11fe7a13ad470ff3c39423f1ebb5b7abff8cf8a656d2ac97c0183d680d07687c

Analysis

max time kernel
124s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02-10-2024 10:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$1/listicka.exe
Size

10.7MB
MD5

b29bfd8ee3a426894b4ca3753e5b62a8
SHA1

47dca130179d877abc85cd7046a469c3ac74f502
SHA256

d3d7e6b3f65ba7375d356da4818f8caf09b185e200dd97310abeada793d82077
SHA512

2ddbf6c4d38029089db20bbf8d942bc852e6e48dda834e492be423ab5556c33bd180b2b4ea2de791d48edc581ed819f36583d3142293ad6fc53ec794ec5a4eb3
SSDEEP

196608:kdj55vVVlA1+bzOkUHQGuhlL3indHXPhiSpIUi5cOong7YflZP9uKy8Mpg:o5FHW1+zOkT7Kd3P43Uz5gglZPAg

Score

7^/10

discovery persistence spyware stealer upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

szninstall.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	szninstall.exe

Executes dropped EXE 64 IoCs

Processes:

sznsetup-lt.exesznsetup-lt.exeunzip.exeunzip.exeREG.EXEREG.EXEREG.EXEREG.EXEREG.EXEREG.EXEREG.EXEREG.EXEREG.EXEREG.EXEREG.EXEREG.EXEREG.EXEszninstall.exesznsetup.exesznsetup.exeunzip.exeREG.EXEunzip.exeunzip.exeCPY.EXECPY.EXEunzip.exeCPY.EXEunzip.exeCPY.EXECPY.EXECPY.EXECPY.EXEREG.EXEunzip.exeCPY.EXEREG.EXEunzip.exeCPY.EXECPY.EXECPY.EXECPY.EXECPY.EXECPY.EXECPY.EXECPY.EXEREG.EXEREG.EXEREG.EXEsznpp.exeunzip.exeunzip.exeCPY.EXECPY.EXEszndesktop.exeszndesktop.exelisticka-x64.exesznpp.exeunzip.exeunzip.exesznpp.exesznpp.exesznpp.exeunzip.exe

pid	process
5108	sznsetup-lt.exe
5100	sznsetup-lt.exe
1480	unzip.exe
244	unzip.exe
3112	REG.EXE
312	REG.EXE
692	REG.EXE
3372	REG.EXE
4084	REG.EXE
756	REG.EXE
1948	REG.EXE
2852	REG.EXE
3996	REG.EXE
4976	REG.EXE
3100	REG.EXE
1372	REG.EXE
2976	REG.EXE
3464	szninstall.exe
3992	sznsetup.exe
3012	sznsetup.exe
4676	unzip.exe
2296	REG.EXE
3480	unzip.exe
5044	unzip.exe
2592	CPY.EXE
4728	CPY.EXE
4280	unzip.exe
3852	CPY.EXE
3324	unzip.exe
2024	CPY.EXE
4564	CPY.EXE
2164	CPY.EXE
4820	CPY.EXE
2508	REG.EXE
3932	unzip.exe
2128	CPY.EXE
5016	REG.EXE
4896	unzip.exe
4180	CPY.EXE
1260	CPY.EXE
3620	CPY.EXE
3952	CPY.EXE
1488	CPY.EXE
3156	CPY.EXE
4972	CPY.EXE
536	CPY.EXE
740	REG.EXE
3612	REG.EXE
3084	REG.EXE
1148	sznpp.exe
2840	unzip.exe
404	unzip.exe
5000	CPY.EXE
2336	CPY.EXE
4476	szndesktop.exe
4296	szndesktop.exe
1524	listicka-x64.exe
4576	sznpp.exe
3912	unzip.exe
2320	unzip.exe
1660	sznpp.exe
2020	sznpp.exe
1488	sznpp.exe
3412	unzip.exe

Loads dropped DLL 61 IoCs

Processes:

listicka.exerundll32.exeszndesktop.exeszndesktop.exelisticka-x64.exesznpp_64.exeszndesktop.exeszndesktop.exelisticka-x64.exeszninstall.exeszndesktop.exeszndesktop.exelisticka-x64.exesznpp_64.exechrome.exechrome.exechrome.exesetup.exesetup.exechrome.exechrome.exe

pid	process
3052	listicka.exe
3052	listicka.exe
3052	listicka.exe
3052	listicka.exe
3052	listicka.exe
3052	listicka.exe
3052	listicka.exe
3052	listicka.exe
4780	rundll32.exe
4780	rundll32.exe
4476	szndesktop.exe
4476	szndesktop.exe
4476	szndesktop.exe
4476	szndesktop.exe
4476	szndesktop.exe
4476	szndesktop.exe
4296	szndesktop.exe
4296	szndesktop.exe
4296	szndesktop.exe
4296	szndesktop.exe
1524	listicka-x64.exe
2284	sznpp_64.exe
3064	szndesktop.exe
3064	szndesktop.exe
3064	szndesktop.exe
3064	szndesktop.exe
5072	szndesktop.exe
5072	szndesktop.exe
5072	szndesktop.exe
5072	szndesktop.exe
244	listicka-x64.exe
3464	szninstall.exe
1076	szndesktop.exe
1076	szndesktop.exe
1076	szndesktop.exe
1076	szndesktop.exe
232	szndesktop.exe
232	szndesktop.exe
232	szndesktop.exe
232	szndesktop.exe
1540	listicka-x64.exe
3464	szninstall.exe
3388
3052	listicka.exe
5016	sznpp_64.exe
2656	chrome.exe
2656	chrome.exe
4408	chrome.exe
4408	chrome.exe
3388
452	chrome.exe
452	chrome.exe
4900	setup.exe
4900	setup.exe
3156	setup.exe
3156	setup.exe
1780	chrome.exe
1780	chrome.exe
4844	chrome.exe
4844	chrome.exe
5016	sznpp_64.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

REG.EXEREG.EXEREG.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cz.seznam.software.autoupdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\Seznam.cz\\szninstall.exe\" -c"	REG.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cz.seznam.software.szndesktop = "\"C:\\Users\\Admin\\AppData\\Roaming\\Seznam.cz\\bin\\wszndesktop.exe\" -q"	REG.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\seznam-listicka-distribuce = "\"C:\\Program Files (x86)\\Seznam.cz\\distribution\\szninstall.exe\" -s -d listicka 1 szn-software-listicka cz.seznam.software.autoupdate"	REG.EXE

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

UPX packed file 42 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\~0E578C52.000013EC.sznpkg\UNZIP.EXE	upx
behavioral4/memory/1480-69-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral4/memory/1480-80-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral4/memory/244-102-0x0000000000400000-0x000000000043F000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\~0E578C52.000013EC.sznpkg\REG.EXE	upx
behavioral4/memory/3112-109-0x0000000001000000-0x000000000101E000-memory.dmp	upx
behavioral4/memory/3112-112-0x0000000001000000-0x000000000101E000-memory.dmp	upx
behavioral4/memory/312-115-0x0000000001000000-0x000000000101E000-memory.dmp	upx
behavioral4/memory/692-118-0x0000000001000000-0x000000000101E000-memory.dmp	upx
behavioral4/memory/3372-120-0x0000000001000000-0x000000000101E000-memory.dmp	upx
behavioral4/memory/4084-122-0x0000000001000000-0x000000000101E000-memory.dmp	upx
behavioral4/memory/756-124-0x0000000001000000-0x000000000101E000-memory.dmp	upx
behavioral4/memory/1948-126-0x0000000001000000-0x000000000101E000-memory.dmp	upx
behavioral4/memory/2852-128-0x0000000001000000-0x000000000101E000-memory.dmp	upx
behavioral4/memory/3996-130-0x0000000001000000-0x000000000101E000-memory.dmp	upx
behavioral4/memory/4976-132-0x0000000001000000-0x000000000101E000-memory.dmp	upx
behavioral4/memory/3100-134-0x0000000001000000-0x000000000101E000-memory.dmp	upx
behavioral4/memory/1372-136-0x0000000001000000-0x000000000101E000-memory.dmp	upx
behavioral4/memory/2976-139-0x0000000001000000-0x000000000101E000-memory.dmp	upx
behavioral4/memory/4676-201-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral4/memory/2296-206-0x0000000001000000-0x000000000101E000-memory.dmp	upx
behavioral4/memory/3480-223-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral4/memory/5044-241-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral4/memory/4280-257-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral4/memory/3324-279-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral4/memory/2508-284-0x0000000001000000-0x000000000101E000-memory.dmp	upx
behavioral4/memory/3932-299-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral4/memory/5016-302-0x0000000001000000-0x000000000101E000-memory.dmp	upx
behavioral4/memory/4896-327-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral4/memory/740-340-0x0000000001000000-0x000000000101E000-memory.dmp	upx
behavioral4/memory/3612-342-0x0000000001000000-0x000000000101E000-memory.dmp	upx
behavioral4/memory/3084-343-0x0000000001000000-0x000000000101E000-memory.dmp	upx
behavioral4/memory/2840-369-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral4/memory/404-412-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral4/memory/3912-430-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral4/memory/2320-449-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral4/memory/3412-504-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral4/memory/2272-567-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral4/memory/3208-584-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral4/memory/5036-602-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral4/memory/3348-673-0x0000000001000000-0x000000000101E000-memory.dmp	upx
behavioral4/memory/3560-676-0x0000000001000000-0x000000000101E000-memory.dmp	upx

Drops file in Program Files directory 50 IoCs

Processes:

cmd.exexcopy.exesznsetup.exesetup.exesetup.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Seznam.cz\distribution\sznsetup.exe	cmd.exe
File created	C:\Program Files (x86)\Seznam.cz\distribution\install\com.microsoft.msdn.msvcr110-11.0.51106.1-win32.zip	xcopy.exe
File opened for modification	C:\Program Files (x86)\Seznam.cz\distribution\install\packages.inf	xcopy.exe
File created	C:\Program Files (x86)\Seznam.cz\distribution\install\szn-software-listicka-3.0.0-win32.zip	xcopy.exe
File opened for modification	C:\Program Files (x86)\Seznam.cz\distribution\sources.inf	cmd.exe
File opened for modification	C:\Program Files (x86)\Seznam.cz\distribution\sources.inf	sznsetup.exe
File opened for modification	C:\Program Files (x86)\Seznam.cz\distribution\install\com.microsoft.msdn.msvcr110-11.0.51106.1-win32.zip	xcopy.exe
File created	C:\Program Files (x86)\Seznam.cz\distribution\install\cz.seznam.software.libszndesktop-2.1.29-win32.zip	xcopy.exe
File opened for modification	C:\Program Files (x86)\Seznam.cz\distribution\install\cz.seznam.software.lightspeed-1210-12.10.12-win32.zip	xcopy.exe
File opened for modification	C:\Program Files (x86)\Seznam.cz\distribution\install\cz.seznam.software.lightspeed-1210-12.10.17-win32.zip	xcopy.exe
File created	C:\Program Files (x86)\Seznam.cz\distribution\install\cz.seznam.software.sznsetup-1.2.6-win32.zip	xcopy.exe
File created	C:\Program Files (x86)\Seznam.cz\distribution\install\szn-software-base-1.0.0-win32.zip	xcopy.exe
File opened for modification	C:\Program Files (x86)\Seznam.cz\distribution\install\szn-software-listicka-3.0.0-win32.zip	xcopy.exe
File opened for modification	C:\Program Files (x86)\Seznam.cz\distribution\install\com.microsoft.msdn.msvcr100-10.0.40219.325-win32.zip	xcopy.exe
File opened for modification	C:\Program Files (x86)\Seznam.cz\distribution\install\cz.seznam.software.autoupdate-1.0.8-win32.zip	xcopy.exe
File opened for modification	C:\Program Files (x86)\Seznam.cz\distribution\install\cz.seznam.software.chromelisticka-2.0.4-win32.zip	xcopy.exe
File opened for modification	C:\Program Files (x86)\Seznam.cz\distribution\install\cz.seznam.software.libfoxloader-3.2.7-win32.zip	xcopy.exe
File opened for modification	C:\Program Files (x86)\Seznam.cz\distribution\install\szn-software-base-1.0.0-win32.zip	xcopy.exe
File opened for modification	C:\Program Files (x86)\Seznam.cz\distribution\install	xcopy.exe
File created	C:\Program Files (x86)\Seznam.cz\distribution\install\cz.seznam.software.libfoxcub-3.3.4-win32.zip	xcopy.exe
File opened for modification	C:\Program Files (x86)\Seznam.cz\distribution\install\cz.seznam.software.libszndesktop-2.1.29-win32.zip	xcopy.exe
File opened for modification	C:\Program Files (x86)\Seznam.cz\distribution\install\cz.seznam.software.pp-1.0.2-win32.zip	xcopy.exe
File created	C:\Program Files (x86)\Seznam.cz\distribution\install\szn-software-fflisticka-4.0.4-win32.zip	xcopy.exe
File created	C:\Program Files (x86)\Seznam.cz\distribution\install\cz.seznam.software.pp-1.0.2-win32.zip	xcopy.exe
File created	C:\Program Files (x86)\Seznam.cz\distribution\install\cz.seznam.software.szndesktop-2.0.31-win32.zip	xcopy.exe
File created	C:\Program Files (x86)\Seznam.cz\distribution\install\cz.seznam.software.szninstall-1.1.14-win32.zip	xcopy.exe
File created	C:\Program Files (x86)\Seznam.cz\distribution\install\com.microsoft.msdn.msvcr100-10.0.40219.325-win32.zip	xcopy.exe
File created	C:\Program Files (x86)\Seznam.cz\distribution\install\cz.seznam.software.chromelisticka-2.0.4-win32.zip	xcopy.exe
File created	C:\Program Files (x86)\Seznam.cz\distribution\install\cz.seznam.software.ielisticka3-3.3.1-win32.zip	xcopy.exe
File created	C:\Program Files (x86)\Seznam.cz\distribution\install\cz.seznam.software.libfoxcub64-3.3.4-win32.zip	xcopy.exe
File created	C:\Program Files (x86)\Seznam.cz\distribution\install\cz.seznam.software.libfoxloader-3.2.7-win32.zip	xcopy.exe
File opened for modification	C:\Program Files (x86)\Seznam.cz\distribution\install\cz.seznam.software.sznsetup-1.2.6-win32.zip	xcopy.exe
File created	C:\Program Files (x86)\Seznam.cz\distribution\install\packages.inf	xcopy.exe
File opened for modification	C:\Program Files (x86)\Seznam.cz\distribution\install\szn-software-fflisticka-4.0.4-win32.zip	xcopy.exe
File opened for modification	C:\Program Files\Crashpad\settings.dat	setup.exe
File opened for modification	C:\Program Files (x86)\Seznam.cz\distribution\install\cz.seznam.software.libfoxcub-3.3.4-win32.zip	xcopy.exe
File created	C:\Program Files (x86)\Seznam.cz\distribution\install\cz.seznam.software.lightspeed-1210-12.10.17-win32.zip	xcopy.exe
File opened for modification	C:\Program Files (x86)\Seznam.cz\distribution\install\cz.seznam.software.szndesktop-2.0.31-win32.zip	xcopy.exe
File created	C:\Program Files (x86)\Seznam.cz\distribution\szninstall.exe	cmd.exe
File opened for modification	C:\Program Files (x86)\Seznam.cz\distribution\szninstall.exe	cmd.exe
File created	C:\Program Files (x86)\Seznam.cz\distribution\partner.conf	cmd.exe
File opened for modification	C:\Program Files (x86)\Seznam.cz\distribution\partner.conf	cmd.exe
File opened for modification	C:\Program Files (x86)\Seznam.cz\distribution\install\cz.seznam.software.ielisticka3-3.3.1-win32.zip	xcopy.exe
File opened for modification	C:\Program Files (x86)\Seznam.cz\distribution\install\cz.seznam.software.szninstall-1.1.14-win32.zip	xcopy.exe
File opened for modification	C:\Program Files\Crashpad\metadata	setup.exe
File created	C:\Program Files (x86)\Seznam.cz\distribution\sznsetup.exe	cmd.exe
File created	C:\Program Files (x86)\Seznam.cz\distribution\sources.inf	cmd.exe
File created	C:\Program Files (x86)\Seznam.cz\distribution\install\cz.seznam.software.autoupdate-1.0.8-win32.zip	xcopy.exe
File opened for modification	C:\Program Files (x86)\Seznam.cz\distribution\install\cz.seznam.software.libfoxcub64-3.3.4-win32.zip	xcopy.exe
File created	C:\Program Files (x86)\Seznam.cz\distribution\install\cz.seznam.software.lightspeed-1210-12.10.12-win32.zip	xcopy.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exeunzip.exesznpp.exeunzip.exeREG.EXEszndesktop.exelisticka.exeREG.EXEREG.EXEszninstall.exeunzip.exesznpp.execmd.exeREG.EXEcmd.exesznsetup.execmd.exesznpp.exeREG.EXEREG.EXEunzip.exeszndesktop.exeszndesktop.exeszninstall.exesznsetup.exeunzip.execmd.exeREG.EXEcmd.exeCPY.EXEsznpp.exeunzip.execmd.exesznsetup.exeREG.EXEREG.EXEcmd.execmd.execmd.exesznsetup.exeREG.EXEunzip.exeunzip.exesznpp.exeszndesktop.exeREG.EXEsznpp.execmd.exesznsetup.exeREG.EXEcmd.execmd.exeREG.EXEcmd.exesznpp.exesznpp.exeREG.EXEsznsetup.exeREG.EXEREG.EXEunzip.exesznsetup-lt.exeREG.EXEunzip.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unzip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sznpp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unzip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	szndesktop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	listicka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	szninstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unzip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sznpp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sznsetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sznpp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unzip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	szndesktop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	szndesktop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	szninstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sznsetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unzip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CPY.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sznpp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unzip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sznsetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sznsetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unzip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unzip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sznpp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	szndesktop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sznpp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sznsetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sznpp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sznpp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sznsetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unzip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sznsetup-lt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unzip.exe

Enumerates system info in registry 2 TTPs 7 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exechrome.exexcopy.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 3 IoCs

Processes:

chrome.exechrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133723382173712945"	chrome.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

Processes:

sznpp.exesznpp.exesznpp.exesznpp.exesznpp.exesznpp_64.exechrome.exechrome.exe

pid	process
4576	sznpp.exe
4576	sznpp.exe
1660	sznpp.exe
1660	sznpp.exe
2020	sznpp.exe
2020	sznpp.exe
664	sznpp.exe
664	sznpp.exe
3448	sznpp.exe
3448	sznpp.exe
5016	sznpp_64.exe
5016	sznpp_64.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4844	chrome.exe
4844	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

Processes:

chrome.exechrome.exe

pid process

4408 chrome.exe
4408 chrome.exe
4844 chrome.exe
4844 chrome.exe
4844 chrome.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

Processes:

szninstall.exeszninstall.exechrome.exechrome.exe

description	pid	process
Token: SeTcbPrivilege	3464	szninstall.exe
Token: SeTcbPrivilege	3952	szninstall.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4844	chrome.exe
Token: SeCreatePagefilePrivilege	4844	chrome.exe
Token: SeShutdownPrivilege	4844	chrome.exe
Token: SeCreatePagefilePrivilege	4844	chrome.exe
Token: SeShutdownPrivilege	4844	chrome.exe
Token: SeCreatePagefilePrivilege	4844	chrome.exe

Suspicious use of FindShellTrayWindow 54 IoCs

Processes:

chrome.exechrome.exe

pid	process
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4844	chrome.exe
4844	chrome.exe
4844	chrome.exe
4844	chrome.exe
4844	chrome.exe
4844	chrome.exe
4844	chrome.exe
4844	chrome.exe
4844	chrome.exe
4844	chrome.exe
4844	chrome.exe
4844	chrome.exe
4844	chrome.exe
4844	chrome.exe
4844	chrome.exe
4844	chrome.exe
4844	chrome.exe
4844	chrome.exe
4844	chrome.exe
4844	chrome.exe
4844	chrome.exe
4844	chrome.exe
4844	chrome.exe
4844	chrome.exe
4844	chrome.exe
4844	chrome.exe
4844	chrome.exe

Suspicious use of SendNotifyMessage 48 IoCs

Processes:

chrome.exechrome.exe

pid	process
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4844	chrome.exe
4844	chrome.exe
4844	chrome.exe
4844	chrome.exe
4844	chrome.exe
4844	chrome.exe
4844	chrome.exe
4844	chrome.exe
4844	chrome.exe
4844	chrome.exe
4844	chrome.exe
4844	chrome.exe
4844	chrome.exe
4844	chrome.exe
4844	chrome.exe
4844	chrome.exe
4844	chrome.exe
4844	chrome.exe
4844	chrome.exe
4844	chrome.exe
4844	chrome.exe
4844	chrome.exe
4844	chrome.exe
4844	chrome.exe

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

szndesktop.exelisticka-x64.exeszndesktop.exelisticka-x64.exeszndesktop.exelisticka-x64.exesznpp_64.exe

pid process

4296 szndesktop.exe
1524 listicka-x64.exe
5072 szndesktop.exe
244 listicka-x64.exe
232 szndesktop.exe
1540 listicka-x64.exe
5016 sznpp_64.exe

pid	process
4296	szndesktop.exe
1524	listicka-x64.exe
5072	szndesktop.exe
244	listicka-x64.exe
232	szndesktop.exe
1540	listicka-x64.exe
5016	sznpp_64.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

listicka.exesznsetup-lt.execmd.exeszninstall.exe

description	pid	process	target process
PID 3052 wrote to memory of 5108	3052	listicka.exe	sznsetup-lt.exe
PID 3052 wrote to memory of 5108	3052	listicka.exe	sznsetup-lt.exe
PID 3052 wrote to memory of 5108	3052	listicka.exe	sznsetup-lt.exe
PID 3052 wrote to memory of 5100	3052	listicka.exe	sznsetup-lt.exe
PID 3052 wrote to memory of 5100	3052	listicka.exe	sznsetup-lt.exe
PID 3052 wrote to memory of 5100	3052	listicka.exe	sznsetup-lt.exe
PID 5100 wrote to memory of 1480	5100	sznsetup-lt.exe	unzip.exe
PID 5100 wrote to memory of 1480	5100	sznsetup-lt.exe	unzip.exe
PID 5100 wrote to memory of 1480	5100	sznsetup-lt.exe	unzip.exe
PID 5100 wrote to memory of 3444	5100	sznsetup-lt.exe	cmd.exe
PID 5100 wrote to memory of 3444	5100	sznsetup-lt.exe	cmd.exe
PID 5100 wrote to memory of 3444	5100	sznsetup-lt.exe	cmd.exe
PID 5100 wrote to memory of 244	5100	sznsetup-lt.exe	unzip.exe
PID 5100 wrote to memory of 244	5100	sznsetup-lt.exe	unzip.exe
PID 5100 wrote to memory of 244	5100	sznsetup-lt.exe	unzip.exe
PID 5100 wrote to memory of 4124	5100	sznsetup-lt.exe	cmd.exe
PID 5100 wrote to memory of 4124	5100	sznsetup-lt.exe	cmd.exe
PID 5100 wrote to memory of 4124	5100	sznsetup-lt.exe	cmd.exe
PID 4124 wrote to memory of 3112	4124	cmd.exe	REG.EXE
PID 4124 wrote to memory of 3112	4124	cmd.exe	REG.EXE
PID 4124 wrote to memory of 3112	4124	cmd.exe	REG.EXE
PID 4124 wrote to memory of 312	4124	cmd.exe	REG.EXE
PID 4124 wrote to memory of 312	4124	cmd.exe	REG.EXE
PID 4124 wrote to memory of 312	4124	cmd.exe	REG.EXE
PID 4124 wrote to memory of 692	4124	cmd.exe	REG.EXE
PID 4124 wrote to memory of 692	4124	cmd.exe	REG.EXE
PID 4124 wrote to memory of 692	4124	cmd.exe	REG.EXE
PID 4124 wrote to memory of 3372	4124	cmd.exe	REG.EXE
PID 4124 wrote to memory of 3372	4124	cmd.exe	REG.EXE
PID 4124 wrote to memory of 3372	4124	cmd.exe	REG.EXE
PID 4124 wrote to memory of 4084	4124	cmd.exe	REG.EXE
PID 4124 wrote to memory of 4084	4124	cmd.exe	REG.EXE
PID 4124 wrote to memory of 4084	4124	cmd.exe	REG.EXE
PID 4124 wrote to memory of 756	4124	cmd.exe	REG.EXE
PID 4124 wrote to memory of 756	4124	cmd.exe	REG.EXE
PID 4124 wrote to memory of 756	4124	cmd.exe	REG.EXE
PID 4124 wrote to memory of 1948	4124	cmd.exe	REG.EXE
PID 4124 wrote to memory of 1948	4124	cmd.exe	REG.EXE
PID 4124 wrote to memory of 1948	4124	cmd.exe	REG.EXE
PID 4124 wrote to memory of 2852	4124	cmd.exe	REG.EXE
PID 4124 wrote to memory of 2852	4124	cmd.exe	REG.EXE
PID 4124 wrote to memory of 2852	4124	cmd.exe	REG.EXE
PID 4124 wrote to memory of 3996	4124	cmd.exe	REG.EXE
PID 4124 wrote to memory of 3996	4124	cmd.exe	REG.EXE
PID 4124 wrote to memory of 3996	4124	cmd.exe	REG.EXE
PID 4124 wrote to memory of 4976	4124	cmd.exe	REG.EXE
PID 4124 wrote to memory of 4976	4124	cmd.exe	REG.EXE
PID 4124 wrote to memory of 4976	4124	cmd.exe	REG.EXE
PID 4124 wrote to memory of 3100	4124	cmd.exe	REG.EXE
PID 4124 wrote to memory of 3100	4124	cmd.exe	REG.EXE
PID 4124 wrote to memory of 3100	4124	cmd.exe	REG.EXE
PID 4124 wrote to memory of 1372	4124	cmd.exe	REG.EXE
PID 4124 wrote to memory of 1372	4124	cmd.exe	REG.EXE
PID 4124 wrote to memory of 1372	4124	cmd.exe	REG.EXE
PID 4124 wrote to memory of 2976	4124	cmd.exe	REG.EXE
PID 4124 wrote to memory of 2976	4124	cmd.exe	REG.EXE
PID 4124 wrote to memory of 2976	4124	cmd.exe	REG.EXE
PID 3052 wrote to memory of 3464	3052	listicka.exe	szninstall.exe
PID 3052 wrote to memory of 3464	3052	listicka.exe	szninstall.exe
PID 3052 wrote to memory of 3464	3052	listicka.exe	szninstall.exe
PID 3464 wrote to memory of 3992	3464	szninstall.exe	sznsetup.exe
PID 3464 wrote to memory of 3992	3464	szninstall.exe	sznsetup.exe
PID 3464 wrote to memory of 3992	3464	szninstall.exe	sznsetup.exe
PID 3464 wrote to memory of 3012	3464	szninstall.exe	sznsetup.exe

C:\Users\Admin\AppData\Local\Temp\$1\listicka.exe
"C:\Users\Admin\AppData\Local\Temp\$1\listicka.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3052

C:\Users\Admin\AppData\Roaming\Seznam.cz\sznsetup-lt.exe
"C:\Users\Admin\AppData\Roaming\Seznam.cz\sznsetup-lt.exe" -T "C:\Users\Admin\AppData\Roaming\Seznam.cz" -R "$\install" http://download.seznam.cz/update
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5108

C:\Users\Admin\AppData\Roaming\Seznam.cz\sznsetup-lt.exe
"C:\Users\Admin\AppData\Roaming\Seznam.cz\sznsetup-lt.exe" -T "C:\Users\Admin\AppData\Roaming\Seznam.cz" -i cz.seznam.software.szninstall
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5100

C:\Users\Admin\AppData\Local\Temp\~0E578C52.000013EC.sznpkg\unzip.exe
C:\Users\Admin\AppData\Local\Temp\~0E578C52.000013EC.sznpkg\unzip.exe -d C:\Users\Admin\AppData\Local\Temp\~0E579347.000013EC.sznpkg -o C:\Users\Admin\AppData\Local\Temp\~0E578C52.000013EC.sznpkg\download\cz.seznam.software.sznsetup-1.2.7-win32.zip
3⤵
- Executes dropped EXE
PID:1480

C:\Windows\SysWOW64\cmd.exe
cmd /S /C "install.bat C:\Users\Admin\AppData\Roaming\Seznam.cz"
3⤵
- System Location Discovery: System Language Discovery
PID:3444

C:\Users\Admin\AppData\Local\Temp\~0E578C52.000013EC.sznpkg\unzip.exe
C:\Users\Admin\AppData\Local\Temp\~0E578C52.000013EC.sznpkg\unzip.exe -d C:\Users\Admin\AppData\Local\Temp\~0E579422.000013EC.sznpkg -o C:\Users\Admin\AppData\Local\Temp\~0E578C52.000013EC.sznpkg\download\cz.seznam.software.szninstall-1.1.15-win32.zip
3⤵
- Executes dropped EXE
PID:244

C:\Windows\SysWOW64\cmd.exe
cmd /S /C "install.bat C:\Users\Admin\AppData\Roaming\Seznam.cz"
3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4124

C:\Users\Admin\AppData\Local\Temp\~0E578C52.000013EC.sznpkg\REG.EXE
REG DELETE "HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\SeznamInstall" /f /va
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3112

C:\Users\Admin\AppData\Local\Temp\~0E578C52.000013EC.sznpkg\REG.EXE
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\SeznamInstall" /f
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:312

C:\Users\Admin\AppData\Local\Temp\~0E578C52.000013EC.sznpkg\REG.EXE
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\SeznamInstall" /f /v "InstallLocation" /d C:\Users\Admin\AppData\Roaming\Seznam.cz
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:692

C:\Users\Admin\AppData\Local\Temp\~0E578C52.000013EC.sznpkg\REG.EXE
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\SeznamInstall" /f /v "DisplayName" /d "Seznam Software"
4⤵
- Executes dropped EXE
PID:3372

C:\Users\Admin\AppData\Local\Temp\~0E578C52.000013EC.sznpkg\REG.EXE
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\SeznamInstall" /f /v "DisplayIcon" /d "C:\Users\Admin\AppData\Roaming\Seznam.cz\szninstall.exe,0"
4⤵
- Executes dropped EXE
PID:4084

C:\Users\Admin\AppData\Local\Temp\~0E578C52.000013EC.sznpkg\REG.EXE
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\SeznamInstall" /f /v "UninstallString" /d "\"C:\Users\Admin\AppData\Roaming\Seznam.cz\szninstall.exe\" -X"
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:756

C:\Users\Admin\AppData\Local\Temp\~0E578C52.000013EC.sznpkg\REG.EXE
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\SeznamInstall" /f /v "ModifyPath" /d "C:\Users\Admin\AppData\Roaming\Seznam.cz\szninstall.exe"
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1948

C:\Users\Admin\AppData\Local\Temp\~0E578C52.000013EC.sznpkg\REG.EXE
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\SeznamInstall" /f /v "Publisher" /d "Seznam.cz"
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2852

C:\Users\Admin\AppData\Local\Temp\~0E578C52.000013EC.sznpkg\REG.EXE
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\SeznamInstall" /f /v "URLInfoAbout" /d "http://software.seznam.cz"
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3996

C:\Users\Admin\AppData\Local\Temp\~0E578C52.000013EC.sznpkg\REG.EXE
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\SeznamInstall" /f /v "HelpLink" /d "http://napoveda.seznam.cz/cz/software.html"
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4976

C:\Users\Admin\AppData\Local\Temp\~0E578C52.000013EC.sznpkg\REG.EXE
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\SeznamInstall" /f /v "Comments" /d "Vsechny aplikace spolecnosti Seznam.cz a.s."
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3100

C:\Users\Admin\AppData\Local\Temp\~0E578C52.000013EC.sznpkg\REG.EXE
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\SeznamInstall" /f /v "NoRepair" /t REG_DWORD /d 1
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1372

C:\Users\Admin\AppData\Local\Temp\~0E578C52.000013EC.sznpkg\REG.EXE
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\SeznamInstall" /f /v "NoModify" /t REG_DWORD /d 0
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2976

C:\Users\Admin\AppData\Roaming\Seznam.cz\szninstall.exe
"C:\Users\Admin\AppData\Roaming\Seznam.cz\szninstall.exe" -u -i cz.seznam.software.autoupdate szn-software-listicka
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3464

C:\Users\Admin\AppData\Roaming\Seznam.cz\sznsetup.exe
C:\Users\Admin\AppData\Roaming\Seznam.cz\sznsetup.exe -V
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3992

C:\Users\Admin\AppData\Roaming\Seznam.cz\sznsetup.exe
C:\Users\Admin\AppData\Roaming\Seznam.cz\sznsetup.exe -T C:\Users\Admin\AppData\Roaming\Seznam.cz -i -u cz.seznam.software.autoupdate szn-software-listicka -p
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3012

C:\Users\Admin\AppData\Local\Temp\~0E579913.00000BC4.sznpkg\unzip.exe
C:\Users\Admin\AppData\Local\Temp\~0E579913.00000BC4.sznpkg\unzip.exe -d C:\Users\Admin\AppData\Local\Temp\~0E57AD95.00000BC4.sznpkg -o C:\Users\Admin\AppData\Roaming\Seznam.cz\install\cz.seznam.software.autoupdate-1.0.8-win32.zip
4⤵
- Executes dropped EXE
PID:4676

C:\Windows\SysWOW64\cmd.exe
cmd /S /C "install.bat C:\Users\Admin\AppData\Roaming\Seznam.cz"
4⤵
PID:3040

C:\Users\Admin\AppData\Local\Temp\~0E579913.00000BC4.sznpkg\REG.EXE
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "cz.seznam.software.autoupdate" /d "\"C:\Users\Admin\AppData\Roaming\Seznam.cz\szninstall.exe\" -c"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:2296

C:\Users\Admin\AppData\Local\Temp\~0E579913.00000BC4.sznpkg\unzip.exe
C:\Users\Admin\AppData\Local\Temp\~0E579913.00000BC4.sznpkg\unzip.exe -d C:\Users\Admin\AppData\Local\Temp\~0E57AE41.00000BC4.sznpkg -o C:\Users\Admin\AppData\Roaming\Seznam.cz\install\szn-software-base-1.0.0-win32.zip
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3480

C:\Windows\SysWOW64\cmd.exe
cmd /S /C "install.bat C:\Users\Admin\AppData\Roaming\Seznam.cz"
4⤵
- System Location Discovery: System Language Discovery
PID:3560

C:\Users\Admin\AppData\Local\Temp\~0E579913.00000BC4.sznpkg\unzip.exe
C:\Users\Admin\AppData\Local\Temp\~0E579913.00000BC4.sznpkg\unzip.exe -d C:\Users\Admin\AppData\Local\Temp\~0E57AEAF.00000BC4.sznpkg -o C:\Users\Admin\AppData\Roaming\Seznam.cz\install\com.microsoft.msdn.msvcr110-11.0.51106.1-win32.zip
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5044

C:\Windows\SysWOW64\cmd.exe
cmd /S /C "install.bat C:\Users\Admin\AppData\Roaming\Seznam.cz"
4⤵
- System Location Discovery: System Language Discovery
PID:1540

C:\Users\Admin\AppData\Local\Temp\~0E579913.00000BC4.sznpkg\CPY.EXE
cpy msvcp110.dll "C:\Users\Admin\AppData\Roaming\Seznam.cz\bin"
5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2592

C:\Users\Admin\AppData\Local\Temp\~0E579913.00000BC4.sznpkg\CPY.EXE
cpy msvcr110.dll "C:\Users\Admin\AppData\Roaming\Seznam.cz\bin"
5⤵
- Executes dropped EXE
PID:4728

C:\Users\Admin\AppData\Local\Temp\~0E579913.00000BC4.sznpkg\unzip.exe
C:\Users\Admin\AppData\Local\Temp\~0E579913.00000BC4.sznpkg\unzip.exe -d C:\Users\Admin\AppData\Local\Temp\~0E57AFE7.00000BC4.sznpkg -o C:\Users\Admin\AppData\Local\Temp\~0E579913.00000BC4.sznpkg\download\cz.seznam.software.lightspeed-1210-12.10.18-win32.zip
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4280

C:\Windows\SysWOW64\cmd.exe
cmd /S /C "install.bat C:\Users\Admin\AppData\Roaming\Seznam.cz"
4⤵
- System Location Discovery: System Language Discovery
PID:220

C:\Users\Admin\AppData\Local\Temp\~0E579913.00000BC4.sznpkg\CPY.EXE
cpy lightspeed.dll "C:\Users\Admin\AppData\Roaming\Seznam.cz\bin"
5⤵
- Executes dropped EXE
PID:3852

C:\Users\Admin\AppData\Local\Temp\~0E579913.00000BC4.sznpkg\unzip.exe
C:\Users\Admin\AppData\Local\Temp\~0E579913.00000BC4.sznpkg\unzip.exe -d C:\Users\Admin\AppData\Local\Temp\~0E57B064.00000BC4.sznpkg -o C:\Users\Admin\AppData\Local\Temp\~0E579913.00000BC4.sznpkg\download\cz.seznam.software.libszndesktop-2.1.35-win32.zip
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3324

C:\Windows\SysWOW64\cmd.exe
cmd /S /C "install.bat C:\Users\Admin\AppData\Roaming\Seznam.cz"
4⤵
PID:1120

C:\Users\Admin\AppData\Local\Temp\~0E579913.00000BC4.sznpkg\CPY.EXE
cpy "szndesktop.exe" "C:\Users\Admin\AppData\Roaming\Seznam.cz\bin"
5⤵
- Executes dropped EXE
PID:2024

C:\Users\Admin\AppData\Local\Temp\~0E579913.00000BC4.sznpkg\CPY.EXE
cpy "szndesktop.conf" "C:\Users\Admin\AppData\Roaming\Seznam.cz\conf"
5⤵
- Executes dropped EXE
PID:4564

C:\Users\Admin\AppData\Local\Temp\~0E579913.00000BC4.sznpkg\CPY.EXE
cpy "szndesktop.webpak" "C:\Users\Admin\AppData\Roaming\Seznam.cz\data"
5⤵
- Executes dropped EXE
PID:2164

C:\Users\Admin\AppData\Local\Temp\~0E579913.00000BC4.sznpkg\CPY.EXE
cpy "sznpp.exe" "C:\Users\Admin\AppData\Roaming\Seznam.cz\bin"
5⤵
- Executes dropped EXE
PID:4820

C:\Users\Admin\AppData\Local\Temp\~0E579913.00000BC4.sznpkg\REG.EXE
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\SeznamInstall" /v DisplayVersion /t REG_SZ /d "2.1.35" /f
5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2508

C:\Users\Admin\AppData\Local\Temp\~0E579913.00000BC4.sznpkg\unzip.exe
C:\Users\Admin\AppData\Local\Temp\~0E579913.00000BC4.sznpkg\unzip.exe -d C:\Users\Admin\AppData\Local\Temp\~0E57B13F.00000BC4.sznpkg -o C:\Users\Admin\AppData\Local\Temp\~0E579913.00000BC4.sznpkg\download\cz.seznam.software.szndesktop-2.0.32-win32.zip
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3932

C:\Windows\SysWOW64\cmd.exe
cmd /S /C "install.bat C:\Users\Admin\AppData\Roaming\Seznam.cz"
4⤵
PID:3796

C:\Users\Admin\AppData\Local\Temp\~0E579913.00000BC4.sznpkg\CPY.EXE
cpy "wszndesktop.exe" "C:\Users\Admin\AppData\Roaming\Seznam.cz\bin"
5⤵
- Executes dropped EXE
PID:2128

C:\Users\Admin\AppData\Local\Temp\~0E579913.00000BC4.sznpkg\REG.EXE
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "cz.seznam.software.szndesktop" /d "\"C:\Users\Admin\AppData\Roaming\Seznam.cz\bin\wszndesktop.exe\" -q"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:5016

C:\Users\Admin\AppData\Local\Temp\~0E579913.00000BC4.sznpkg\unzip.exe
C:\Users\Admin\AppData\Local\Temp\~0E579913.00000BC4.sznpkg\unzip.exe -d C:\Users\Admin\AppData\Local\Temp\~0E57B1DB.00000BC4.sznpkg -o C:\Users\Admin\AppData\Local\Temp\~0E579913.00000BC4.sznpkg\download\cz.seznam.software.libfoxcub-3.3.8-win32.zip
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4896

C:\Windows\SysWOW64\cmd.exe
cmd /S /C "install.bat C:\Users\Admin\AppData\Roaming\Seznam.cz"
4⤵
- System Location Discovery: System Language Discovery
PID:4408

C:\Users\Admin\AppData\Local\Temp\~0E579913.00000BC4.sznpkg\CPY.EXE
cpy libfoxcub.dll "C:\Users\Admin\AppData\Roaming\Seznam.cz\bin"
5⤵
- Executes dropped EXE
PID:4180

C:\Users\Admin\AppData\Local\Temp\~0E579913.00000BC4.sznpkg\CPY.EXE
cpy libfoxcub-x64.dll "C:\Users\Admin\AppData\Roaming\Seznam.cz\bin"
5⤵
- Executes dropped EXE
PID:1260

C:\Users\Admin\AppData\Local\Temp\~0E579913.00000BC4.sznpkg\CPY.EXE
cpy libfoxcub.conf "C:\Users\Admin\AppData\Roaming\Seznam.cz\conf\szndesktop.d"
5⤵
- Executes dropped EXE
PID:3620

C:\Users\Admin\AppData\Local\Temp\~0E579913.00000BC4.sznpkg\CPY.EXE
cpy foxcub.conf "C:\Users\Admin\AppData\Roaming\Seznam.cz\conf\libfoxcub"
5⤵
- Executes dropped EXE
PID:3952

C:\Users\Admin\AppData\Local\Temp\~0E579913.00000BC4.sznpkg\CPY.EXE
cpy remote.conf "C:\Users\Admin\AppData\Roaming\Seznam.cz\conf\libfoxcub"
5⤵
- Executes dropped EXE
PID:1488

C:\Users\Admin\AppData\Local\Temp\~0E579913.00000BC4.sznpkg\CPY.EXE
cpy listickaconfig.webpak "C:\Users\Admin\AppData\Roaming\Seznam.cz\data"
5⤵
- Executes dropped EXE
PID:3156

C:\Users\Admin\AppData\Local\Temp\~0E579913.00000BC4.sznpkg\CPY.EXE
cpy listickanastaveni.webpak "C:\Users\Admin\AppData\Roaming\Seznam.cz\data"
5⤵
- Executes dropped EXE
PID:4972

C:\Users\Admin\AppData\Local\Temp\~0E579913.00000BC4.sznpkg\CPY.EXE
cpy speeddial.webpak "C:\Users\Admin\AppData\Roaming\Seznam.cz\data"
5⤵
- Executes dropped EXE
PID:536

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe libfoxcub.dll,UpgradeListicka
5⤵
- Loads dropped DLL
PID:4780

C:\Users\Admin\AppData\Local\Temp\~0E579913.00000BC4.sznpkg\REG.EXE
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\szn-software-listicka" /v "UninstallString"
5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:740

C:\Users\Admin\AppData\Local\Temp\~0E579913.00000BC4.sznpkg\REG.EXE
REG QUERY "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\szn-software-listicka" /v "UninstallString"
5⤵
- Executes dropped EXE
PID:3612

C:\Users\Admin\AppData\Local\Temp\~0E579913.00000BC4.sznpkg\REG.EXE
REG DELETE "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EA837F48-5AD1-443E-AE34-FFE03CBF3099}" /F
5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3084

C:\Users\Admin\AppData\Roaming\Seznam.cz\bin\sznpp.exe
"C:\Users\Admin\AppData\Roaming\Seznam.cz\bin\sznpp.exe" -v report-ielisticka-install --status=0
5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1148

C:\Users\Admin\AppData\Local\Temp\~0E579913.00000BC4.sznpkg\unzip.exe
C:\Users\Admin\AppData\Local\Temp\~0E579913.00000BC4.sznpkg\unzip.exe -d C:\Users\Admin\AppData\Local\Temp\~0E57B4C9.00000BC4.sznpkg -o C:\Users\Admin\AppData\Roaming\Seznam.cz\install\cz.seznam.software.libfoxloader-3.2.7-win32.zip
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2840

C:\Windows\SysWOW64\cmd.exe
cmd /S /C "install.bat C:\Users\Admin\AppData\Roaming\Seznam.cz"
4⤵
- System Location Discovery: System Language Discovery
PID:2668

C:\Users\Admin\AppData\Local\Temp\~0E579913.00000BC4.sznpkg\unzip.exe
C:\Users\Admin\AppData\Local\Temp\~0E579913.00000BC4.sznpkg\unzip.exe -d C:\Users\Admin\AppData\Local\Temp\~0E57B556.00000BC4.sznpkg -o C:\Users\Admin\AppData\Local\Temp\~0E579913.00000BC4.sznpkg\download\cz.seznam.software.libfoxcub64-3.3.8-win32.zip
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:404

C:\Windows\SysWOW64\cmd.exe
cmd /S /C "install.bat C:\Users\Admin\AppData\Roaming\Seznam.cz"
4⤵
- System Location Discovery: System Language Discovery
PID:3160

C:\Users\Admin\AppData\Local\Temp\~0E579913.00000BC4.sznpkg\CPY.EXE
cpy libfoxcub-x64.dll "C:\Users\Admin\AppData\Roaming\Seznam.cz\bin"
5⤵
- Executes dropped EXE
PID:5000

C:\Users\Admin\AppData\Local\Temp\~0E579913.00000BC4.sznpkg\CPY.EXE
cpy listicka-x64.exe "C:\Users\Admin\AppData\Roaming\Seznam.cz\bin"
5⤵
- Executes dropped EXE
PID:2336

C:\Users\Admin\AppData\Roaming\Seznam.cz\bin\szndesktop.exe
szndesktop.exe default restart
5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4476

C:\Users\Admin\AppData\Roaming\Seznam.cz\bin\szndesktop.exe
szndesktop.exe default restart
6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4296

C:\Users\Admin\AppData\Roaming\Seznam.cz\bin\listicka-x64.exe
"C:\Users\Admin\AppData\Roaming\Seznam.cz\bin\listicka-x64.exe"
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1524

C:\Users\Admin\AppData\Roaming\Seznam.cz\bin\sznpp.exe
"C:\Users\Admin\AppData\Roaming\Seznam.cz\bin\sznpp.exe" report-startup
7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4576

C:\Users\Admin\AppData\Local\Temp\~0E579913.00000BC4.sznpkg\unzip.exe
C:\Users\Admin\AppData\Local\Temp\~0E579913.00000BC4.sznpkg\unzip.exe -d C:\Users\Admin\AppData\Local\Temp\~0E57B65F.00000BC4.sznpkg -o C:\Users\Admin\AppData\Local\Temp\~0E579913.00000BC4.sznpkg\download\cz.seznam.software.ielisticka3-3.3.5-win32.zip
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3912

C:\Windows\SysWOW64\cmd.exe
cmd /S /C "install.bat C:\Users\Admin\AppData\Roaming\Seznam.cz"
4⤵
- System Location Discovery: System Language Discovery
PID:4564

C:\Users\Admin\AppData\Local\Temp\~0E579913.00000BC4.sznpkg\unzip.exe
C:\Users\Admin\AppData\Local\Temp\~0E579913.00000BC4.sznpkg\unzip.exe -d C:\Users\Admin\AppData\Local\Temp\~0E57B6FC.00000BC4.sznpkg -o C:\Users\Admin\AppData\Local\Temp\~0E579913.00000BC4.sznpkg\download\szn-software-fflisticka-4.0.8-win32.zip
4⤵
- Executes dropped EXE
PID:2320

C:\Windows\SysWOW64\cmd.exe
cmd /S /C "install.bat C:\Users\Admin\AppData\Roaming\Seznam.cz"
4⤵
PID:5096

C:\Users\Admin\AppData\Roaming\Seznam.cz\bin\sznpp.exe
"C:\Users\Admin\AppData\Roaming\Seznam.cz\bin\sznpp.exe" install_ff "C:\Users\Admin\AppData\Roaming\Seznam.cz\data\fflisticka\seznam_doplnek_email-4.4.1-fx.xpi"
5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1660

C:\Users\Admin\AppData\Roaming\Seznam.cz\bin\sznpp.exe
"C:\Users\Admin\AppData\Roaming\Seznam.cz\bin\sznpp.exe" install_ff "C:\Users\Admin\AppData\Roaming\Seznam.cz\data\fflisticka\[email protected]"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2020

C:\Users\Admin\AppData\Roaming\Seznam.cz\bin\sznpp.exe
"C:\Users\Admin\AppData\Roaming\Seznam.cz\bin\sznpp.exe" install-firefox-nm
5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1488

C:\Users\Admin\AppData\Local\Temp\~0E579913.00000BC4.sznpkg\unzip.exe
C:\Users\Admin\AppData\Local\Temp\~0E579913.00000BC4.sznpkg\unzip.exe -d C:\Users\Admin\AppData\Local\Temp\~0E57BAC4.00000BC4.sznpkg -o C:\Users\Admin\AppData\Roaming\Seznam.cz\install\cz.seznam.software.chromelisticka-2.0.4-win32.zip
4⤵
- Executes dropped EXE
PID:3412

C:\Windows\SysWOW64\cmd.exe
cmd /S /C "install.bat C:\Users\Admin\AppData\Roaming\Seznam.cz"
4⤵
- System Location Discovery: System Language Discovery
PID:3084

C:\Users\Admin\AppData\Roaming\Seznam.cz\bin\sznpp.exe
"C:\Users\Admin\AppData\Roaming\Seznam.cz\bin\sznpp.exe" install-chrome all
5⤵
- System Location Discovery: System Language Discovery
PID:1648

C:\Users\Admin\AppData\Roaming\Seznam.cz\bin\sznpp_64.exe
"C:\Users\Admin\AppData\Roaming\Seznam.cz\bin\sznpp.exe" install-chrome all
6⤵
- Loads dropped DLL
PID:2284

C:\Users\Admin\AppData\Roaming\Seznam.cz\bin\sznpp.exe
"C:\Users\Admin\AppData\Roaming\Seznam.cz\bin\sznpp.exe" install-chrome-nm
5⤵
- System Location Discovery: System Language Discovery
PID:4668

C:\Users\Admin\AppData\Local\Temp\~0E579913.00000BC4.sznpkg\unzip.exe
C:\Users\Admin\AppData\Local\Temp\~0E579913.00000BC4.sznpkg\unzip.exe -d C:\Users\Admin\AppData\Local\Temp\~0E57BBAF.00000BC4.sznpkg -o C:\Users\Admin\AppData\Roaming\Seznam.cz\install\com.microsoft.msdn.msvcr100-10.0.40219.325-win32.zip
4⤵
PID:2272

C:\Windows\SysWOW64\cmd.exe
cmd /S /C "install.bat C:\Users\Admin\AppData\Roaming\Seznam.cz"
4⤵
- System Location Discovery: System Language Discovery
PID:5012

C:\Users\Admin\AppData\Local\Temp\~0E579913.00000BC4.sznpkg\CPY.EXE
cpy msvcp100.dll "C:\Users\Admin\AppData\Roaming\Seznam.cz\bin"
5⤵
PID:2996

C:\Users\Admin\AppData\Local\Temp\~0E579913.00000BC4.sznpkg\CPY.EXE
cpy msvcr100.dll "C:\Users\Admin\AppData\Roaming\Seznam.cz\bin"
5⤵
PID:1960

C:\Users\Admin\AppData\Local\Temp\~0E579913.00000BC4.sznpkg\unzip.exe
C:\Users\Admin\AppData\Local\Temp\~0E579913.00000BC4.sznpkg\unzip.exe -d C:\Users\Admin\AppData\Local\Temp\~0E57BC2C.00000BC4.sznpkg -o C:\Users\Admin\AppData\Roaming\Seznam.cz\install\cz.seznam.software.pp-1.0.2-win32.zip
4⤵
- System Location Discovery: System Language Discovery
PID:3208

C:\Windows\SysWOW64\cmd.exe
cmd /S /C "install.bat C:\Users\Admin\AppData\Roaming\Seznam.cz"
4⤵
PID:4804

C:\Users\Admin\AppData\Local\Temp\~0E579913.00000BC4.sznpkg\CPY.EXE
cpy unlockInstance.dll "C:\Users\Admin\AppData\Roaming\Seznam.cz\bin"
5⤵
PID:3352

C:\Users\Admin\AppData\Local\Temp\~0E579913.00000BC4.sznpkg\CPY.EXE
cpy unlockInstance.conf "C:\Users\Admin\AppData\Roaming\Seznam.cz\conf\szndesktop.d"
5⤵
PID:4012

C:\Users\Admin\AppData\Roaming\Seznam.cz\bin\szndesktop.exe
szndesktop.exe default restart
5⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3064

C:\Users\Admin\AppData\Roaming\Seznam.cz\bin\szndesktop.exe
szndesktop.exe default restart
6⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5072

C:\Users\Admin\AppData\Roaming\Seznam.cz\bin\sznpp.exe
"C:\Users\Admin\AppData\Roaming\Seznam.cz\bin\sznpp.exe" install-chrome retry
7⤵
PID:744

C:\Users\Admin\AppData\Roaming\Seznam.cz\bin\sznpp_64.exe
"C:\Users\Admin\AppData\Roaming\Seznam.cz\bin\sznpp.exe" install-chrome retry
8⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5016

C:\Program Files\Google\Chrome\Application\chrome.exe
chrome.exe --no-default-browser-check --new-window about:blank
9⤵
- Loads dropped DLL
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4408

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffff3d6cc40,0x7ffff3d6cc4c,0x7ffff3d6cc58
10⤵
- Loads dropped DLL
PID:2656

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1940,i,15684048736461209338,16393341968820545878,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1932 /prefetch:2
10⤵
PID:1760

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2140,i,15684048736461209338,16393341968820545878,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2184 /prefetch:3
10⤵
PID:1484

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2224,i,15684048736461209338,16393341968820545878,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2568 /prefetch:8
10⤵
PID:460

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3068,i,15684048736461209338,16393341968820545878,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3096 /prefetch:1
10⤵
PID:3444

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3080,i,15684048736461209338,16393341968820545878,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3196 /prefetch:1
10⤵
PID:5020

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3720,i,15684048736461209338,16393341968820545878,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4492 /prefetch:8
10⤵
PID:2172

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4788,i,15684048736461209338,16393341968820545878,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4728 /prefetch:8
10⤵
- Loads dropped DLL
PID:452

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4488,i,15684048736461209338,16393341968820545878,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4832 /prefetch:8
10⤵
PID:3024

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4672,i,15684048736461209338,16393341968820545878,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4728 /prefetch:8
10⤵
PID:3580

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4816,i,15684048736461209338,16393341968820545878,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5108 /prefetch:8
10⤵
PID:4780

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4972,i,15684048736461209338,16393341968820545878,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4676 /prefetch:8
10⤵
PID:1556

C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level
10⤵
- Loads dropped DLL
- Drops file in Program Files directory
PID:3156

C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x27c,0x280,0x284,0x258,0x288,0x7ff7881e4698,0x7ff7881e46a4,0x7ff7881e46b0
11⤵
- Loads dropped DLL
- Drops file in Program Files directory
PID:4900

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4364,i,15684048736461209338,16393341968820545878,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4688 /prefetch:8
10⤵
PID:1320

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4976,i,15684048736461209338,16393341968820545878,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5048 /prefetch:8
10⤵
PID:2820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4700,i,15684048736461209338,16393341968820545878,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4732 /prefetch:8
10⤵
PID:3716

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5064,i,15684048736461209338,16393341968820545878,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5072 /prefetch:8
10⤵
PID:1260

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5016,i,15684048736461209338,16393341968820545878,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5168 /prefetch:8
10⤵
PID:4576

C:\Program Files\Google\Chrome\Application\chrome.exe
chrome.exe --no-default-browser-check --new-window
9⤵
- Loads dropped DLL
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffff3d6cc40,0x7ffff3d6cc4c,0x7ffff3d6cc58
10⤵
- Loads dropped DLL
PID:1780

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2016,i,14198490676013669927,6835459596159570496,262144 --variations-seed-version=20241001-180143.436000 --mojo-platform-channel-handle=2012 /prefetch:2
10⤵
PID:1120

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1972,i,14198490676013669927,6835459596159570496,262144 --variations-seed-version=20241001-180143.436000 --mojo-platform-channel-handle=2192 /prefetch:3
10⤵
PID:428

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2304,i,14198490676013669927,6835459596159570496,262144 --variations-seed-version=20241001-180143.436000 --mojo-platform-channel-handle=2516 /prefetch:8
10⤵
PID:3428

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3160,i,14198490676013669927,6835459596159570496,262144 --variations-seed-version=20241001-180143.436000 --mojo-platform-channel-handle=3172 /prefetch:1
10⤵
PID:4984

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3192,i,14198490676013669927,6835459596159570496,262144 --variations-seed-version=20241001-180143.436000 --mojo-platform-channel-handle=3220 /prefetch:1
10⤵
PID:2408

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3716,i,14198490676013669927,6835459596159570496,262144 --variations-seed-version=20241001-180143.436000 --mojo-platform-channel-handle=1700 /prefetch:1
10⤵
PID:4864

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4552,i,14198490676013669927,6835459596159570496,262144 --variations-seed-version=20241001-180143.436000 --mojo-platform-channel-handle=4692 /prefetch:8
10⤵
PID:5004

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4664,i,14198490676013669927,6835459596159570496,262144 --variations-seed-version=20241001-180143.436000 --mojo-platform-channel-handle=4668 /prefetch:8
10⤵
PID:4664

C:\Users\Admin\AppData\Roaming\Seznam.cz\bin\listicka-x64.exe
"C:\Users\Admin\AppData\Roaming\Seznam.cz\bin\listicka-x64.exe"
7⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:244

C:\Users\Admin\AppData\Roaming\Seznam.cz\bin\sznpp.exe
"C:\Users\Admin\AppData\Roaming\Seznam.cz\bin\sznpp.exe" report-startup
7⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:664

C:\Users\Admin\AppData\Local\Temp\~0E579913.00000BC4.sznpkg\unzip.exe
C:\Users\Admin\AppData\Local\Temp\~0E579913.00000BC4.sznpkg\unzip.exe -d C:\Users\Admin\AppData\Local\Temp\~0E57BF1A.00000BC4.sznpkg -o C:\Users\Admin\AppData\Roaming\Seznam.cz\install\szn-software-listicka-3.0.0-win32.zip
4⤵
PID:5036

C:\Windows\SysWOW64\cmd.exe
cmd /S /C "install.bat C:\Users\Admin\AppData\Roaming\Seznam.cz"
4⤵
- System Location Discovery: System Language Discovery
PID:1760

C:\Users\Admin\AppData\Roaming\Seznam.cz\sznsetup.exe
"C:\Users\Admin\AppData\Roaming\Seznam.cz\sznsetup.exe" -A 61655 cd "C:\Users\Admin\AppData\Roaming\Seznam.cz"
5⤵
- System Location Discovery: System Language Discovery
PID:1252

C:\Users\Admin\AppData\Roaming\Seznam.cz\sznsetup.exe
"C:\Users\Admin\AppData\Roaming\Seznam.cz\sznsetup.exe" -A 61655 "C:\Users\Admin\AppData\Local\Temp\~0E57BF1A.00000BC4.sznpkg\install.bat" ADMINPHASE . "C:\Program Files (x86)\Seznam.cz\distribution"
5⤵
- System Location Discovery: System Language Discovery
PID:4284

C:\Users\Admin\AppData\Local\Temp\~0E579913.00000BC4.sznpkg\REG.EXE
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Seznam.cz\distribution" /f /v "listicka" /t REG_DWORD /d 1
5⤵
PID:3560

C:\Windows\SysWOW64\cmd.exe
cmd /S /C "C:\Users\Admin\AppData\Roaming\Seznam.cz\uninstall\cz_seznam_software_libszndesktop_2_1_35.reconfigure.bat C:\Users\Admin\AppData\Roaming\Seznam.cz"
4⤵
- System Location Discovery: System Language Discovery
PID:708

C:\Users\Admin\AppData\Roaming\Seznam.cz\bin\szndesktop.exe
"C:\Users\Admin\AppData\Roaming\Seznam.cz\bin\szndesktop.exe" default restart
5⤵
- Loads dropped DLL
PID:1076

C:\Users\Admin\AppData\Roaming\Seznam.cz\bin\szndesktop.exe
"C:\Users\Admin\AppData\Roaming\Seznam.cz\bin\szndesktop.exe" default restart
6⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:232

C:\Users\Admin\AppData\Roaming\Seznam.cz\bin\sznpp.exe
"C:\Users\Admin\AppData\Roaming\Seznam.cz\bin\sznpp.exe" install-chrome retry
7⤵
PID:3736

C:\Users\Admin\AppData\Roaming\Seznam.cz\bin\listicka-x64.exe
"C:\Users\Admin\AppData\Roaming\Seznam.cz\bin\listicka-x64.exe"
7⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1540

C:\Users\Admin\AppData\Roaming\Seznam.cz\bin\sznpp.exe
"C:\Users\Admin\AppData\Roaming\Seznam.cz\bin\sznpp.exe" report-startup
7⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3448

C:\Users\Admin\AppData\Roaming\Seznam.cz\szninstall.exe
"C:\Users\Admin\AppData\Roaming\Seznam.cz\szninstall.exe" -S 61655
3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~0E57BF1A.00000BC4.sznpkg\install.bat ADMINPHASE . "C:\Program Files (x86)\Seznam.cz\distribution"
4⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4308

C:\Users\Admin\AppData\Roaming\Seznam.cz\sznsetup.exe
".\sznsetup.exe" -T "C:\Program Files (x86)\Seznam.cz\distribution" -R "C:\Program Files (x86)\Seznam.cz\distribution\install"
5⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3032

C:\Windows\SysWOW64\xcopy.exe
xcopy /S /Y /G /I ".\install\*.*" "C:\Program Files (x86)\Seznam.cz\distribution\install"
5⤵
- Drops file in Program Files directory
- Enumerates system info in registry
PID:3836

C:\Users\Admin\AppData\Local\Temp\~0E579913.00000BC4.sznpkg\REG.EXE
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /f /v "seznam-listicka-distribuce" /d "\"C:\Program Files (x86)\Seznam.cz\distribution\szninstall.exe\" -s -d listicka 1 szn-software-listicka cz.seznam.software.autoupdate"
5⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:3348

C:\Users\Admin\AppData\Roaming\Seznam.cz\sznsetup.exe
C:\Users\Admin\AppData\Roaming\Seznam.cz\sznsetup.exe -V
3⤵
- System Location Discovery: System Language Discovery
PID:1652

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:508

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4700

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
822467b728b7a66b081c91795373789a

SHA1
d8f2f02e1eef62485a9feffd59ce837511749865

SHA256
af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9

SHA512
bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\62813B66E4E7657B0076ACE1B741615F

Filesize
504B

MD5
17be4ca3e416928f142cb5288fb2db4f

SHA1
c0355f8c975beb494a3c4461740953076604459e

SHA256
af554a4c58eb247f4d11fa8f5d60e70a3c7b2e9bf58a4050a1a59064e78aaf48

SHA512
4ea32538b6bfb6bc9e38a16b46fe4b58d75cb1579e6e159b04b7296381c33654a5adc11b7f9939a05e145209171372bb36e3052e80d21cba9675699345cd78e1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
1cb569c1c836f9a6763c3fa710b7b848

SHA1
ebdab8d89e645c2639fee2406762d62bc0b6f99b

SHA256
fb8336384df30fe9ae78854236342fe6c17211f630e504ad7cf73f87a54d5059

SHA512
bb56b8355d85c969df56b57afed0437136084558056a4138221cb317ddf334f607cc78411bb5fee4b7ebe6b60ecba40e1b9eaa7764de70566b028abfac651f45

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\62813B66E4E7657B0076ACE1B741615F

Filesize
546B

MD5
043691da814d759728d2f60d004084b1

SHA1
9882e803dc03f952fa565c08a6f208eeb25fe708

SHA256
6afe87aaec6d024f75c4ca863aa78d5abd1eaaca6a1c3e37d8389de83576174d

SHA512
f212a20bc6627507a7224e5f8d4cf8f267ec4340b4ca59034968dd1cde3e9778fb55dd262bf1e3d042e41ba4c855dcc6ebadcd31fc6b842169f4cffbcab2f88e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
2c76afc5a2c5731743f37706c1fc87cf

SHA1
7e9b3c33b0e65d011882eae9d8224a3f2e30f7f6

SHA256
77fc781aa22f91c1beb606634a96088bfbbda95c1c2f08b679c281f2ffbb2dd6

SHA512
6cc81e2569857200dcd7f7c161536e9dd1fff4c9fb993fdc58c7f86b79b064713001de5d6af01136b4666439ce16532626559734549150408c8c101601ed8683

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
1880dcf532752a2c176cd04ccea681a9

SHA1
73d2347ac0eedf6f94f0f98b3051a8ea6470d840

SHA256
5d500edd5afb9ab726c1e79dcc9b163495cacb5e309dc72cc738a8d2431ceaa4

SHA512
8f8e4eaecc325a7c0c9fd029ada56591dc662672d0572eb8fe123277159693435da337acda98299722979570646397483fc328d5550b47b83e2c097499cce039

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
8a84ef6669bda382ae804d6e6ed4819b

SHA1
cc1e0fed04729b12369d8a216ba08c508a29b3a8

SHA256
1138df7e5c95ac5e1921fdfaa758fc3e8958807e46b8401e891f2a8f83e14c5c

SHA512
ceda8aba2302640f05e0823cae9695e49e7f23b145112b8d5ecc63e778d9449f6749291ba5e6dde7d1838d3dfb834a0d2ed854076127a982ec5f9e9e8c0729fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
1a0c992367958bb2dcdbefb12245aafa

SHA1
8c66bbcb984c2b21f25fe5f8e7c75f049e398935

SHA256
ce71419ffc897d2e605ef36e24753400465701083e2a7c1db17472e9c034be99

SHA512
f29f93f7ffd9f2ca26a91c0e09d32b7de68232a5045a71df582e28e6566174172243d6a8d8450104d045aedd51bc15cafd51b356ccab6d9d37a358b14b4e87ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
343d679215c243d5cc8de0c22afabcc9

SHA1
1b9797dd822dc0d2f63f15de344360b42d29b38d

SHA256
063774af1847e351127bdc8367a7ec9d80e2f9b815b9c957f674e16be2d6fb9b

SHA512
685f1f2ec73f64598953ec5633ca88697aac806ae84d9b7c392ea30609bd693bff562852d9eb88dd37f671a979cec261f3d98216884a71d4e869f596e53c38dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
abeb1bce18e843ea4296ee8ee429e0bc

SHA1
27b075cf8f0002eceb6940d852b1ddfd602267af

SHA256
291820807fdef42c7f83157c6b9ccf70361ef50ed28531b43b8b8000611d0416

SHA512
4c45106c1b3eb3d120543bd305ef91ab9625ac3979af393612407ba56e6d58b20938fe504a4c957d4de6fc1c27130a980e4f3ad9aa796a8996f9fe869e598c20

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
01546ed0ca409eccbf1683719bf1affe

SHA1
0b4b143086fc0bdcb665a7b63fe9ea793e77811d

SHA256
0c27a46ab96e32c55e621df90019b1844f36432da922f0b5cc67d163b8ff2a0a

SHA512
dcfd35325d6a21f7eeb105132a034441b3dbdc38ad72a674a7f91b62d781f59c541d392cdf2c8ab28c2173f7ff8e3f51825dca8f488285305e6298e5b5491153

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
19KB

MD5
aa033481d712365041120b280d41d575

SHA1
bbc3d0e01bc995c2085f885850668ef3e5b6ca46

SHA256
8ff92fc268a15b63e27da3ce0acdf3792fef692794f81ff86344d137216698a1

SHA512
71c98e9b1be3722a29b4aac6e22688d93ee7e45852074c4eec8b26ade2ca28935e270df907ca66cbd6761f236c94f2905b4dc3789fcc64c5cd76199291283af4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GraphiteDawnCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
115KB

MD5
8cbbb0c711903fa13795bc025bbecafd

SHA1
5c4b30cf1d4469023364e6ee8391313385c5d25c

SHA256
2228656f18d3f085f4ac1c26ef68fd805f24d6378ff233c8688ff4ef7dfd514c

SHA512
c7fc9f7950c189170c602b6e496b9507450fd3d663a2bb5d16b647535da76b201bd29b844c0305a1786ec8c00a0df5b6f20e0f2210c289499693e898a0d93e95

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
211KB

MD5
7715452762574b5bf590d57f39b6007a

SHA1
6045b56e985df293a2bd7b1a57f623e45853cb31

SHA256
3f5724bba683821489904802000bddde8e480fbe94b9b3b8cc85d497e43f5e99

SHA512
874e7004af9e087fbf715d9230f0941f5d0ea770d4b22d8e6c313340c23d8d7f7d3b36f9fcc8978d5e097011f7ad6ce76de032827f4dca2c09c91b03f8a4d390

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
210KB

MD5
9bd877b372667a74be4538995d208822

SHA1
b100f5008bd1c3d6ffe310aff3b8d9f922a38ecf

SHA256
cab87d7526d61eb0aea966fc74071a7a7f958b8acd9cbeaf092e1dec2448b138

SHA512
e582c1574f39584e8cfa29a34915aa4bfe6b9a5068a5b583516f9b0d356a3c4a38983b9140e726b1eab2669be82307d9ac3277bc610e63c0a8643d2c0a22ad99

Download Submit
C:\Users\Admin\AppData\Local\Temp\2c152e16-2636-42b0-9973-905e0deae3c3.tmp

Filesize
623KB

MD5
da2228185d46a74ad7e5a3f37eecc67e

SHA1
95b4c24a06d6be1011356859e149b2fbe3b043ff

SHA256
09f7dd2a8b8cddb801fd9a69ebbc8a3cea7051b6230e59dd2f46656ddbbf688a

SHA512
61c8949bbba9763a49ad11705de96bcbe7ac2e676d7ad0b4f7f5b6e01d949360fd371e109da8a8bcc4439ebef6669d1271156a171481bcb58acb48d73e3b89b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\9762a396-b41e-4924-b288-996e7d0cf97b.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk8752.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk8752.tmp\UserInfo.dll

Filesize
4KB

MD5
7579ade7ae1747a31960a228ce02e666

SHA1
8ec8571a296737e819dcf86353a43fcf8ec63351

SHA256
564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5

SHA512
a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk8752.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4408_131598172\6571c52d-e52d-43cd-9370-6b0324c81bdb.tmp

Filesize
464KB

MD5
989c55975181f7d71d70b05f11b08e16

SHA1
d610b08a556bc02e794728da986d20049db4697c

SHA256
16d60813277d2a09fd36d8914de24212ac1353bab903c3bc6d4d5d92b42388e5

SHA512
bbaf608628b670c7fdb050ab13ba889adb826a7da7e241b2d213ce679861cc5315efdd0b94ad047ca3bdf337c6c3b8c6a49b12edcffdafa0b1629d3a53abae14

Download Submit
C:\Users\Admin\AppData\Local\Temp\sznpp.log

Filesize
2KB

MD5
01be964a88ab6781ed893c185b37b5d3

SHA1
dcde9604338dc5075d3ae5a613566d324f9f4dd3

SHA256
119bc090f8db75a70a6acf5eb2623f3c53d2d9fe1fabacdc98716b9cf1c6a14f

SHA512
90ba9603593cdffba3f548054a98b7bb1b83aa78c1161843c76070f827b56933b5dd4d9d27dafb0bd79793cb410e13030be42972c5be3bf29570c7659bb59a70

Download Submit
C:\Users\Admin\AppData\Local\Temp\sznpp.log

Filesize
4KB

MD5
9a5d0f873089a115e53b409add9d58d7

SHA1
f424e01ba27e74fa33d6e859f60ab7097876c8f5

SHA256
f4207634c289c742df068d1a36115e288be77d4cd464a11a2097c1c3c7a76dd7

SHA512
85b428d5dc78f2c5d19759b3cc83f302a48aca7e3155d0582f7dbf39ba76ce1225d4690a69d1959253cde3ab018b8aeb7469482f35d905d5a171cde89e3d1ad4

Download Submit
C:\Users\Admin\AppData\Local\Temp\~0E578C52.000013EC.sznpkg\REG.EXE

Filesize
20KB

MD5
f0c0d05727a4e1e91f4347c2270500aa

SHA1
8f26b474cb7a8f8ace40e98574034d7322b1fbe8

SHA256
aa7c78cede348c8db9f932c2c54ee746e6b528691811de44578d238ba02721e2

SHA512
7fe720efd2a94624dfa5492afa6d0342cad232bcf8159d59ad2e52d8a21be1566bc457e980185bbf8e1332fd48199a1ad9d18b076cbb39f1011dc24b2601a25a

Download Submit
C:\Users\Admin\AppData\Local\Temp\~0E578C52.000013EC.sznpkg\UNZIP.EXE

Filesize
72KB

MD5
3fc25896b5b2fb8e20f28fab8c0e1143

SHA1
4019015aba1d7b6bcf4c3ca422b981eb2c0aa4d3

SHA256
b6d228616b5ad31449f4da41aeec9a6fc7a18fe51f672233fc7f6cae07e7f117

SHA512
6175fe637408d0d5c4ebc27fc39593d9b92fddd247303dbed652d7a5c7a05454ddfa21c8aff9a470894dc5dfa581123a53c02da650843e4f18156254b63802d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\~0E578C52.000013EC.sznpkg\download\cz.seznam.software.szninstall-1.1.15-win32.zip

Filesize
423KB

MD5
4a72352104bdeb175a01ed156d1b752e

SHA1
20281025dd3caf05cf16b1b7756236e6b6646ad0

SHA256
b46db87456edb53d41462b77b58323e8446892fe876982a8258ee224e3f3ca00

SHA512
5dafb1e2d09a0436f293a626d171fbf049fe5df4acdc986719a80548632ad44234ac4ee55c0cb855efd29e9935310d55674989e7bea98207e615378643edeefe

Download Submit
C:\Users\Admin\AppData\Local\Temp\~0E578C52.000013EC.sznpkg\download\cz.seznam.software.sznsetup-1.2.7-win32.zip

Filesize
1.1MB

MD5
32a5827e232bd4ecdf03aa6e597b9a02

SHA1
f6d51f9b8371be92b025b6794ce76baa0332cfbe

SHA256
aae60f2257d7bb56fb270cc7e23ba88c3d6768d952cdf201c6ae6d8b7efacb5e

SHA512
165c659311b1b9c13240d48873a2fc99ca983691058a640a242f34b7be586889feeeceb21b223f37b53ea5b60d50ed3965c600df2b69049786334c4835839888

Download Submit
C:\Users\Admin\AppData\Local\Temp\~0E579347.000013EC.sznpkg\control.ini

Filesize
199B

MD5
723b8c5f1fa2d9c5c1d9830c34ba08ad

SHA1
34c12369a988e5d30f2beab2f1c7acc018761959

SHA256
57ace0b4e76f0045a7dae3e39b59c50193d9e45ab8bfa17a1f1d21dfb99dd3c8

SHA512
951acb2fa97ab2647de41549ac4e4d46fa0d8b7994a39ae293c1eb5a543fc562a76b3b87c3dac68b66f876fdb6eef694c5f62b885d5288993d14e2f272085904

Download Submit
C:\Users\Admin\AppData\Local\Temp\~0E579347.000013EC.sznpkg\install.bat

Filesize
90B

MD5
7be26bbb7d13c3c854f880e2d7c77f47

SHA1
e2c44acbc3e683fe54e4c24cc52bd5c64714c8cc

SHA256
0c58ca6afab9755bd17c25d4ac3c602bc12c78b2064fd36e781d7bfd3d55f200

SHA512
8e9cfdc1679a49e5053373e4583bf77d9c9dc4c18bcc4a01ad025d6de644ec0cbe72dadb4f3bfbf1e6873ee588b334b6a91310543c959766c48ec5095b0537d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\~0E579347.000013EC.sznpkg\sznsetup.exe

Filesize
2.5MB

MD5
d0f5d99c74d568eb9909c7582a775dc7

SHA1
4d7d588c789b26e0a6afd6c2e3685a01da7b1351

SHA256
30caedf510c447a3dc0f8a068b6ed8c55409818c77faeb7e01e86df1c3949b2d

SHA512
5424989b78e418af100c10d8f6d12b13b78643ce2f5f7a9e0462a9571827dc8c1eef60324d64bb4ca7651262523434ada0b564a757a1b15d338ddaf47dcfcf01

Download Submit
C:\Users\Admin\AppData\Local\Temp\~0E579347.000013EC.sznpkg\uninstall.bat

Filesize
21B

MD5
0f2a9391c79202e47e212c8d2c4d6d43

SHA1
79b8df7d9aa3841ac189129472bb1a5020e9b4bf

SHA256
448e9c54e2079dcf42f4211c2b5a6415a0b9f7e80c351ccc32ee3236d6e5520a

SHA512
a649acea21db5fe3de14d4800939280204d1a69f6394eac68c211302f3ac240f21df10d4e4f0c4f07e6a2086e371e894360973a43dc0af87a8a08dc594b03d9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\~0E579422.000013EC.sznpkg\control.ini

Filesize
274B

MD5
0a96eb2e0f4c2050cb65ac5e0efc9095

SHA1
844345f999be26a5248fcab702915b79f5268237

SHA256
7238ac1a9f601da52d6d12a61c5d4d15474f02766a9e56830999e9d59f7bebdc

SHA512
546e6042ee0cce3e775cd21f0cda56b6236cd59c0a4ca043db57802e767f2a91d2f89d82bf59a28389c7c47f7267628abcbb2d05c55093c69b70a9748ddae9ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\~0E579422.000013EC.sznpkg\install.bat

Filesize
908B

MD5
93c3affd6e3e86ad9fc944356e55712a

SHA1
8b2abea2446aee93d17cdd58d95b6494aee4783e

SHA256
5e3aebcf7ab3579b7ec48a0589130a961d4a2b7035f99fc9f196b260b62c156a

SHA512
83767a58b605e764a8cf199fb98691b371cb6da2fd7a6cc392632f0188f2d0251a9e6f73381f3212bf41add10b32f187e31c615fa799e4ba5d6cac7c36a2de66

Download Submit
C:\Users\Admin\AppData\Local\Temp\~0E579422.000013EC.sznpkg\szninstall.exe

Filesize
1.0MB

MD5
c73e94b86ed9b6bdff199bb7e8bf9d77

SHA1
81187638df3b943e9a990a8dfaa5ae70d4ae360b

SHA256
abcbbdcc62338959f0f74b257e34ac86aba9132675f34a389756f624909c0115

SHA512
56347635037935771708e803278678520e6cf6f16ac532d53ef571fd25bb86ff16677cb5832a16dca8d6921d5a9bf7672540bf29a92063627bfac8e6b6d79ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\~0E579422.000013EC.sznpkg\uninstall.bat

Filesize
181B

MD5
1feff19973a4f9158c152836aa645da9

SHA1
5235da552796a62fb9a88394a049829bb43b3e22

SHA256
2de87146ed0503aadacc414fe9df49635d9722affefdfec0d485bfbaf2173b43

SHA512
e275593a178c32434a1c748908bfc70856e71ec49d9ef7cac71f03dc1602a8891fb891a8c09c4f94fdf88701bff2ac27742d92cc4f71d965d98b6a5fa093f155

Download Submit
C:\Users\Admin\AppData\Local\Temp\~0E57AD95.00000BC4.sznpkg\control.ini

Filesize
298B

MD5
179cf2126d63acb096bcf31d9e755a28

SHA1
148f948ea0df3d1eb9a5edf9d4ec98895d64bea9

SHA256
b0398a91eaa0add38c0a75fa398952e8df4eff4010d0957819e8dd55cfb33c94

SHA512
767b7e7c1a9c75e90631f020c72fdbceac054f789a899d972f6231ee236738d489a7269f80f2e5f64182e494bbb60f9ce89fb6819c4b4112e4a352eae9fc8508

Download Submit
C:\Users\Admin\AppData\Local\Temp\~0E57AD95.00000BC4.sznpkg\install.bat

Filesize
133B

MD5
f45c071fd1aba066c0a5877dccc37f07

SHA1
73c90d2a48adc0bc7ca8a5232c0b15c4d3304853

SHA256
24bc6e07585b3d7cf3812e5b1b377ac0e39a154d8c14b8b7b3ae03dda9c85803

SHA512
0027b487fcd0a9f51aed2d76551273f60fa2945b78ea68ff1e9f2f79c7b52944da40f063e29a815557b79504812402a151fec817b9a30bd8d6f5ce9eddb274eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\~0E57AD95.00000BC4.sznpkg\uninstall.bat

Filesize
104B

MD5
5d379cb847043d49e99717cbe5cfd1b1

SHA1
f9e82f6cc4eae5b60366d71a3446e439887f5491

SHA256
f9774b7b55ca1144c478108b561c1deab3bb1decba3212d07f136f7a00edf952

SHA512
e0fd611d55ee78f1978d3aace9318942adc460d0bc8056a25e78f916e496817c82388fea73969d0e53095e9c70a0fe1ec85732a1a1e96fbd64f90f2950d95a66

Download Submit
C:\Users\Admin\AppData\Local\Temp\~0E57AE41.00000BC4.sznpkg\control.ini

Filesize
260B

MD5
34ddba490baf20ce87da887262dfb101

SHA1
56f81ab1e53d1074436f8609e7e95a3651c747f2

SHA256
fae11ed16bfeb7c3c71df0eaf7fc5520bbd3a7bfcc72f319a795d9cfe49c327d

SHA512
e4cb8c3bb1ace9216baa6bf96f3c5673d3d8175d9c54d4e243678fbe136f980724e190ddf3a9e61c0517182606caff654afd03a17351cc11fbf92a23264cd288

Download Submit
C:\Users\Admin\AppData\Local\Temp\~0E57AE41.00000BC4.sznpkg\install.bat

Filesize
129B

MD5
3d00b26ac691fa886f7a9e557b882842

SHA1
9ec82a89e5f1b5720a13a54d178d553838fa6c6b

SHA256
34efd0e3ac0515fb1fd025ce99c84b9a99e67bf2fe9d4889e4fd76664f941f42

SHA512
ee01469a4f5e1055a9559c25df291f7c6a19e05ceaf6fbecb96d8ed50c8ba6c1f2e7bf563e82d383a4b65f13511f79074e51d741562128370d64c78f6d4279ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\~0E57AE41.00000BC4.sznpkg\uninstall.bat

Filesize
32B

MD5
82ced4b51204137afec924b9a0a34c92

SHA1
3e3dd1c485e7a421141cdf4aca14950e2f3bde77

SHA256
ea3fcd8551241061c5c4685d32dda1970de9cd6d509a20bd956d77b28a98ed97

SHA512
1890cb5281e76b48ede926f9b72f9c1f02f0e1a620038a9cc8423831ee666cdb05b20184ff348a6eb7c171b934d1d0461f28119e95f49a3e1358fa5a9442fae1

Download Submit
C:\Users\Admin\AppData\Roaming\Seznam.cz\install.log.2764.log

Filesize
28KB

MD5
dc856197b7f470338450fa1a7bb1d863

SHA1
744a8da56f45130cec6777766db6d358f0b18800

SHA256
ccfa4cf8f21ab9576cee55044fa781768a2944d1692fb60481fbe89a813d2d1d

SHA512
bc493c68c406446241e5ccc458f48ad005c9174626481f102a38819111746949378b35ee7cae566837fb1c9f02746cc41965f703e70c2487d34caf52e3e2e098

Download Submit
C:\Users\Admin\AppData\Roaming\Seznam.cz\install\cz.seznam.software.autoupdate-1.0.8-win32.zip

Filesize
849B

MD5
f4bebe89a8e1ac362fe3a79c97be1dde

SHA1
77e567394d7ac07a76ce5814de02d5867e33255f

SHA256
ecc1a7118616bb0481129d8abaa60df7f3e60a6ebc6e995d803e89736c45181e

SHA512
c5099bbbea5896ba984ba34ac9840c3c4fba086e5eaee458e521e171ae2ebabc43394332550c11924b56b2cca06d2b4da8ba5e9fac6bb342cc5b56c80f6e8b6a

Download Submit
C:\Users\Admin\AppData\Roaming\Seznam.cz\install\packages.inf

Filesize
11KB

MD5
f697b45dfbc054244dbd7c0b84a6978d

SHA1
3a8dd4a006489f666283ce878bfcb9d1d6429e97

SHA256
93566bc8cd8aaa71da3d8e7de5c27b79566231e37ae9de6ba1be47cedcfe24e5

SHA512
93322c3c7b56b064b2364c55c8400fda2f25a356788235271a7def4ede827417b4a9efcdb2a1ab59f4398f2c074d81fc7fe90b48694378ce65e1800ad28a63ba

Download Submit
C:\Users\Admin\AppData\Roaming\Seznam.cz\install\szn-software-base-1.0.0-win32.zip

Filesize
719B

MD5
074a93e1689ea64403d500b6c7a83ab4

SHA1
91717b519eae49dab6f62550862bbbbe67b14cf4

SHA256
95ceb6d4f123edd7043964bddbafa0e18c247762cd42581acbe621327b09bae0

SHA512
5e44e6e7027aa7477d0bd73c3d304022e33d15d43bf21c1e5b08f24d912c4a7597570e71ce2a7a02d5cd317df98b7a27b7b35c7dd18f1aafa249e76478779fdd

Download Submit
C:\Users\Admin\AppData\Roaming\Seznam.cz\packages.inf

Filesize
1KB

MD5
837c7a236eeada236bb51b254b840435

SHA1
3ce3c2103190b0f68a25c39b9d24847fd695aa24

SHA256
42875d1c3a02d0ac1985c65cde40b746c2f89c2e89cb421224f24d2cc3933879

SHA512
07e82a25b5ccdd6929f2a9b3ac3cd2e46bdab6cdf284bda4113eddbf6543e51cfb66e13dc90c71291442f6b1eaa2f0af7c91e4eb6de5797d5511f26271d3e5d1

Download Submit
C:\Users\Admin\AppData\Roaming\Seznam.cz\packages.inf.$$$

Filesize
12KB

MD5
7aa8702937a185b6d1994bc20953a8ca

SHA1
a90838d79959308255679879b0c293863d990036

SHA256
8fc36eb1b6d341c07f78d9402d34d8d8568ccb77b9eab283bc0a78a069a0b58b

SHA512
070e6ff60ce900508bb2d89398e70f4535aad3a19624196c4a61c6e9b9ab897ea1044abc13a893431254727f2dc083d4e90d11d80a1b2e38d04129f44add6d50

Download Submit
C:\Users\Admin\AppData\Roaming\Seznam.cz\packages.inf.$$$

Filesize
1KB

MD5
eb0713ed8c5f74e7c8f64afcbddf61a8

SHA1
a5500a362415595581cae47eaeb308f8c49d5c08

SHA256
910aa7f3dd4ebbf764110ebf8a7427279dce8e7324dad2ea770299026f5364b2

SHA512
d0a65c35bb4830109f3ba6ce7d631318424ea53b9fc2df77cf8d024a431dc0b09b21421454e69a3eeaf36166539fc80c4a303c8bebbb6bae3bf4e1ae397dc4e9

Download Submit
C:\Users\Admin\AppData\Roaming\Seznam.cz\sources.inf

Filesize
45B

MD5
8efb99dc1764c24a3afd26525cb801ae

SHA1
ef3001d662dc98ef5dcf2b971e6715bfbc4ffe50

SHA256
ea7af9470621ffdd4b4afb4380c0e0ec1fdd5f6d2d1b371304290474ac1c9b4a

SHA512
cf1a8b52d569dbd580473d95f213499b66f2e925134530ecf821a4b36a5701dee1a33b521859e3c1aa57a834ac7fbc8a830bcb51629755dd193895027b537b96

Download Submit
C:\Users\Admin\AppData\Roaming\Seznam.cz\sznsetup-lt.exe

Filesize
1.2MB

MD5
9033dbee427815f396f63928c3273862

SHA1
999a21163538790c49640969648818410ac3ef5c

SHA256
d73b8aeb672800608ad5df8351cbf38f7b7a6e56781c75827e7d10025ecddc6a

SHA512
efd48a08883cb19e704ba5b867f41edf25237f7ef55b3e408ca993fadfafc569b1bbfce3f2e1981444887866686835defe06c3a58c19d05792e2a5c53627394e

Download Submit
C:\Users\Admin\AppData\Roaming\Seznam.cz\uninstall\szn_software_fflisticka_4_0_8.install.bat

Filesize
687B

MD5
6773193894447a6084f1908abc14f403

SHA1
250cfce2c5796abe5c0ae05e309652910a1fe9d1

SHA256
0074fdfbe74480a40956a6dc9ecbca75e0c57232b3e742f16ec2a697b004ff52

SHA512
c63e438e0fac0da0b74160dffc39e216965fcc0a1c142c9dc06872b15a7b6765ee91440924d0fc1d246512d305c0553ff7d21201dd36d03e46e99d2ccac64af5

Download Submit
C:\Users\Admin\AppData\Roaming\Seznam.cz\uninstall\szn_software_fflisticka_4_0_8.uninstall.bat

Filesize
448B

MD5
054b05bc8bc79bda4d251e806dca7000

SHA1
952ecc5584d21fabe3fa4525b316ae7a2a563209

SHA256
a8e2256d67af00b8660a08d45cdde983abc87eb200d9fa887eaa5ab6c0797467

SHA512
e4eb2ac8194fe48bdf3e464a3c69ac748cbdb964013f8ed9a64f94220d7ac8e91399b62017309af3a4259ddbaeaec3c339bcdfa208be85dbf90c6e1bd10af13a

Download Submit
memory/244-102-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/312-115-0x0000000001000000-0x000000000101E000-memory.dmp

Filesize
120KB

Download
memory/404-412-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/692-118-0x0000000001000000-0x000000000101E000-memory.dmp

Filesize
120KB

Download
memory/740-340-0x0000000001000000-0x000000000101E000-memory.dmp

Filesize
120KB

Download
memory/756-124-0x0000000001000000-0x000000000101E000-memory.dmp

Filesize
120KB

Download
memory/1372-136-0x0000000001000000-0x000000000101E000-memory.dmp

Filesize
120KB

Download
memory/1480-69-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1480-80-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1948-126-0x0000000001000000-0x000000000101E000-memory.dmp

Filesize
120KB

Download
memory/2272-567-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2296-206-0x0000000001000000-0x000000000101E000-memory.dmp

Filesize
120KB

Download
memory/2320-449-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2508-284-0x0000000001000000-0x000000000101E000-memory.dmp

Filesize
120KB

Download
memory/2840-369-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2852-128-0x0000000001000000-0x000000000101E000-memory.dmp

Filesize
120KB

Download
memory/2976-139-0x0000000001000000-0x000000000101E000-memory.dmp

Filesize
120KB

Download
memory/3084-343-0x0000000001000000-0x000000000101E000-memory.dmp

Filesize
120KB

Download
memory/3100-134-0x0000000001000000-0x000000000101E000-memory.dmp

Filesize
120KB

Download
memory/3112-109-0x0000000001000000-0x000000000101E000-memory.dmp

Filesize
120KB

Download
memory/3112-112-0x0000000001000000-0x000000000101E000-memory.dmp

Filesize
120KB

Download
memory/3208-584-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3324-279-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3348-673-0x0000000001000000-0x000000000101E000-memory.dmp

Filesize
120KB

Download
memory/3372-120-0x0000000001000000-0x000000000101E000-memory.dmp

Filesize
120KB

Download
memory/3412-504-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3480-223-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3560-676-0x0000000001000000-0x000000000101E000-memory.dmp

Filesize
120KB

Download
memory/3612-342-0x0000000001000000-0x000000000101E000-memory.dmp

Filesize
120KB

Download
memory/3912-430-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3932-299-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3996-130-0x0000000001000000-0x000000000101E000-memory.dmp

Filesize
120KB

Download
memory/4084-122-0x0000000001000000-0x000000000101E000-memory.dmp

Filesize
120KB

Download
memory/4280-257-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4676-201-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4896-327-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4976-132-0x0000000001000000-0x000000000101E000-memory.dmp

Filesize
120KB

Download
memory/5016-302-0x0000000001000000-0x000000000101E000-memory.dmp

Filesize
120KB

Download
memory/5036-602-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5044-241-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download