Malware Analysis Report

2025-08-11 06:04

Sample ID 240222-xgp1msdh4s
Target YNAB 4_4.3.857_Setup.exe
SHA256 f3021e45c82d72bd139d86f6a68c96af201bedf53a373f183dca037003b9cdc6
Tags discovery
Score 7/10

Analysis Overview

Threat Level: Shows suspicious behavior

The file YNAB 4_4.3.857_Setup.exe was found to be: Shows suspicious behavior.

Malicious Activity Summary

discovery

Executes dropped EXE

Loads dropped DLL

Checks installed software on the system

Drops file in Program Files directory

Enumerates physical storage devices

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-02-22 18:49

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-02-22 18:49
Reported 2024-02-22 18:52
Platform win7-20240221-en
Max time kernel 18s
Max time network 124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\YNAB 4_4.3.857_Setup.exe"

Signatures

Checks installed software on the system

discovery

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\YNAB 4\is-0IQGE.tmp C:\Users\Admin\AppData\Local\Temp\is-RBJKR.tmp\YNAB 4_4.3.857_Setup.tmp N/A
File created C:\Program Files (x86)\YNAB 4\Adobe AIR\Versions\1.0\Resources\is-PLAAI.tmp C:\Users\Admin\AppData\Local\Temp\is-RBJKR.tmp\YNAB 4_4.3.857_Setup.tmp N/A
File created C:\Program Files (x86)\YNAB 4\assets\is-151UA.tmp C:\Users\Admin\AppData\Local\Temp\is-RBJKR.tmp\YNAB 4_4.3.857_Setup.tmp N/A
File created C:\Program Files (x86)\YNAB 4\is-0TF6P.tmp C:\Users\Admin\AppData\Local\Temp\is-RBJKR.tmp\YNAB 4_4.3.857_Setup.tmp N/A
File created C:\Program Files (x86)\YNAB 4\Adobe AIR\Versions\1.0\is-K749E.tmp C:\Users\Admin\AppData\Local\Temp\is-RBJKR.tmp\YNAB 4_4.3.857_Setup.tmp N/A
File created C:\Program Files (x86)\YNAB 4\is-68VJ2.tmp C:\Users\Admin\AppData\Local\Temp\is-RBJKR.tmp\YNAB 4_4.3.857_Setup.tmp N/A
File created C:\Program Files (x86)\YNAB 4\is-9E0R2.tmp C:\Users\Admin\AppData\Local\Temp\is-RBJKR.tmp\YNAB 4_4.3.857_Setup.tmp N/A
File created C:\Program Files (x86)\YNAB 4\is-EF08J.tmp C:\Users\Admin\AppData\Local\Temp\is-RBJKR.tmp\YNAB 4_4.3.857_Setup.tmp N/A
File created C:\Program Files (x86)\YNAB 4\META-INF\is-3J2BP.tmp C:\Users\Admin\AppData\Local\Temp\is-RBJKR.tmp\YNAB 4_4.3.857_Setup.tmp N/A
File created C:\Program Files (x86)\YNAB 4\is-T603J.tmp C:\Users\Admin\AppData\Local\Temp\is-RBJKR.tmp\YNAB 4_4.3.857_Setup.tmp N/A
File created C:\Program Files (x86)\YNAB 4\is-ULMLR.tmp C:\Users\Admin\AppData\Local\Temp\is-RBJKR.tmp\YNAB 4_4.3.857_Setup.tmp N/A
File created C:\Program Files (x86)\YNAB 4\Adobe AIR\Versions\1.0\Resources\is-VD04I.tmp C:\Users\Admin\AppData\Local\Temp\is-RBJKR.tmp\YNAB 4_4.3.857_Setup.tmp N/A
File created C:\Program Files (x86)\YNAB 4\assets\is-PIRNN.tmp C:\Users\Admin\AppData\Local\Temp\is-RBJKR.tmp\YNAB 4_4.3.857_Setup.tmp N/A
File created C:\Program Files (x86)\YNAB 4\Adobe AIR\Versions\1.0\Resources\WebKit\is-9E1TQ.tmp C:\Users\Admin\AppData\Local\Temp\is-RBJKR.tmp\YNAB 4_4.3.857_Setup.tmp N/A
File created C:\Program Files (x86)\YNAB 4\assets\is-IHKPE.tmp C:\Users\Admin\AppData\Local\Temp\is-RBJKR.tmp\YNAB 4_4.3.857_Setup.tmp N/A
File created C:\Program Files (x86)\YNAB 4\META-INF\AIR\is-64ED9.tmp C:\Users\Admin\AppData\Local\Temp\is-RBJKR.tmp\YNAB 4_4.3.857_Setup.tmp N/A
File created C:\Program Files (x86)\YNAB 4\META-INF\AIR\is-1I973.tmp C:\Users\Admin\AppData\Local\Temp\is-RBJKR.tmp\YNAB 4_4.3.857_Setup.tmp N/A
File opened for modification C:\Program Files (x86)\YNAB 4\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-RBJKR.tmp\YNAB 4_4.3.857_Setup.tmp N/A
File created C:\Program Files (x86)\YNAB 4\is-3NF2I.tmp C:\Users\Admin\AppData\Local\Temp\is-RBJKR.tmp\YNAB 4_4.3.857_Setup.tmp N/A
File created C:\Program Files (x86)\YNAB 4\is-TTMFK.tmp C:\Users\Admin\AppData\Local\Temp\is-RBJKR.tmp\YNAB 4_4.3.857_Setup.tmp N/A
File created C:\Program Files (x86)\YNAB 4\Adobe AIR\Versions\1.0\Resources\is-9RVVN.tmp C:\Users\Admin\AppData\Local\Temp\is-RBJKR.tmp\YNAB 4_4.3.857_Setup.tmp N/A
File created C:\Program Files (x86)\YNAB 4\assets\is-AK3HB.tmp C:\Users\Admin\AppData\Local\Temp\is-RBJKR.tmp\YNAB 4_4.3.857_Setup.tmp N/A
File created C:\Program Files (x86)\YNAB 4\assets\is-DA7Q6.tmp C:\Users\Admin\AppData\Local\Temp\is-RBJKR.tmp\YNAB 4_4.3.857_Setup.tmp N/A
File created C:\Program Files (x86)\YNAB 4\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-RBJKR.tmp\YNAB 4_4.3.857_Setup.tmp N/A
File created C:\Program Files (x86)\YNAB 4\Adobe AIR\Versions\1.0\Resources\WebKit\is-TNVPH.tmp C:\Users\Admin\AppData\Local\Temp\is-RBJKR.tmp\YNAB 4_4.3.857_Setup.tmp N/A
File created C:\Program Files (x86)\YNAB 4\assets\is-E39SI.tmp C:\Users\Admin\AppData\Local\Temp\is-RBJKR.tmp\YNAB 4_4.3.857_Setup.tmp N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files (x86)\YNAB 4\YNAB 4.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files (x86)\YNAB 4\YNAB 4.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.ynab4 C:\Users\Admin\AppData\Local\Temp\is-RBJKR.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.ynab4\DefaultIcon\ = "C:\\Program Files (x86)\\YNAB 4\\YNAB 4.exe,0" C:\Users\Admin\AppData\Local\Temp\is-RBJKR.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.ofx\Content Type = "application/vnd.ynab.ofx" C:\Users\Admin\AppData\Local\Temp\is-RBJKR.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.qfx\ = "Bank File (Opened by YNAB 4)" C:\Users\Admin\AppData\Local\Temp\is-RBJKR.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.ofx\shell\open\ = "Open with YNAB 4" C:\Users\Admin\AppData\Local\Temp\is-RBJKR.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.qfx\ = "com.ynab.YNAB4.qfx" C:\Users\Admin\AppData\Local\Temp\is-RBJKR.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.qif\Content Type = "application/vnd.ynab.qif" C:\Users\Admin\AppData\Local\Temp\is-RBJKR.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Mime\Database\Content Type\application/vnd.ynab.qif C:\Users\Admin\AppData\Local\Temp\is-RBJKR.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.ynab4 C:\Users\Admin\AppData\Local\Temp\is-RBJKR.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.ynab4\shell\open C:\Users\Admin\AppData\Local\Temp\is-RBJKR.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.ynab4\shell\open\command\ = "\"C:\\Program Files (x86)\\YNAB 4\\YNAB 4.exe\" \"%1\"" C:\Users\Admin\AppData\Local\Temp\is-RBJKR.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.ofx\DefaultIcon C:\Users\Admin\AppData\Local\Temp\is-RBJKR.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.qfx\shell\open\command C:\Users\Admin\AppData\Local\Temp\is-RBJKR.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.qif\DefaultIcon\ = "C:\\Program Files (x86)\\YNAB 4\\YNAB 4.exe,0" C:\Users\Admin\AppData\Local\Temp\is-RBJKR.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.qif\shell\open\command C:\Users\Admin\AppData\Local\Temp\is-RBJKR.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.ynab4\Content Type = "application/vnd.ynab.ynab4" C:\Users\Admin\AppData\Local\Temp\is-RBJKR.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Mime\Database\Content Type\application/vnd.ynab.ynab4 C:\Users\Admin\AppData\Local\Temp\is-RBJKR.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.ofx\shell C:\Users\Admin\AppData\Local\Temp\is-RBJKR.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.qfx C:\Users\Admin\AppData\Local\Temp\is-RBJKR.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.ynab4\ = "YNAB 4 Budget File" C:\Users\Admin\AppData\Local\Temp\is-RBJKR.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.ynab4\shell\open\ = "Open with YNAB 4" C:\Users\Admin\AppData\Local\Temp\is-RBJKR.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.ofx\ = "com.ynab.YNAB4.ofx" C:\Users\Admin\AppData\Local\Temp\is-RBJKR.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.qfx\shell\open\ = "Open with YNAB 4" C:\Users\Admin\AppData\Local\Temp\is-RBJKR.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.ynab4\DefaultIcon C:\Users\Admin\AppData\Local\Temp\is-RBJKR.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.qfx\DefaultIcon\ = "C:\\Program Files (x86)\\YNAB 4\\YNAB 4.exe,0" C:\Users\Admin\AppData\Local\Temp\is-RBJKR.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.ofx C:\Users\Admin\AppData\Local\Temp\is-RBJKR.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.qif\ = "com.ynab.YNAB4.qif" C:\Users\Admin\AppData\Local\Temp\is-RBJKR.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/vnd.ynab.ofx\Extension = ".ofx" C:\Users\Admin\AppData\Local\Temp\is-RBJKR.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.ofx\shell\open\command C:\Users\Admin\AppData\Local\Temp\is-RBJKR.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.qfx\Content Type = "application/vnd.ynab.qfx" C:\Users\Admin\AppData\Local\Temp\is-RBJKR.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.qfx C:\Users\Admin\AppData\Local\Temp\is-RBJKR.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.ynab4\ = "com.ynab.YNAB4.ynab4" C:\Users\Admin\AppData\Local\Temp\is-RBJKR.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.ynab4\shell C:\Users\Admin\AppData\Local\Temp\is-RBJKR.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.ofx C:\Users\Admin\AppData\Local\Temp\is-RBJKR.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Mime\Database\Content Type\application/vnd.ynab.ofx C:\Users\Admin\AppData\Local\Temp\is-RBJKR.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.qfx\shell C:\Users\Admin\AppData\Local\Temp\is-RBJKR.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.qif\ = "Bank File (Opened by YNAB 4)" C:\Users\Admin\AppData\Local\Temp\is-RBJKR.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.qfx\shell\open\command\ = "\"C:\\Program Files (x86)\\YNAB 4\\YNAB 4.exe\" \"%1\"" C:\Users\Admin\AppData\Local\Temp\is-RBJKR.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.qif\shell C:\Users\Admin\AppData\Local\Temp\is-RBJKR.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.ofx\shell\open C:\Users\Admin\AppData\Local\Temp\is-RBJKR.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.qif\DefaultIcon C:\Users\Admin\AppData\Local\Temp\is-RBJKR.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.ofx\DefaultIcon\ = "C:\\Program Files (x86)\\YNAB 4\\YNAB 4.exe,0" C:\Users\Admin\AppData\Local\Temp\is-RBJKR.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.ofx\shell\open\command\ = "\"C:\\Program Files (x86)\\YNAB 4\\YNAB 4.exe\" \"%1\"" C:\Users\Admin\AppData\Local\Temp\is-RBJKR.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.ofx\ = "Bank File (Opened by YNAB 4)" C:\Users\Admin\AppData\Local\Temp\is-RBJKR.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.qif\shell\open\ = "Open with YNAB 4" C:\Users\Admin\AppData\Local\Temp\is-RBJKR.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.qfx\DefaultIcon C:\Users\Admin\AppData\Local\Temp\is-RBJKR.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.qif C:\Users\Admin\AppData\Local\Temp\is-RBJKR.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/vnd.ynab.qif\Extension = ".qif" C:\Users\Admin\AppData\Local\Temp\is-RBJKR.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/vnd.ynab.qfx\Extension = ".qfx" C:\Users\Admin\AppData\Local\Temp\is-RBJKR.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.qif\shell\open C:\Users\Admin\AppData\Local\Temp\is-RBJKR.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.qif\shell\open\command\ = "\"C:\\Program Files (x86)\\YNAB 4\\YNAB 4.exe\" \"%1\"" C:\Users\Admin\AppData\Local\Temp\is-RBJKR.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.qif C:\Users\Admin\AppData\Local\Temp\is-RBJKR.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/vnd.ynab.ynab4\Extension = ".ynab4" C:\Users\Admin\AppData\Local\Temp\is-RBJKR.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.ynab4\shell\open\command C:\Users\Admin\AppData\Local\Temp\is-RBJKR.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Mime\Database\Content Type\application/vnd.ynab.qfx C:\Users\Admin\AppData\Local\Temp\is-RBJKR.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.qfx\shell\open C:\Users\Admin\AppData\Local\Temp\is-RBJKR.tmp\YNAB 4_4.3.857_Setup.tmp N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-RBJKR.tmp\YNAB 4_4.3.857_Setup.tmp N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\YNAB 4\YNAB 4.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3000 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\YNAB 4_4.3.857_Setup.exe C:\Users\Admin\AppData\Local\Temp\is-RBJKR.tmp\YNAB 4_4.3.857_Setup.tmp
PID 2204 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\is-RBJKR.tmp\YNAB 4_4.3.857_Setup.tmp C:\Program Files (x86)\YNAB 4\YNAB 4.exe

Processes

C:\Users\Admin\AppData\Local\Temp\YNAB 4_4.3.857_Setup.exe

"C:\Users\Admin\AppData\Local\Temp\YNAB 4_4.3.857_Setup.exe"

C:\Users\Admin\AppData\Local\Temp\is-RBJKR.tmp\YNAB 4_4.3.857_Setup.tmp

"C:\Users\Admin\AppData\Local\Temp\is-RBJKR.tmp\YNAB 4_4.3.857_Setup.tmp" /SL5="$400F4,20782605,219136,C:\Users\Admin\AppData\Local\Temp\YNAB 4_4.3.857_Setup.exe"

C:\Program Files (x86)\YNAB 4\YNAB 4.exe

"C:\Program Files (x86)\YNAB 4\YNAB 4.exe"

C:\Program Files (x86)\YNAB 4\YNAB 4.exe

"C:\Program Files (x86)\YNAB 4\YNAB 4.exe"

C:\Program Files (x86)\YNAB 4\YNAB 4.exe

"C:\Program Files (x86)\YNAB 4\YNAB 4.exe"

Network

N/A

Files

Analysis: behavioral2

Detonation Overview

Submitted 2024-02-22 18:49
Reported 2024-02-22 18:52
Platform win10v2004-20240221-en
Max time kernel 72s
Max time network 138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\YNAB 4_4.3.857_Setup.exe"

Signatures

Checks installed software on the system

discovery

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\YNAB 4\Adobe AIR\Versions\1.0\Resources\is-M04UE.tmp C:\Users\Admin\AppData\Local\Temp\is-B56VB.tmp\YNAB 4_4.3.857_Setup.tmp N/A
File created C:\Program Files (x86)\YNAB 4\assets\is-FQ0GM.tmp C:\Users\Admin\AppData\Local\Temp\is-B56VB.tmp\YNAB 4_4.3.857_Setup.tmp N/A
File opened for modification C:\Program Files (x86)\YNAB 4\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-B56VB.tmp\YNAB 4_4.3.857_Setup.tmp N/A
File created C:\Program Files (x86)\YNAB 4\Adobe AIR\Versions\1.0\is-2FR2V.tmp C:\Users\Admin\AppData\Local\Temp\is-B56VB.tmp\YNAB 4_4.3.857_Setup.tmp N/A
File created C:\Program Files (x86)\YNAB 4\Adobe AIR\Versions\1.0\Resources\is-R0QOR.tmp C:\Users\Admin\AppData\Local\Temp\is-B56VB.tmp\YNAB 4_4.3.857_Setup.tmp N/A
File created C:\Program Files (x86)\YNAB 4\Adobe AIR\Versions\1.0\Resources\is-UL300.tmp C:\Users\Admin\AppData\Local\Temp\is-B56VB.tmp\YNAB 4_4.3.857_Setup.tmp N/A
File created C:\Program Files (x86)\YNAB 4\Adobe AIR\Versions\1.0\Resources\WebKit\is-NTC84.tmp C:\Users\Admin\AppData\Local\Temp\is-B56VB.tmp\YNAB 4_4.3.857_Setup.tmp N/A
File created C:\Program Files (x86)\YNAB 4\assets\is-91SNA.tmp C:\Users\Admin\AppData\Local\Temp\is-B56VB.tmp\YNAB 4_4.3.857_Setup.tmp N/A
File created C:\Program Files (x86)\YNAB 4\META-INF\AIR\is-7HJIH.tmp C:\Users\Admin\AppData\Local\Temp\is-B56VB.tmp\YNAB 4_4.3.857_Setup.tmp N/A
File created C:\Program Files (x86)\YNAB 4\is-SARIE.tmp C:\Users\Admin\AppData\Local\Temp\is-B56VB.tmp\YNAB 4_4.3.857_Setup.tmp N/A
File created C:\Program Files (x86)\YNAB 4\META-INF\is-TV2UF.tmp C:\Users\Admin\AppData\Local\Temp\is-B56VB.tmp\YNAB 4_4.3.857_Setup.tmp N/A
File created C:\Program Files (x86)\YNAB 4\META-INF\AIR\is-29685.tmp C:\Users\Admin\AppData\Local\Temp\is-B56VB.tmp\YNAB 4_4.3.857_Setup.tmp N/A
File created C:\Program Files (x86)\YNAB 4\assets\is-CG7TQ.tmp C:\Users\Admin\AppData\Local\Temp\is-B56VB.tmp\YNAB 4_4.3.857_Setup.tmp N/A
File created C:\Program Files (x86)\YNAB 4\is-0S9JE.tmp C:\Users\Admin\AppData\Local\Temp\is-B56VB.tmp\YNAB 4_4.3.857_Setup.tmp N/A
File created C:\Program Files (x86)\YNAB 4\is-QD5A4.tmp C:\Users\Admin\AppData\Local\Temp\is-B56VB.tmp\YNAB 4_4.3.857_Setup.tmp N/A
File created C:\Program Files (x86)\YNAB 4\is-E280O.tmp C:\Users\Admin\AppData\Local\Temp\is-B56VB.tmp\YNAB 4_4.3.857_Setup.tmp N/A
File created C:\Program Files (x86)\YNAB 4\is-JCNM0.tmp C:\Users\Admin\AppData\Local\Temp\is-B56VB.tmp\YNAB 4_4.3.857_Setup.tmp N/A
File created C:\Program Files (x86)\YNAB 4\Adobe AIR\Versions\1.0\Resources\WebKit\is-UT1CS.tmp C:\Users\Admin\AppData\Local\Temp\is-B56VB.tmp\YNAB 4_4.3.857_Setup.tmp N/A
File created C:\Program Files (x86)\YNAB 4\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-B56VB.tmp\YNAB 4_4.3.857_Setup.tmp N/A
File created C:\Program Files (x86)\YNAB 4\is-BPKSC.tmp C:\Users\Admin\AppData\Local\Temp\is-B56VB.tmp\YNAB 4_4.3.857_Setup.tmp N/A
File created C:\Program Files (x86)\YNAB 4\is-PU5HI.tmp C:\Users\Admin\AppData\Local\Temp\is-B56VB.tmp\YNAB 4_4.3.857_Setup.tmp N/A
File created C:\Program Files (x86)\YNAB 4\is-P3NJ8.tmp C:\Users\Admin\AppData\Local\Temp\is-B56VB.tmp\YNAB 4_4.3.857_Setup.tmp N/A
File created C:\Program Files (x86)\YNAB 4\assets\is-N1R6C.tmp C:\Users\Admin\AppData\Local\Temp\is-B56VB.tmp\YNAB 4_4.3.857_Setup.tmp N/A
File created C:\Program Files (x86)\YNAB 4\assets\is-NR774.tmp C:\Users\Admin\AppData\Local\Temp\is-B56VB.tmp\YNAB 4_4.3.857_Setup.tmp N/A
File created C:\Program Files (x86)\YNAB 4\assets\is-9HCG4.tmp C:\Users\Admin\AppData\Local\Temp\is-B56VB.tmp\YNAB 4_4.3.857_Setup.tmp N/A
File created C:\Program Files (x86)\YNAB 4\is-E3R4R.tmp C:\Users\Admin\AppData\Local\Temp\is-B56VB.tmp\YNAB 4_4.3.857_Setup.tmp N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files (x86)\YNAB 4\YNAB 4.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files (x86)\YNAB 4\YNAB 4.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.ynab4\DefaultIcon\ = "C:\\Program Files (x86)\\YNAB 4\\YNAB 4.exe,0" C:\Users\Admin\AppData\Local\Temp\is-B56VB.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.qfx\ = "Bank File (Opened by YNAB 4)" C:\Users\Admin\AppData\Local\Temp\is-B56VB.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Mime\Database\Content Type\application/vnd.ynab.qif C:\Users\Admin\AppData\Local\Temp\is-B56VB.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.qif\ = "Bank File (Opened by YNAB 4)" C:\Users\Admin\AppData\Local\Temp\is-B56VB.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.ynab4 C:\Users\Admin\AppData\Local\Temp\is-B56VB.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.ofx\DefaultIcon\ = "C:\\Program Files (x86)\\YNAB 4\\YNAB 4.exe,0" C:\Users\Admin\AppData\Local\Temp\is-B56VB.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.qfx\shell\open\command C:\Users\Admin\AppData\Local\Temp\is-B56VB.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.ynab4\shell\open C:\Users\Admin\AppData\Local\Temp\is-B56VB.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.qif\DefaultIcon C:\Users\Admin\AppData\Local\Temp\is-B56VB.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.ofx C:\Users\Admin\AppData\Local\Temp\is-B56VB.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.ofx\shell C:\Users\Admin\AppData\Local\Temp\is-B56VB.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/vnd.ynab.qfx\Extension = ".qfx" C:\Users\Admin\AppData\Local\Temp\is-B56VB.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.qfx\shell\open C:\Users\Admin\AppData\Local\Temp\is-B56VB.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.qif\ = "com.ynab.YNAB4.qif" C:\Users\Admin\AppData\Local\Temp\is-B56VB.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.qif\shell\open\command C:\Users\Admin\AppData\Local\Temp\is-B56VB.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.qif\DefaultIcon\ = "C:\\Program Files (x86)\\YNAB 4\\YNAB 4.exe,0" C:\Users\Admin\AppData\Local\Temp\is-B56VB.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Mime\Database\Content Type\application/vnd.ynab.ynab4 C:\Users\Admin\AppData\Local\Temp\is-B56VB.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.ofx\ = "Bank File (Opened by YNAB 4)" C:\Users\Admin\AppData\Local\Temp\is-B56VB.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.ofx\DefaultIcon C:\Users\Admin\AppData\Local\Temp\is-B56VB.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.ofx\shell\open\ = "Open with YNAB 4" C:\Users\Admin\AppData\Local\Temp\is-B56VB.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.qif\shell\open C:\Users\Admin\AppData\Local\Temp\is-B56VB.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.qif\shell\open\ = "Open with YNAB 4" C:\Users\Admin\AppData\Local\Temp\is-B56VB.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.ynab4\Content Type = "application/vnd.ynab.ynab4" C:\Users\Admin\AppData\Local\Temp\is-B56VB.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.ofx C:\Users\Admin\AppData\Local\Temp\is-B56VB.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.qfx\ = "com.ynab.YNAB4.qfx" C:\Users\Admin\AppData\Local\Temp\is-B56VB.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.qfx\Content Type = "application/vnd.ynab.qfx" C:\Users\Admin\AppData\Local\Temp\is-B56VB.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.qif\shell C:\Users\Admin\AppData\Local\Temp\is-B56VB.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.ynab4 C:\Users\Admin\AppData\Local\Temp\is-B56VB.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.ynab4\DefaultIcon C:\Users\Admin\AppData\Local\Temp\is-B56VB.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.ynab4\shell C:\Users\Admin\AppData\Local\Temp\is-B56VB.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.ynab4\shell\open\command C:\Users\Admin\AppData\Local\Temp\is-B56VB.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.qfx\DefaultIcon C:\Users\Admin\AppData\Local\Temp\is-B56VB.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.qfx\shell\open\ = "Open with YNAB 4" C:\Users\Admin\AppData\Local\Temp\is-B56VB.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.ofx\shell\open\command\ = "\"C:\\Program Files (x86)\\YNAB 4\\YNAB 4.exe\" \"%1\"" C:\Users\Admin\AppData\Local\Temp\is-B56VB.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.qfx\shell C:\Users\Admin\AppData\Local\Temp\is-B56VB.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.qfx\shell\open\command\ = "\"C:\\Program Files (x86)\\YNAB 4\\YNAB 4.exe\" \"%1\"" C:\Users\Admin\AppData\Local\Temp\is-B56VB.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/vnd.ynab.ofx\Extension = ".ofx" C:\Users\Admin\AppData\Local\Temp\is-B56VB.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.ofx\shell\open C:\Users\Admin\AppData\Local\Temp\is-B56VB.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.qif\shell\open\command\ = "\"C:\\Program Files (x86)\\YNAB 4\\YNAB 4.exe\" \"%1\"" C:\Users\Admin\AppData\Local\Temp\is-B56VB.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Mime\Database\Content Type\application/vnd.ynab.ofx C:\Users\Admin\AppData\Local\Temp\is-B56VB.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.qif C:\Users\Admin\AppData\Local\Temp\is-B56VB.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/vnd.ynab.ynab4\Extension = ".ynab4" C:\Users\Admin\AppData\Local\Temp\is-B56VB.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.ofx\ = "com.ynab.YNAB4.ofx" C:\Users\Admin\AppData\Local\Temp\is-B56VB.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/vnd.ynab.qif\Extension = ".qif" C:\Users\Admin\AppData\Local\Temp\is-B56VB.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.qif C:\Users\Admin\AppData\Local\Temp\is-B56VB.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.ynab4\ = "com.ynab.YNAB4.ynab4" C:\Users\Admin\AppData\Local\Temp\is-B56VB.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.ofx\shell\open\command C:\Users\Admin\AppData\Local\Temp\is-B56VB.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.qfx\DefaultIcon\ = "C:\\Program Files (x86)\\YNAB 4\\YNAB 4.exe,0" C:\Users\Admin\AppData\Local\Temp\is-B56VB.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.ynab4\shell\open\ = "Open with YNAB 4" C:\Users\Admin\AppData\Local\Temp\is-B56VB.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.ynab4\shell\open\command\ = "\"C:\\Program Files (x86)\\YNAB 4\\YNAB 4.exe\" \"%1\"" C:\Users\Admin\AppData\Local\Temp\is-B56VB.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.qfx C:\Users\Admin\AppData\Local\Temp\is-B56VB.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.qif\Content Type = "application/vnd.ynab.qif" C:\Users\Admin\AppData\Local\Temp\is-B56VB.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.ynab4\ = "YNAB 4 Budget File" C:\Users\Admin\AppData\Local\Temp\is-B56VB.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.ofx\Content Type = "application/vnd.ynab.ofx" C:\Users\Admin\AppData\Local\Temp\is-B56VB.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Mime\Database\Content Type\application/vnd.ynab.qfx C:\Users\Admin\AppData\Local\Temp\is-B56VB.tmp\YNAB 4_4.3.857_Setup.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.qfx C:\Users\Admin\AppData\Local\Temp\is-B56VB.tmp\YNAB 4_4.3.857_Setup.tmp N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-B56VB.tmp\YNAB 4_4.3.857_Setup.tmp N/A

Processes

C:\Users\Admin\AppData\Local\Temp\YNAB 4_4.3.857_Setup.exe

"C:\Users\Admin\AppData\Local\Temp\YNAB 4_4.3.857_Setup.exe"

C:\Users\Admin\AppData\Local\Temp\is-B56VB.tmp\YNAB 4_4.3.857_Setup.tmp

"C:\Users\Admin\AppData\Local\Temp\is-B56VB.tmp\YNAB 4_4.3.857_Setup.tmp" /SL5="$601DA,20782605,219136,C:\Users\Admin\AppData\Local\Temp\YNAB 4_4.3.857_Setup.exe"

C:\Program Files (x86)\YNAB 4\YNAB 4.exe

"C:\Program Files (x86)\YNAB 4\YNAB 4.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x3f0 0x504

Network

Country Destination Domain Proto
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 208.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 138.91.171.81:80 tcp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 airdownload2.adobe.com udp
GB 104.78.176.172:80 airdownload2.adobe.com tcp
US 8.8.8.8:53 172.176.78.104.in-addr.arpa udp
US 8.8.8.8:53 206.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 210.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 222.74.101.95.in-addr.arpa udp

Files
