35bf46a4562df3fdb49ab5cae2b83d4ff81ff495d916d2c4c3cd21aa3deb97f6

Analysis

max time kernel
151s
max time network
169s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 21:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

35bf46a4562df3fdb49ab5cae2b83d4ff81ff495d916d2c4c3cd21aa3deb97f6.exe
Size

842KB
MD5

44ab671f5c236837cec2588ffa3b13a0
SHA1

35aa266ccc17754c64a195349698da143cbcccea
SHA256

35bf46a4562df3fdb49ab5cae2b83d4ff81ff495d916d2c4c3cd21aa3deb97f6
SHA512

20ddf228c9bf5a38fe582fbd725b7ee29248115219dcdae23ef471e68806be908ad3e84a63686da98cc7681b15cf433391f69de301efd463efd16184526f1fad
SSDEEP

24576:wX/ajNHhm/QeN/7DSBfWhYqmTI96H0m8R:hHU/ph7GBfWOqClHy

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

ynyr.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\ynyr.exe -dwup"	ynyr.exe

Executes dropped EXE 47 IoCs

Processes:

ynyr.exeynyr.exeynyr.exeynyr.exeynyr.exeynyr.exeynyr.exeynyr.exeynyr.exeynyr.exeynyr.exeynyr.exeynyr.exeynyr.exeynyr.exeynyr.exeynyr.exeynyr.exeynyr.exeynyr.exeynyr.exeynyr.exeynyr.exeynyr.exeynyr.exeynyr.exeynyr.exeynyr.exeynyr.exeynyr.exeynyr.exeynyr.exeynyr.exeynyr.exeynyr.exeynyr.exeynyr.exeynyr.exeynyr.exeynyr.exeynyr.exeynyr.exeynyr.exeynyr.exeynyr.exeynyr.exeynyr.exe

pid	process
4540	ynyr.exe
3704	ynyr.exe
3296	ynyr.exe
2168	ynyr.exe
4216	ynyr.exe
4576	ynyr.exe
4904	ynyr.exe
3780	ynyr.exe
4316	ynyr.exe
3092	ynyr.exe
1568	ynyr.exe
3336	ynyr.exe
3864	ynyr.exe
2324	ynyr.exe
1752	ynyr.exe
2496	ynyr.exe
912	ynyr.exe
1632	ynyr.exe
2020	ynyr.exe
1988	ynyr.exe
3800	ynyr.exe
3716	ynyr.exe
1084	ynyr.exe
4740	ynyr.exe
948	ynyr.exe
3708	ynyr.exe
1460	ynyr.exe
3972	ynyr.exe
4148	ynyr.exe
1452	ynyr.exe
3596	ynyr.exe
4016	ynyr.exe
3636	ynyr.exe
408	ynyr.exe
3448	ynyr.exe
1748	ynyr.exe
60	ynyr.exe
2296	ynyr.exe
1944	ynyr.exe
3240	ynyr.exe
2348	ynyr.exe
5116	ynyr.exe
1772	ynyr.exe
2316	ynyr.exe
4124	ynyr.exe
2204	ynyr.exe
4688	ynyr.exe

Suspicious use of SetThreadContext 24 IoCs

Processes:

35bf46a4562df3fdb49ab5cae2b83d4ff81ff495d916d2c4c3cd21aa3deb97f6.exeynyr.exeynyr.exeynyr.exeynyr.exeynyr.exeynyr.exeynyr.exeynyr.exeynyr.exeynyr.exeynyr.exeynyr.exeynyr.exeynyr.exeynyr.exeynyr.exeynyr.exeynyr.exeynyr.exeynyr.exeynyr.exeynyr.exeynyr.exe

description	pid	process	target process
PID 2480 set thread context of 1248	2480	35bf46a4562df3fdb49ab5cae2b83d4ff81ff495d916d2c4c3cd21aa3deb97f6.exe	35bf46a4562df3fdb49ab5cae2b83d4ff81ff495d916d2c4c3cd21aa3deb97f6.exe
PID 4540 set thread context of 3704	4540	ynyr.exe	ynyr.exe
PID 2168 set thread context of 4216	2168	ynyr.exe	ynyr.exe
PID 4576 set thread context of 4904	4576	ynyr.exe	ynyr.exe
PID 3780 set thread context of 4316	3780	ynyr.exe	ynyr.exe
PID 3092 set thread context of 1568	3092	ynyr.exe	ynyr.exe
PID 3336 set thread context of 3864	3336	ynyr.exe	ynyr.exe
PID 2324 set thread context of 1752	2324	ynyr.exe	ynyr.exe
PID 2496 set thread context of 912	2496	ynyr.exe	ynyr.exe
PID 1632 set thread context of 2020	1632	ynyr.exe	ynyr.exe
PID 1988 set thread context of 3800	1988	ynyr.exe	ynyr.exe
PID 3716 set thread context of 1084	3716	ynyr.exe	ynyr.exe
PID 4740 set thread context of 948	4740	ynyr.exe	ynyr.exe
PID 3708 set thread context of 1460	3708	ynyr.exe	ynyr.exe
PID 3972 set thread context of 4148	3972	ynyr.exe	ynyr.exe
PID 1452 set thread context of 3596	1452	ynyr.exe	ynyr.exe
PID 4016 set thread context of 3636	4016	ynyr.exe	ynyr.exe
PID 408 set thread context of 3448	408	ynyr.exe	ynyr.exe
PID 1748 set thread context of 60	1748	ynyr.exe	ynyr.exe
PID 2296 set thread context of 1944	2296	ynyr.exe	ynyr.exe
PID 3240 set thread context of 2348	3240	ynyr.exe	ynyr.exe
PID 5116 set thread context of 1772	5116	ynyr.exe	ynyr.exe
PID 2316 set thread context of 4124	2316	ynyr.exe	ynyr.exe
PID 2204 set thread context of 4688	2204	ynyr.exe	ynyr.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

35bf46a4562df3fdb49ab5cae2b83d4ff81ff495d916d2c4c3cd21aa3deb97f6.exe35bf46a4562df3fdb49ab5cae2b83d4ff81ff495d916d2c4c3cd21aa3deb97f6.exeynyr.exeynyr.exeynyr.exeynyr.exeynyr.exeynyr.exeynyr.exe

description	pid	process	target process
PID 2480 wrote to memory of 1248	2480	35bf46a4562df3fdb49ab5cae2b83d4ff81ff495d916d2c4c3cd21aa3deb97f6.exe	35bf46a4562df3fdb49ab5cae2b83d4ff81ff495d916d2c4c3cd21aa3deb97f6.exe
PID 2480 wrote to memory of 1248	2480	35bf46a4562df3fdb49ab5cae2b83d4ff81ff495d916d2c4c3cd21aa3deb97f6.exe	35bf46a4562df3fdb49ab5cae2b83d4ff81ff495d916d2c4c3cd21aa3deb97f6.exe
PID 2480 wrote to memory of 1248	2480	35bf46a4562df3fdb49ab5cae2b83d4ff81ff495d916d2c4c3cd21aa3deb97f6.exe	35bf46a4562df3fdb49ab5cae2b83d4ff81ff495d916d2c4c3cd21aa3deb97f6.exe
PID 2480 wrote to memory of 1248	2480	35bf46a4562df3fdb49ab5cae2b83d4ff81ff495d916d2c4c3cd21aa3deb97f6.exe	35bf46a4562df3fdb49ab5cae2b83d4ff81ff495d916d2c4c3cd21aa3deb97f6.exe
PID 2480 wrote to memory of 1248	2480	35bf46a4562df3fdb49ab5cae2b83d4ff81ff495d916d2c4c3cd21aa3deb97f6.exe	35bf46a4562df3fdb49ab5cae2b83d4ff81ff495d916d2c4c3cd21aa3deb97f6.exe
PID 2480 wrote to memory of 1248	2480	35bf46a4562df3fdb49ab5cae2b83d4ff81ff495d916d2c4c3cd21aa3deb97f6.exe	35bf46a4562df3fdb49ab5cae2b83d4ff81ff495d916d2c4c3cd21aa3deb97f6.exe
PID 2480 wrote to memory of 1248	2480	35bf46a4562df3fdb49ab5cae2b83d4ff81ff495d916d2c4c3cd21aa3deb97f6.exe	35bf46a4562df3fdb49ab5cae2b83d4ff81ff495d916d2c4c3cd21aa3deb97f6.exe
PID 2480 wrote to memory of 1248	2480	35bf46a4562df3fdb49ab5cae2b83d4ff81ff495d916d2c4c3cd21aa3deb97f6.exe	35bf46a4562df3fdb49ab5cae2b83d4ff81ff495d916d2c4c3cd21aa3deb97f6.exe
PID 1248 wrote to memory of 4540	1248	35bf46a4562df3fdb49ab5cae2b83d4ff81ff495d916d2c4c3cd21aa3deb97f6.exe	ynyr.exe
PID 1248 wrote to memory of 4540	1248	35bf46a4562df3fdb49ab5cae2b83d4ff81ff495d916d2c4c3cd21aa3deb97f6.exe	ynyr.exe
PID 1248 wrote to memory of 4540	1248	35bf46a4562df3fdb49ab5cae2b83d4ff81ff495d916d2c4c3cd21aa3deb97f6.exe	ynyr.exe
PID 4540 wrote to memory of 3704	4540	ynyr.exe	ynyr.exe
PID 4540 wrote to memory of 3704	4540	ynyr.exe	ynyr.exe
PID 4540 wrote to memory of 3704	4540	ynyr.exe	ynyr.exe
PID 4540 wrote to memory of 3704	4540	ynyr.exe	ynyr.exe
PID 4540 wrote to memory of 3704	4540	ynyr.exe	ynyr.exe
PID 4540 wrote to memory of 3704	4540	ynyr.exe	ynyr.exe
PID 4540 wrote to memory of 3704	4540	ynyr.exe	ynyr.exe
PID 4540 wrote to memory of 3704	4540	ynyr.exe	ynyr.exe
PID 3704 wrote to memory of 3296	3704	ynyr.exe	ynyr.exe
PID 3704 wrote to memory of 3296	3704	ynyr.exe	ynyr.exe
PID 3704 wrote to memory of 3296	3704	ynyr.exe	ynyr.exe
PID 3704 wrote to memory of 3296	3704	ynyr.exe	ynyr.exe
PID 3704 wrote to memory of 3296	3704	ynyr.exe	ynyr.exe
PID 3296 wrote to memory of 2168	3296	ynyr.exe	ynyr.exe
PID 3296 wrote to memory of 2168	3296	ynyr.exe	ynyr.exe
PID 3296 wrote to memory of 2168	3296	ynyr.exe	ynyr.exe
PID 2168 wrote to memory of 4216	2168	ynyr.exe	ynyr.exe
PID 2168 wrote to memory of 4216	2168	ynyr.exe	ynyr.exe
PID 2168 wrote to memory of 4216	2168	ynyr.exe	ynyr.exe
PID 2168 wrote to memory of 4216	2168	ynyr.exe	ynyr.exe
PID 2168 wrote to memory of 4216	2168	ynyr.exe	ynyr.exe
PID 2168 wrote to memory of 4216	2168	ynyr.exe	ynyr.exe
PID 2168 wrote to memory of 4216	2168	ynyr.exe	ynyr.exe
PID 2168 wrote to memory of 4216	2168	ynyr.exe	ynyr.exe
PID 3296 wrote to memory of 4576	3296	ynyr.exe	ynyr.exe
PID 3296 wrote to memory of 4576	3296	ynyr.exe	ynyr.exe
PID 3296 wrote to memory of 4576	3296	ynyr.exe	ynyr.exe
PID 4576 wrote to memory of 4904	4576	ynyr.exe	ynyr.exe
PID 4576 wrote to memory of 4904	4576	ynyr.exe	ynyr.exe
PID 4576 wrote to memory of 4904	4576	ynyr.exe	ynyr.exe
PID 4576 wrote to memory of 4904	4576	ynyr.exe	ynyr.exe
PID 4576 wrote to memory of 4904	4576	ynyr.exe	ynyr.exe
PID 4576 wrote to memory of 4904	4576	ynyr.exe	ynyr.exe
PID 4576 wrote to memory of 4904	4576	ynyr.exe	ynyr.exe
PID 4576 wrote to memory of 4904	4576	ynyr.exe	ynyr.exe
PID 3296 wrote to memory of 3780	3296	ynyr.exe	ynyr.exe
PID 3296 wrote to memory of 3780	3296	ynyr.exe	ynyr.exe
PID 3296 wrote to memory of 3780	3296	ynyr.exe	ynyr.exe
PID 3780 wrote to memory of 4316	3780	ynyr.exe	ynyr.exe
PID 3780 wrote to memory of 4316	3780	ynyr.exe	ynyr.exe
PID 3780 wrote to memory of 4316	3780	ynyr.exe	ynyr.exe
PID 3780 wrote to memory of 4316	3780	ynyr.exe	ynyr.exe
PID 3780 wrote to memory of 4316	3780	ynyr.exe	ynyr.exe
PID 3780 wrote to memory of 4316	3780	ynyr.exe	ynyr.exe
PID 3780 wrote to memory of 4316	3780	ynyr.exe	ynyr.exe
PID 3780 wrote to memory of 4316	3780	ynyr.exe	ynyr.exe
PID 3296 wrote to memory of 3092	3296	ynyr.exe	ynyr.exe
PID 3296 wrote to memory of 3092	3296	ynyr.exe	ynyr.exe
PID 3296 wrote to memory of 3092	3296	ynyr.exe	ynyr.exe
PID 3092 wrote to memory of 1568	3092	ynyr.exe	ynyr.exe
PID 3092 wrote to memory of 1568	3092	ynyr.exe	ynyr.exe
PID 3092 wrote to memory of 1568	3092	ynyr.exe	ynyr.exe
PID 3092 wrote to memory of 1568	3092	ynyr.exe	ynyr.exe

C:\Users\Admin\AppData\Local\Temp\35bf46a4562df3fdb49ab5cae2b83d4ff81ff495d916d2c4c3cd21aa3deb97f6.exe
"C:\Users\Admin\AppData\Local\Temp\35bf46a4562df3fdb49ab5cae2b83d4ff81ff495d916d2c4c3cd21aa3deb97f6.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2480

C:\Users\Admin\AppData\Local\Temp\35bf46a4562df3fdb49ab5cae2b83d4ff81ff495d916d2c4c3cd21aa3deb97f6.exe
"C:\Users\Admin\AppData\Local\Temp\35bf46a4562df3fdb49ab5cae2b83d4ff81ff495d916d2c4c3cd21aa3deb97f6.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1248

C:\Users\Admin\AppData\Roaming\ynyr.exe
C:\Users\Admin\AppData\Local\Temp\35bf46a4562df3fdb49ab5cae2b83d4ff81ff495d916d2c4c3cd21aa3deb97f6.exe -dwup
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4540

C:\Users\Admin\AppData\Roaming\ynyr.exe
C:\Users\Admin\AppData\Local\Temp\35bf46a4562df3fdb49ab5cae2b83d4ff81ff495d916d2c4c3cd21aa3deb97f6.exe -dwup
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3704

C:\Users\Admin\AppData\Roaming\ynyr.exe
C:\Users\Admin\AppData\Roaming\ynyr.exe
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3296

C:\Users\Admin\AppData\Roaming\ynyr.exe
C:\Users\Admin\AppData\Roaming\ynyr.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2168

C:\Users\Admin\AppData\Roaming\ynyr.exe
C:\Users\Admin\AppData\Roaming\ynyr.exe
7⤵
- Executes dropped EXE
PID:4216

C:\Users\Admin\AppData\Roaming\ynyr.exe
C:\Users\Admin\AppData\Roaming\ynyr.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4576

C:\Users\Admin\AppData\Roaming\ynyr.exe
C:\Users\Admin\AppData\Roaming\ynyr.exe
7⤵
- Executes dropped EXE
PID:4904

C:\Users\Admin\AppData\Roaming\ynyr.exe
C:\Users\Admin\AppData\Roaming\ynyr.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3780

C:\Users\Admin\AppData\Roaming\ynyr.exe
C:\Users\Admin\AppData\Roaming\ynyr.exe
7⤵
- Executes dropped EXE
PID:4316

C:\Users\Admin\AppData\Roaming\ynyr.exe
C:\Users\Admin\AppData\Roaming\ynyr.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3092

C:\Users\Admin\AppData\Roaming\ynyr.exe
C:\Users\Admin\AppData\Roaming\ynyr.exe
7⤵
- Executes dropped EXE
PID:1568

C:\Users\Admin\AppData\Roaming\ynyr.exe
C:\Users\Admin\AppData\Roaming\ynyr.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3336

C:\Users\Admin\AppData\Roaming\ynyr.exe
C:\Users\Admin\AppData\Roaming\ynyr.exe
7⤵
- Executes dropped EXE
PID:3864

C:\Users\Admin\AppData\Roaming\ynyr.exe
C:\Users\Admin\AppData\Roaming\ynyr.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2324

C:\Users\Admin\AppData\Roaming\ynyr.exe
C:\Users\Admin\AppData\Roaming\ynyr.exe
7⤵
- Executes dropped EXE
PID:1752

C:\Users\Admin\AppData\Roaming\ynyr.exe
C:\Users\Admin\AppData\Roaming\ynyr.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2496

C:\Users\Admin\AppData\Roaming\ynyr.exe
C:\Users\Admin\AppData\Roaming\ynyr.exe
7⤵
- Executes dropped EXE
PID:912

C:\Users\Admin\AppData\Roaming\ynyr.exe
C:\Users\Admin\AppData\Roaming\ynyr.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1632

C:\Users\Admin\AppData\Roaming\ynyr.exe
C:\Users\Admin\AppData\Roaming\ynyr.exe
7⤵
- Executes dropped EXE
PID:2020

C:\Users\Admin\AppData\Roaming\ynyr.exe
C:\Users\Admin\AppData\Roaming\ynyr.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1988

C:\Users\Admin\AppData\Roaming\ynyr.exe
C:\Users\Admin\AppData\Roaming\ynyr.exe
7⤵
- Executes dropped EXE
PID:3800

C:\Users\Admin\AppData\Roaming\ynyr.exe
C:\Users\Admin\AppData\Roaming\ynyr.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3716

C:\Users\Admin\AppData\Roaming\ynyr.exe
C:\Users\Admin\AppData\Roaming\ynyr.exe
7⤵
- Executes dropped EXE
PID:1084

C:\Users\Admin\AppData\Roaming\ynyr.exe
C:\Users\Admin\AppData\Roaming\ynyr.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4740

C:\Users\Admin\AppData\Roaming\ynyr.exe
C:\Users\Admin\AppData\Roaming\ynyr.exe
7⤵
- Executes dropped EXE
PID:948

C:\Users\Admin\AppData\Roaming\ynyr.exe
C:\Users\Admin\AppData\Roaming\ynyr.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3708

C:\Users\Admin\AppData\Roaming\ynyr.exe
C:\Users\Admin\AppData\Roaming\ynyr.exe
7⤵
- Executes dropped EXE
PID:1460

C:\Users\Admin\AppData\Roaming\ynyr.exe
C:\Users\Admin\AppData\Roaming\ynyr.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3972

C:\Users\Admin\AppData\Roaming\ynyr.exe
C:\Users\Admin\AppData\Roaming\ynyr.exe
7⤵
- Executes dropped EXE
PID:4148

C:\Users\Admin\AppData\Roaming\ynyr.exe
C:\Users\Admin\AppData\Roaming\ynyr.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1452

C:\Users\Admin\AppData\Roaming\ynyr.exe
C:\Users\Admin\AppData\Roaming\ynyr.exe
7⤵
- Executes dropped EXE
PID:3596

C:\Users\Admin\AppData\Roaming\ynyr.exe
C:\Users\Admin\AppData\Roaming\ynyr.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4016

C:\Users\Admin\AppData\Roaming\ynyr.exe
C:\Users\Admin\AppData\Roaming\ynyr.exe
7⤵
- Executes dropped EXE
PID:3636

C:\Users\Admin\AppData\Roaming\ynyr.exe
C:\Users\Admin\AppData\Roaming\ynyr.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:408

C:\Users\Admin\AppData\Roaming\ynyr.exe
C:\Users\Admin\AppData\Roaming\ynyr.exe
7⤵
- Executes dropped EXE
PID:3448

C:\Users\Admin\AppData\Roaming\ynyr.exe
C:\Users\Admin\AppData\Roaming\ynyr.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1748

C:\Users\Admin\AppData\Roaming\ynyr.exe
C:\Users\Admin\AppData\Roaming\ynyr.exe
7⤵
- Executes dropped EXE
PID:60

C:\Users\Admin\AppData\Roaming\ynyr.exe
C:\Users\Admin\AppData\Roaming\ynyr.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2296

C:\Users\Admin\AppData\Roaming\ynyr.exe
C:\Users\Admin\AppData\Roaming\ynyr.exe
7⤵
- Executes dropped EXE
PID:1944

C:\Users\Admin\AppData\Roaming\ynyr.exe
C:\Users\Admin\AppData\Roaming\ynyr.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3240

C:\Users\Admin\AppData\Roaming\ynyr.exe
C:\Users\Admin\AppData\Roaming\ynyr.exe
7⤵
- Executes dropped EXE
PID:2348

C:\Users\Admin\AppData\Roaming\ynyr.exe
C:\Users\Admin\AppData\Roaming\ynyr.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5116

C:\Users\Admin\AppData\Roaming\ynyr.exe
C:\Users\Admin\AppData\Roaming\ynyr.exe
7⤵
- Executes dropped EXE
PID:1772

C:\Users\Admin\AppData\Roaming\ynyr.exe
C:\Users\Admin\AppData\Roaming\ynyr.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2316

C:\Users\Admin\AppData\Roaming\ynyr.exe
C:\Users\Admin\AppData\Roaming\ynyr.exe
7⤵
- Executes dropped EXE
PID:4124

C:\Users\Admin\AppData\Roaming\ynyr.exe
C:\Users\Admin\AppData\Roaming\ynyr.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2204

C:\Users\Admin\AppData\Roaming\ynyr.exe
C:\Users\Admin\AppData\Roaming\ynyr.exe
7⤵
- Executes dropped EXE
PID:4688

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ynyr.exe

Filesize
842KB

MD5
44ab671f5c236837cec2588ffa3b13a0

SHA1
35aa266ccc17754c64a195349698da143cbcccea

SHA256
35bf46a4562df3fdb49ab5cae2b83d4ff81ff495d916d2c4c3cd21aa3deb97f6

SHA512
20ddf228c9bf5a38fe582fbd725b7ee29248115219dcdae23ef471e68806be908ad3e84a63686da98cc7681b15cf433391f69de301efd463efd16184526f1fad

Download Submit
C:\Users\Admin\AppData\Roaming\ynyr.exe

Filesize
842KB

MD5
44ab671f5c236837cec2588ffa3b13a0

SHA1
35aa266ccc17754c64a195349698da143cbcccea

SHA256
35bf46a4562df3fdb49ab5cae2b83d4ff81ff495d916d2c4c3cd21aa3deb97f6

SHA512
20ddf228c9bf5a38fe582fbd725b7ee29248115219dcdae23ef471e68806be908ad3e84a63686da98cc7681b15cf433391f69de301efd463efd16184526f1fad

Download Submit
C:\Users\Admin\AppData\Roaming\ynyr.exe

Filesize
842KB

MD5
44ab671f5c236837cec2588ffa3b13a0

SHA1
35aa266ccc17754c64a195349698da143cbcccea

SHA256
35bf46a4562df3fdb49ab5cae2b83d4ff81ff495d916d2c4c3cd21aa3deb97f6

SHA512
20ddf228c9bf5a38fe582fbd725b7ee29248115219dcdae23ef471e68806be908ad3e84a63686da98cc7681b15cf433391f69de301efd463efd16184526f1fad

Download Submit
C:\Users\Admin\AppData\Roaming\ynyr.exe

Filesize
842KB

MD5
44ab671f5c236837cec2588ffa3b13a0

SHA1
35aa266ccc17754c64a195349698da143cbcccea

SHA256
35bf46a4562df3fdb49ab5cae2b83d4ff81ff495d916d2c4c3cd21aa3deb97f6

SHA512
20ddf228c9bf5a38fe582fbd725b7ee29248115219dcdae23ef471e68806be908ad3e84a63686da98cc7681b15cf433391f69de301efd463efd16184526f1fad

Download Submit
C:\Users\Admin\AppData\Roaming\ynyr.exe

Filesize
842KB

MD5
44ab671f5c236837cec2588ffa3b13a0

SHA1
35aa266ccc17754c64a195349698da143cbcccea

SHA256
35bf46a4562df3fdb49ab5cae2b83d4ff81ff495d916d2c4c3cd21aa3deb97f6

SHA512
20ddf228c9bf5a38fe582fbd725b7ee29248115219dcdae23ef471e68806be908ad3e84a63686da98cc7681b15cf433391f69de301efd463efd16184526f1fad

Download Submit
C:\Users\Admin\AppData\Roaming\ynyr.exe

Filesize
842KB

MD5
44ab671f5c236837cec2588ffa3b13a0

SHA1
35aa266ccc17754c64a195349698da143cbcccea

SHA256
35bf46a4562df3fdb49ab5cae2b83d4ff81ff495d916d2c4c3cd21aa3deb97f6

SHA512
20ddf228c9bf5a38fe582fbd725b7ee29248115219dcdae23ef471e68806be908ad3e84a63686da98cc7681b15cf433391f69de301efd463efd16184526f1fad

Download Submit
C:\Users\Admin\AppData\Roaming\ynyr.exe

Filesize
842KB

MD5
44ab671f5c236837cec2588ffa3b13a0

SHA1
35aa266ccc17754c64a195349698da143cbcccea

SHA256
35bf46a4562df3fdb49ab5cae2b83d4ff81ff495d916d2c4c3cd21aa3deb97f6

SHA512
20ddf228c9bf5a38fe582fbd725b7ee29248115219dcdae23ef471e68806be908ad3e84a63686da98cc7681b15cf433391f69de301efd463efd16184526f1fad

Download Submit
C:\Users\Admin\AppData\Roaming\ynyr.exe

Filesize
842KB

MD5
44ab671f5c236837cec2588ffa3b13a0

SHA1
35aa266ccc17754c64a195349698da143cbcccea

SHA256
35bf46a4562df3fdb49ab5cae2b83d4ff81ff495d916d2c4c3cd21aa3deb97f6

SHA512
20ddf228c9bf5a38fe582fbd725b7ee29248115219dcdae23ef471e68806be908ad3e84a63686da98cc7681b15cf433391f69de301efd463efd16184526f1fad

Download Submit
C:\Users\Admin\AppData\Roaming\ynyr.exe

Filesize
842KB

MD5
44ab671f5c236837cec2588ffa3b13a0

SHA1
35aa266ccc17754c64a195349698da143cbcccea

SHA256
35bf46a4562df3fdb49ab5cae2b83d4ff81ff495d916d2c4c3cd21aa3deb97f6

SHA512
20ddf228c9bf5a38fe582fbd725b7ee29248115219dcdae23ef471e68806be908ad3e84a63686da98cc7681b15cf433391f69de301efd463efd16184526f1fad

Download Submit
C:\Users\Admin\AppData\Roaming\ynyr.exe

Filesize
842KB

MD5
44ab671f5c236837cec2588ffa3b13a0

SHA1
35aa266ccc17754c64a195349698da143cbcccea

SHA256
35bf46a4562df3fdb49ab5cae2b83d4ff81ff495d916d2c4c3cd21aa3deb97f6

SHA512
20ddf228c9bf5a38fe582fbd725b7ee29248115219dcdae23ef471e68806be908ad3e84a63686da98cc7681b15cf433391f69de301efd463efd16184526f1fad

Download Submit
C:\Users\Admin\AppData\Roaming\ynyr.exe

Filesize
842KB

MD5
44ab671f5c236837cec2588ffa3b13a0

SHA1
35aa266ccc17754c64a195349698da143cbcccea

SHA256
35bf46a4562df3fdb49ab5cae2b83d4ff81ff495d916d2c4c3cd21aa3deb97f6

SHA512
20ddf228c9bf5a38fe582fbd725b7ee29248115219dcdae23ef471e68806be908ad3e84a63686da98cc7681b15cf433391f69de301efd463efd16184526f1fad

Download Submit
C:\Users\Admin\AppData\Roaming\ynyr.exe

Filesize
842KB

MD5
44ab671f5c236837cec2588ffa3b13a0

SHA1
35aa266ccc17754c64a195349698da143cbcccea

SHA256
35bf46a4562df3fdb49ab5cae2b83d4ff81ff495d916d2c4c3cd21aa3deb97f6

SHA512
20ddf228c9bf5a38fe582fbd725b7ee29248115219dcdae23ef471e68806be908ad3e84a63686da98cc7681b15cf433391f69de301efd463efd16184526f1fad

Download Submit
C:\Users\Admin\AppData\Roaming\ynyr.exe

Filesize
842KB

MD5
44ab671f5c236837cec2588ffa3b13a0

SHA1
35aa266ccc17754c64a195349698da143cbcccea

SHA256
35bf46a4562df3fdb49ab5cae2b83d4ff81ff495d916d2c4c3cd21aa3deb97f6

SHA512
20ddf228c9bf5a38fe582fbd725b7ee29248115219dcdae23ef471e68806be908ad3e84a63686da98cc7681b15cf433391f69de301efd463efd16184526f1fad

Download Submit
C:\Users\Admin\AppData\Roaming\ynyr.exe

Filesize
842KB

MD5
44ab671f5c236837cec2588ffa3b13a0

SHA1
35aa266ccc17754c64a195349698da143cbcccea

SHA256
35bf46a4562df3fdb49ab5cae2b83d4ff81ff495d916d2c4c3cd21aa3deb97f6

SHA512
20ddf228c9bf5a38fe582fbd725b7ee29248115219dcdae23ef471e68806be908ad3e84a63686da98cc7681b15cf433391f69de301efd463efd16184526f1fad

Download Submit
C:\Users\Admin\AppData\Roaming\ynyr.exe

Filesize
842KB

MD5
44ab671f5c236837cec2588ffa3b13a0

SHA1
35aa266ccc17754c64a195349698da143cbcccea

SHA256
35bf46a4562df3fdb49ab5cae2b83d4ff81ff495d916d2c4c3cd21aa3deb97f6

SHA512
20ddf228c9bf5a38fe582fbd725b7ee29248115219dcdae23ef471e68806be908ad3e84a63686da98cc7681b15cf433391f69de301efd463efd16184526f1fad

Download Submit
C:\Users\Admin\AppData\Roaming\ynyr.exe

Filesize
842KB

MD5
44ab671f5c236837cec2588ffa3b13a0

SHA1
35aa266ccc17754c64a195349698da143cbcccea

SHA256
35bf46a4562df3fdb49ab5cae2b83d4ff81ff495d916d2c4c3cd21aa3deb97f6

SHA512
20ddf228c9bf5a38fe582fbd725b7ee29248115219dcdae23ef471e68806be908ad3e84a63686da98cc7681b15cf433391f69de301efd463efd16184526f1fad

Download Submit
C:\Users\Admin\AppData\Roaming\ynyr.exe

Filesize
842KB

MD5
44ab671f5c236837cec2588ffa3b13a0

SHA1
35aa266ccc17754c64a195349698da143cbcccea

SHA256
35bf46a4562df3fdb49ab5cae2b83d4ff81ff495d916d2c4c3cd21aa3deb97f6

SHA512
20ddf228c9bf5a38fe582fbd725b7ee29248115219dcdae23ef471e68806be908ad3e84a63686da98cc7681b15cf433391f69de301efd463efd16184526f1fad

Download Submit
C:\Users\Admin\AppData\Roaming\ynyr.exe

Filesize
842KB

MD5
44ab671f5c236837cec2588ffa3b13a0

SHA1
35aa266ccc17754c64a195349698da143cbcccea

SHA256
35bf46a4562df3fdb49ab5cae2b83d4ff81ff495d916d2c4c3cd21aa3deb97f6

SHA512
20ddf228c9bf5a38fe582fbd725b7ee29248115219dcdae23ef471e68806be908ad3e84a63686da98cc7681b15cf433391f69de301efd463efd16184526f1fad

Download Submit
C:\Users\Admin\AppData\Roaming\ynyr.exe

Filesize
842KB

MD5
44ab671f5c236837cec2588ffa3b13a0

SHA1
35aa266ccc17754c64a195349698da143cbcccea

SHA256
35bf46a4562df3fdb49ab5cae2b83d4ff81ff495d916d2c4c3cd21aa3deb97f6

SHA512
20ddf228c9bf5a38fe582fbd725b7ee29248115219dcdae23ef471e68806be908ad3e84a63686da98cc7681b15cf433391f69de301efd463efd16184526f1fad

Download Submit
C:\Users\Admin\AppData\Roaming\ynyr.exe

Filesize
842KB

MD5
44ab671f5c236837cec2588ffa3b13a0

SHA1
35aa266ccc17754c64a195349698da143cbcccea

SHA256
35bf46a4562df3fdb49ab5cae2b83d4ff81ff495d916d2c4c3cd21aa3deb97f6

SHA512
20ddf228c9bf5a38fe582fbd725b7ee29248115219dcdae23ef471e68806be908ad3e84a63686da98cc7681b15cf433391f69de301efd463efd16184526f1fad

Download Submit
C:\Users\Admin\AppData\Roaming\ynyr.exe

Filesize
842KB

MD5
44ab671f5c236837cec2588ffa3b13a0

SHA1
35aa266ccc17754c64a195349698da143cbcccea

SHA256
35bf46a4562df3fdb49ab5cae2b83d4ff81ff495d916d2c4c3cd21aa3deb97f6

SHA512
20ddf228c9bf5a38fe582fbd725b7ee29248115219dcdae23ef471e68806be908ad3e84a63686da98cc7681b15cf433391f69de301efd463efd16184526f1fad

Download Submit
C:\Users\Admin\AppData\Roaming\ynyr.exe

Filesize
842KB

MD5
44ab671f5c236837cec2588ffa3b13a0

SHA1
35aa266ccc17754c64a195349698da143cbcccea

SHA256
35bf46a4562df3fdb49ab5cae2b83d4ff81ff495d916d2c4c3cd21aa3deb97f6

SHA512
20ddf228c9bf5a38fe582fbd725b7ee29248115219dcdae23ef471e68806be908ad3e84a63686da98cc7681b15cf433391f69de301efd463efd16184526f1fad

Download Submit
C:\Users\Admin\AppData\Roaming\ynyr.exe

Filesize
842KB

MD5
44ab671f5c236837cec2588ffa3b13a0

SHA1
35aa266ccc17754c64a195349698da143cbcccea

SHA256
35bf46a4562df3fdb49ab5cae2b83d4ff81ff495d916d2c4c3cd21aa3deb97f6

SHA512
20ddf228c9bf5a38fe582fbd725b7ee29248115219dcdae23ef471e68806be908ad3e84a63686da98cc7681b15cf433391f69de301efd463efd16184526f1fad

Download Submit
C:\Users\Admin\AppData\Roaming\ynyr.exe

Filesize
842KB

MD5
44ab671f5c236837cec2588ffa3b13a0

SHA1
35aa266ccc17754c64a195349698da143cbcccea

SHA256
35bf46a4562df3fdb49ab5cae2b83d4ff81ff495d916d2c4c3cd21aa3deb97f6

SHA512
20ddf228c9bf5a38fe582fbd725b7ee29248115219dcdae23ef471e68806be908ad3e84a63686da98cc7681b15cf433391f69de301efd463efd16184526f1fad

Download Submit
C:\Users\Admin\AppData\Roaming\ynyr.exe

Filesize
842KB

MD5
44ab671f5c236837cec2588ffa3b13a0

SHA1
35aa266ccc17754c64a195349698da143cbcccea

SHA256
35bf46a4562df3fdb49ab5cae2b83d4ff81ff495d916d2c4c3cd21aa3deb97f6

SHA512
20ddf228c9bf5a38fe582fbd725b7ee29248115219dcdae23ef471e68806be908ad3e84a63686da98cc7681b15cf433391f69de301efd463efd16184526f1fad

Download Submit
C:\Users\Admin\AppData\Roaming\ynyr.exe

Filesize
842KB

MD5
44ab671f5c236837cec2588ffa3b13a0

SHA1
35aa266ccc17754c64a195349698da143cbcccea

SHA256
35bf46a4562df3fdb49ab5cae2b83d4ff81ff495d916d2c4c3cd21aa3deb97f6

SHA512
20ddf228c9bf5a38fe582fbd725b7ee29248115219dcdae23ef471e68806be908ad3e84a63686da98cc7681b15cf433391f69de301efd463efd16184526f1fad

Download Submit
C:\Users\Admin\AppData\Roaming\ynyr.exe

Filesize
842KB

MD5
44ab671f5c236837cec2588ffa3b13a0

SHA1
35aa266ccc17754c64a195349698da143cbcccea

SHA256
35bf46a4562df3fdb49ab5cae2b83d4ff81ff495d916d2c4c3cd21aa3deb97f6

SHA512
20ddf228c9bf5a38fe582fbd725b7ee29248115219dcdae23ef471e68806be908ad3e84a63686da98cc7681b15cf433391f69de301efd463efd16184526f1fad

Download Submit
C:\Users\Admin\AppData\Roaming\ynyr.exe

Filesize
842KB

MD5
44ab671f5c236837cec2588ffa3b13a0

SHA1
35aa266ccc17754c64a195349698da143cbcccea

SHA256
35bf46a4562df3fdb49ab5cae2b83d4ff81ff495d916d2c4c3cd21aa3deb97f6

SHA512
20ddf228c9bf5a38fe582fbd725b7ee29248115219dcdae23ef471e68806be908ad3e84a63686da98cc7681b15cf433391f69de301efd463efd16184526f1fad

Download Submit
C:\Users\Admin\AppData\Roaming\ynyr.exe

Filesize
842KB

MD5
44ab671f5c236837cec2588ffa3b13a0

SHA1
35aa266ccc17754c64a195349698da143cbcccea

SHA256
35bf46a4562df3fdb49ab5cae2b83d4ff81ff495d916d2c4c3cd21aa3deb97f6

SHA512
20ddf228c9bf5a38fe582fbd725b7ee29248115219dcdae23ef471e68806be908ad3e84a63686da98cc7681b15cf433391f69de301efd463efd16184526f1fad

Download Submit
C:\Users\Admin\AppData\Roaming\ynyr.exe

Filesize
842KB

MD5
44ab671f5c236837cec2588ffa3b13a0

SHA1
35aa266ccc17754c64a195349698da143cbcccea

SHA256
35bf46a4562df3fdb49ab5cae2b83d4ff81ff495d916d2c4c3cd21aa3deb97f6

SHA512
20ddf228c9bf5a38fe582fbd725b7ee29248115219dcdae23ef471e68806be908ad3e84a63686da98cc7681b15cf433391f69de301efd463efd16184526f1fad

Download Submit
C:\Users\Admin\AppData\Roaming\ynyr.exe

Filesize
842KB

MD5
44ab671f5c236837cec2588ffa3b13a0

SHA1
35aa266ccc17754c64a195349698da143cbcccea

SHA256
35bf46a4562df3fdb49ab5cae2b83d4ff81ff495d916d2c4c3cd21aa3deb97f6

SHA512
20ddf228c9bf5a38fe582fbd725b7ee29248115219dcdae23ef471e68806be908ad3e84a63686da98cc7681b15cf433391f69de301efd463efd16184526f1fad

Download Submit
C:\Users\Admin\AppData\Roaming\ynyr.exe

Filesize
842KB

MD5
44ab671f5c236837cec2588ffa3b13a0

SHA1
35aa266ccc17754c64a195349698da143cbcccea

SHA256
35bf46a4562df3fdb49ab5cae2b83d4ff81ff495d916d2c4c3cd21aa3deb97f6

SHA512
20ddf228c9bf5a38fe582fbd725b7ee29248115219dcdae23ef471e68806be908ad3e84a63686da98cc7681b15cf433391f69de301efd463efd16184526f1fad

Download Submit
C:\Users\Admin\AppData\Roaming\ynyr.exe

Filesize
842KB

MD5
44ab671f5c236837cec2588ffa3b13a0

SHA1
35aa266ccc17754c64a195349698da143cbcccea

SHA256
35bf46a4562df3fdb49ab5cae2b83d4ff81ff495d916d2c4c3cd21aa3deb97f6

SHA512
20ddf228c9bf5a38fe582fbd725b7ee29248115219dcdae23ef471e68806be908ad3e84a63686da98cc7681b15cf433391f69de301efd463efd16184526f1fad

Download Submit
C:\Users\Admin\AppData\Roaming\ynyr.exe

Filesize
842KB

MD5
44ab671f5c236837cec2588ffa3b13a0

SHA1
35aa266ccc17754c64a195349698da143cbcccea

SHA256
35bf46a4562df3fdb49ab5cae2b83d4ff81ff495d916d2c4c3cd21aa3deb97f6

SHA512
20ddf228c9bf5a38fe582fbd725b7ee29248115219dcdae23ef471e68806be908ad3e84a63686da98cc7681b15cf433391f69de301efd463efd16184526f1fad

Download Submit
C:\Users\Admin\AppData\Roaming\ynyr.exe

Filesize
842KB

MD5
44ab671f5c236837cec2588ffa3b13a0

SHA1
35aa266ccc17754c64a195349698da143cbcccea

SHA256
35bf46a4562df3fdb49ab5cae2b83d4ff81ff495d916d2c4c3cd21aa3deb97f6

SHA512
20ddf228c9bf5a38fe582fbd725b7ee29248115219dcdae23ef471e68806be908ad3e84a63686da98cc7681b15cf433391f69de301efd463efd16184526f1fad

Download Submit
C:\Users\Admin\AppData\Roaming\ynyr.exe

Filesize
842KB

MD5
44ab671f5c236837cec2588ffa3b13a0

SHA1
35aa266ccc17754c64a195349698da143cbcccea

SHA256
35bf46a4562df3fdb49ab5cae2b83d4ff81ff495d916d2c4c3cd21aa3deb97f6

SHA512
20ddf228c9bf5a38fe582fbd725b7ee29248115219dcdae23ef471e68806be908ad3e84a63686da98cc7681b15cf433391f69de301efd463efd16184526f1fad

Download Submit
C:\Users\Admin\AppData\Roaming\ynyr.exe

Filesize
842KB

MD5
44ab671f5c236837cec2588ffa3b13a0

SHA1
35aa266ccc17754c64a195349698da143cbcccea

SHA256
35bf46a4562df3fdb49ab5cae2b83d4ff81ff495d916d2c4c3cd21aa3deb97f6

SHA512
20ddf228c9bf5a38fe582fbd725b7ee29248115219dcdae23ef471e68806be908ad3e84a63686da98cc7681b15cf433391f69de301efd463efd16184526f1fad

Download Submit
C:\Users\Admin\AppData\Roaming\ynyr.exe

Filesize
842KB

MD5
44ab671f5c236837cec2588ffa3b13a0

SHA1
35aa266ccc17754c64a195349698da143cbcccea

SHA256
35bf46a4562df3fdb49ab5cae2b83d4ff81ff495d916d2c4c3cd21aa3deb97f6

SHA512
20ddf228c9bf5a38fe582fbd725b7ee29248115219dcdae23ef471e68806be908ad3e84a63686da98cc7681b15cf433391f69de301efd463efd16184526f1fad

Download Submit
C:\Users\Admin\AppData\Roaming\ynyr.exe

Filesize
842KB

MD5
44ab671f5c236837cec2588ffa3b13a0

SHA1
35aa266ccc17754c64a195349698da143cbcccea

SHA256
35bf46a4562df3fdb49ab5cae2b83d4ff81ff495d916d2c4c3cd21aa3deb97f6

SHA512
20ddf228c9bf5a38fe582fbd725b7ee29248115219dcdae23ef471e68806be908ad3e84a63686da98cc7681b15cf433391f69de301efd463efd16184526f1fad

Download Submit
C:\Users\Admin\AppData\Roaming\ynyr.exe

Filesize
842KB

MD5
44ab671f5c236837cec2588ffa3b13a0

SHA1
35aa266ccc17754c64a195349698da143cbcccea

SHA256
35bf46a4562df3fdb49ab5cae2b83d4ff81ff495d916d2c4c3cd21aa3deb97f6

SHA512
20ddf228c9bf5a38fe582fbd725b7ee29248115219dcdae23ef471e68806be908ad3e84a63686da98cc7681b15cf433391f69de301efd463efd16184526f1fad

Download Submit
C:\Users\Admin\AppData\Roaming\ynyr.exe

Filesize
842KB

MD5
44ab671f5c236837cec2588ffa3b13a0

SHA1
35aa266ccc17754c64a195349698da143cbcccea

SHA256
35bf46a4562df3fdb49ab5cae2b83d4ff81ff495d916d2c4c3cd21aa3deb97f6

SHA512
20ddf228c9bf5a38fe582fbd725b7ee29248115219dcdae23ef471e68806be908ad3e84a63686da98cc7681b15cf433391f69de301efd463efd16184526f1fad

Download Submit
C:\Users\Admin\AppData\Roaming\ynyr.exe

Filesize
842KB

MD5
44ab671f5c236837cec2588ffa3b13a0

SHA1
35aa266ccc17754c64a195349698da143cbcccea

SHA256
35bf46a4562df3fdb49ab5cae2b83d4ff81ff495d916d2c4c3cd21aa3deb97f6

SHA512
20ddf228c9bf5a38fe582fbd725b7ee29248115219dcdae23ef471e68806be908ad3e84a63686da98cc7681b15cf433391f69de301efd463efd16184526f1fad

Download Submit
C:\Users\Admin\AppData\Roaming\ynyr.exe

Filesize
842KB

MD5
44ab671f5c236837cec2588ffa3b13a0

SHA1
35aa266ccc17754c64a195349698da143cbcccea

SHA256
35bf46a4562df3fdb49ab5cae2b83d4ff81ff495d916d2c4c3cd21aa3deb97f6

SHA512
20ddf228c9bf5a38fe582fbd725b7ee29248115219dcdae23ef471e68806be908ad3e84a63686da98cc7681b15cf433391f69de301efd463efd16184526f1fad

Download Submit
C:\Users\Admin\AppData\Roaming\ynyr.exe

Filesize
842KB

MD5
44ab671f5c236837cec2588ffa3b13a0

SHA1
35aa266ccc17754c64a195349698da143cbcccea

SHA256
35bf46a4562df3fdb49ab5cae2b83d4ff81ff495d916d2c4c3cd21aa3deb97f6

SHA512
20ddf228c9bf5a38fe582fbd725b7ee29248115219dcdae23ef471e68806be908ad3e84a63686da98cc7681b15cf433391f69de301efd463efd16184526f1fad

Download Submit
C:\Users\Admin\AppData\Roaming\ynyr.exe

Filesize
842KB

MD5
44ab671f5c236837cec2588ffa3b13a0

SHA1
35aa266ccc17754c64a195349698da143cbcccea

SHA256
35bf46a4562df3fdb49ab5cae2b83d4ff81ff495d916d2c4c3cd21aa3deb97f6

SHA512
20ddf228c9bf5a38fe582fbd725b7ee29248115219dcdae23ef471e68806be908ad3e84a63686da98cc7681b15cf433391f69de301efd463efd16184526f1fad

Download Submit
C:\Users\Admin\AppData\Roaming\ynyr.exe

Filesize
842KB

MD5
44ab671f5c236837cec2588ffa3b13a0

SHA1
35aa266ccc17754c64a195349698da143cbcccea

SHA256
35bf46a4562df3fdb49ab5cae2b83d4ff81ff495d916d2c4c3cd21aa3deb97f6

SHA512
20ddf228c9bf5a38fe582fbd725b7ee29248115219dcdae23ef471e68806be908ad3e84a63686da98cc7681b15cf433391f69de301efd463efd16184526f1fad

Download Submit
C:\Users\Admin\AppData\Roaming\ynyr.exe

Filesize
842KB

MD5
44ab671f5c236837cec2588ffa3b13a0

SHA1
35aa266ccc17754c64a195349698da143cbcccea

SHA256
35bf46a4562df3fdb49ab5cae2b83d4ff81ff495d916d2c4c3cd21aa3deb97f6

SHA512
20ddf228c9bf5a38fe582fbd725b7ee29248115219dcdae23ef471e68806be908ad3e84a63686da98cc7681b15cf433391f69de301efd463efd16184526f1fad

Download Submit
C:\Users\Admin\AppData\Roaming\ynyr.exe

Filesize
842KB

MD5
44ab671f5c236837cec2588ffa3b13a0

SHA1
35aa266ccc17754c64a195349698da143cbcccea

SHA256
35bf46a4562df3fdb49ab5cae2b83d4ff81ff495d916d2c4c3cd21aa3deb97f6

SHA512
20ddf228c9bf5a38fe582fbd725b7ee29248115219dcdae23ef471e68806be908ad3e84a63686da98cc7681b15cf433391f69de301efd463efd16184526f1fad

Download Submit
memory/60-279-0x0000000000000000-mapping.dmp

Download
memory/60-284-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/408-269-0x0000000000000000-mapping.dmp

Download
memory/912-204-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/912-199-0x0000000000000000-mapping.dmp

Download
memory/948-231-0x0000000000000000-mapping.dmp

Download
memory/948-236-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1084-223-0x0000000000000000-mapping.dmp

Download
memory/1084-228-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1248-133-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1248-132-0x0000000000000000-mapping.dmp

Download
memory/1248-135-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1248-136-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1452-253-0x0000000000000000-mapping.dmp

Download
memory/1460-239-0x0000000000000000-mapping.dmp

Download
memory/1460-244-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1568-175-0x0000000000000000-mapping.dmp

Download
memory/1568-180-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1632-205-0x0000000000000000-mapping.dmp

Download
memory/1748-277-0x0000000000000000-mapping.dmp

Download
memory/1752-191-0x0000000000000000-mapping.dmp

Download
memory/1752-196-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1772-303-0x0000000000000000-mapping.dmp

Download
memory/1772-308-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1944-287-0x0000000000000000-mapping.dmp

Download
memory/1944-292-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1988-213-0x0000000000000000-mapping.dmp

Download
memory/2020-212-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2020-207-0x0000000000000000-mapping.dmp

Download
memory/2168-149-0x0000000000000000-mapping.dmp

Download
memory/2204-317-0x0000000000000000-mapping.dmp

Download
memory/2296-285-0x0000000000000000-mapping.dmp

Download
memory/2316-309-0x0000000000000000-mapping.dmp

Download
memory/2324-189-0x0000000000000000-mapping.dmp

Download
memory/2348-300-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2348-295-0x0000000000000000-mapping.dmp

Download
memory/2496-197-0x0000000000000000-mapping.dmp

Download
memory/3092-173-0x0000000000000000-mapping.dmp

Download
memory/3240-293-0x0000000000000000-mapping.dmp

Download
memory/3296-146-0x0000000000000000-mapping.dmp

Download
memory/3336-181-0x0000000000000000-mapping.dmp

Download
memory/3448-271-0x0000000000000000-mapping.dmp

Download
memory/3448-276-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3596-260-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3596-255-0x0000000000000000-mapping.dmp

Download
memory/3636-268-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3636-263-0x0000000000000000-mapping.dmp

Download
memory/3704-145-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3704-140-0x0000000000000000-mapping.dmp

Download
memory/3704-144-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3704-148-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3708-237-0x0000000000000000-mapping.dmp

Download
memory/3716-221-0x0000000000000000-mapping.dmp

Download
memory/3780-165-0x0000000000000000-mapping.dmp

Download
memory/3800-215-0x0000000000000000-mapping.dmp

Download
memory/3800-220-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3864-188-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3864-183-0x0000000000000000-mapping.dmp

Download
memory/3972-245-0x0000000000000000-mapping.dmp

Download
memory/4016-261-0x0000000000000000-mapping.dmp

Download
memory/4124-311-0x0000000000000000-mapping.dmp

Download
memory/4124-316-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4148-252-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4148-247-0x0000000000000000-mapping.dmp

Download
memory/4216-156-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4216-151-0x0000000000000000-mapping.dmp

Download
memory/4316-167-0x0000000000000000-mapping.dmp

Download
memory/4316-172-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4540-137-0x0000000000000000-mapping.dmp

Download
memory/4576-157-0x0000000000000000-mapping.dmp

Download
memory/4688-319-0x0000000000000000-mapping.dmp

Download
memory/4688-324-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4740-229-0x0000000000000000-mapping.dmp

Download
memory/4904-164-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4904-159-0x0000000000000000-mapping.dmp

Download
memory/5116-301-0x0000000000000000-mapping.dmp

Download