-software-listicka
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:852
- - C:\Users\Admin\AppData\Roaming\Seznam.cz\sznsetup.exe
    C:\Users\Admin\AppData\Roaming\Seznam.cz\sznsetup.exe -V
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1928
- - C:\Users\Admin\AppData\Roaming\Seznam.cz\sznsetup.exe
    C:\Users\Admin\AppData\Roaming\Seznam.cz\sznsetup.exe -T C:\Users\Admin\AppData\Roaming\Seznam.cz -i -u cz.seznam.software.autoupdate szn-software-listicka -p
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1624
  - - C:\Users\Admin\AppData\Local\Temp\~0F76CAFD.00000658.sznpkg\unzip.exe
      C:\Users\Admin\AppData\Local\Temp\~0F76CAFD.00000658.sznpkg\unzip.exe -d C:\Users\Admin\AppData\Local\Temp\~0F76CD4D.00000658.sznpkg -o C:\Users\Admin\AppData\Roaming\Seznam.cz\install\cz.seznam.software.autoupdate-1.0.8-win32.zip
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2016
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /S /C "install.bat C:\Users\Admin\AppData\Roaming\Seznam.cz"
      4⤵
      Loads dropped DLL
      PID:1812
    - - C:\Users\Admin\AppData\Local\Temp\~0F76CAFD.00000658.sznpkg\REG.EXE
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "cz.seznam.software.autoupdate" /d "\"C:\Users\Admin\AppData\Roaming\Seznam.cz\szninstall.exe\" -c"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:760
  - - C:\Users\Admin\AppData\Local\Temp\~0F76CAFD.00000658.sznpkg\unzip.exe
      C:\Users\Admin\AppData\Local\Temp\~0F76CAFD.00000658.sznpkg\unzip.exe -d C:\Users\Admin\AppData\Local\Temp\~0F76CD9B.00000658.sznpkg -o C:\Users\Admin\AppData\Roaming\Seznam.cz\install\szn-software-base-1.0.0-win32.zip
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2292
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /S /C "install.bat C:\Users\Admin\AppData\Roaming\Seznam.cz"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1980
  - - C:\Users\Admin\AppData\Local\Temp\~0F76CAFD.00000658.sznpkg\unzip.exe
      C:\Users\Admin\AppData\Local\Temp\~0F76CAFD.00000658.sznpkg\unzip.exe -d C:\Users\Admin\AppData\Local\Temp\~0F76CDE9.00000658.sznpkg -o C:\Users\Admin\AppData\Roaming\Seznam.cz\install\com.microsoft.msdn.msvcr110-11.0.51106.1-win32.zip
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2640
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /S /C "install.bat C:\Users\Admin\AppData\Roaming\Seznam.cz"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2100
    - - C:\Users\Admin\AppData\Local\Temp\~0F76CAFD.00000658.sznpkg\CPY.EXE
        
        cpy msvcp110.dll "C:\Users\Admin\AppData\Roaming\Seznam.cz\bin"
        5⤵
        Executes dropped EXE
        
        PID:2320
    - - C:\Users\Admin\AppData\Local\Temp\~0F76CAFD.00000658.sznpkg\CPY.EXE
        
        cpy msvcr110.dll "C:\Users\Admin\AppData\Roaming\Seznam.cz\bin"
        5⤵
        Executes dropped EXE
        
        PID:2340
  - - C:\Users\Admin\AppData\Local\Temp\~0F76CAFD.00000658.sznpkg\unzip.exe
      C:\Users\Admin\AppData\Local\Temp\~0F76CAFD.00000658.sznpkg\unzip.exe -d C:\Users\Admin\AppData\Local\Temp\~0F76CE57.00000658.sznpkg -o C:\Users\Admin\AppData\Roaming\Seznam.cz\install\cz.seznam.software.lightspeed-1210-12.10.17-win32.zip
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2836
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /S /C "install.bat C:\Users\Admin\AppData\Roaming\Seznam.cz"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2744
    - - C:\Users\Admin\AppData\Local\Temp\~0F76CAFD.00000658.sznpkg\CPY.EXE
        
        cpy lightspeed.dll "C:\Users\Admin\AppData\Roaming\Seznam.cz\bin"
        5⤵
        Executes dropped EXE
        
        PID:2012
  - - C:\Users\Admin\AppData\Local\Temp\~0F76CAFD.00000658.sznpkg\unzip.exe
      C:\Users\Admin\AppData\Local\Temp\~0F76CAFD.00000658.sznpkg\unzip.exe -d C:\Users\Admin\AppData\Local\Temp\~0F76CE95.00000658.sznpkg -o C:\Users\Admin\AppData\Roaming\Seznam.cz\install\cz.seznam.software.libszndesktop-2.1.29-win32.zip
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2164
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /S /C "install.bat C:\Users\Admin\AppData\Roaming\Seznam.cz"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2556
    - - C:\Users\Admin\AppData\Local\Temp\~0F76CAFD.00000658.sznpkg\CPY.EXE
        
        cpy "szndesktop.exe" "C:\Users\Admin\AppData\Roaming\Seznam.cz\bin"
        5⤵
        Executes dropped EXE
        
        PID:2576
    - - C:\Users\Admin\AppData\Local\Temp\~0F76CAFD.00000658.sznpkg\CPY.EXE
        
        cpy "szndesktop.conf" "C:\Users\Admin\AppData\Roaming\Seznam.cz\conf"
        5⤵
        Executes dropped EXE
        
        PID:2624
    - - C:\Users\Admin\AppData\Local\Temp\~0F76CAFD.00000658.sznpkg\CPY.EXE
        
        cpy "szndesktop.webpak" "C:\Users\Admin\AppData\Roaming\Seznam.cz\data"
        5⤵
        Executes dropped EXE
        
        PID:3028
    - - C:\Users\Admin\AppData\Local\Temp\~0F76CAFD.00000658.sznpkg\CPY.EXE
        
        cpy "sznpp.exe" "C:\Users\Admin\AppData\Roaming\Seznam.cz\bin"
        5⤵
        Executes dropped EXE
        
        PID:2132
    - - C:\Users\Admin\AppData\Local\Temp\~0F76CAFD.00000658.sznpkg\REG.EXE
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\SeznamInstall" /v DisplayVersion /t REG_SZ /d "2.1.29" /f
        5⤵
        Executes dropped EXE
        
        PID:1976
  - - C:\Users\Admin\AppData\Local\Temp\~0F76CAFD.00000658.sznpkg\unzip.exe
      C:\Users\Admin\AppData\Local\Temp\~0F76CAFD.00000658.sznpkg\unzip.exe -d C:\Users\Admin\AppData\Local\Temp\~0F76CF12.00000658.sznpkg -o C:\Users\Admin\AppData\Roaming\Seznam.cz\install\cz.seznam.software.szndesktop-2.0.31-win32.zip
      4⤵
      Executes dropped EXE
      PID:3036
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /S /C "install.bat C:\Users\Admin\AppData\Roaming\Seznam.cz"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1268
    - - C:\Users\Admin\AppData\Local\Temp\~0F76CAFD.00000658.sznpkg\CPY.EXE
        
        cpy "wszndesktop.exe" "C:\Users\Admin\AppData\Roaming\Seznam.cz\bin"
        5⤵
        Executes dropped EXE
        
        PID:1668
    - - C:\Users\Admin\AppData\Local\Temp\~0F76CAFD.00000658.sznpkg\REG.EXE
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "cz.seznam.software.szndesktop" /d "\"C:\Users\Admin\AppData\Roaming\Seznam.cz\bin\wszndesktop.exe\" -q"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:860
  - - C:\Users\Admin\AppData\Local\Temp\~0F76CAFD.00000658.sznpkg\unzip.exe
      C:\Users\Admin\AppData\Local\Temp\~0F76CAFD.00000658.sznpkg\unzip.exe -d C:\Users\Admin\AppData\Local\Temp\~0F76CF6F.00000658.sznpkg -o C:\Users\Admin\AppData\Roaming\Seznam.cz\install\cz.seznam.software.libfoxcub-3.3.4-win32.zip
      4⤵
      Executes dropped EXE
      PID:2040
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /S /C "install.bat C:\Users\Admin\AppData\Roaming\Seznam.cz"
      4⤵
      PID:2872
    - - C:\Users\Admin\AppData\Local\Temp\~0F76CAFD.00000658.sznpkg\CPY.EXE
        
        cpy libfoxcub.dll "C:\Users\Admin\AppData\Roaming\Seznam.cz\bin"
        5⤵
        Executes dropped EXE
        
        PID:2876
    - - C:\Users\Admin\AppData\Local\Temp\~0F76CAFD.00000658.sznpkg\CPY.EXE
        
        cpy libfoxcub-x64.dll "C:\Users\Admin\AppData\Roaming\Seznam.cz\bin"
        5⤵
        Executes dropped EXE
        
        PID:1656
    - - C:\Users\Admin\AppData\Local\Temp\~0F76CAFD.00000658.sznpkg\CPY.EXE
        
        cpy libfoxcub.conf "C:\Users\Admin\AppData\Roaming\Seznam.cz\conf\szndesktop.d"
        5⤵
        Executes dropped EXE
        
        PID:816
    - - C:\Users\Admin\AppData\Local\Temp\~0F76CAFD.00000658.sznpkg\CPY.EXE
        
        cpy foxcub.conf "C:\Users\Admin\AppData\Roaming\Seznam.cz\conf\libfoxcub"
        5⤵
        Executes dropped EXE
        
        PID:2660
    - - C:\Users\Admin\AppData\Local\Temp\~0F76CAFD.00000658.sznpkg\CPY.EXE
        
        cpy remote.conf "C:\Users\Admin\AppData\Roaming\Seznam.cz\conf\libfoxcub"
        5⤵
        Executes dropped EXE
        
        PID:3016
    - - C:\Users\Admin\AppData\Local\Temp\~0F76CAFD.00000658.sznpkg\CPY.EXE
        
        cpy listickaconfig.webpak "C:\Users\Admin\AppData\Roaming\Seznam.cz\data"
        5⤵
        Executes dropped EXE
        
        PID:2900
    - - C:\Users\Admin\AppData\Local\Temp\~0F76CAFD.00000658.sznpkg\CPY.EXE
        
        cpy listickanastaveni.webpak "C:\Users\Admin\AppData\Roaming\Seznam.cz\data"
        5⤵
        Executes dropped EXE
        
        PID:2452
    - - C:\Users\Admin\AppData\Local\Temp\~0F76CAFD.00000658.sznpkg\CPY.EXE
        
        cpy speeddial.webpak "C:\Users\Admin\AppData\Roaming\Seznam.cz\data"
        5⤵
        Executes dropped EXE
        
        PID:1688
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe libfoxcub.dll,UpgradeListicka
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2848
    - - C:\Users\Admin\AppData\Local\Temp\~0F76CAFD.00000658.sznpkg\REG.EXE
        
        REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\szn-software-listicka" /v "UninstallString"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1304
    - - C:\Users\Admin\AppData\Local\Temp\~0F76CAFD.00000658.sznpkg\REG.EXE
        
        REG QUERY "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\szn-software-listicka" /v "UninstallString"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1080
    - - C:\Users\Admin\AppData\Local\Temp\~0F76CAFD.00000658.sznpkg\REG.EXE
        
        REG DELETE "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EA837F48-5AD1-443E-AE34-FFE03CBF3099}" /F
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1016
    - - C:\Users\Admin\AppData\Roaming\Seznam.cz\bin\sznpp.exe
        
        "C:\Users\Admin\AppData\Roaming\Seznam.cz\bin\sznpp.exe" -v report-ielisticka-install --status=0
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2144
  - - C:\Users\Admin\AppData\Local\Temp\~0F76CAFD.00000658.sznpkg\unzip.exe
      C:\Users\Admin\AppData\Local\Temp\~0F76CAFD.00000658.sznpkg\unzip.exe -d C:\Users\Admin\AppData\Local\Temp\~0F76D20E.00000658.sznpkg -o C:\Users\Admin\AppData\Roaming\Seznam.cz\install\cz.seznam.software.libfoxloader-3.2.7-win32.zip
      4⤵
      Executes dropped EXE
      PID:2808
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /S /C "install.bat C:\Users\Admin\AppData\Roaming\Seznam.cz"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2404
  - - C:\Users\Admin\AppData\Local\Temp\~0F76CAFD.00000658.sznpkg\unzip.exe
      C:\Users\Admin\AppData\Local\Temp\~0F76CAFD.00000658.sznpkg\unzip.exe -d C:\Users\Admin\AppData\Local\Temp\~0F76D25C.00000658.sznpkg -o C:\Users\Admin\AppData\Roaming\Seznam.cz\install\cz.seznam.software.libfoxcub64-3.3.4-win32.zip
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2020
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /S /C "install.bat C:\Users\Admin\AppData\Roaming\Seznam.cz"
      4⤵
      System Location Discovery: System Language Discovery
      PID:896
    - - C:\Users\Admin\AppData\Local\Temp\~0F76CAFD.00000658.sznpkg\CPY.EXE
        
        cpy libfoxcub-x64.dll "C:\Users\Admin\AppData\Roaming\Seznam.cz\bin"
        5⤵
        Executes dropped EXE
        
        PID:540
    - - C:\Users\Admin\AppData\Local\Temp\~0F76CAFD.00000658.sznpkg\CPY.EXE
        
        cpy listicka-x64.exe "C:\Users\Admin\AppData\Roaming\Seznam.cz\bin"
        5⤵
        Executes dropped EXE
        
        PID:1600
    - - C:\Users\Admin\AppData\Roaming\Seznam.cz\bin\szndesktop.exe
        
        szndesktop.exe default restart
        5⤵
        Executes dropped EXE
        
        PID:1604
      - C:\Users\Admin\AppData\Roaming\Seznam.cz\bin\szndesktop.exe
        
        szndesktop.exe default restart
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1608
        
        C:\Users\Admin\AppData\Roaming\Seznam.cz\bin\listicka-x64.exe
        
        "C:\Users\Admin\AppData\Roaming\Seznam.cz\bin\listicka-x64.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2308
        
        C:\Users\Admin\AppData\Roaming\Seznam.cz\bin\sznpp.exe
        
        "C:\Users\Admin\AppData\Roaming\Seznam.cz\bin\sznpp.exe" report-startup
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2100
  - - C:\Users\Admin\AppData\Local\Temp\~0F76CAFD.00000658.sznpkg\unzip.exe
      C:\Users\Admin\AppData\Local\Temp\~0F76CAFD.00000658.sznpkg\unzip.exe -d C:\Users\Admin\AppData\Local\Temp\~0F76D308.00000658.sznpkg -o C:\Users\Admin\AppData\Roaming\Seznam.cz\install\cz.seznam.software.ielisticka3-3.3.1-win32.zip
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2340
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /S /C "install.bat C:\Users\Admin\AppData\Roaming\Seznam.cz"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2028
  - - C:\Users\Admin\AppData\Local\Temp\~0F76CAFD.00000658.sznpkg\unzip.exe
      C:\Users\Admin\AppData\Local\Temp\~0F76CAFD.00000658.sznpkg\unzip.exe -d C:\Users\Admin\AppData\Local\Temp\~0F76D365.00000658.sznpkg -o C:\Users\Admin\AppData\Roaming\Seznam.cz\install\szn-software-fflisticka-4.0.4-win32.zip
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2172
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /S /C "install.bat C:\Users\Admin\AppData\Roaming\Seznam.cz"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2820
    - - C:\Users\Admin\AppData\Roaming\Seznam.cz\bin\sznpp.exe
        
        "C:\Users\Admin\AppData\Roaming\Seznam.cz\bin\sznpp.exe" install_ff "C:\Users\Admin\AppData\Roaming\Seznam.cz\data\fflisticka\seznam_pro_firefox_email-4.0.4-an+fx-windows.xpi"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1328
    - - C:\Users\Admin\AppData\Roaming\Seznam.cz\bin\sznpp.exe
        
        "C:\Users\Admin\AppData\Roaming\Seznam.cz\bin\sznpp.exe" install_ff "C:\Users\Admin\AppData\Roaming\Seznam.cz\data\fflisticka\[email protected]"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1692
    - - C:\Users\Admin\AppData\Roaming\Seznam.cz\bin\sznpp.exe
        
        "C:\Users\Admin\AppData\Roaming\Seznam.cz\bin\sznpp.exe" install-firefox-nm
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1284
  - - C:\Users\Admin\AppData\Local\Temp\~0F76CAFD.00000658.sznpkg\unzip.exe
      C:\Users\Admin\AppData\Local\Temp\~0F76CAFD.00000658.sznpkg\unzip.exe -d C:\Users\Admin\AppData\Local\Temp\~0F76E82D.00000658.sznpkg -o C:\Users\Admin\AppData\Roaming\Seznam.cz\install\cz.seznam.software.chromelisticka-2.0.4-win32.zip
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1932
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /S /C "install.bat C:\Users\Admin\AppData\Roaming\Seznam.cz"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2772
    - - C:\Users\Admin\AppData\Roaming\Seznam.cz\bin\sznpp.exe
        
        "C:\Users\Admin\AppData\Roaming\Seznam.cz\bin\sznpp.exe" install-chrome all
        5⤵
        
        PID:2156
      - C:\Users\Admin\AppData\Roaming\Seznam.cz\bin\sznpp_64.exe
        
        "C:\Users\Admin\AppData\Roaming\Seznam.cz\bin\sznpp.exe" install-chrome all
        6⤵
        
        PID:2896
    - - C:\Users\Admin\AppData\Roaming\Seznam.cz\bin\sznpp.exe
        
        "C:\Users\Admin\AppData\Roaming\Seznam.cz\bin\sznpp.exe" install-chrome-nm
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2872
  - - C:\Users\Admin\AppData\Local\Temp\~0F76CAFD.00000658.sznpkg\unzip.exe
      C:\Users\Admin\AppData\Local\Temp\~0F76CAFD.00000658.sznpkg\unzip.exe -d C:\Users\Admin\AppData\Local\Temp\~0F770406.00000658.sznpkg -o C:\Users\Admin\AppData\Roaming\Seznam.cz\install\com.microsoft.msdn.msvcr100-10.0.40219.325-win32.zip
      4⤵
      System Location Discovery: System Language Discovery
      PID:1356
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /S /C "install.bat C:\Users\Admin\AppData\Roaming\Seznam.cz"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1820
    - - C:\Users\Admin\AppData\Local\Temp\~0F76CAFD.00000658.sznpkg\CPY.EXE
        
        cpy msvcp100.dll "C:\Users\Admin\AppData\Roaming\Seznam.cz\bin"
        5⤵
        
        PID:2288
    - - C:\Users\Admin\AppData\Local\Temp\~0F76CAFD.00000658.sznpkg\CPY.EXE
        
        cpy msvcr100.dll "C:\Users\Admin\AppData\Roaming\Seznam.cz\bin"
        5⤵
        
        PID:2440
  - - C:\Users\Admin\AppData\Local\Temp\~0F76CAFD.00000658.sznpkg\unzip.exe
      C:\Users\Admin\AppData\Local\Temp\~0F76CAFD.00000658.sznpkg\unzip.exe -d C:\Users\Admin\AppData\Local\Temp\~0F770474.00000658.sznpkg -o C:\Users\Admin\AppData\Roaming\Seznam.cz\install\cz.seznam.software.pp-1.0.2-win32.zip
      4⤵
      System Location Discovery: System Language Discovery
      PID:320
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /S /C "install.bat C:\Users\Admin\AppData\Roaming\Seznam.cz"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1600
    - - C:\Users\Admin\AppData\Local\Temp\~0F76CAFD.00000658.sznpkg\CPY.EXE
        
        cpy unlockInstance.dll "C:\Users\Admin\AppData\Roaming\Seznam.cz\bin"
        5⤵
        
        PID:1604
    - - C:\Users\Admin\AppData\Local\Temp\~0F76CAFD.00000658.sznpkg\CPY.EXE
        
        cpy unlockInstance.conf "C:\Users\Admin\AppData\Roaming\Seznam.cz\conf\szndesktop.d"
        5⤵
        
        PID:884
    - - C:\Users\Admin\AppData\Roaming\Seznam.cz\bin\szndesktop.exe
        
        szndesktop.exe default restart
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2296
      - C:\Users\Admin\AppData\Roaming\Seznam.cz\bin\szndesktop.exe
        
        szndesktop.exe default restart
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2348
        
        C:\Users\Admin\AppData\Roaming\Seznam.cz\bin\sznpp.exe
        
        "C:\Users\Admin\AppData\Roaming\Seznam.cz\bin\sznpp.exe" install-chrome retry
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2068
        
        C:\Users\Admin\AppData\Roaming\Seznam.cz\bin\sznpp_64.exe
        
        "C:\Users\Admin\AppData\Roaming\Seznam.cz\bin\sznpp.exe" install-chrome retry
        8⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2688
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        chrome.exe --no-default-browser-check --new-window about:blank
        9⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2024
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6f59758,0x7fef6f59768,0x7fef6f59778
        10⤵
        
        PID:1200
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1132 --field-trial-handle=1236,i,8357633516942697112,7136952856304417177,131072 /prefetch:2
        10⤵
        
        PID:3036
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1492 --field-trial-handle=1236,i,8357633516942697112,7136952856304417177,131072 /prefetch:8
        10⤵
        
        PID:1268
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1584 --field-trial-handle=1236,i,8357633516942697112,7136952856304417177,131072 /prefetch:8
        10⤵
        
        PID:1456
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2208 --field-trial-handle=1236,i,8357633516942697112,7136952856304417177,131072 /prefetch:1
        10⤵
        
        PID:2760
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2220 --field-trial-handle=1236,i,8357633516942697112,7136952856304417177,131072 /prefetch:1
        10⤵
        
        PID:2652
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1128 --field-trial-handle=1236,i,8357633516942697112,7136952856304417177,131072 /prefetch:2
        10⤵
        
        PID:760
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3228 --field-trial-handle=1236,i,8357633516942697112,7136952856304417177,131072 /prefetch:8
        10⤵
        
        PID:2980
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1404 --field-trial-handle=1236,i,8357633516942697112,7136952856304417177,131072 /prefetch:8
        10⤵
        
        PID:992
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3296 --field-trial-handle=1236,i,8357633516942697112,7136952856304417177,131072 /prefetch:8
        10⤵
        
        PID:2252
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3288 --field-trial-handle=1236,i,8357633516942697112,7136952856304417177,131072 /prefetch:8
        10⤵
        
        PID:1972
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3312 --field-trial-handle=1236,i,8357633516942697112,7136952856304417177,131072 /prefetch:8
        10⤵
        
        PID:1284
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1400 --field-trial-handle=1236,i,8357633516942697112,7136952856304417177,131072 /prefetch:8
        10⤵
        
        PID:752
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        chrome.exe --no-default-browser-check --new-window about:blank
        9⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1992
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6f59758,0x7fef6f59768,0x7fef6f59778
        10⤵
        
        PID:1916
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1184 --field-trial-handle=1312,i,14870618412897175204,543476431811498286,131072 /prefetch:2
        10⤵
        
        PID:2668
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1536 --field-trial-handle=1312,i,14870618412897175204,543476431811498286,131072 /prefetch:8
        10⤵
        
        PID:2316
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1624 --field-trial-handle=1312,i,14870618412897175204,543476431811498286,131072 /prefetch:8
        10⤵
        
        PID:1292
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2272 --field-trial-handle=1312,i,14870618412897175204,543476431811498286,131072 /prefetch:1
        10⤵
        
        PID:1724
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2292 --field-trial-handle=1312,i,14870618412897175204,543476431811498286,131072 /prefetch:1
        10⤵
        
        PID:1984
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2992 --field-trial-handle=1312,i,14870618412897175204,543476431811498286,131072 /prefetch:8
        10⤵
        
        PID:320
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1424 --field-trial-handle=1312,i,14870618412897175204,543476431811498286,131072 /prefetch:2
        10⤵
        
        PID:860
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1420 --field-trial-handle=1312,i,14870618412897175204,543476431811498286,131072 /prefetch:8
        10⤵
        
        PID:2248
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1136 --field-trial-handle=1312,i,14870618412897175204,543476431811498286,131072 /prefetch:8
        10⤵
        
        PID:1692
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3452 --field-trial-handle=1312,i,14870618412897175204,543476431811498286,131072 /prefetch:8
        10⤵
        
        PID:1988
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2976 --field-trial-handle=1312,i,14870618412897175204,543476431811498286,131072 /prefetch:8
        10⤵
        
        PID:2548
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3416 --field-trial-handle=1312,i,14870618412897175204,543476431811498286,131072 /prefetch:8
        10⤵
        
        PID:1312
        
        C:\Users\Admin\AppData\Roaming\Seznam.cz\bin\listicka-x64.exe
        
        "C:\Users\Admin\AppData\Roaming\Seznam.cz\bin\listicka-x64.exe"
        7⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2708
        
        C:\Users\Admin\AppData\Roaming\Seznam.cz\bin\sznpp.exe
        
        "C:\Users\Admin\AppData\Roaming\Seznam.cz\bin\sznpp.exe" report-startup
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2668
  - - C:\Users\Admin\AppData\Local\Temp\~0F76CAFD.00000658.sznpkg\unzip.exe
      C:\Users\Admin\AppData\Local\Temp\~0F76CAFD.00000658.sznpkg\unzip.exe -d C:\Users\Admin\AppData\Local\Temp\~0F770712.00000658.sznpkg -o C:\Users\Admin\AppData\Roaming\Seznam.cz\install\szn-software-listicka-3.0.0-win32.zip
      4⤵
      System Location Discovery: System Language Discovery
      PID:2652
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /S /C "install.bat C:\Users\Admin\AppData\Roaming\Seznam.cz"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2604
    - - C:\Users\Admin\AppData\Roaming\Seznam.cz\sznsetup.exe
        
        "C:\Users\Admin\AppData\Roaming\Seznam.cz\sznsetup.exe" -A 49391 cd "C:\Users\Admin\AppData\Roaming\Seznam.cz"
        5⤵
        
        PID:2096
    - - C:\Users\Admin\AppData\Roaming\Seznam.cz\sznsetup.exe
        
        "C:\Users\Admin\AppData\Roaming\Seznam.cz\sznsetup.exe" -A 49391 "C:\Users\Admin\AppData\Local\Temp\~0F770712.00000658.sznpkg\install.bat" ADMINPHASE . "C:\Program Files (x86)\Seznam.cz\distribution"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:840
    - - C:\Users\Admin\AppData\Local\Temp\~0F76CAFD.00000658.sznpkg\REG.EXE
        
        REG ADD "HKEY_CURRENT_USER\SOFTWARE\Seznam.cz\distribution" /f /v "listicka" /t REG_DWORD /d 1
        5⤵
        
        PID:2432
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /S /C "C:\Users\Admin\AppData\Roaming\Seznam.cz\uninstall\cz_seznam_software_libszndesktop_2_1_29.reconfigure.bat C:\Users\Admin\AppData\Roaming\Seznam.cz"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2588
    - - C:\Users\Admin\AppData\Roaming\Seznam.cz\bin\szndesktop.exe
        
        "C:\Users\Admin\AppData\Roaming\Seznam.cz\bin\szndesktop.exe" default restart
        5⤵
        
        PID:1304
      - C:\Users\Admin\AppData\Roaming\Seznam.cz\bin\szndesktop.exe
        
        "C:\Users\Admin\AppData\Roaming\Seznam.cz\bin\szndesktop.exe" default restart
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:280
        
        C:\Users\Admin\AppData\Roaming\Seznam.cz\bin\sznpp.exe
        
        "C:\Users\Admin\AppData\Roaming\Seznam.cz\bin\sznpp.exe" install-chrome retry
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2916
        
        C:\Users\Admin\AppData\Roaming\Seznam.cz\bin\listicka-x64.exe
        
        "C:\Users\Admin\AppData\Roaming\Seznam.cz\bin\listicka-x64.exe"
        7⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2156
        
        C:\Users\Admin\AppData\Roaming\Seznam.cz\bin\sznpp.exe
        
        "C:\Users\Admin\AppData\Roaming\Seznam.cz\bin\sznpp.exe" report-startup
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2856
- - C:\Users\Admin\AppData\Roaming\Seznam.cz\szninstall.exe
    "C:\Users\Admin\AppData\Roaming\Seznam.cz\szninstall.exe" -S 49391
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3020
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\~0F770712.00000658.sznpkg\install.bat ADMINPHASE . "C:\Program Files (x86)\Seznam.cz\distribution"
      4⤵
      Drops file in Program Files directory
      PID:3024
    - - C:\Users\Admin\AppData\Roaming\Seznam.cz\sznsetup.exe
        
        ".\sznsetup.exe" -T "C:\Program Files (x86)\Seznam.cz\distribution" -R "C:\Program Files (x86)\Seznam.cz\distribution\install"
        5⤵
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:696
    - - C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /S /Y /G /I ".\install\*.*" "C:\Program Files (x86)\Seznam.cz\distribution\install"
        5⤵
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        
        PID:1328
    - - C:\Users\Admin\AppData\Local\Temp\~0F76CAFD.00000658.sznpkg\REG.EXE
        
        REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /f /v "seznam-listicka-distribuce" /d "\"C:\Program Files (x86)\Seznam.cz\distribution\szninstall.exe\" -s -d listicka 1 szn-software-listicka cz.seznam.software.autoupdate"
        5⤵
        Adds Run key to start application
        
        PID:2276
- - C:\Users\Admin\AppData\Roaming\Seznam.cz\sznsetup.exe
    C:\Users\Admin\AppData\Roaming\Seznam.cz\sznsetup.exe -V
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1772

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2108

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\36b83909-b3e1-440c-8d9d-d7478788b99b.tmp

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\4ac431b6-2648-4e15-acaf-08f8e8de4f43.tmp

Filesize
327KB

MD5
c2f1546a135c8836d6a8bfb3c559b6d0

SHA1
d3238a20b50293d15a80756329d418097b761d89

SHA256
6c9d2691315782f416d68b824be846e2df63b873068ea2ef1d37c61a6cc181b8

SHA512
867f4aff854f8d310d8105f5e813a806b8cc697516c13e42d7c55c913da2fa3bbbb0747e7eea5f3c7aab2c3599746cb55c14bdb6ed0d2e3b01dd27711b56a8d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
6440e5b4ea3156744e4a29d42c8a2bd7

SHA1
da7b625fdca100cadf355ded3e112a57f8d25866

SHA256
c06f6986514f9e2a2853949c3809aa06a2d39594470ed4ffc77b5a9552565fb7

SHA512
960de88d405bccc917ad98c1cc04b9a3cb2daddd7a53ab5934e27e3bb2b1638dfa81688239db0910b53af711521a998a788ffabcdcaecf36caa0df2a31582d7a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\358764ee-5199-4285-bf19-1529f816c892.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000009.dbtmp

Filesize
16B

MD5
979c29c2917bed63ccf520ece1d18cda

SHA1
65cd81cdce0be04c74222b54d0881d3fdfe4736c

SHA256
b3524365a633ee6d1fa9953638d2867946c515218c497a5ec2dbef7dc44a7c53

SHA512
e38f694fd6ab9f678ae156528230d7a8bfb7b59a13b227f59f9c38ab5617db11ebb6be1276323a905d09c4066a3fe820cf58077ab48bf201f3c467a98516ee7a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\000010.dbtmp

Filesize
16B

MD5
60e3f691077715586b918375dd23c6b0

SHA1
476d3eab15649c40c6aebfb6ac2366db50283d1b

SHA256
e91d13722e31f9b06c5df3582cad1ea5b73547ce3dc08b12ed461f095aad48ee

SHA512
d1c146d27bbf19362d6571e2865bb472ce4fe43dc535305615d92d6a2366f98533747a8a70a578d1f00199f716a61ce39fac5cab9dd67e9c044bc49e7343130e

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir1992_43948354\CRX_INSTALL\manifest.json

Filesize
1KB

MD5
133ccc2d332d15594437e8c95553673f

SHA1
94371e97fa874c2c61b982729a0054a2b606b435

SHA256
15b784fd1b38a3cd48298b278274a6e8273a2daf155be9802110fb8a6555e04c

SHA512
ff8203397dd66c9a0f6eb47f995b37c48c325f93cb204c85029307786ade6972e583a77196446027cd5a6cee53a0994e28af13cb30279d324d82ef8877519cee

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2024_1706980422\ec77daa9-ee1f-4481-9e3e-9be10fff4438.tmp

Filesize
464KB

MD5
989c55975181f7d71d70b05f11b08e16

SHA1
d610b08a556bc02e794728da986d20049db4697c

SHA256
16d60813277d2a09fd36d8914de24212ac1353bab903c3bc6d4d5d92b42388e5

SHA512
bbaf608628b670c7fdb050ab13ba889adb826a7da7e241b2d213ce679861cc5315efdd0b94ad047ca3bdf337c6c3b8c6a49b12edcffdafa0b1629d3a53abae14

Download Submit
C:\Users\Admin\AppData\Local\Temp\sznpp.log

Filesize
4KB

MD5
0f2826feef7c26c3d2bdf83ef10557eb

SHA1
4e4febdd71d8f7acc0f3acd593a91b218f651b90

SHA256
104457f93b1633bfc13f4d1bf424f1f945dd8cd00a4a749b38de2f7e67d54a0b

SHA512
1001d06eb4afd36ceae23f18107ef47d99b650b95a28508e6def6e3ce6bced1719605eb2fe73bf7abfb773fff56aed8b8821bd85035818a5b95d83d638829336

Download Submit
C:\Users\Admin\AppData\Local\Temp\sznpp.log

Filesize
3KB

MD5
ebac53a753aabe7beb5eb997a1e319b0

SHA1
f40a61a81c6985a97ae4164873874c9ec5c00e6f

SHA256
26d3e6dfb1aebb028408a73260b7e705aaa19e3bf20b83b9680a0c39d3495f5f

SHA512
2b540b5cc293ba2fdbdc0bd6306c1abcf1506a68bc9457adba0a7e57b8d16d8e6537016095307c95ad1ff632aeb6ca5adbb58a5c94620af5d680403ef72a7b8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\~0F76C783.00000AE8.sznpkg\control.ini

Filesize
199B

MD5
2a480f9bfdec7fc5af61cfdff2babc6b

SHA1
4aeb25ca881be7a44a316218e796c1abab624ed8

SHA256
16ef9338b5982daa165cae1634297e1f96624a15b67bcaaef45b7b698fed314c

SHA512
458da0fae5688dc679691ca58b68ce86ac32e6611e45ad9e184391c64e6f91a101b4c9f4f06e5b40b6569cff2c955c70b8d7672c574282c532ae2f31ee8f253b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~0F76C783.00000AE8.sznpkg\install.bat

Filesize
90B

MD5
7be26bbb7d13c3c854f880e2d7c77f47

SHA1
e2c44acbc3e683fe54e4c24cc52bd5c64714c8cc

SHA256
0c58ca6afab9755bd17c25d4ac3c602bc12c78b2064fd36e781d7bfd3d55f200

SHA512
8e9cfdc1679a49e5053373e4583bf77d9c9dc4c18bcc4a01ad025d6de644ec0cbe72dadb4f3bfbf1e6873ee588b334b6a91310543c959766c48ec5095b0537d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\~0F76C783.00000AE8.sznpkg\sznsetup.exe

Filesize
2.5MB

MD5
d1fe31dc422eb836424138d422e9a631

SHA1
64541e55685820bb61197c44b8d8e1967f67ac15

SHA256
b558186abd38354ded183eaa3ce8fbc69e174b4e6f7b032f3574ab90f92c98a0

SHA512
60ac6926281597ea0a3b26f52d970175fb6bba4932449e80ac9d0dec40987a18b4947c9c58760864e6df13f7c701408df30a106d56ec178de4df3e26724a96dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\~0F76C783.00000AE8.sznpkg\uninstall.bat

Filesize
21B

MD5
0f2a9391c79202e47e212c8d2c4d6d43

SHA1
79b8df7d9aa3841ac189129472bb1a5020e9b4bf

SHA256
448e9c54e2079dcf42f4211c2b5a6415a0b9f7e80c351ccc32ee3236d6e5520a

SHA512
a649acea21db5fe3de14d4800939280204d1a69f6394eac68c211302f3ac240f21df10d4e4f0c4f07e6a2086e371e894360973a43dc0af87a8a08dc594b03d9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\~0F76C84E.00000AE8.sznpkg\install.bat

Filesize
908B

MD5
93c3affd6e3e86ad9fc944356e55712a

SHA1
8b2abea2446aee93d17cdd58d95b6494aee4783e

SHA256
5e3aebcf7ab3579b7ec48a0589130a961d4a2b7035f99fc9f196b260b62c156a

SHA512
83767a58b605e764a8cf199fb98691b371cb6da2fd7a6cc392632f0188f2d0251a9e6f73381f3212bf41add10b32f187e31c615fa799e4ba5d6cac7c36a2de66

Download Submit
C:\Users\Admin\AppData\Local\Temp\~0F76C84E.00000AE8.sznpkg\szninstall.exe

Filesize
1.0MB

MD5
919f88f5158350947fb255358cea4907

SHA1
2f61718e14335b1f025bcf04e8d4d5a7d1bf6936

SHA256
e67e46dd7185a2b7928bdffa7893cbf7d4bb92e4881f38e9ddb5e582d2d2d48e

SHA512
ae192c862c915c7a236672e7a6130b3842d27e77b3411ffe04f2f451f2d3f7a5ee4a34923595946c0566b3ef001a6d7fb0432ea660da844fac36f21b199f3132

Download Submit
C:\Users\Admin\AppData\Roaming\Seznam.cz\bin\listicka-x64.exe

Filesize
78KB

MD5
d893a7276d60fd252eaffe6e91aac434

SHA1
cfc5619c24f1eb11be5689ce4bf71dde149b69da

SHA256
62df14ced9a313dd632c8161f9e6dbdf74cfae6f2e5dddd1f28b380173e0210e

SHA512
525c314c2d6bba61a7dfc86e0ae9347f9c7184cfb9ccc1ff118446b9ae8e817e8f22a750e3799dde0777991b0a3b6263f5a58f45a54d76ea1504519cda9d9a4f

Download Submit
C:\Users\Admin\AppData\Roaming\Seznam.cz\conf\szndesktop.d\libfoxloader.conf

Filesize
165B

MD5
62a9a0e73b63972a82320b446840acd7

SHA1
26b36890d93f5e51d7d11dfe2285e6a77c0e58fb

SHA256
988d76b0345d673935912df151dfaede7a9892894d22907407b058397cbf174e

SHA512
90f047b66b2236de10b1fe050b07690f24f2492a76d181442ef66839d5334d3be6b8c09990f75066de686f593c6d05dce0eca0940074578c2d9ebfbff1f0c0c6

Download Submit
C:\Users\Admin\AppData\Roaming\Seznam.cz\install.log.848.log

Filesize
24KB

MD5
f34526765c8a07267bce219f1a8117dc

SHA1
ad258b729c38c031131488ea4516b5a3cc34d139

SHA256
a78e2031e177ca22edc8bac760e3fb434d61b11ba8b1e5be5f3c577230c22565

SHA512
bb3766870562322b6d4bc505acd579ddac6ef281450edd60e7580feb7095b017f9b908b0e32595879d101b5c52d6d69956958d5fece9c4a01fa42ee271ce34ea

Download Submit
C:\Users\Admin\AppData\Roaming\Seznam.cz\install\cz.seznam.software.szninstall-1.1.14-win32.zip

Filesize
404KB

MD5
bcd1142eb88f3ccfdf1c50ea60cfbc23

SHA1
8f5b28dba299b667098761ca12a9cdedcac045cc

SHA256
13a128092fc1f1a080ee7c3409d072ac04251028e771301ceb66008d86ee18af

SHA512
a82b94d3297e429335570d61221dedf92d4226952b87cce5ff7e1a6b3a8e9a3d0127f81b1748c5e3f58c032555a7ce9513c8ebeb247ced7352ac760b69c04c96

Download Submit
C:\Users\Admin\AppData\Roaming\Seznam.cz\install\cz.seznam.software.sznsetup-1.2.6-win32.zip

Filesize
1.1MB

MD5
457f45d1dd530d03defd57ce13ea6568

SHA1
6bdaff63863e54c18980e6d2bf406abb7279d70a

SHA256
a5da40f3b5a597d6dec28632a262efee7d5754ff40176c8fd964b72e7febe42b

SHA512
4adcfffd87d6fbeda4a6740a61fcca89e457ef002e9d0be73f4ba702061697831e87e02a5bb7bc6d58e63a0c774f67baa14ff80fdfda614a4e9bd961f1c20565

Download Submit
C:\Users\Admin\AppData\Roaming\Seznam.cz\install\packages.inf

Filesize
11KB

MD5
f697b45dfbc054244dbd7c0b84a6978d

SHA1
3a8dd4a006489f666283ce878bfcb9d1d6429e97

SHA256
93566bc8cd8aaa71da3d8e7de5c27b79566231e37ae9de6ba1be47cedcfe24e5

SHA512
93322c3c7b56b064b2364c55c8400fda2f25a356788235271a7def4ede827417b4a9efcdb2a1ab59f4398f2c074d81fc7fe90b48694378ce65e1800ad28a63ba

Download Submit
C:\Users\Admin\AppData\Roaming\Seznam.cz\packages.inf.$$$

Filesize
12KB

MD5
5dd0ae07069fb1e10b861f5ac6ed52fd

SHA1
6f1b153f7804f2c8b20258bc4fc762fcaebad94d

SHA256
4158a99be96d698271605c90ac951dd2a6a7d5128ade615d140859e7a147178f

SHA512
c30fd8e36089509000d97bf9397b43363a88914c77af214334146904d573dc0bab7f27c6932b950a8f9e6aa6362c5c50c999e6e3ab930fbc9a9e103dd4d0d2af

Download Submit
C:\Users\Admin\AppData\Roaming\Seznam.cz\sources.inf

Filesize
45B

MD5
8efb99dc1764c24a3afd26525cb801ae

SHA1
ef3001d662dc98ef5dcf2b971e6715bfbc4ffe50

SHA256
ea7af9470621ffdd4b4afb4380c0e0ec1fdd5f6d2d1b371304290474ac1c9b4a

SHA512
cf1a8b52d569dbd580473d95f213499b66f2e925134530ecf821a4b36a5701dee1a33b521859e3c1aa57a834ac7fbc8a830bcb51629755dd193895027b537b96

Download Submit
C:\Users\Admin\AppData\Roaming\Seznam.cz\uninstall\szn_software_fflisticka_4_0_4.install.bat

Filesize
702B

MD5
3743770e322d1b0f702e45f7c61ee1ce

SHA1
e5c6fa909d280484cb7223d68cbf116966bdb5fe

SHA256
443501e95ffcbd5e050aeaac1c7e0b657d892039165712b4a9cacd6557f17908

SHA512
0ffbf17749e4900512b92f0ef022747aace495d0df41594e84901d9e84a36e8732c9fea13591b97d3bd9984a4893584d934c1017a947feb5c3ec719c02c16da1

Download Submit
C:\Users\Admin\AppData\Roaming\Seznam.cz\uninstall\szn_software_fflisticka_4_0_4.uninstall.bat

Filesize
448B

MD5
054b05bc8bc79bda4d251e806dca7000

SHA1
952ecc5584d21fabe3fa4525b316ae7a2a563209

SHA256
a8e2256d67af00b8660a08d45cdde983abc87eb200d9fa887eaa5ab6c0797467

SHA512
e4eb2ac8194fe48bdf3e464a3c69ac748cbdb964013f8ed9a64f94220d7ac8e91399b62017309af3a4259ddbaeaec3c339bcdfa208be85dbf90c6e1bd10af13a

Download Submit
\Users\Admin\AppData\Local\Temp\nsdB6C3.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nsdB6C3.tmp\UserInfo.dll

Filesize
4KB

MD5
7579ade7ae1747a31960a228ce02e666

SHA1
8ec8571a296737e819dcf86353a43fcf8ec63351

SHA256
564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5

SHA512
a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

Download Submit
\Users\Admin\AppData\Local\Temp\nsdB6C3.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\~0F76BA98.00000AE8.sznpkg\REG.EXE

Filesize
20KB

MD5
f0c0d05727a4e1e91f4347c2270500aa

SHA1
8f26b474cb7a8f8ace40e98574034d7322b1fbe8

SHA256
aa7c78cede348c8db9f932c2c54ee746e6b528691811de44578d238ba02721e2

SHA512
7fe720efd2a94624dfa5492afa6d0342cad232bcf8159d59ad2e52d8a21be1566bc457e980185bbf8e1332fd48199a1ad9d18b076cbb39f1011dc24b2601a25a

Download Submit
\Users\Admin\AppData\Local\Temp\~0F76BA98.00000AE8.sznpkg\UNZIP.EXE

Filesize
72KB

MD5
3fc25896b5b2fb8e20f28fab8c0e1143

SHA1
4019015aba1d7b6bcf4c3ca422b981eb2c0aa4d3

SHA256
b6d228616b5ad31449f4da41aeec9a6fc7a18fe51f672233fc7f6cae07e7f117

SHA512
6175fe637408d0d5c4ebc27fc39593d9b92fddd247303dbed652d7a5c7a05454ddfa21c8aff9a470894dc5dfa581123a53c02da650843e4f18156254b63802d1

Download Submit
\Users\Admin\AppData\Roaming\Seznam.cz\sznsetup-lt.exe

Filesize
1.2MB

MD5
9033dbee427815f396f63928c3273862

SHA1
999a21163538790c49640969648818410ac3ef5c

SHA256
d73b8aeb672800608ad5df8351cbf38f7b7a6e56781c75827e7d10025ecddc6a

SHA512
efd48a08883cb19e704ba5b867f41edf25237f7ef55b3e408ca993fadfafc569b1bbfce3f2e1981444887866686835defe06c3a58c19d05792e2a5c53627394e

Download Submit
memory/320-655-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/728-118-0x0000000001000000-0x000000000101E000-memory.dmp

Filesize
120KB

Download
memory/760-211-0x0000000001000000-0x000000000101E000-memory.dmp

Filesize
120KB

Download
memory/760-209-0x0000000001000000-0x000000000101E000-memory.dmp

Filesize
120KB

Download
memory/860-322-0x0000000001000000-0x000000000101E000-memory.dmp

Filesize
120KB

Download
memory/1016-371-0x0000000001000000-0x000000000101E000-memory.dmp

Filesize
120KB

Download
memory/1080-367-0x0000000001000000-0x000000000101E000-memory.dmp

Filesize
120KB

Download
memory/1108-176-0x0000000001000000-0x000000000101E000-memory.dmp

Filesize
120KB

Download
memory/1236-125-0x0000000001000000-0x000000000101E000-memory.dmp

Filesize
120KB

Download
memory/1268-320-0x0000000002260000-0x000000000227E000-memory.dmp

Filesize
120KB

Download
memory/1288-135-0x0000000001000000-0x000000000101E000-memory.dmp

Filesize
120KB

Download
memory/1304-365-0x0000000001000000-0x000000000101E000-memory.dmp

Filesize
120KB

Download
memory/1356-633-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1624-556-0x0000000000810000-0x000000000084F000-memory.dmp

Filesize
252KB

Download
memory/1624-200-0x0000000000810000-0x000000000084F000-memory.dmp

Filesize
252KB

Download
memory/1624-220-0x0000000000810000-0x000000000084F000-memory.dmp

Filesize
252KB

Download
memory/1624-535-0x0000000000810000-0x000000000084F000-memory.dmp

Filesize
252KB

Download
memory/1624-486-0x0000000000810000-0x000000000084F000-memory.dmp

Filesize
252KB

Download
memory/1624-466-0x0000000000810000-0x000000000084F000-memory.dmp

Filesize
252KB

Download
memory/1624-438-0x0000000000810000-0x000000000084F000-memory.dmp

Filesize
252KB

Download
memory/1624-221-0x0000000000810000-0x000000000084F000-memory.dmp

Filesize
252KB

Download
memory/1624-391-0x0000000000810000-0x000000000084F000-memory.dmp

Filesize
252KB

Download
memory/1624-622-0x0000000000810000-0x000000000084F000-memory.dmp

Filesize
252KB

Download
memory/1624-644-0x0000000000810000-0x000000000084F000-memory.dmp

Filesize
252KB

Download
memory/1624-331-0x0000000000810000-0x000000000084F000-memory.dmp

Filesize
252KB

Download
memory/1624-669-0x0000000000810000-0x000000000084F000-memory.dmp

Filesize
252KB

Download
memory/1624-670-0x0000000000810000-0x000000000084F000-memory.dmp

Filesize
252KB

Download
memory/1624-369-0x0000000000810000-0x000000000084F000-memory.dmp

Filesize
252KB

Download
memory/1688-151-0x0000000001000000-0x000000000101E000-memory.dmp

Filesize
120KB

Download
memory/1732-121-0x0000000000170000-0x000000000018E000-memory.dmp

Filesize
120KB

Download
memory/1732-108-0x0000000000170000-0x000000000018E000-memory.dmp

Filesize
120KB

Download
memory/1732-109-0x0000000000170000-0x000000000018E000-memory.dmp

Filesize
120KB

Download
memory/1732-117-0x0000000000170000-0x000000000018E000-memory.dmp

Filesize
120KB

Download
memory/1732-128-0x0000000000170000-0x000000000018E000-memory.dmp

Filesize
120KB

Download
memory/1732-144-0x0000000000170000-0x000000000018E000-memory.dmp

Filesize
120KB

Download
memory/1732-150-0x0000000000170000-0x000000000018E000-memory.dmp

Filesize
120KB

Download
memory/1732-155-0x0000000000170000-0x000000000018E000-memory.dmp

Filesize
120KB

Download
memory/1812-208-0x0000000000170000-0x000000000018E000-memory.dmp

Filesize
120KB

Download
memory/1932-140-0x0000000001000000-0x000000000101E000-memory.dmp

Filesize
120KB

Download
memory/1932-564-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1976-299-0x0000000001000000-0x000000000101E000-memory.dmp

Filesize
120KB

Download
memory/1976-300-0x0000000001000000-0x000000000101E000-memory.dmp

Filesize
120KB

Download
memory/1984-130-0x0000000001000000-0x000000000101E000-memory.dmp

Filesize
120KB

Download
memory/2016-207-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2020-452-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2040-352-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2144-162-0x0000000001000000-0x000000000101E000-memory.dmp

Filesize
120KB

Download
memory/2164-294-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2172-500-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2172-488-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2276-756-0x0000000001000000-0x000000000101E000-memory.dmp

Filesize
120KB

Download
memory/2276-157-0x0000000001000000-0x000000000101E000-memory.dmp

Filesize
120KB

Download
memory/2292-228-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2340-474-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2388-113-0x0000000001000000-0x000000000101E000-memory.dmp

Filesize
120KB

Download
memory/2388-111-0x0000000001000000-0x000000000101E000-memory.dmp

Filesize
120KB

Download
memory/2392-166-0x0000000001000000-0x000000000101E000-memory.dmp

Filesize
120KB

Download
memory/2432-760-0x0000000001000000-0x000000000101E000-memory.dmp

Filesize
120KB

Download
memory/2604-761-0x0000000000270000-0x000000000028E000-memory.dmp

Filesize
120KB

Download
memory/2640-248-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2652-681-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2700-72-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2736-100-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2792-123-0x0000000000640000-0x000000000067F000-memory.dmp

Filesize
252KB

Download
memory/2792-89-0x0000000000640000-0x000000000067F000-memory.dmp

Filesize
252KB

Download
memory/2792-55-0x0000000000640000-0x000000000067F000-memory.dmp

Filesize
252KB

Download
memory/2808-403-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2836-267-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2872-366-0x0000000000130000-0x000000000014E000-memory.dmp

Filesize
120KB

Download
memory/2872-368-0x0000000000130000-0x000000000014E000-memory.dmp

Filesize
120KB

Download
memory/2884-146-0x0000000001000000-0x000000000101E000-memory.dmp

Filesize
120KB

Download
memory/2904-171-0x0000000001000000-0x000000000101E000-memory.dmp

Filesize
120KB

Download
memory/3024-754-0x0000000000190000-0x00000000001AE000-memory.dmp

Filesize
120KB

Download
memory/3024-755-0x0000000000190000-0x00000000001AE000-memory.dmp

Filesize
120KB

Download
memory/3036-318-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download