Malware Analysis Report

2025-08-11 06:04

Sample ID 240222-xdnneaec68
Target YNAB 4_4.3.857_Setup.exe
SHA256 f3021e45c82d72bd139d86f6a68c96af201bedf53a373f183dca037003b9cdc6
Tags
discovery
score
7/10

Analysis Overview

score
7/10

SHA256

f3021e45c82d72bd139d86f6a68c96af201bedf53a373f183dca037003b9cdc6

Threat Level: Shows suspicious behavior

The file YNAB 4_4.3.857_Setup.exe was classified as: Shows suspicious behavior.

Malicious Activity Summary

discovery

Loads dropped DLL

Executes dropped EXE

Checks installed software on the system

Drops file in Program Files directory

Enumerates physical storage devices

Checks processor information in registry

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Modifies system certificate store

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-22 18:44

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-22 18:44

Reported

2024-02-22 18:47

Platform

win7-20240221-en

Max time kernel

122s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\YNAB 4_4.3.857_Setup.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-SUONG.tmp\YNAB 4_4.3.857_Setup.tmp N/A
N/A N/A C:\Program Files (x86)\YNAB 4\YNAB 4.exe N/A

Checks installed software on the system

discovery

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\YNAB 4\is-JRBJD.tmp C:\Users\Admin\AppData\Local\Temp\is-SUONG.tmp\YNAB 4_4.3.857_Setup.tmp N/A
File created C:\Program Files (x86)\YNAB 4\Adobe AIR\Versions\1.0\Resources\WebKit\is-6QMF7.tmp C:\Users\Admin\AppData\Local\Temp\is-SUONG.tmp\YNAB 4_4.3.857_Setup.tmp N/A
File created C:\Program Files (x86)\YNAB 4\assets\is-72U5T.tmp C:\Users\Admin\AppData\Local\Temp\is-SUONG.tmp\YNAB 4_4.3.857_Setup.tmp N/A
File created C:\Program Files (x86)\YNAB 4\Adobe AIR\Versions\1.0\is-S010J.tmp C:\Users\Admin\AppData\Local\Temp\is-SUONG.tmp\YNAB 4_4.3.857_Setup.tmp N/A
File created C:\Program Files (x86)\YNAB 4\Adobe AIR\Versions\1.0\Resources\is-NUAB5.tmp C:\Users\Admin\AppData\Local\Temp\is-SUONG.tmp\YNAB 4_4.3.857_Setup.tmp N/A
File created C:\Program Files (x86)\YNAB 4\Adobe AIR\Versions\1.0\Resources\is-IDGSF.tmp C:\Users\Admin\AppData\Local\Temp\is-SUONG.tmp\YNAB 4_4.3.857_Setup.tmp N/A
File created C:\Program Files (x86)\YNAB 4\Adobe AIR\Versions\1.0\Resources\WebKit\is-GE2E7.tmp C:\Users\Admin\AppData\Local\Temp\is-SUONG.tmp\YNAB 4_4.3.857_Setup.tmp N/A
File created C:\Program Files (x86)\YNAB 4\is-EQG4J.tmp C:\Users\Admin\AppData\Local\Temp\is-SUONG.tmp\YNAB 4_4.3.857_Setup.tmp N/A
File created C:\Program Files (x86)\YNAB 4\is-UTC62.tmp C:\Users\Admin\AppData\Local\Temp\is-SUONG.tmp\YNAB 4_4.3.857_Setup.tmp N/A
File created C:\Program Files (x86)\YNAB 4\Adobe AIR\Versions\1.0\Resources\is-BPOO5.tmp C:\Users\Admin\AppData\Local\Temp\is-SUONG.tmp\YNAB 4_4.3.857_Setup.tmp N/A
File created C:\Program Files (x86)\YNAB 4\assets\is-7P1J0.tmp C:\Users\Admin\AppData\Local\Temp\is-SUONG.tmp\YNAB 4_4.3.857_Setup.tmp N/A
File created C:\Program Files (x86)\YNAB 4\assets\is-S10BN.tmp C:\Users\Admin\AppData\Local\Temp\is-SUONG.tmp\YNAB 4_4.3.857_Setup.tmp N/A
File created C:\Program Files (x86)\YNAB 4\assets\is-UGN59.tmp C:\Users\Admin\AppData\Local\Temp\is-SUONG.tmp\YNAB 4_4.3.857_Setup.tmp N/A
File created C:\Program Files (x86)\YNAB 4\is-KARNU.tmp C:\Users\Admin\AppData\Local\Temp\is-SUONG.tmp\YNAB 4_4.3.857_Setup.tmp N/A
File created C:\Program Files (x86)\YNAB 4\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-SUONG.tmp\YNAB 4_4.3.857_Setup.tmp N/A
File created C:\Program Files (x86)\YNAB 4\is-PNHHU.tmp C:\Users\Admin\AppData\Local\Temp\is-SUONG.tmp\YNAB 4_4.3.857_Setup.tmp N/A
File created C:\Program Files (x86)\YNAB 4\is-57EM6.tmp C:\Users\Admin\AppData\Local\Temp\is-SUONG.tmp\YNAB 4_4.3.857_Setup.tmp N/A
File created C:\Program Files (x86)\YNAB 4\META-INF\AIR\is-Q4CO8.tmp C:\Users\Admin\AppData\Local\Temp\is-SUONG.tmp\YNAB 4_4.3.857_Setup.tmp N/A
File created C:\Program Files (x86)\YNAB 4\META-INF\AIR\is-9DEOM.tmp C:\Users\Admin\AppData\Local\Temp\is-SUONG.tmp\YNAB 4_4.3.857_Setup.tmp N/A
File created C:\Program Files (x86)\YNAB 4\is-S0K0A.tmp C:\Users\Admin\AppData\Local\Temp\is-SUONG.tmp\YNAB 4_4.3.857_Setup.tmp N/A
File created C:\Program Files (x86)\YNAB 4\is-E1RJN.tmp C:\Users\Admin\AppData\Local\Temp\is-SUONG.tmp\YNAB 4_4.3.857_Setup.tmp N/A
File created C:\Program Files (x86)\YNAB 4\assets\is-0RFTF.tmp C:\Users\Admin\AppData\Local\Temp\is-SUONG.tmp\YNAB 4_4.3.857_Setup.tmp N/A
File created C:\Program Files (x86)\YNAB 4\assets\is-IIA8L.tmp C:\Users\Admin\AppData\Local\Temp\is-SUONG.tmp\YNAB 4_4.3.857_Setup.tmp N/A
File created C:\Program Files (x86)\YNAB 4\is-JBOVM.tmp C:\Users\Admin\AppData\Local\Temp\is-SUONG.tmp\YNAB 4_4.3.857_Setup.tmp N/A
File created C:\Program Files (x86)\YNAB 4\META-INF\is-1GQOD.tmp C:\Users\Admin\AppData\Local\Temp\is-SUONG.tmp\YNAB 4_4.3.857_Setup.tmp N/A
File opened for modification C:\Program Files (x86)\YNAB 4\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-SUONG.tmp\YNAB 4_4.3.857_Setup.tmp N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files (x86)\YNAB 4\YNAB 4.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files (x86)\YNAB 4\YNAB 4.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Mime\Database\Content Type\application/vnd.ynab.ynab4 C:\Users\Admin\AppData\Local\Temp\is-SUONG.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.ynab4\shell\open\command C:\Users\Admin\AppData\Local\Temp\is-SUONG.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.qfx\ = "com.ynab.YNAB4.qfx" C:\Users\Admin\AppData\Local\Temp\is-SUONG.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/vnd.ynab.qfx\Extension = ".qfx" C:\Users\Admin\AppData\Local\Temp\is-SUONG.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.qfx C:\Users\Admin\AppData\Local\Temp\is-SUONG.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.qif\shell\open C:\Users\Admin\AppData\Local\Temp\is-SUONG.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.ynab4\shell\open C:\Users\Admin\AppData\Local\Temp\is-SUONG.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Mime\Database\Content Type\application/vnd.ynab.ofx C:\Users\Admin\AppData\Local\Temp\is-SUONG.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Mime\Database\Content Type\application/vnd.ynab.qif C:\Users\Admin\AppData\Local\Temp\is-SUONG.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.qif\shell\open\command C:\Users\Admin\AppData\Local\Temp\is-SUONG.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.qfx\shell\open\ = "Open with YNAB 4" C:\Users\Admin\AppData\Local\Temp\is-SUONG.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.qfx\shell\open C:\Users\Admin\AppData\Local\Temp\is-SUONG.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.qfx\shell C:\Users\Admin\AppData\Local\Temp\is-SUONG.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.ofx\shell\open\command\ = "\"C:\\Program Files (x86)\\YNAB 4\\YNAB 4.exe\" \"%1\"" C:\Users\Admin\AppData\Local\Temp\is-SUONG.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.qfx\shell\open\command\ = "\"C:\\Program Files (x86)\\YNAB 4\\YNAB 4.exe\" \"%1\"" C:\Users\Admin\AppData\Local\Temp\is-SUONG.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.qif\shell C:\Users\Admin\AppData\Local\Temp\is-SUONG.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.ynab4 C:\Users\Admin\AppData\Local\Temp\is-SUONG.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.ofx\Content Type = "application/vnd.ynab.ofx" C:\Users\Admin\AppData\Local\Temp\is-SUONG.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/vnd.ynab.qif\Extension = ".qif" C:\Users\Admin\AppData\Local\Temp\is-SUONG.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.qif C:\Users\Admin\AppData\Local\Temp\is-SUONG.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.ynab4\shell\open\ = "Open with YNAB 4" C:\Users\Admin\AppData\Local\Temp\is-SUONG.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.ofx\DefaultIcon\ = "C:\\Program Files (x86)\\YNAB 4\\YNAB 4.exe,0" C:\Users\Admin\AppData\Local\Temp\is-SUONG.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.qif\ = "Bank File (Opened by YNAB 4)" C:\Users\Admin\AppData\Local\Temp\is-SUONG.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.qif\DefaultIcon\ = "C:\\Program Files (x86)\\YNAB 4\\YNAB 4.exe,0" C:\Users\Admin\AppData\Local\Temp\is-SUONG.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.ofx\shell C:\Users\Admin\AppData\Local\Temp\is-SUONG.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.qfx\DefaultIcon\ = "C:\\Program Files (x86)\\YNAB 4\\YNAB 4.exe,0" C:\Users\Admin\AppData\Local\Temp\is-SUONG.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.ynab4\shell\open\command\ = "\"C:\\Program Files (x86)\\YNAB 4\\YNAB 4.exe\" \"%1\"" C:\Users\Admin\AppData\Local\Temp\is-SUONG.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.ofx\ = "Bank File (Opened by YNAB 4)" C:\Users\Admin\AppData\Local\Temp\is-SUONG.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.qif\ = "com.ynab.YNAB4.qif" C:\Users\Admin\AppData\Local\Temp\is-SUONG.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.qif\Content Type = "application/vnd.ynab.qif" C:\Users\Admin\AppData\Local\Temp\is-SUONG.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.ynab4\ = "com.ynab.YNAB4.ynab4" C:\Users\Admin\AppData\Local\Temp\is-SUONG.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.qif C:\Users\Admin\AppData\Local\Temp\is-SUONG.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Mime\Database\Content Type\application/vnd.ynab.qfx C:\Users\Admin\AppData\Local\Temp\is-SUONG.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.qfx\ = "Bank File (Opened by YNAB 4)" C:\Users\Admin\AppData\Local\Temp\is-SUONG.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.qif\shell\open\ = "Open with YNAB 4" C:\Users\Admin\AppData\Local\Temp\is-SUONG.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.qif\shell\open\command\ = "\"C:\\Program Files (x86)\\YNAB 4\\YNAB 4.exe\" \"%1\"" C:\Users\Admin\AppData\Local\Temp\is-SUONG.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.ynab4\Content Type = "application/vnd.ynab.ynab4" C:\Users\Admin\AppData\Local\Temp\is-SUONG.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.qfx\Content Type = "application/vnd.ynab.qfx" C:\Users\Admin\AppData\Local\Temp\is-SUONG.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.ofx\shell\open C:\Users\Admin\AppData\Local\Temp\is-SUONG.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.ynab4\DefaultIcon C:\Users\Admin\AppData\Local\Temp\is-SUONG.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.ynab4\shell C:\Users\Admin\AppData\Local\Temp\is-SUONG.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.ofx\shell\open\ = "Open with YNAB 4" C:\Users\Admin\AppData\Local\Temp\is-SUONG.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.qif\DefaultIcon C:\Users\Admin\AppData\Local\Temp\is-SUONG.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.ynab4\DefaultIcon\ = "C:\\Program Files (x86)\\YNAB 4\\YNAB 4.exe,0" C:\Users\Admin\AppData\Local\Temp\is-SUONG.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/vnd.ynab.ofx\Extension = ".ofx" C:\Users\Admin\AppData\Local\Temp\is-SUONG.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.ofx C:\Users\Admin\AppData\Local\Temp\is-SUONG.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.ofx\DefaultIcon C:\Users\Admin\AppData\Local\Temp\is-SUONG.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.ofx\ = "com.ynab.YNAB4.ofx" C:\Users\Admin\AppData\Local\Temp\is-SUONG.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.qfx C:\Users\Admin\AppData\Local\Temp\is-SUONG.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.ynab4 C:\Users\Admin\AppData\Local\Temp\is-SUONG.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/vnd.ynab.ynab4\Extension = ".ynab4" C:\Users\Admin\AppData\Local\Temp\is-SUONG.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.ofx\shell\open\command C:\Users\Admin\AppData\Local\Temp\is-SUONG.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.qfx\DefaultIcon C:\Users\Admin\AppData\Local\Temp\is-SUONG.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.qfx\shell\open\command C:\Users\Admin\AppData\Local\Temp\is-SUONG.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.ynab4\ = "YNAB 4 Budget File" C:\Users\Admin\AppData\Local\Temp\is-SUONG.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.ofx C:\Users\Admin\AppData\Local\Temp\is-SUONG.tmp\YNAB 4_4.3.857_Setup.tmp N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob C:\Program Files (x86)\YNAB 4\YNAB 4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 C:\Program Files (x86)\YNAB 4\YNAB 4.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob C:\Program Files (x86)\YNAB 4\YNAB 4.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-SUONG.tmp\YNAB 4_4.3.857_Setup.tmp N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\YNAB 4\YNAB 4.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1640 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\YNAB 4_4.3.857_Setup.exe C:\Users\Admin\AppData\Local\Temp\is-SUONG.tmp\YNAB 4_4.3.857_Setup.tmp
PID 2264 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\is-SUONG.tmp\YNAB 4_4.3.857_Setup.tmp C:\Program Files (x86)\YNAB 4\YNAB 4.exe
PID 2444 wrote to memory of 1864 N/A C:\Program Files (x86)\YNAB 4\YNAB 4.exe C:\WINDOWS\SysWOW64\hostname.exe

Processes

C:\Users\Admin\AppData\Local\Temp\YNAB 4_4.3.857_Setup.exe

"C:\Users\Admin\AppData\Local\Temp\YNAB 4_4.3.857_Setup.exe"

C:\Users\Admin\AppData\Local\Temp\is-SUONG.tmp\YNAB 4_4.3.857_Setup.tmp

"C:\Users\Admin\AppData\Local\Temp\is-SUONG.tmp\YNAB 4_4.3.857_Setup.tmp" /SL5="$70124,20782605,219136,C:\Users\Admin\AppData\Local\Temp\YNAB 4_4.3.857_Setup.exe"

C:\Program Files (x86)\YNAB 4\YNAB 4.exe

"C:\Program Files (x86)\YNAB 4\YNAB 4.exe"

C:\WINDOWS\SysWOW64\hostname.exe

"C:\WINDOWS\system32\hostname.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 airdownload2.adobe.com udp
GB 104.78.176.172:80 airdownload2.adobe.com tcp
US 8.8.8.8:53 www.youneedabudget.com udp
US 172.67.69.237:443 www.youneedabudget.com tcp
US 8.8.8.8:53 www.ynab.com udp
IE 34.249.200.254:443 www.ynab.com tcp

Files

memory/1640-0-0x0000000000400000-0x0000000000440000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-SUONG.tmp\YNAB 4_4.3.857_Setup.tmp

MD5 29f9be62944155dbb6b0b4f07138ea96
SHA1 5095375e40047d1b0daa4527c5de271ab23cd2f0
SHA256 168e5bbfcc47229ae0375ece11b7c9dabeb0a6bc820058fc2c86f4682cd0388f
SHA512 fe9bf378c278986118a7e17d326c795796c6ff20e3c6770ceeffc5d3f948d552147e41d3364cb1e55919d1c54974d135e28fc0753fc555c56a6dd839e4b264fd

memory/2264-7-0x0000000000240000-0x0000000000241000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-AJ2CE.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

memory/1640-14-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2264-15-0x0000000000400000-0x0000000000539000-memory.dmp

\Program Files (x86)\YNAB 4\YNAB 4.exe

MD5 8498b21d1c4582162ae4e100822babe5
SHA1 7f4e05fe9eacbbb8a4fca9baf2fb0a5b732fd03e
SHA256 160256d4687b59be6202de349e777aaeac5e93c037c41304f24d34883f2d5327
SHA512 0b5e7afeb082a4cc76bd0284203ee635fc17f2a4163655b19bba7c8cb7642cfa61ec16b8b5be87557d051d89400a8b7fcd77e48b7618263221303401c6db2db1

C:\Program Files (x86)\YNAB 4\Adobe AIR\Versions\1.0\Adobe AIR.dll

MD5 c083f8f26617d6adb86d2415a1bd42ff
SHA1 db6e31df956d3ba91f9e355a7b03de9f323b66b9
SHA256 39842ff576bca2d34a50ecfe8dcb04f3ff524aac0263cc456f9e7e872f7bb788
SHA512 7578012b40902dd63b57d265c13b71617327296908674f1daaa5f29c75b09075834386868776a26bc1fd8a944c899c9e8e3691c901e1d1c67e355dc176380e37

\Program Files (x86)\YNAB 4\Adobe AIR\Versions\1.0\Adobe AIR.dll

MD5 241b62402135af6850d8060eea33b87f
SHA1 ef054b48ef6265c5d9e3880233710b5bfce82055
SHA256 b081e922ade2d47f8b3f4e632f6a4edcfd263086e36b86f9e2d3a90c7227eb61
SHA512 a7a7c03844d41d7a25bc20550f864b520e0f163c0ac6c60925f2315177471df99d3fe38efbaf56bc84e8bc6ddd62cd4a7f24c43eae91220bc3a36e599afce6d5

memory/2444-78-0x00000000001D0000-0x00000000001D1000-memory.dmp

memory/2264-85-0x0000000000400000-0x0000000000539000-memory.dmp

memory/1640-103-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Program Files (x86)\YNAB 4\META-INF\AIR\application.xml

MD5 8f7487c76b681fba22a05c595f39b8bf
SHA1 87e7b04dde3a8fa5dbfa57c6b8b8f1bb8a64989d
SHA256 ebdf4f7eaded6a910cc811b77fd89653baee2402dbdeb282358dc208471ce255
SHA512 5b4c9d195e91e27f4d2bb3a215a1099c31e25f0576b55b7233fbf5a4b27bdcad0e7e1dffc3acb0fd7424c7dc8c0b8ad5a9cbbaeb2dc1db1584e32ad4aa5afc2e

C:\Program Files (x86)\YNAB 4\YNAB.swf

MD5 8d8732d0f71ec7f42ed3a4c25e5df1f8
SHA1 577b068c905fc0d446466af506bbad11d3f46c38
SHA256 54d1285f133a9fa0e34a7fca7aeef572e14a98d784e296180c0ff30c971314d8
SHA512 330a477c4cdd024b22f3e64c2c4add5ace8511f2866fc810f61651e31bd6a95ab0dc66719bcf15eeab2784e960fb06b1b6e46b2044de7397c95ee77a60d12125

C:\Program Files (x86)\YNAB 4\styles.swf

MD5 d8fa8b1d79c4fddd83b920382ea6b0db
SHA1 f7095bb39def83997ba9f340eb2aebe88af98976
SHA256 79ff741d4a04dd58e1db3735a676562a3d15a25697ceab4f876197bb885dda76
SHA512 948b812916f99f2d58f7fe24b034bed43c2bcc15ea5c45c7196052923190e66a3071bd20b252bf606598bbc2041f0155407e4e7ec5495cf8d48863e59d5125cb

C:\Users\Admin\AppData\Local\Temp\CabA1FC.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\TarA21E.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-22 18:44

Reported

2024-02-22 18:47

Platform

win10v2004-20240221-en

Max time kernel

146s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\YNAB 4_4.3.857_Setup.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\YNAB 4\YNAB 4.exe N/A

Checks installed software on the system

discovery

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\YNAB 4\is-2SVT4.tmp C:\Users\Admin\AppData\Local\Temp\is-MR719.tmp\YNAB 4_4.3.857_Setup.tmp N/A
File created C:\Program Files (x86)\YNAB 4\Adobe AIR\Versions\1.0\Resources\is-MH2F9.tmp C:\Users\Admin\AppData\Local\Temp\is-MR719.tmp\YNAB 4_4.3.857_Setup.tmp N/A
File created C:\Program Files (x86)\YNAB 4\assets\is-VK95I.tmp C:\Users\Admin\AppData\Local\Temp\is-MR719.tmp\YNAB 4_4.3.857_Setup.tmp N/A
File created C:\Program Files (x86)\YNAB 4\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-MR719.tmp\YNAB 4_4.3.857_Setup.tmp N/A
File created C:\Program Files (x86)\YNAB 4\Adobe AIR\Versions\1.0\Resources\is-0QNMT.tmp C:\Users\Admin\AppData\Local\Temp\is-MR719.tmp\YNAB 4_4.3.857_Setup.tmp N/A
File created C:\Program Files (x86)\YNAB 4\Adobe AIR\Versions\1.0\Resources\WebKit\is-87E3O.tmp C:\Users\Admin\AppData\Local\Temp\is-MR719.tmp\YNAB 4_4.3.857_Setup.tmp N/A
File created C:\Program Files (x86)\YNAB 4\assets\is-QEL8A.tmp C:\Users\Admin\AppData\Local\Temp\is-MR719.tmp\YNAB 4_4.3.857_Setup.tmp N/A
File created C:\Program Files (x86)\YNAB 4\assets\is-IQEV2.tmp C:\Users\Admin\AppData\Local\Temp\is-MR719.tmp\YNAB 4_4.3.857_Setup.tmp N/A
File created C:\Program Files (x86)\YNAB 4\META-INF\AIR\is-2R9RQ.tmp C:\Users\Admin\AppData\Local\Temp\is-MR719.tmp\YNAB 4_4.3.857_Setup.tmp N/A
File created C:\Program Files (x86)\YNAB 4\is-UCG51.tmp C:\Users\Admin\AppData\Local\Temp\is-MR719.tmp\YNAB 4_4.3.857_Setup.tmp N/A
File created C:\Program Files (x86)\YNAB 4\META-INF\AIR\is-IED79.tmp C:\Users\Admin\AppData\Local\Temp\is-MR719.tmp\YNAB 4_4.3.857_Setup.tmp N/A
File created C:\Program Files (x86)\YNAB 4\is-6QC48.tmp C:\Users\Admin\AppData\Local\Temp\is-MR719.tmp\YNAB 4_4.3.857_Setup.tmp N/A
File created C:\Program Files (x86)\YNAB 4\assets\is-5RG1A.tmp C:\Users\Admin\AppData\Local\Temp\is-MR719.tmp\YNAB 4_4.3.857_Setup.tmp N/A
File created C:\Program Files (x86)\YNAB 4\assets\is-GBS58.tmp C:\Users\Admin\AppData\Local\Temp\is-MR719.tmp\YNAB 4_4.3.857_Setup.tmp N/A
File created C:\Program Files (x86)\YNAB 4\is-1BULP.tmp C:\Users\Admin\AppData\Local\Temp\is-MR719.tmp\YNAB 4_4.3.857_Setup.tmp N/A
File created C:\Program Files (x86)\YNAB 4\is-2KHQS.tmp C:\Users\Admin\AppData\Local\Temp\is-MR719.tmp\YNAB 4_4.3.857_Setup.tmp N/A
File created C:\Program Files (x86)\YNAB 4\is-U7I63.tmp C:\Users\Admin\AppData\Local\Temp\is-MR719.tmp\YNAB 4_4.3.857_Setup.tmp N/A
File created C:\Program Files (x86)\YNAB 4\is-457GL.tmp C:\Users\Admin\AppData\Local\Temp\is-MR719.tmp\YNAB 4_4.3.857_Setup.tmp N/A
File created C:\Program Files (x86)\YNAB 4\Adobe AIR\Versions\1.0\Resources\is-JR3F5.tmp C:\Users\Admin\AppData\Local\Temp\is-MR719.tmp\YNAB 4_4.3.857_Setup.tmp N/A
File created C:\Program Files (x86)\YNAB 4\assets\is-UOSJN.tmp C:\Users\Admin\AppData\Local\Temp\is-MR719.tmp\YNAB 4_4.3.857_Setup.tmp N/A
File opened for modification C:\Program Files (x86)\YNAB 4\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-MR719.tmp\YNAB 4_4.3.857_Setup.tmp N/A
File created C:\Program Files (x86)\YNAB 4\is-5ETBK.tmp C:\Users\Admin\AppData\Local\Temp\is-MR719.tmp\YNAB 4_4.3.857_Setup.tmp N/A
File created C:\Program Files (x86)\YNAB 4\Adobe AIR\Versions\1.0\is-141Q1.tmp C:\Users\Admin\AppData\Local\Temp\is-MR719.tmp\YNAB 4_4.3.857_Setup.tmp N/A
File created C:\Program Files (x86)\YNAB 4\Adobe AIR\Versions\1.0\Resources\WebKit\is-NSQIV.tmp C:\Users\Admin\AppData\Local\Temp\is-MR719.tmp\YNAB 4_4.3.857_Setup.tmp N/A
File created C:\Program Files (x86)\YNAB 4\META-INF\is-V3AG7.tmp C:\Users\Admin\AppData\Local\Temp\is-MR719.tmp\YNAB 4_4.3.857_Setup.tmp N/A
File created C:\Program Files (x86)\YNAB 4\is-3B4FP.tmp C:\Users\Admin\AppData\Local\Temp\is-MR719.tmp\YNAB 4_4.3.857_Setup.tmp N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files (x86)\YNAB 4\YNAB 4.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files (x86)\YNAB 4\YNAB 4.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.ynab4\DefaultIcon C:\Users\Admin\AppData\Local\Temp\is-MR719.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/vnd.ynab.ofx\Extension = ".ofx" C:\Users\Admin\AppData\Local\Temp\is-MR719.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.ofx\DefaultIcon C:\Users\Admin\AppData\Local\Temp\is-MR719.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.ofx\DefaultIcon\ = "C:\\Program Files (x86)\\YNAB 4\\YNAB 4.exe,0" C:\Users\Admin\AppData\Local\Temp\is-MR719.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.ofx\shell\open\command\ = "\"C:\\Program Files (x86)\\YNAB 4\\YNAB 4.exe\" \"%1\"" C:\Users\Admin\AppData\Local\Temp\is-MR719.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.qif\ = "Bank File (Opened by YNAB 4)" C:\Users\Admin\AppData\Local\Temp\is-MR719.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.ofx\ = "com.ynab.YNAB4.ofx" C:\Users\Admin\AppData\Local\Temp\is-MR719.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.ofx\Content Type = "application/vnd.ynab.ofx" C:\Users\Admin\AppData\Local\Temp\is-MR719.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.qif\Content Type = "application/vnd.ynab.qif" C:\Users\Admin\AppData\Local\Temp\is-MR719.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.ynab4\DefaultIcon\ = "C:\\Program Files (x86)\\YNAB 4\\YNAB 4.exe,0" C:\Users\Admin\AppData\Local\Temp\is-MR719.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.qfx C:\Users\Admin\AppData\Local\Temp\is-MR719.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/vnd.ynab.qfx\Extension = ".qfx" C:\Users\Admin\AppData\Local\Temp\is-MR719.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.qfx C:\Users\Admin\AppData\Local\Temp\is-MR719.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.qif\shell\open C:\Users\Admin\AppData\Local\Temp\is-MR719.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.ofx\ = "Bank File (Opened by YNAB 4)" C:\Users\Admin\AppData\Local\Temp\is-MR719.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.qif C:\Users\Admin\AppData\Local\Temp\is-MR719.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.ynab4 C:\Users\Admin\AppData\Local\Temp\is-MR719.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/vnd.ynab.ynab4\Extension = ".ynab4" C:\Users\Admin\AppData\Local\Temp\is-MR719.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.ynab4\shell\open\command C:\Users\Admin\AppData\Local\Temp\is-MR719.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.qfx\shell C:\Users\Admin\AppData\Local\Temp\is-MR719.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.qfx\shell\open\ = "Open with YNAB 4" C:\Users\Admin\AppData\Local\Temp\is-MR719.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.qif\shell\open\command\ = "\"C:\\Program Files (x86)\\YNAB 4\\YNAB 4.exe\" \"%1\"" C:\Users\Admin\AppData\Local\Temp\is-MR719.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.ofx\shell\open\ = "Open with YNAB 4" C:\Users\Admin\AppData\Local\Temp\is-MR719.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.qfx\ = "com.ynab.YNAB4.qfx" C:\Users\Admin\AppData\Local\Temp\is-MR719.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.qfx\shell\open\command C:\Users\Admin\AppData\Local\Temp\is-MR719.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/vnd.ynab.qif\Extension = ".qif" C:\Users\Admin\AppData\Local\Temp\is-MR719.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.qif\shell C:\Users\Admin\AppData\Local\Temp\is-MR719.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.qif\shell\open\command C:\Users\Admin\AppData\Local\Temp\is-MR719.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.qif C:\Users\Admin\AppData\Local\Temp\is-MR719.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.ofx\shell\open\command C:\Users\Admin\AppData\Local\Temp\is-MR719.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.qfx\ = "Bank File (Opened by YNAB 4)" C:\Users\Admin\AppData\Local\Temp\is-MR719.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.ynab4\shell C:\Users\Admin\AppData\Local\Temp\is-MR719.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.qfx\shell\open\command\ = "\"C:\\Program Files (x86)\\YNAB 4\\YNAB 4.exe\" \"%1\"" C:\Users\Admin\AppData\Local\Temp\is-MR719.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Mime\Database\Content Type\application/vnd.ynab.ynab4 C:\Users\Admin\AppData\Local\Temp\is-MR719.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.ynab4\shell\open C:\Users\Admin\AppData\Local\Temp\is-MR719.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.ynab4\shell\open\ = "Open with YNAB 4" C:\Users\Admin\AppData\Local\Temp\is-MR719.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.qif\shell\open\ = "Open with YNAB 4" C:\Users\Admin\AppData\Local\Temp\is-MR719.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.ynab4\ = "com.ynab.YNAB4.ynab4" C:\Users\Admin\AppData\Local\Temp\is-MR719.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.ynab4\Content Type = "application/vnd.ynab.ynab4" C:\Users\Admin\AppData\Local\Temp\is-MR719.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.ynab4\shell\open\command\ = "\"C:\\Program Files (x86)\\YNAB 4\\YNAB 4.exe\" \"%1\"" C:\Users\Admin\AppData\Local\Temp\is-MR719.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Mime\Database\Content Type\application/vnd.ynab.qfx C:\Users\Admin\AppData\Local\Temp\is-MR719.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.qfx\shell\open C:\Users\Admin\AppData\Local\Temp\is-MR719.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.qif\ = "com.ynab.YNAB4.qif" C:\Users\Admin\AppData\Local\Temp\is-MR719.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.ofx\shell C:\Users\Admin\AppData\Local\Temp\is-MR719.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.qfx\Content Type = "application/vnd.ynab.qfx" C:\Users\Admin\AppData\Local\Temp\is-MR719.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Mime\Database\Content Type\application/vnd.ynab.qif C:\Users\Admin\AppData\Local\Temp\is-MR719.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.qif\DefaultIcon C:\Users\Admin\AppData\Local\Temp\is-MR719.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Mime\Database\Content Type\application/vnd.ynab.ofx C:\Users\Admin\AppData\Local\Temp\is-MR719.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.ofx C:\Users\Admin\AppData\Local\Temp\is-MR719.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.ofx C:\Users\Admin\AppData\Local\Temp\is-MR719.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.ofx\shell\open C:\Users\Admin\AppData\Local\Temp\is-MR719.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.qfx\DefaultIcon\ = "C:\\Program Files (x86)\\YNAB 4\\YNAB 4.exe,0" C:\Users\Admin\AppData\Local\Temp\is-MR719.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.qif\DefaultIcon\ = "C:\\Program Files (x86)\\YNAB 4\\YNAB 4.exe,0" C:\Users\Admin\AppData\Local\Temp\is-MR719.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.ynab4 C:\Users\Admin\AppData\Local\Temp\is-MR719.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.ynab4\ = "YNAB 4 Budget File" C:\Users\Admin\AppData\Local\Temp\is-MR719.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.qfx\DefaultIcon C:\Users\Admin\AppData\Local\Temp\is-MR719.tmp\YNAB 4_4.3.857_Setup.tmp N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-MR719.tmp\YNAB 4_4.3.857_Setup.tmp N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\YNAB 4\YNAB 4.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\YNAB 4_4.3.857_Setup.exe

"C:\Users\Admin\AppData\Local\Temp\YNAB 4_4.3.857_Setup.exe"

C:\Users\Admin\AppData\Local\Temp\is-MR719.tmp\YNAB 4_4.3.857_Setup.tmp

"C:\Users\Admin\AppData\Local\Temp\is-MR719.tmp\YNAB 4_4.3.857_Setup.tmp" /SL5="$6006A,20782605,219136,C:\Users\Admin\AppData\Local\Temp\YNAB 4_4.3.857_Setup.exe"

C:\Program Files (x86)\YNAB 4\YNAB 4.exe

"C:\Program Files (x86)\YNAB 4\YNAB 4.exe"

C:\Program Files (x86)\YNAB 4\YNAB 4.exe

"C:\Program Files (x86)\YNAB 4\YNAB 4.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x33c 0x4bc

C:\Program Files (x86)\YNAB 4\YNAB 4.exe

"C:\Program Files (x86)\YNAB 4\YNAB 4.exe"

C:\WINDOWS\SysWOW64\hostname.exe

"C:\WINDOWS\system32\hostname.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 10.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 airdownload2.adobe.com udp
GB 104.78.176.172:80 airdownload2.adobe.com tcp
US 8.8.8.8:53 172.176.78.104.in-addr.arpa udp
US 8.8.8.8:53 www.youneedabudget.com udp
US 104.26.15.242:443 www.youneedabudget.com tcp
US 8.8.8.8:53 242.15.26.104.in-addr.arpa udp
US 8.8.8.8:53 www.ynab.com udp
IE 52.17.119.105:443 www.ynab.com tcp
US 8.8.8.8:53 105.119.17.52.in-addr.arpa udp
US 8.8.8.8:53 32.169.19.2.in-addr.arpa udp
US 8.8.8.8:53 201.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 202.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 193.78.101.95.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\is-MR719.tmp\YNAB 4_4.3.857_Setup.tmp

MD5 29f9be62944155dbb6b0b4f07138ea96
SHA1 5095375e40047d1b0daa4527c5de271ab23cd2f0
SHA256 168e5bbfcc47229ae0375ece11b7c9dabeb0a6bc820058fc2c86f4682cd0388f
SHA512 fe9bf378c278986118a7e17d326c795796c6ff20e3c6770ceeffc5d3f948d552147e41d3364cb1e55919d1c54974d135e28fc0753fc555c56a6dd839e4b264fd

C:\Program Files (x86)\YNAB 4\YNAB 4.exe

MD5 8498b21d1c4582162ae4e100822babe5
SHA1 7f4e05fe9eacbbb8a4fca9baf2fb0a5b732fd03e
SHA256 160256d4687b59be6202de349e777aaeac5e93c037c41304f24d34883f2d5327
SHA512 0b5e7afeb082a4cc76bd0284203ee635fc17f2a4163655b19bba7c8cb7642cfa61ec16b8b5be87557d051d89400a8b7fcd77e48b7618263221303401c6db2db1

C:\Program Files (x86)\YNAB 4\Adobe AIR\Versions\1.0\Adobe AIR.dll

MD5 556f36c4681a5991dd00a894a418c8f5
SHA1 87198ce222fec384e7a5d8c2f30a9732a96b6ec3
SHA256 3025ef1da177649b2bd4f6a632d03f3391490f58ad35a5dd9e88440f7b898c25
SHA512 13cbd117503addcbfbff96f64c82f024e92a4790d4f4e184cad5f585a7a1b59228c9654226d77b39868d78758bbe43e9a56041f71130513ab29dcc5d7b6d580a

C:\Program Files (x86)\YNAB 4\Adobe AIR\Versions\1.0\Adobe AIR.dll

MD5 e35e24dcfe02348c8691098a6d90f5d2
SHA1 3d63d11798940b82a3b7259230b83495eedd830f
SHA256 9fadb97b12990ed707a50ad11a7e57a5ab9eae7a7be08abca9d87828959d98c0
SHA512 673867d835c145dc49004325d8385d7f668339a12aee3c6e88805d9e297829f823f88e081f967d54dfc0570eede372e52f26ad88909bb82c95da10c11e0ddb04

C:\Program Files (x86)\YNAB 4\Adobe AIR\Versions\1.0\Adobe AIR.dll

MD5 d30499473f649f35a9196f7a7c55ab96
SHA1 6f2997bf5679d427733a7c57b23a53f755a47e41
SHA256 be5fb81ee431cc99f0af8caaac5ebee7000808bccc7a7ea1238f8ef12632d334
SHA512 03715da6c38d3281ead876d0f0eb6a6c9a9d940f4c5c924fc1ae680cabca7146f63231d8a3eec20f8b19bf7eb895141e7375e3fbce4e7555fecd491dc881b262

C:\Program Files (x86)\YNAB 4\META-INF\AIR\application.xml

MD5 8f7487c76b681fba22a05c595f39b8bf
SHA1 87e7b04dde3a8fa5dbfa57c6b8b8f1bb8a64989d
SHA256 ebdf4f7eaded6a910cc811b77fd89653baee2402dbdeb282358dc208471ce255
SHA512 5b4c9d195e91e27f4d2bb3a215a1099c31e25f0576b55b7233fbf5a4b27bdcad0e7e1dffc3acb0fd7424c7dc8c0b8ad5a9cbbaeb2dc1db1584e32ad4aa5afc2e

C:\Program Files (x86)\YNAB 4\Adobe AIR\Versions\1.0\Adobe AIR.dll

MD5 712206a7d184dc40d36d7752bc572950
SHA1 17ea95e114a5f047f7697d080b213c68437bba84
SHA256 1bb20a972c535a197268a7c9e75a7754cb6ab741f1ed9f8db5faa470c5d584cc
SHA512 150283e0831afdda05438c25cd02f5c039d6a8bfea2bc687368a7668e9b88a291bd4317cf95fe067986c452419714e87bed3a1b819ed0cc19cc2c157e5679472
