Edit tour

Windows Analysis Report
YogaDNSSetup.exe

Overview

General Information

Sample Name:	YogaDNSSetup.exe
Analysis ID:	599656
MD5:	ac752df0ebb3fc9fcbb3b906b4050c17
SHA1:	7f4686f519ffcab1510a6c422206387b3a89c134
SHA256:	2224b2d7b8fc7782f59ef6cbf8b15f98051309b2c6ab395836563954ce63b1e9
Infos:

Detection

Score:	28
Range:	0 - 100
Whitelisted:	false
Confidence:	60%

Signatures

NDIS Filter Driver detected (likely used to intercept and sniff network traffic)

Creates an autostart registry key pointing to binary in C:\Windows

Creates multiple autostart registry keys

Obfuscated command line found

Uses 32bit PE files

Creates files inside the driver directory

Queries the volume information (name, serial number etc) of a device

Contains functionality to query locales information (e.g. system language)

Deletes files inside the Windows folder

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

Sigma detected: Suspicious Rundll32 Activity

PE file contains sections with non-standard names

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Stores files to the Windows start menu directory

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Found dropped PE file which has not been started or loaded

PE file contains executable resources (Code or Archives)

Creates a DirectInput object (often for capturing keystrokes)

Sample file is different than original file name gathered from version info

Uses net.exe to stop services

PE file contains strange resources

Drops PE files

Contains functionality to read the PEB

Drops PE files to the windows directory (C:\Windows)

Found evasive API chain checking for process token information

Contains functionality to launch a program with higher privileges

PE file contains more sections than normal

Queries time zone information

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Sigma detected: Suspicious Rundll32 Setupapi.dll Activity

Creates a process in suspended mode (likely to inject code)

Sigma detected: Autorun Keys Modification

Classification

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")

Process Tree

System is w10x64

YogaDNSSetup.exe (PID: 6768 cmdline: "C:\Users\user\Desktop\YogaDNSSetup.exe" MD5: AC752DF0EBB3FC9FCBB3B906B4050C17)

YogaDNSSetup.tmp (PID: 6828 cmdline: "C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp" /SL5="$7037A,7654068,831488,C:\Users\user\Desktop\YogaDNSSetup.exe" MD5: 7FD3620B726C3B90AD03266C3942ACA9)

YogaDNS.exe (PID: 6940 cmdline: "C:\Program Files (x86)\YogaDNS\YogaDNS.exe" /ForceExit MD5: FB51F3CA7F0785C5AF983D599F715FF3)

net.exe (PID: 6508 cmdline: "NET.EXE" stop DnsFltEngineDrv MD5: DD0561156F62BC1958CE0E370B23711B)

conhost.exe (PID: 6908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

net1.exe (PID: 6964 cmdline: C:\Windows\system32\net1 stop DnsFltEngineDrv MD5: B5A26C2BF17222E86B91D26F1247AF3E)

rundll32.exe (PID: 6848 cmdline: "RUNDLL32.EXE" SETUPAPI.DLL,InstallHinfSection DefaultInstall 132 C:\Program Files (x86)\YogaDNS\Driver\DnsFltEngineDrv.inf MD5: 73C519F050C20580F8A62C849D49215A)

runonce.exe (PID: 5108 cmdline: "C:\Windows\system32\runonce.exe" -r MD5: 5F3BE52A00D8C741AE0B7FCE861F90AD)

grpconv.exe (PID: 7044 cmdline: "C:\Windows\System32\grpconv.exe" -o MD5: 7E727D9259367AF1C140377A4BF173C0)

YogaDNS.exe (PID: 5116 cmdline: "C:\Program Files (x86)\YogaDNS\YogaDNS.exe" /ShowWnd MD5: FB51F3CA7F0785C5AF983D599F715FF3)

YogaDNS.exe (PID: 7008 cmdline: "C:\Program Files (x86)\YogaDNS\YogaDNS.exe" /AutoRun MD5: FB51F3CA7F0785C5AF983D599F715FF3)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

There are no malicious signatures, click here to show all signatures.

Source: Process started

Author: juju4, Jonhnathan Ribeiro, oscd.community: Data: Command: "RUNDLL32.EXE" SETUPAPI.DLL,InstallHinfSection DefaultInstall 132 C:\Program Files (x86)\YogaDNS\Driver\DnsFltEngineDrv.inf, CommandLine: "RUNDLL32.EXE" SETUPAPI.DLL,InstallHinfSection DefaultInstall 132 C:\Program Files (x86)\YogaDNS\Driver\DnsFltEngineDrv.inf, CommandLine|base64offset|contains: [HZ, Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp" /SL5="$7037A,7654068,831488,C:\Users\user\Desktop\YogaDNSSetup.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp, ParentProcessId: 6828, ParentProcessName: YogaDNSSetup.tmp, ProcessCommandLine: "RUNDLL32.EXE" SETUPAPI.DLL,InstallHinfSection DefaultInstall 132 C:\Program Files (x86)\YogaDNS\Driver\DnsFltEngineDrv.inf, ProcessId: 6848, ProcessName: rundll32.exe

Source: Process started

Author: Konstantin Grishchenko, oscd.community: Data: Command: "C:\Windows\system32\runonce.exe" -r, CommandLine: "C:\Windows\system32\runonce.exe" -r, CommandLine|base64offset|contains: , Image: C:\Windows\System32\runonce.exe, NewProcessName: C:\Windows\System32\runonce.exe, OriginalFileName: C:\Windows\System32\runonce.exe, ParentCommandLine: "RUNDLL32.EXE" SETUPAPI.DLL,InstallHinfSection DefaultInstall 132 C:\Program Files (x86)\YogaDNS\Driver\DnsFltEngineDrv.inf, ParentImage: C:\Windows\System32\rundll32.exe, ParentProcessId: 6848, ParentProcessName: rundll32.exe, ProcessCommandLine: "C:\Windows\system32\runonce.exe" -r, ProcessId: 5108, ProcessName: runonce.exe

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton: Data: Details: "C:\Program Files (x86)\YogaDNS\YogaDNS.exe" /AutoRun, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp, ProcessId: 6828, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\YogaDNS

Source: Process started

Author: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements): Data: Command: "NET.EXE" stop DnsFltEngineDrv, CommandLine: "NET.EXE" stop DnsFltEngineDrv, CommandLine|base64offset|contains: ), Image: C:\Windows\SysWOW64\net.exe, NewProcessName: C:\Windows\SysWOW64\net.exe, OriginalFileName: C:\Windows\SysWOW64\net.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp" /SL5="$7037A,7654068,831488,C:\Users\user\Desktop\YogaDNSSetup.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp, ParentProcessId: 6828, ParentProcessName: YogaDNSSetup.tmp, ProcessCommandLine: "NET.EXE" stop DnsFltEngineDrv, ProcessId: 6508, ProcessName: net.exe

Source: Process started

Author: frack113: Data: Command: "C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp" /SL5="$7037A,7654068,831488,C:\Users\user\Desktop\YogaDNSSetup.exe" , CommandLine: "C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp" /SL5="$7037A,7654068,831488,C:\Users\user\Desktop\YogaDNSSetup.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp, NewProcessName: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp, OriginalFileName: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp, ParentCommandLine: "C:\Users\user\Desktop\YogaDNSSetup.exe" , ParentImage: C:\Users\user\Desktop\YogaDNSSetup.exe, ParentProcessId: 6768, ParentProcessName: YogaDNSSetup.exe, ProcessCommandLine: "C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp" /SL5="$7037A,7654068,831488,C:\Users\user\Desktop\YogaDNSSetup.exe" , ProcessId: 6828, ProcessName: YogaDNSSetup.tmp

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: YogaDNSSetup.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI, RELOCS_STRIPPED

Source: unknown

HTTPS traffic detected: 172.104.9.252:443 -> 192.168.2.4:49781 version: TLS 1.2

Source: YogaDNSSetup.exe

Static PE information: certificate valid

Source: YogaDNSSetup.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: C:\Dev\Projects\YogaDns\YogaDns\DnsFltEngineDrv\ARM64\Release\DnsFltEngineDrv.pdb source: YogaDNSSetup.tmp, 00000002.00000003.399104881.0000000005950000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Dev\Projects\YogaDns\YogaDns\DnsManager\Release\YogaDns.pdb source: YogaDNS.exe, 0000000E.00000000.354784209.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 0000000E.00000002.359521770.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 00000015.00000002.780552664.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 00000015.00000000.372693427.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 00000017.00000002.402385021.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 00000017.00000000.398393400.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, is-MENUL.tmp.2.dr
Source:	Binary string: C:\Dev\Projects\YogaDns\YogaDns\DnsFltEngineDrv\ARM64\Release\DnsFltEngineDrv.pdbGCTL source: YogaDNSSetup.tmp, 00000002.00000003.399104881.0000000005950000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: [C:\Dev\Projects\YogaDns\YogaDns\DnsFltEngineDrv\Release\DnsFltEngineDrv.pdb source: YogaDNSSetup.tmp, 00000002.00000003.399104881.0000000005950000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Dev\Projects\YogaDns\YogaDns\DnsFltEngineDrv\x64\Release\DnsFltEngineDrv.pdb source: YogaDNSSetup.tmp, 00000002.00000003.399104881.0000000005950000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.381382892.000001C0471C3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.379498242.000001C0471C2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.378722652.000001C0471B4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Dev\Projects\YogaDns\YogaDns\ServiceManager\Release\ServiceManager.pdb source: YogaDNSSetup.tmp, 00000002.00000003.399104881.0000000005950000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Dev\Projects\YogaDns\YogaDns\DnsManager\Release\YogaDns.pdbgT source: YogaDNS.exe, 0000000E.00000000.354784209.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 0000000E.00000002.359521770.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 00000015.00000002.780552664.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 00000015.00000000.372693427.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 00000017.00000002.402385021.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 00000017.00000000.398393400.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, is-MENUL.tmp.2.dr
Source:	Binary string: C:\Dev\Projects\YogaDns\YogaDns\DnsFltEngineDrv\Release\DnsFltEngineDrv.pdb source: YogaDNSSetup.tmp, 00000002.00000003.399104881.0000000005950000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\YogaDNSSetup.exe	Code function: 0_2_0040AEF4 FindFirstFileW,FindClose,	0_2_0040AEF4
Source: C:\Users\user\Desktop\YogaDNSSetup.exe	Code function: 0_2_0040A928 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,	0_2_0040A928
Source: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp	Code function: 2_2_0060C2B0 FindFirstFileW,GetLastError,	2_2_0060C2B0
Source: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp	Code function: 2_2_0040E6A0 FindFirstFileW,FindClose,	2_2_0040E6A0
Source: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp	Code function: 2_2_0040E0D4 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,	2_2_0040E0D4
Source: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp	Code function: 2_2_006B8DE4 FindFirstFileW,SetFileAttributesW,FindNextFileW,FindClose,	2_2_006B8DE4

Networking

NDIS Filter Driver detected (likely used to intercept and sniff network traffic)

Source: is-A6E8V.tmp.2.dr	Static PE information: Found NDIS imports: FwpmFilterAdd0, FwpsAllocateNetBufferAndNetBufferList0, FwpsFreeNetBufferList0, FwpsInjectTransportSendAsync0, FwpsInjectTransportReceiveAsync0, FwpsQueryPacketInjectionState0, FwpsFlowAssociateContext0, FwpsFlowRemoveContext0, FwpsAcquireClassifyHandle0, FwpsReleaseClassifyHandle0, FwpsPendClassify0, FwpsCompleteClassify0, FwpsAcquireWritableLayerDataPointer0, FwpsApplyModifiedLayerData0, FwpsStreamInjectAsync0, FwpsCopyStreamDataToBuffer0, FwpsCalloutRegister1, FwpsCalloutUnregisterByKey0, FwpsInjectionHandleCreate0, FwpsInjectionHandleDestroy0, FwpmEngineOpen0, FwpmEngineClose0, FwpmProviderAdd0, FwpmSubLayerAdd0, FwpmCalloutAdd0
Source: SET3827.tmp.19.dr	Static PE information: Found NDIS imports: FwpmFilterAdd0, FwpsAllocateNetBufferAndNetBufferList0, FwpsFreeNetBufferList0, FwpsInjectTransportSendAsync0, FwpsInjectTransportReceiveAsync0, FwpsQueryPacketInjectionState0, FwpsFlowAssociateContext0, FwpsFlowRemoveContext0, FwpsAcquireClassifyHandle0, FwpsReleaseClassifyHandle0, FwpsPendClassify0, FwpsCompleteClassify0, FwpsAcquireWritableLayerDataPointer0, FwpsApplyModifiedLayerData0, FwpsStreamInjectAsync0, FwpsCopyStreamDataToBuffer0, FwpsCalloutRegister1, FwpsCalloutUnregisterByKey0, FwpsInjectionHandleCreate0, FwpsInjectionHandleDestroy0, FwpmEngineOpen0, FwpmEngineClose0, FwpmProviderAdd0, FwpmSubLayerAdd0, FwpmCalloutAdd0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443

Source: YogaDNSSetup.tmp, 00000002.00000003.399104881.0000000005950000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:8888
Source: YogaDNSSetup.exe, 00000000.00000003.255250594.00000000024C0000.00000004.00001000.00020000.00000000.sdmp, YogaDNSSetup.exe, 00000000.00000003.255720198.000000007FBA0000.00000004.00001000.00020000.00000000.sdmp, YogaDNSSetup.tmp, 00000002.00000003.399104881.0000000005950000.00000004.00001000.00020000.00000000.sdmp, YogaDNSSetup.tmp, 00000002.00000002.405288393.000000000018D000.00000004.00000010.00020000.00000000.sdmp, is-MENUL.tmp.2.dr	String found in binary or memory: http://crl.globalsign.com/gsextendcodesignsha2g3.crl0
Source: YogaDNSSetup.exe, 00000000.00000003.255250594.00000000024C0000.00000004.00001000.00020000.00000000.sdmp, YogaDNSSetup.exe, 00000000.00000003.255720198.000000007FBA0000.00000004.00001000.00020000.00000000.sdmp, YogaDNSSetup.tmp, 00000002.00000003.399104881.0000000005950000.00000004.00001000.00020000.00000000.sdmp, YogaDNSSetup.tmp, 00000002.00000002.405288393.000000000018D000.00000004.00000010.00020000.00000000.sdmp, is-MENUL.tmp.2.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0b
Source: YogaDNSSetup.exe, 00000000.00000003.255250594.00000000024C0000.00000004.00001000.00020000.00000000.sdmp, YogaDNSSetup.exe, 00000000.00000003.255720198.000000007FBA0000.00000004.00001000.00020000.00000000.sdmp, YogaDNSSetup.tmp, 00000002.00000003.399104881.0000000005950000.00000004.00001000.00020000.00000000.sdmp, YogaDNSSetup.tmp, 00000002.00000002.405288393.000000000018D000.00000004.00000010.00020000.00000000.sdmp, is-MENUL.tmp.2.dr	String found in binary or memory: http://crl.globalsign.com/root.crl0G
Source: YogaDNSSetup.tmp, 00000002.00000003.399104881.0000000005950000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://dnscrypt.me
Source: YogaDNSSetup.tmp, 00000002.00000003.399104881.0000000005950000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://nawala.id
Source: YogaDNSSetup.exe, 00000000.00000003.255250594.00000000024C0000.00000004.00001000.00020000.00000000.sdmp, YogaDNSSetup.exe, 00000000.00000003.255720198.000000007FBA0000.00000004.00001000.00020000.00000000.sdmp, YogaDNSSetup.tmp, 00000002.00000003.399104881.0000000005950000.00000004.00001000.00020000.00000000.sdmp, YogaDNSSetup.tmp, 00000002.00000002.405288393.000000000018D000.00000004.00000010.00020000.00000000.sdmp, is-MENUL.tmp.2.dr	String found in binary or memory: http://ocsp.globalsign.com/rootr103
Source: YogaDNSSetup.exe, 00000000.00000003.255250594.00000000024C0000.00000004.00001000.00020000.00000000.sdmp, YogaDNSSetup.exe, 00000000.00000003.255720198.000000007FBA0000.00000004.00001000.00020000.00000000.sdmp, YogaDNSSetup.tmp, 00000002.00000003.399104881.0000000005950000.00000004.00001000.00020000.00000000.sdmp, YogaDNSSetup.tmp, 00000002.00000002.405288393.000000000018D000.00000004.00000010.00020000.00000000.sdmp, is-MENUL.tmp.2.dr	String found in binary or memory: http://ocsp2.globalsign.com/gsextendcodesignsha2g30U
Source: YogaDNSSetup.exe, 00000000.00000003.255250594.00000000024C0000.00000004.00001000.00020000.00000000.sdmp, YogaDNSSetup.exe, 00000000.00000003.255720198.000000007FBA0000.00000004.00001000.00020000.00000000.sdmp, YogaDNSSetup.tmp, 00000002.00000003.399104881.0000000005950000.00000004.00001000.00020000.00000000.sdmp, YogaDNSSetup.tmp, 00000002.00000002.405288393.000000000018D000.00000004.00000010.00020000.00000000.sdmp, is-MENUL.tmp.2.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: YogaDNSSetup.exe, 00000000.00000003.255250594.00000000024C0000.00000004.00001000.00020000.00000000.sdmp, YogaDNSSetup.exe, 00000000.00000003.255720198.000000007FBA0000.00000004.00001000.00020000.00000000.sdmp, YogaDNSSetup.tmp, 00000002.00000003.399104881.0000000005950000.00000004.00001000.00020000.00000000.sdmp, YogaDNSSetup.tmp, 00000002.00000002.405288393.000000000018D000.00000004.00000010.00020000.00000000.sdmp, is-MENUL.tmp.2.dr	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: YogaDNSSetup.exe, 00000000.00000003.255250594.00000000024C0000.00000004.00001000.00020000.00000000.sdmp, YogaDNSSetup.exe, 00000000.00000003.255720198.000000007FBA0000.00000004.00001000.00020000.00000000.sdmp, YogaDNSSetup.tmp, 00000002.00000003.399104881.0000000005950000.00000004.00001000.00020000.00000000.sdmp, YogaDNSSetup.tmp, 00000002.00000002.405288393.000000000018D000.00000004.00000010.00020000.00000000.sdmp, is-MENUL.tmp.2.dr	String found in binary or memory: http://s.symcd.com06
Source: YogaDNSSetup.exe, 00000000.00000003.255250594.00000000024C0000.00000004.00001000.00020000.00000000.sdmp, YogaDNSSetup.exe, 00000000.00000003.255720198.000000007FBA0000.00000004.00001000.00020000.00000000.sdmp, YogaDNSSetup.tmp, 00000002.00000003.399104881.0000000005950000.00000004.00001000.00020000.00000000.sdmp, YogaDNSSetup.tmp, 00000002.00000002.405288393.000000000018D000.00000004.00000010.00020000.00000000.sdmp, is-MENUL.tmp.2.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gsextendcodesignsha2g3ocsp.crt0
Source: YogaDNSSetup.exe, 00000000.00000003.255250594.00000000024C0000.00000004.00001000.00020000.00000000.sdmp, YogaDNSSetup.exe, 00000000.00000003.255720198.000000007FBA0000.00000004.00001000.00020000.00000000.sdmp, YogaDNSSetup.tmp, 00000002.00000003.399104881.0000000005950000.00000004.00001000.00020000.00000000.sdmp, YogaDNSSetup.tmp, 00000002.00000002.405288393.000000000018D000.00000004.00000010.00020000.00000000.sdmp, is-MENUL.tmp.2.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: YogaDNSSetup.exe, 00000000.00000003.255250594.00000000024C0000.00000004.00001000.00020000.00000000.sdmp, YogaDNSSetup.exe, 00000000.00000003.255720198.000000007FBA0000.00000004.00001000.00020000.00000000.sdmp, YogaDNSSetup.tmp, 00000002.00000003.399104881.0000000005950000.00000004.00001000.00020000.00000000.sdmp, YogaDNSSetup.tmp, 00000002.00000002.405288393.000000000018D000.00000004.00000010.00020000.00000000.sdmp, is-MENUL.tmp.2.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: YogaDNSSetup.exe, 00000000.00000003.255250594.00000000024C0000.00000004.00001000.00020000.00000000.sdmp, YogaDNSSetup.exe, 00000000.00000003.255720198.000000007FBA0000.00000004.00001000.00020000.00000000.sdmp, YogaDNSSetup.tmp, 00000002.00000003.399104881.0000000005950000.00000004.00001000.00020000.00000000.sdmp, YogaDNSSetup.tmp, 00000002.00000002.405288393.000000000018D000.00000004.00000010.00020000.00000000.sdmp, is-MENUL.tmp.2.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: rundll32.exe, 00000013.00000003.381382892.000001C0471C3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.382118486.000001C0471C4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.379498242.000001C0471C2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.378722652.000001C0471B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.micft.com/pkiops/crl/Microsoft%20Windows%20Third%20Party%20Component%20CA%202014.crl0
Source: YogaDNSSetup.tmp, 00000002.00000003.259649062.0000000003400000.00000004.00001000.00020000.00000000.sdmp, YogaDNSSetup.tmp, 00000002.00000003.404081501.0000000002543000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.yogadns.com
Source: YogaDNSSetup.exe, 00000000.00000003.408481363.0000000002283000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.yogadns.comQ6(
Source: YogaDNSSetup.tmp, 00000002.00000003.399104881.0000000005950000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://arvind.io).
Source: YogaDNSSetup.tmp, 00000002.00000003.399104881.0000000005950000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://blahdns.com/
Source: YogaDNSSetup.tmp, 00000002.00000003.399104881.0000000005950000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://cdome.comodo.com/shield/
Source: YogaDNSSetup.tmp, 00000002.00000003.399104881.0000000005950000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://cleanbrowsing.org/
Source: YogaDNSSetup.tmp, 00000002.00000003.399104881.0000000005950000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://cruisemaniac.com)
Source: YogaDNSSetup.exe, 00000000.00000003.255250594.00000000024C0000.00000004.00001000.00020000.00000000.sdmp, YogaDNSSetup.exe, 00000000.00000003.255720198.000000007FBA0000.00000004.00001000.00020000.00000000.sdmp, YogaDNSSetup.tmp, 00000002.00000003.399104881.0000000005950000.00000004.00001000.00020000.00000000.sdmp, YogaDNSSetup.tmp, 00000002.00000002.405288393.000000000018D000.00000004.00000010.00020000.00000000.sdmp, is-MENUL.tmp.2.dr	String found in binary or memory: https://d.symcb.com/cps0%
Source: YogaDNSSetup.exe, 00000000.00000003.255250594.00000000024C0000.00000004.00001000.00020000.00000000.sdmp, YogaDNSSetup.exe, 00000000.00000003.255720198.000000007FBA0000.00000004.00001000.00020000.00000000.sdmp, YogaDNSSetup.tmp, 00000002.00000003.399104881.0000000005950000.00000004.00001000.00020000.00000000.sdmp, YogaDNSSetup.tmp, 00000002.00000002.405288393.000000000018D000.00000004.00000010.00020000.00000000.sdmp, is-MENUL.tmp.2.dr	String found in binary or memory: https://d.symcb.com/rpa0
Source: YogaDNSSetup.exe, 00000000.00000003.255250594.00000000024C0000.00000004.00001000.00020000.00000000.sdmp, YogaDNSSetup.exe, 00000000.00000003.255720198.000000007FBA0000.00000004.00001000.00020000.00000000.sdmp, YogaDNSSetup.tmp, 00000002.00000003.399104881.0000000005950000.00000004.00001000.00020000.00000000.sdmp, YogaDNSSetup.tmp, 00000002.00000002.405288393.000000000018D000.00000004.00000010.00020000.00000000.sdmp, is-MENUL.tmp.2.dr	String found in binary or memory: https://d.symcb.com/rpa0.
Source: YogaDNSSetup.tmp, 00000002.00000003.399104881.0000000005950000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://dns.seby.io
Source: YogaDNSSetup.tmp, 00000002.00000003.399104881.0000000005950000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://dnscrypt-tupi.org/
Source: YogaDNSSetup.tmp, 00000002.00000003.399104881.0000000005950000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://dnscrypt.info/doc
Source: YogaDNSSetup.tmp, 00000002.00000003.399104881.0000000005950000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://dnscrypt.info/public-servers
Source: YogaDNSSetup.tmp, 00000002.00000003.399104881.0000000005950000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://dnscrypt.nl
Source: YogaDNSSetup.tmp, 00000002.00000003.399104881.0000000005950000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://dnswarden.com
Source: YogaDNSSetup.tmp, 00000002.00000003.399104881.0000000005950000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://download.dnscrypt.info/blacklists/
Source: YogaDNSSetup.tmp, 00000002.00000003.399104881.0000000005950000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://download.dnscrypt.info/resolvers-list/v2/parental-control.md
Source: YogaDNSSetup.tmp, 00000002.00000003.399104881.0000000005950000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md
Source: YogaDNSSetup.tmp, 00000002.00000003.399104881.0000000005950000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://fr.dnscrypt.info
Source: YogaDNSSetup.tmp, 00000002.00000003.399104881.0000000005950000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://fr.dnscrypt.info/sfw.html
Source: YogaDNSSetup.tmp, 00000002.00000003.399104881.0000000005950000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/DNSCrypt/dnscrypt-resolvers
Source: YogaDNSSetup.exe	String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdline
Source: YogaDNSSetup.exe	String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: YogaDNS.exe, 0000000E.00000000.354784209.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 0000000E.00000002.359521770.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 00000015.00000002.780552664.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 00000015.00000000.372693427.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 00000017.00000002.402385021.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 00000017.00000000.398393400.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, is-MENUL.tmp.2.dr	String found in binary or memory: https://my.nextdns.io/startOpen
Source: YogaDNSSetup.tmp, 00000002.00000003.399104881.0000000005950000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://powerdns.org
Source: YogaDNSSetup.tmp, 00000002.00000003.399104881.0000000005950000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://quad9.net/
Source: YogaDNSSetup.tmp, 00000002.00000003.399104881.0000000005950000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/parental-control.md
Source: YogaDNSSetup.tmp, 00000002.00000003.399104881.0000000005950000.00000004.00001000.00020000.00000000.sdmp, YogaDNS.exe, 0000000E.00000000.354784209.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 0000000E.00000002.359521770.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 00000015.00000002.780552664.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 00000015.00000000.372693427.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 00000017.00000002.402385021.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 00000017.00000000.398393400.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, is-MENUL.tmp.2.dr	String found in binary or memory: https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/public-resolvers.md
Source: YogaDNS.exe, 0000000E.00000000.354784209.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 0000000E.00000002.359521770.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 00000015.00000002.780552664.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 00000015.00000000.372693427.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 00000017.00000002.402385021.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 00000017.00000000.398393400.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, is-MENUL.tmp.2.dr	String found in binary or memory: https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/relays.md
Source: YogaDNSSetup.tmp, 00000002.00000003.399104881.0000000005950000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://userspace.com.au
Source: YogaDNSSetup.tmp, 00000002.00000003.399104881.0000000005950000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.dnscrypt.uk
Source: YogaDNSSetup.exe, 00000000.00000003.255250594.00000000024C0000.00000004.00001000.00020000.00000000.sdmp, YogaDNSSetup.exe, 00000000.00000003.255720198.000000007FBA0000.00000004.00001000.00020000.00000000.sdmp, YogaDNSSetup.tmp, 00000002.00000003.399104881.0000000005950000.00000004.00001000.00020000.00000000.sdmp, YogaDNSSetup.tmp, 00000002.00000002.405288393.000000000018D000.00000004.00000010.00020000.00000000.sdmp, is-MENUL.tmp.2.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: YogaDNSSetup.exe, 00000000.00000003.255250594.00000000024C0000.00000004.00001000.00020000.00000000.sdmp, YogaDNSSetup.exe, 00000000.00000003.255720198.000000007FBA0000.00000004.00001000.00020000.00000000.sdmp, YogaDNSSetup.tmp, YogaDNSSetup.tmp, 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp	String found in binary or memory: https://www.innosetup.com/
Source: YogaDNSSetup.tmp, 00000002.00000003.399104881.0000000005950000.00000004.00001000.00020000.00000000.sdmp, YogaDNS.exe, 0000000E.00000002.362207495.000000006D239000.00000008.00000001.01000000.0000000B.sdmp, YogaDNS.exe, 00000015.00000002.781472809.000000006D779000.00000008.00000001.01000000.0000000B.sdmp, YogaDNS.exe, 00000017.00000002.404055579.000000006D779000.00000008.00000001.01000000.0000000B.sdmp	String found in binary or memory: https://www.openssl.org/H
Source: YogaDNSSetup.tmp, 00000002.00000003.399104881.0000000005950000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.quad9.net/quad9-resolvers.md
Source: YogaDNSSetup.exe, 00000000.00000003.255250594.00000000024C0000.00000004.00001000.00020000.00000000.sdmp, YogaDNSSetup.exe, 00000000.00000003.255720198.000000007FBA0000.00000004.00001000.00020000.00000000.sdmp, YogaDNSSetup.tmp, YogaDNSSetup.tmp, 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp	String found in binary or memory: https://www.remobjects.com/ps
Source: YogaDNSSetup.tmp, 00000002.00000003.399104881.0000000005950000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.rubyfish.cn/
Source: is-MENUL.tmp.2.dr	String found in binary or memory: https://www.yogadns.com
Source: YogaDNS.exe, 00000015.00000002.781112284.00000000054F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.yogadns.com/download
Source: YogaDNS.exe, 00000015.00000002.781112284.00000000054F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.yogadns.com/download/
Source: YogaDNS.exe, 00000015.00000002.781112284.00000000054F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.yogadns.com/download/f
Source: YogaDNS.exe, 0000000E.00000000.354784209.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 0000000E.00000002.359521770.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 00000015.00000002.780552664.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 00000015.00000000.372693427.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 00000017.00000002.402385021.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 00000017.00000000.398393400.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, is-MENUL.tmp.2.dr	String found in binary or memory: https://www.yogadns.com/last_versions/windows/
Source: YogaDNS.exe, 0000000E.00000000.354784209.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 0000000E.00000002.359521770.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 00000015.00000002.780552664.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 00000015.00000000.372693427.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 00000017.00000002.402385021.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 00000017.00000000.398393400.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, is-MENUL.tmp.2.dr	String found in binary or memory: https://www.yogadns.com/last_versions/windows/(Update
Source: is-MENUL.tmp.2.dr	String found in binary or memory: https://www.yogadns.com/pricing/
Source: YogaDNS.exe, 0000000E.00000000.354977645.000000000131F000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 00000015.00000000.372825835.000000000131F000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 00000017.00000002.402546321.000000000131F000.00000002.00000001.01000000.0000000A.sdmp, is-MENUL.tmp.2.dr	String found in binary or memory: https://www.yogadns.com/pricing/buy.html
Source: YogaDNS.exe, 0000000E.00000000.354784209.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 0000000E.00000002.359521770.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 00000015.00000002.780552664.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 00000015.00000000.372693427.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 00000017.00000002.402385021.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 00000017.00000000.398393400.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, is-MENUL.tmp.2.dr	String found in binary or memory: https://www.yogadns.com/pricing/buy.htmlsystemunknown
Source: YogaDNS.exe, 0000000E.00000000.354784209.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 0000000E.00000002.359521770.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 00000015.00000002.780552664.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 00000015.00000000.372693427.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 00000017.00000002.402385021.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 00000017.00000000.398393400.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, is-MENUL.tmp.2.dr	String found in binary or memory: https://www.yogadns.comIncorrect
Source: YogaDNSSetup.tmp, 00000002.00000003.399104881.0000000005950000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://yogadns.com/docs/#serviceOpen%Ts
Source: YogaDNS.exe, 0000000E.00000000.354784209.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 0000000E.00000002.359521770.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 00000015.00000002.780552664.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 00000015.00000000.372693427.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 00000017.00000002.402385021.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 00000017.00000000.398393400.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, is-MENUL.tmp.2.dr	String found in binary or memory: https://yogadns.com/docs/runasCannot
Source: YogaDNS.exe, 0000000E.00000002.360341039.0000000001706000.00000004.00000020.00020000.00000000.sdmp, YogaDNS.exe, 0000000E.00000000.354784209.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 0000000E.00000002.359521770.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 00000015.00000002.780552664.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 00000015.00000000.372693427.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 00000017.00000002.402385021.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 00000017.00000000.398393400.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, is-MENUL.tmp.2.dr	String found in binary or memory: https://yogadns.com/resolvers/resolvers.md
Source: YogaDNS.exe, 0000000E.00000002.360341039.0000000001706000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://yogadns.com/resolvers/resolvers.mdWS
Source: YogaDNS.exe, 0000000E.00000002.360341039.0000000001706000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://yogadns.com/resolvers/resolvers.mdesb_
Source: YogaDNS.exe, 0000000E.00000000.354784209.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 0000000E.00000002.359521770.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 00000015.00000002.780552664.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 00000015.00000000.372693427.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 00000017.00000002.402385021.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 00000017.00000000.398393400.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, is-MENUL.tmp.2.dr	String found in binary or memory: https://yogadns.com/resolvers/resolvers.mdhttps://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolv

Source: unknown

DNS traffic detected: queries for: www.yogadns.com

Source: global traffic

HTTP traffic detected: GET /last_versions/windows/13100/ HTTP/1.1User-Agent: YogaDNSHost: www.yogadns.comCache-Control: no-cache

Source: unknown

HTTPS traffic detected: 172.104.9.252:443 -> 192.168.2.4:49781 version: TLS 1.2

Source: YogaDNS.exe, 0000000E.00000002.360268536.00000000016CA000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: YogaDNSSetup.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI, RELOCS_STRIPPED

Source: C:\Windows\System32\rundll32.exe

File created: C:\Windows\system32\DRIVERS\SET3827.tmp

Jump to behavior

Source: C:\Windows\System32\rundll32.exe

File deleted: C:\Windows\System32\drivers\SET3827.tmp

Jump to behavior

Source: C:\Users\user\Desktop\YogaDNSSetup.exe	Code function: 0_2_004AF110 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		0_2_004AF110
Source: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp	Code function: 2_2_0060F6D8 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		2_2_0060F6D8

Source: C:\Windows\System32\rundll32.exe

File created: C:\Windows\system32\DRIVERS\SET3827.tmp

Jump to behavior

Source: C:\Users\user\Desktop\YogaDNSSetup.exe	Code function: 0_2_004323DC	0_2_004323DC
Source: C:\Users\user\Desktop\YogaDNSSetup.exe	Code function: 0_2_004255DC	0_2_004255DC
Source: C:\Users\user\Desktop\YogaDNSSetup.exe	Code function: 0_2_0040E9C4	0_2_0040E9C4
Source: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp	Code function: 2_2_006B786C	2_2_006B786C
Source: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp	Code function: 2_2_0040C938	2_2_0040C938

Source: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp	Code function: String function: 0060CD28 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp	Code function: String function: 005F5C7C appears 50 times
Source: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp	Code function: String function: 005F5F60 appears 62 times
Source: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp	Code function: String function: 005DE888 appears 40 times
Source: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp	Code function: String function: 006163B4 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp	Code function: String function: 00616130 appears 39 times

Source: YogaDNSSetup.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-44LQ8.tmp.2.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows

Source: YogaDNSSetup.exe, 00000000.00000003.255250594.00000000024C0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs YogaDNSSetup.exe
Source: YogaDNSSetup.exe, 00000000.00000000.254371047.00000000004C6000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFileName vs YogaDNSSetup.exe
Source: YogaDNSSetup.exe, 00000000.00000003.408416167.0000000002248000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamekernel32j% vs YogaDNSSetup.exe
Source: YogaDNSSetup.exe, 00000000.00000003.255720198.000000007FBA0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs YogaDNSSetup.exe
Source: YogaDNSSetup.exe	Binary or memory string: OriginalFileName vs YogaDNSSetup.exe

Source: YogaDNSSetup.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: YogaDNSSetup.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: YogaDNSSetup.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: YogaDNSSetup.tmp.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: YogaDNSSetup.tmp.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: YogaDNSSetup.tmp.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: YogaDNSSetup.tmp.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: is-44LQ8.tmp.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: is-44LQ8.tmp.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: is-44LQ8.tmp.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: is-44LQ8.tmp.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: is-MENUL.tmp.2.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: is-MENUL.tmp.2.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: is-MENUL.tmp.2.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: is-MENUL.tmp.2.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: is-MENUL.tmp.2.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: is-MENUL.tmp.2.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: is-MENUL.tmp.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: is-MENUL.tmp.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: is-MENUL.tmp.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: is-MENUL.tmp.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: is-MENUL.tmp.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: is-MENUL.tmp.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: is-MENUL.tmp.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: is-MENUL.tmp.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: is-VKNMA.tmp.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: is-OA2B1.tmp.2.dr	Static PE information: Number of sections : 20 > 10
Source: is-GG959.tmp.2.dr	Static PE information: Number of sections : 11 > 10

Source: C:\Users\user\Desktop\YogaDNSSetup.exe

File read: C:\Users\user\Desktop\YogaDNSSetup.exe

Jump to behavior

Source: C:\Users\user\Desktop\YogaDNSSetup.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\YogaDNSSetup.exe "C:\Users\user\Desktop\YogaDNSSetup.exe"
Source: C:\Users\user\Desktop\YogaDNSSetup.exe	Process created: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp "C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp" /SL5="$7037A,7654068,831488,C:\Users\user\Desktop\YogaDNSSetup.exe"
Source: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp	Process created: C:\Program Files (x86)\YogaDNS\YogaDNS.exe "C:\Program Files (x86)\YogaDNS\YogaDNS.exe" /ForceExit
Source: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp	Process created: C:\Windows\SysWOW64\net.exe "NET.EXE" stop DnsFltEngineDrv
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop DnsFltEngineDrv
Source: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp	Process created: C:\Windows\System32\rundll32.exe "RUNDLL32.EXE" SETUPAPI.DLL,InstallHinfSection DefaultInstall 132 C:\Program Files (x86)\YogaDNS\Driver\DnsFltEngineDrv.inf
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\runonce.exe "C:\Windows\system32\runonce.exe" -r
Source: unknown	Process created: C:\Program Files (x86)\YogaDNS\YogaDNS.exe "C:\Program Files (x86)\YogaDNS\YogaDNS.exe" /AutoRun
Source: C:\Windows\System32\runonce.exe	Process created: C:\Windows\System32\grpconv.exe "C:\Windows\System32\grpconv.exe" -o
Source: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp	Process created: C:\Program Files (x86)\YogaDNS\YogaDNS.exe "C:\Program Files (x86)\YogaDNS\YogaDNS.exe" /ShowWnd
Source: C:\Users\user\Desktop\YogaDNSSetup.exe	Process created: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp "C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp" /SL5="$7037A,7654068,831488,C:\Users\user\Desktop\YogaDNSSetup.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp	Process created: C:\Program Files (x86)\YogaDNS\YogaDNS.exe "C:\Program Files (x86)\YogaDNS\YogaDNS.exe" /ForceExit	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp	Process created: C:\Windows\SysWOW64\net.exe "NET.EXE" stop DnsFltEngineDrv	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp	Process created: C:\Windows\System32\rundll32.exe "RUNDLL32.EXE" SETUPAPI.DLL,InstallHinfSection DefaultInstall 132 C:\Program Files (x86)\YogaDNS\Driver\DnsFltEngineDrv.inf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp	Process created: C:\Program Files (x86)\YogaDNS\YogaDNS.exe "C:\Program Files (x86)\YogaDNS\YogaDNS.exe" /ShowWnd	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop DnsFltEngineDrv	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\runonce.exe "C:\Windows\system32\runonce.exe" -r	Jump to behavior
Source: C:\Windows\System32\runonce.exe	Process created: C:\Windows\System32\grpconv.exe "C:\Windows\System32\grpconv.exe" -o	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\YogaDNSSetup.exe	Code function: 0_2_004AF110 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		0_2_004AF110
Source: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp	Code function: 2_2_0060F6D8 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		2_2_0060F6D8

Source: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp

File created: C:\Users\user\AppData\Local\Programs

Jump to behavior

Source: C:\Users\user\Desktop\YogaDNSSetup.exe

File created: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp

Jump to behavior

Source: classification engine

Classification label: sus28.troj.winEXE@19/32@1/2

Source: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp

Code function: 2_2_0062CFB8 GetVersion,CoCreateInstance,

2_2_0062CFB8

Source: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp

File read: C:\Program Files (x86)\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\YogaDNSSetup.exe

Code function: 0_2_0041A4DC GetDiskFreeSpaceW,

0_2_0041A4DC

Source: C:\Users\user\Desktop\YogaDNSSetup.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\YogaDNSSetup.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp

Process created: C:\Windows\System32\rundll32.exe "RUNDLL32.EXE" SETUPAPI.DLL,InstallHinfSection DefaultInstall 132 C:\Program Files (x86)\YogaDNS\Driver\DnsFltEngineDrv.inf

Source: C:\Program Files (x86)\YogaDNS\YogaDNS.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\YogaDnsRunning
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6908:120:WilError_01

Source: C:\Users\user\Desktop\YogaDNSSetup.exe

Code function: 0_2_004AF9F0 FindResourceW,SizeofResource,LoadResource,LockResource,

0_2_004AF9F0

Source: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp

File created: C:\Program Files (x86)\YogaDNS

Jump to behavior

Source: YogaDNSSetup.exe	String found in binary or memory: Prevents Setup from restarting applications. /LOADINF="filename" Instructs Setup to load the settings from the specified file af
Source: YogaDNSSetup.exe	String found in binary or memory: /LOADINF="filename"

Source: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Jump to behavior

Source: C:\Program Files (x86)\YogaDNS\YogaDNS.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Program Files (x86)\YogaDNS\YogaDNS.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp

Window found: window name: TMainForm

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp	Automated click: Install
Source: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp	Automated click: I accept the agreement
Source: C:\Program Files (x86)\YogaDNS\YogaDNS.exe	Automated click: OK
Source: C:\Program Files (x86)\YogaDNS\YogaDNS.exe	Automated click: OK
Source: C:\Program Files (x86)\YogaDNS\YogaDNS.exe	Automated click: OK
Source: C:\Program Files (x86)\YogaDNS\YogaDNS.exe	Automated click: OK
Source: C:\Program Files (x86)\YogaDNS\YogaDNS.exe	Automated click: OK
Source: C:\Program Files (x86)\YogaDNS\YogaDNS.exe	Automated click: OK
Source: C:\Program Files (x86)\YogaDNS\YogaDNS.exe	Automated click: OK
Source: C:\Program Files (x86)\YogaDNS\YogaDNS.exe	Automated click: OK
Source: C:\Program Files (x86)\YogaDNS\YogaDNS.exe	Automated click: OK
Source: C:\Program Files (x86)\YogaDNS\YogaDNS.exe	Automated click: OK
Source: C:\Program Files (x86)\YogaDNS\YogaDNS.exe	Automated click: OK
Source: C:\Program Files (x86)\YogaDNS\YogaDNS.exe	Automated click: OK
Source: C:\Program Files (x86)\YogaDNS\YogaDNS.exe	Automated click: OK
Source: C:\Program Files (x86)\YogaDNS\YogaDNS.exe	Automated click: OK
Source: C:\Program Files (x86)\YogaDNS\YogaDNS.exe	Automated click: OK
Source: C:\Program Files (x86)\YogaDNS\YogaDNS.exe	Automated click: OK
Source: C:\Program Files (x86)\YogaDNS\YogaDNS.exe	Automated click: OK
Source: C:\Program Files (x86)\YogaDNS\YogaDNS.exe	Automated click: OK
Source: C:\Program Files (x86)\YogaDNS\YogaDNS.exe	Automated click: OK
Source: C:\Program Files (x86)\YogaDNS\YogaDNS.exe	Automated click: OK
Source: C:\Program Files (x86)\YogaDNS\YogaDNS.exe	Automated click: OK
Source: C:\Program Files (x86)\YogaDNS\YogaDNS.exe	Automated click: OK
Source: C:\Program Files (x86)\YogaDNS\YogaDNS.exe	Automated click: OK
Source: C:\Program Files (x86)\YogaDNS\YogaDNS.exe	Automated click: OK
Source: C:\Program Files (x86)\YogaDNS\YogaDNS.exe	Automated click: OK
Source: C:\Program Files (x86)\YogaDNS\YogaDNS.exe	Automated click: OK
Source: C:\Program Files (x86)\YogaDNS\YogaDNS.exe	Automated click: OK
Source: C:\Program Files (x86)\YogaDNS\YogaDNS.exe	Automated click: OK
Source: C:\Program Files (x86)\YogaDNS\YogaDNS.exe	Automated click: OK
Source: C:\Program Files (x86)\YogaDNS\YogaDNS.exe	Automated click: OK
Source: C:\Program Files (x86)\YogaDNS\YogaDNS.exe	Automated click: OK
Source: C:\Program Files (x86)\YogaDNS\YogaDNS.exe	Automated click: OK
Source: C:\Program Files (x86)\YogaDNS\YogaDNS.exe	Automated click: OK
Source: C:\Program Files (x86)\YogaDNS\YogaDNS.exe	Automated click: OK
Source: C:\Program Files (x86)\YogaDNS\YogaDNS.exe	Automated click: OK
Source: C:\Program Files (x86)\YogaDNS\YogaDNS.exe	Automated click: OK
Source: C:\Program Files (x86)\YogaDNS\YogaDNS.exe	Automated click: OK
Source: C:\Program Files (x86)\YogaDNS\YogaDNS.exe	Automated click: OK
Source: C:\Program Files (x86)\YogaDNS\YogaDNS.exe	Automated click: OK
Source: C:\Program Files (x86)\YogaDNS\YogaDNS.exe	Automated click: OK
Source: C:\Program Files (x86)\YogaDNS\YogaDNS.exe	Automated click: OK
Source: C:\Program Files (x86)\YogaDNS\YogaDNS.exe	Automated click: OK
Source: C:\Program Files (x86)\YogaDNS\YogaDNS.exe	Automated click: OK
Source: C:\Program Files (x86)\YogaDNS\YogaDNS.exe	Automated click: OK
Source: C:\Program Files (x86)\YogaDNS\YogaDNS.exe	Automated click: OK
Source: C:\Program Files (x86)\YogaDNS\YogaDNS.exe	Automated click: OK
Source: C:\Program Files (x86)\YogaDNS\YogaDNS.exe	Automated click: OK
Source: C:\Program Files (x86)\YogaDNS\YogaDNS.exe	Automated click: OK
Source: C:\Program Files (x86)\YogaDNS\YogaDNS.exe	Automated click: OK
Source: C:\Program Files (x86)\YogaDNS\YogaDNS.exe	Automated click: OK
Source: C:\Program Files (x86)\YogaDNS\YogaDNS.exe	Automated click: OK
Source: C:\Program Files (x86)\YogaDNS\YogaDNS.exe	Automated click: OK
Source: C:\Program Files (x86)\YogaDNS\YogaDNS.exe	Automated click: OK
Source: C:\Program Files (x86)\YogaDNS\YogaDNS.exe	Automated click: OK
Source: C:\Program Files (x86)\YogaDNS\YogaDNS.exe	Automated click: OK
Source: C:\Program Files (x86)\YogaDNS\YogaDNS.exe	Automated click: OK
Source: C:\Program Files (x86)\YogaDNS\YogaDNS.exe	Automated click: OK
Source: C:\Program Files (x86)\YogaDNS\YogaDNS.exe	Automated click: OK
Source: C:\Program Files (x86)\YogaDNS\YogaDNS.exe	Automated click: OK
Source: C:\Program Files (x86)\YogaDNS\YogaDNS.exe	Automated click: OK
Source: C:\Program Files (x86)\YogaDNS\YogaDNS.exe	Automated click: OK
Source: C:\Program Files (x86)\YogaDNS\YogaDNS.exe	Automated click: OK
Source: C:\Program Files (x86)\YogaDNS\YogaDNS.exe	Automated click: OK
Source: C:\Program Files (x86)\YogaDNS\YogaDNS.exe	Automated click: OK
Source: C:\Program Files (x86)\YogaDNS\YogaDNS.exe	Automated click: OK
Source: C:\Program Files (x86)\YogaDNS\YogaDNS.exe	Automated click: OK
Source: C:\Program Files (x86)\YogaDNS\YogaDNS.exe	Automated click: OK
Source: C:\Program Files (x86)\YogaDNS\YogaDNS.exe	Automated click: OK
Source: C:\Program Files (x86)\YogaDNS\YogaDNS.exe	Automated click: OK
Source: C:\Program Files (x86)\YogaDNS\YogaDNS.exe	Automated click: OK

Source: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp

File opened: C:\Windows\SysWOW64\MSFTEDIT.DLL

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: YogaDNSSetup.exe

Static file information: File size 8517648 > 1048576

Source: YogaDNSSetup.exe

Static PE information: certificate valid

Source: YogaDNSSetup.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: C:\Dev\Projects\YogaDns\YogaDns\DnsFltEngineDrv\ARM64\Release\DnsFltEngineDrv.pdb source: YogaDNSSetup.tmp, 00000002.00000003.399104881.0000000005950000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Dev\Projects\YogaDns\YogaDns\DnsManager\Release\YogaDns.pdb source: YogaDNS.exe, 0000000E.00000000.354784209.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 0000000E.00000002.359521770.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 00000015.00000002.780552664.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 00000015.00000000.372693427.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 00000017.00000002.402385021.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 00000017.00000000.398393400.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, is-MENUL.tmp.2.dr
Source:	Binary string: C:\Dev\Projects\YogaDns\YogaDns\DnsFltEngineDrv\ARM64\Release\DnsFltEngineDrv.pdbGCTL source: YogaDNSSetup.tmp, 00000002.00000003.399104881.0000000005950000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: [C:\Dev\Projects\YogaDns\YogaDns\DnsFltEngineDrv\Release\DnsFltEngineDrv.pdb source: YogaDNSSetup.tmp, 00000002.00000003.399104881.0000000005950000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Dev\Projects\YogaDns\YogaDns\DnsFltEngineDrv\x64\Release\DnsFltEngineDrv.pdb source: YogaDNSSetup.tmp, 00000002.00000003.399104881.0000000005950000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.381382892.000001C0471C3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.379498242.000001C0471C2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.378722652.000001C0471B4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Dev\Projects\YogaDns\YogaDns\ServiceManager\Release\ServiceManager.pdb source: YogaDNSSetup.tmp, 00000002.00000003.399104881.0000000005950000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Dev\Projects\YogaDns\YogaDns\DnsManager\Release\YogaDns.pdbgT source: YogaDNS.exe, 0000000E.00000000.354784209.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 0000000E.00000002.359521770.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 00000015.00000002.780552664.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 00000015.00000000.372693427.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 00000017.00000002.402385021.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 00000017.00000000.398393400.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, is-MENUL.tmp.2.dr
Source:	Binary string: C:\Dev\Projects\YogaDns\YogaDns\DnsFltEngineDrv\Release\DnsFltEngineDrv.pdb source: YogaDNSSetup.tmp, 00000002.00000003.399104881.0000000005950000.00000004.00001000.00020000.00000000.sdmp

Data Obfuscation

Obfuscated command line found

Source: C:\Users\user\Desktop\YogaDNSSetup.exe	Process created: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp "C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp" /SL5="$7037A,7654068,831488,C:\Users\user\Desktop\YogaDNSSetup.exe"
Source: C:\Users\user\Desktop\YogaDNSSetup.exe	Process created: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp "C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp" /SL5="$7037A,7654068,831488,C:\Users\user\Desktop\YogaDNSSetup.exe"			Jump to behavior

Source: C:\Users\user\Desktop\YogaDNSSetup.exe	Code function: 0_2_004B5000 push 004B50DEh; ret	0_2_004B50D6
Source: C:\Users\user\Desktop\YogaDNSSetup.exe	Code function: 0_2_004B5980 push 004B5A48h; ret	0_2_004B5A40
Source: C:\Users\user\Desktop\YogaDNSSetup.exe	Code function: 0_2_00458000 push ecx; mov dword ptr [esp], ecx	0_2_00458005
Source: C:\Users\user\Desktop\YogaDNSSetup.exe	Code function: 0_2_0049B03C push ecx; mov dword ptr [esp], edx	0_2_0049B03D
Source: C:\Users\user\Desktop\YogaDNSSetup.exe	Code function: 0_2_004A00F8 push ecx; mov dword ptr [esp], edx	0_2_004A00F9
Source: C:\Users\user\Desktop\YogaDNSSetup.exe	Code function: 0_2_00458084 push ecx; mov dword ptr [esp], ecx	0_2_00458089
Source: C:\Users\user\Desktop\YogaDNSSetup.exe	Code function: 0_2_004B1084 push 004B10ECh; ret	0_2_004B10E4
Source: C:\Users\user\Desktop\YogaDNSSetup.exe	Code function: 0_2_004A1094 push ecx; mov dword ptr [esp], edx	0_2_004A1095
Source: C:\Users\user\Desktop\YogaDNSSetup.exe	Code function: 0_2_0041A0B4 push ecx; mov dword ptr [esp], ecx	0_2_0041A0B8
Source: C:\Users\user\Desktop\YogaDNSSetup.exe	Code function: 0_2_004270BC push 00427104h; ret	0_2_004270FC
Source: C:\Users\user\Desktop\YogaDNSSetup.exe	Code function: 0_2_00458108 push ecx; mov dword ptr [esp], ecx	0_2_0045810D
Source: C:\Users\user\Desktop\YogaDNSSetup.exe	Code function: 0_2_004321C8 push ecx; mov dword ptr [esp], edx	0_2_004321C9
Source: C:\Users\user\Desktop\YogaDNSSetup.exe	Code function: 0_2_004A21D8 push ecx; mov dword ptr [esp], edx	0_2_004A21D9
Source: C:\Users\user\Desktop\YogaDNSSetup.exe	Code function: 0_2_0049E1B8 push ecx; mov dword ptr [esp], edx	0_2_0049E1B9
Source: C:\Users\user\Desktop\YogaDNSSetup.exe	Code function: 0_2_0049A260 push 0049A378h; ret	0_2_0049A370
Source: C:\Users\user\Desktop\YogaDNSSetup.exe	Code function: 0_2_00455268 push ecx; mov dword ptr [esp], ecx	0_2_0045526C
Source: C:\Users\user\Desktop\YogaDNSSetup.exe	Code function: 0_2_004252D4 push ecx; mov dword ptr [esp], eax	0_2_004252D9
Source: C:\Users\user\Desktop\YogaDNSSetup.exe	Code function: 0_2_004592FC push ecx; mov dword ptr [esp], edx	0_2_004592FD
Source: C:\Users\user\Desktop\YogaDNSSetup.exe	Code function: 0_2_0045B284 push ecx; mov dword ptr [esp], edx	0_2_0045B285
Source: C:\Users\user\Desktop\YogaDNSSetup.exe	Code function: 0_2_00430358 push ecx; mov dword ptr [esp], eax	0_2_00430359
Source: C:\Users\user\Desktop\YogaDNSSetup.exe	Code function: 0_2_00430370 push ecx; mov dword ptr [esp], eax	0_2_00430371
Source: C:\Users\user\Desktop\YogaDNSSetup.exe	Code function: 0_2_00459394 push ecx; mov dword ptr [esp], ecx	0_2_00459398
Source: C:\Users\user\Desktop\YogaDNSSetup.exe	Code function: 0_2_004A1428 push ecx; mov dword ptr [esp], edx	0_2_004A1429
Source: C:\Users\user\Desktop\YogaDNSSetup.exe	Code function: 0_2_0049B424 push ecx; mov dword ptr [esp], edx	0_2_0049B425
Source: C:\Users\user\Desktop\YogaDNSSetup.exe	Code function: 0_2_004A24D8 push ecx; mov dword ptr [esp], edx	0_2_004A24D9
Source: C:\Users\user\Desktop\YogaDNSSetup.exe	Code function: 0_2_004224F0 push 004225F4h; ret	0_2_004225EC
Source: C:\Users\user\Desktop\YogaDNSSetup.exe	Code function: 0_2_004304F0 push ecx; mov dword ptr [esp], eax	0_2_004304F1
Source: C:\Users\user\Desktop\YogaDNSSetup.exe	Code function: 0_2_00499490 push ecx; mov dword ptr [esp], edx	0_2_00499493
Source: C:\Users\user\Desktop\YogaDNSSetup.exe	Code function: 0_2_00458564 push ecx; mov dword ptr [esp], edx	0_2_00458565
Source: C:\Users\user\Desktop\YogaDNSSetup.exe	Code function: 0_2_00458574 push ecx; mov dword ptr [esp], edx	0_2_00458575
Source: C:\Users\user\Desktop\YogaDNSSetup.exe	Code function: 0_2_00457574 push ecx; mov dword ptr [esp], ecx	0_2_00457578

Source: YogaDNSSetup.exe	Static PE information: section name: .didata
Source: YogaDNSSetup.tmp.0.dr	Static PE information: section name: .didata
Source: is-44LQ8.tmp.2.dr	Static PE information: section name: .didata
Source: is-OA2B1.tmp.2.dr	Static PE information: section name: /4
Source: is-OA2B1.tmp.2.dr	Static PE information: section name: /19
Source: is-OA2B1.tmp.2.dr	Static PE information: section name: /35
Source: is-OA2B1.tmp.2.dr	Static PE information: section name: /51
Source: is-OA2B1.tmp.2.dr	Static PE information: section name: /63
Source: is-OA2B1.tmp.2.dr	Static PE information: section name: /77
Source: is-OA2B1.tmp.2.dr	Static PE information: section name: /89
Source: is-OA2B1.tmp.2.dr	Static PE information: section name: /102
Source: is-OA2B1.tmp.2.dr	Static PE information: section name: /113
Source: is-OA2B1.tmp.2.dr	Static PE information: section name: /124
Source: is-OA2B1.tmp.2.dr	Static PE information: section name: /138
Source: is-GG959.tmp.2.dr	Static PE information: section name: /4

Source: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp	File created: C:\Program Files (x86)\YogaDNS\Driver\is-A6E8V.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp	File created: C:\Program Files (x86)\YogaDNS\dnscrypt.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp	File created: C:\Program Files (x86)\YogaDNS\Driver\DnsFltEngineDrv.sys (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp	File created: C:\Program Files (x86)\YogaDNS\ServiceManager.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp	File created: C:\Users\user\AppData\Local\Temp\is-BAV9K.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp	File created: C:\Program Files (x86)\YogaDNS\is-44LQ8.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp	File created: C:\Program Files (x86)\YogaDNS\is-MENUL.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp	File created: C:\Program Files (x86)\YogaDNS\unins000.exe (copy)	Jump to dropped file
Source: C:\Windows\System32\rundll32.exe	File created: C:\Windows\system32\DRIVERS\DnsFltEngineDrv.sys (copy)	Jump to dropped file
Source: C:\Windows\System32\rundll32.exe	File created: C:\Windows\System32\drivers\SET3827.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp	File created: C:\Program Files (x86)\YogaDNS\libcrypto-1_1.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp	File created: C:\Program Files (x86)\YogaDNS\is-GG959.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp	File created: C:\Program Files (x86)\YogaDNS\is-VKNMA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp	File created: C:\Program Files (x86)\YogaDNS\is-OA2B1.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\YogaDNSSetup.exe	File created: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp	File created: C:\Program Files (x86)\YogaDNS\YogaDNS.exe (copy)	Jump to dropped file

Source: C:\Windows\System32\rundll32.exe	File created: C:\Windows\system32\DRIVERS\DnsFltEngineDrv.sys (copy)			Jump to dropped file
Source: C:\Windows\System32\rundll32.exe	File created: C:\Windows\System32\drivers\SET3827.tmp			Jump to dropped file

Boot Survival

Creates an autostart registry key pointing to binary in C:\Windows

Source: C:\Windows\System32\rundll32.exe

Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce GrpConv

Jump to behavior

Creates multiple autostart registry keys

Source: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run YogaDNS			Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce GrpConv			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\YogaDNS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\YogaDNS\YogaDNS.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\YogaDNS\Uninstall YogaDNS.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\YogaDNS\YogaDNS Service Manager.lnk	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp

Process created: C:\Windows\SysWOW64\net.exe "NET.EXE" stop DnsFltEngineDrv

Source: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run YogaDNS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run YogaDNS	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce GrpConv	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce GrpConv	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce GrpConv	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce GrpConv	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp	Code function: 2_2_005C90B4 IsIconic,GetWindowLongW,GetWindowLongW,GetActiveWindow,MessageBoxW,SetActiveWindow,		2_2_005C90B4
Source: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp	Code function: 2_2_006A68B0 IsIconic,GetWindowLongW,GetWindowLongW,GetActiveWindow,SetActiveWindow,		2_2_006A68B0

Source: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\YogaDNSSetup.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\YogaDNS\YogaDNS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\runonce.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\runonce.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\runonce.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\runonce.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\runonce.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\runonce.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\runonce.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\YogaDNS\YogaDNS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\YogaDNS\YogaDNS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\YogaDNS\YogaDNS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\YogaDNS\YogaDNS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\YogaDNS\YogaDNS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\grpconv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\grpconv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\grpconv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\grpconv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\YogaDNS\YogaDNS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\YogaDNS\dnscrypt.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\YogaDNS\Driver\is-A6E8V.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\YogaDNS\ServiceManager.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-BAV9K.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Windows\System32\rundll32.exe	Dropped PE file which has not been started: C:\Windows\System32\drivers\SET3827.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\YogaDNS\is-GG959.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\YogaDNS\is-VKNMA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\YogaDNS\is-OA2B1.tmp	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_2-21796

Source: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\YogaDNSSetup.exe

Code function: 0_2_004AF91C GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery,

0_2_004AF91C

Source: C:\Users\user\Desktop\YogaDNSSetup.exe	Code function: 0_2_0040AEF4 FindFirstFileW,FindClose,	0_2_0040AEF4
Source: C:\Users\user\Desktop\YogaDNSSetup.exe	Code function: 0_2_0040A928 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,	0_2_0040A928
Source: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp	Code function: 2_2_0060C2B0 FindFirstFileW,GetLastError,	2_2_0060C2B0
Source: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp	Code function: 2_2_0040E6A0 FindFirstFileW,FindClose,	2_2_0040E6A0
Source: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp	Code function: 2_2_0040E0D4 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,	2_2_0040E0D4
Source: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp	Code function: 2_2_006B8DE4 FindFirstFileW,SetFileAttributesW,FindNextFileW,FindClose,	2_2_006B8DE4

Source: C:\Program Files (x86)\YogaDNS\YogaDNS.exe	Code function: 14_2_0121B271 mov eax, dword ptr fs:[00000030h]	14_2_0121B271
Source: C:\Program Files (x86)\YogaDNS\YogaDNS.exe	Code function: 21_2_0121B271 mov eax, dword ptr fs:[00000030h]	21_2_0121B271
Source: C:\Program Files (x86)\YogaDNS\YogaDNS.exe	Code function: 23_2_0121B271 mov eax, dword ptr fs:[00000030h]	23_2_0121B271

Source: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp

Code function: 2_2_006A60E8 ShellExecuteExW,GetLastError,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle,

2_2_006A60E8

Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop DnsFltEngineDrv			Jump to behavior
Source: C:\Windows\System32\runonce.exe	Process created: C:\Windows\System32\grpconv.exe "C:\Windows\System32\grpconv.exe" -o			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp

Code function: 2_2_005C8B3C InitializeSecurityDescriptor,SetSecurityDescriptorDacl,

2_2_005C8B3C

Source: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp

Code function: 2_2_005C7CE0 AllocateAndInitializeSid,GetVersion,GetModuleHandleW,CheckTokenMembership,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetTokenInformation,EqualSid,CloseHandle,FreeSid,

2_2_005C7CE0

Source: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\YogaDNSSetup.exe	Code function: GetUserDefaultUILanguage,GetLocaleInfoW,	0_2_0040B044
Source: C:\Users\user\Desktop\YogaDNSSetup.exe	Code function: GetLocaleInfoW,	0_2_0041E034
Source: C:\Users\user\Desktop\YogaDNSSetup.exe	Code function: GetLocaleInfoW,	0_2_0041E080
Source: C:\Users\user\Desktop\YogaDNSSetup.exe	Code function: GetLocaleInfoW,	0_2_004AF218
Source: C:\Users\user\Desktop\YogaDNSSetup.exe	Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_0040A4CC
Source: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp	Code function: GetUserDefaultUILanguage,GetLocaleInfoW,	2_2_0040E7F0
Source: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp	Code function: GetLocaleInfoW,	2_2_006103F8
Source: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp	Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	2_2_0040DC78

Source: C:\Users\user\Desktop\YogaDNSSetup.exe

Code function: 0_2_00405AE0 cpuid

0_2_00405AE0

Source: C:\Windows\System32\runonce.exe

Key value queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation Bias

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp

Code function: 2_2_00625754 GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeW,GetLastError,CreateFileW,SetNamedPipeHandleState,CreateProcessW,CloseHandle,CloseHandle,

2_2_00625754

Source: C:\Users\user\Desktop\YogaDNSSetup.exe

Code function: 0_2_0041C3D8 GetLocalTime,

0_2_0041C3D8

Source: C:\Users\user\Desktop\YogaDNSSetup.exe

Code function: 0_2_004B5114 GetModuleHandleW,GetVersion,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetProcessDEPPolicy,

0_2_004B5114

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Native API	1 Windows Service	1 Exploitation for Privilege Escalation	11 Deobfuscate/Decode Files or Information	1 Network Sniffing	11 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 System Shutdown/Reboot
Default Accounts	12 Command and Scripting Interpreter	211 Registry Run Keys / Startup Folder	1 Access Token Manipulation	2 Obfuscated Files or Information	1 Input Capture	2 File and Directory Discovery	Remote Desktop Protocol	1 Input Capture	Exfiltration Over Bluetooth	11 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	1 Service Execution	Logon Script (Windows)	1 Windows Service	1 File Deletion	Security Account Manager	1 Network Sniffing	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	2 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	12 Process Injection	32 Masquerading	NTDS	35 System Information Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	3 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	211 Registry Run Keys / Startup Folder	1 Access Token Manipulation	LSA Secrets	1 Query Registry	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	12 Process Injection	Cached Domain Credentials	1 Process Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 Rundll32	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	2 System Owner/User Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	1 Remote System Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
YogaDNSSetup.exe	2%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Link
C:\Program Files (x86)\YogaDNS\Driver\DnsFltEngineDrv.sys (copy)	0%	ReversingLabs
C:\Program Files (x86)\YogaDNS\Driver\is-A6E8V.tmp	0%	ReversingLabs
C:\Program Files (x86)\YogaDNS\ServiceManager.exe (copy)	0%	Metadefender	Browse
C:\Program Files (x86)\YogaDNS\ServiceManager.exe (copy)	0%	ReversingLabs
C:\Program Files (x86)\YogaDNS\YogaDNS.exe (copy)	0%	ReversingLabs
C:\Program Files (x86)\YogaDNS\dnscrypt.dll (copy)	0%	Metadefender	Browse
C:\Program Files (x86)\YogaDNS\dnscrypt.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\YogaDNS\is-44LQ8.tmp	2%	ReversingLabs
C:\Program Files (x86)\YogaDNS\is-GG959.tmp	3%	Metadefender	Browse
C:\Program Files (x86)\YogaDNS\is-GG959.tmp	0%	ReversingLabs
C:\Program Files (x86)\YogaDNS\is-MENUL.tmp	0%	ReversingLabs
C:\Program Files (x86)\YogaDNS\is-OA2B1.tmp	0%	Metadefender	Browse
C:\Program Files (x86)\YogaDNS\is-OA2B1.tmp	0%	ReversingLabs
C:\Program Files (x86)\YogaDNS\is-VKNMA.tmp	0%	Metadefender	Browse
C:\Program Files (x86)\YogaDNS\is-VKNMA.tmp	0%	ReversingLabs
C:\Program Files (x86)\YogaDNS\libcrypto-1_1.dll (copy)	3%	Metadefender	Browse
C:\Program Files (x86)\YogaDNS\libcrypto-1_1.dll (copy)	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://127.0.0.1:8888	0%	Avira URL Cloud	safe
https://dns.seby.io	0%	Avira URL Cloud	safe
https://dnscrypt-tupi.org/	0%	Avira URL Cloud	safe
https://cleanbrowsing.org/	0%	Avira URL Cloud	safe
https://www.rubyfish.cn/	0%	Avira URL Cloud	safe
https://www.yogadns.com/last_versions/windows/(Update	0%	Avira URL Cloud	safe
https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/relays.md	0%	Avira URL Cloud	safe
https://www.yogadns.comIncorrect	0%	Avira URL Cloud	safe
https://yogadns.com/docs/runasCannot	0%	Avira URL Cloud	safe
https://arvind.io).	0%	Avira URL Cloud	safe
https://dnscrypt.info/public-servers	0%	Avira URL Cloud	safe
https://dnscrypt.nl	0%	Avira URL Cloud	safe
https://www.quad9.net/quad9-resolvers.md	0%	Avira URL Cloud	safe
https://yogadns.com/resolvers/resolvers.mdhttps://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolv	0%	Avira URL Cloud	safe
https://www.yogadns.com/pricing/buy.htmlsystemunknown	0%	Avira URL Cloud	safe
https://download.dnscrypt.info/resolvers-list/v2/parental-control.md	0%	Avira URL Cloud	safe
https://www.remobjects.com/ps	0%	URL Reputation	safe
https://www.innosetup.com/	0%	URL Reputation	safe
https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md	0%	Avira URL Cloud	safe
https://yogadns.com/resolvers/resolvers.mdWS	0%	Avira URL Cloud	safe
https://www.yogadns.com/last_versions/windows/	0%	Avira URL Cloud	safe
http://dnscrypt.me	0%	Avira URL Cloud	safe
https://my.nextdns.io/startOpen	0%	Avira URL Cloud	safe
https://www.yogadns.com/download/f	0%	Avira URL Cloud	safe
http://www.micft.com/pkiops/crl/Microsoft%20Windows%20Third%20Party%20Component%20CA%202014.crl0	0%	Avira URL Cloud	safe
https://fr.dnscrypt.info	0%	Avira URL Cloud	safe
https://www.yogadns.com/download/	0%	Avira URL Cloud	safe
https://dnscrypt.info/doc	0%	Avira URL Cloud	safe
https://userspace.com.au	0%	Avira URL Cloud	safe
https://dnswarden.com	0%	Avira URL Cloud	safe
https://fr.dnscrypt.info/sfw.html	0%	Avira URL Cloud	safe
https://www.dnscrypt.uk	0%	Avira URL Cloud	safe
https://yogadns.com/resolvers/resolvers.md	0%	Avira URL Cloud	safe
https://www.yogadns.com/download	0%	Avira URL Cloud	safe
http://www.yogadns.comQ6(	0%	Avira URL Cloud	safe
http://nawala.id	0%	Avira URL Cloud	safe
https://yogadns.com/docs/#serviceOpen%Ts	0%	Avira URL Cloud	safe
https://download.dnscrypt.info/blacklists/	0%	Avira URL Cloud	safe
https://blahdns.com/	0%	Avira URL Cloud	safe
https://www.yogadns.com/last_versions/windows/13100/	0%	Avira URL Cloud	safe
https://www.yogadns.com	0%	Avira URL Cloud	safe
https://quad9.net/	0%	Avira URL Cloud	safe
http://www.yogadns.com	0%	Avira URL Cloud	safe
https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/public-resolvers.md	0%	Avira URL Cloud	safe
https://cruisemaniac.com)	0%	Avira URL Cloud	safe
https://yogadns.com/resolvers/resolvers.mdesb_	0%	Avira URL Cloud	safe
https://www.yogadns.com/pricing/	0%	Avira URL Cloud	safe
https://powerdns.org	0%	Avira URL Cloud	safe
https://www.yogadns.com/pricing/buy.html	0%	Avira URL Cloud	safe
https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/parental-control.md	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
yogadns.com	172.104.9.252	true	false		high
www.yogadns.com	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://www.yogadns.com/last_versions/windows/13100/	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU	YogaDNSSetup.exe	false		high
http://127.0.0.1:8888	YogaDNSSetup.tmp, 00000002.00000003.399104881.0000000005950000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dns.seby.io	YogaDNSSetup.tmp, 00000002.00000003.399104881.0000000005950000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/DNSCrypt/dnscrypt-resolvers	YogaDNSSetup.tmp, 00000002.00000003.399104881.0000000005950000.00000004.00001000.00020000.00000000.sdmp	false		high
https://dnscrypt-tupi.org/	YogaDNSSetup.tmp, 00000002.00000003.399104881.0000000005950000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cleanbrowsing.org/	YogaDNSSetup.tmp, 00000002.00000003.399104881.0000000005950000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.rubyfish.cn/	YogaDNSSetup.tmp, 00000002.00000003.399104881.0000000005950000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.yogadns.com/last_versions/windows/(Update	YogaDNS.exe, 0000000E.00000000.354784209.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 0000000E.00000002.359521770.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 00000015.00000002.780552664.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 00000015.00000000.372693427.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 00000017.00000002.402385021.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 00000017.00000000.398393400.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, is-MENUL.tmp.2.dr	false	Avira URL Cloud: safe	unknown
https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/relays.md	YogaDNS.exe, 0000000E.00000000.354784209.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 0000000E.00000002.359521770.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 00000015.00000002.780552664.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 00000015.00000000.372693427.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 00000017.00000002.402385021.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 00000017.00000000.398393400.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, is-MENUL.tmp.2.dr	false	Avira URL Cloud: safe	unknown
https://www.yogadns.comIncorrect	YogaDNS.exe, 0000000E.00000000.354784209.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 0000000E.00000002.359521770.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 00000015.00000002.780552664.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 00000015.00000000.372693427.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 00000017.00000002.402385021.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 00000017.00000000.398393400.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, is-MENUL.tmp.2.dr	false	Avira URL Cloud: safe	unknown
https://yogadns.com/docs/runasCannot	YogaDNS.exe, 0000000E.00000000.354784209.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 0000000E.00000002.359521770.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 00000015.00000002.780552664.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 00000015.00000000.372693427.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 00000017.00000002.402385021.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 00000017.00000000.398393400.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, is-MENUL.tmp.2.dr	false	Avira URL Cloud: safe	unknown
https://arvind.io).	YogaDNSSetup.tmp, 00000002.00000003.399104881.0000000005950000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://dnscrypt.info/public-servers	YogaDNSSetup.tmp, 00000002.00000003.399104881.0000000005950000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dnscrypt.nl	YogaDNSSetup.tmp, 00000002.00000003.399104881.0000000005950000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.quad9.net/quad9-resolvers.md	YogaDNSSetup.tmp, 00000002.00000003.399104881.0000000005950000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://jrsoftware.org/ishelp/index.php?topic=setupcmdline	YogaDNSSetup.exe	false		high
https://yogadns.com/resolvers/resolvers.mdhttps://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolv	YogaDNS.exe, 0000000E.00000000.354784209.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 0000000E.00000002.359521770.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 00000015.00000002.780552664.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 00000015.00000000.372693427.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 00000017.00000002.402385021.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 00000017.00000000.398393400.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, is-MENUL.tmp.2.dr	false	Avira URL Cloud: safe	unknown
https://www.yogadns.com/pricing/buy.htmlsystemunknown	YogaDNS.exe, 0000000E.00000000.354784209.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 0000000E.00000002.359521770.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 00000015.00000002.780552664.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 00000015.00000000.372693427.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 00000017.00000002.402385021.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 00000017.00000000.398393400.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, is-MENUL.tmp.2.dr	false	Avira URL Cloud: safe	unknown
https://download.dnscrypt.info/resolvers-list/v2/parental-control.md	YogaDNSSetup.tmp, 00000002.00000003.399104881.0000000005950000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.remobjects.com/ps	YogaDNSSetup.exe, 00000000.00000003.255250594.00000000024C0000.00000004.00001000.00020000.00000000.sdmp, YogaDNSSetup.exe, 00000000.00000003.255720198.000000007FBA0000.00000004.00001000.00020000.00000000.sdmp, YogaDNSSetup.tmp, YogaDNSSetup.tmp, 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp	false	URL Reputation: safe	unknown
https://www.innosetup.com/	YogaDNSSetup.exe, 00000000.00000003.255250594.00000000024C0000.00000004.00001000.00020000.00000000.sdmp, YogaDNSSetup.exe, 00000000.00000003.255720198.000000007FBA0000.00000004.00001000.00020000.00000000.sdmp, YogaDNSSetup.tmp, YogaDNSSetup.tmp, 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp	false	URL Reputation: safe	unknown
https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md	YogaDNSSetup.tmp, 00000002.00000003.399104881.0000000005950000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://yogadns.com/resolvers/resolvers.mdWS	YogaDNS.exe, 0000000E.00000002.360341039.0000000001706000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.yogadns.com/last_versions/windows/	YogaDNS.exe, 0000000E.00000000.354784209.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 0000000E.00000002.359521770.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 00000015.00000002.780552664.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 00000015.00000000.372693427.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 00000017.00000002.402385021.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 00000017.00000000.398393400.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, is-MENUL.tmp.2.dr	false	Avira URL Cloud: safe	unknown
http://dnscrypt.me	YogaDNSSetup.tmp, 00000002.00000003.399104881.0000000005950000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://my.nextdns.io/startOpen	YogaDNS.exe, 0000000E.00000000.354784209.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 0000000E.00000002.359521770.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 00000015.00000002.780552664.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 00000015.00000000.372693427.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 00000017.00000002.402385021.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 00000017.00000000.398393400.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, is-MENUL.tmp.2.dr	false	Avira URL Cloud: safe	unknown
https://www.yogadns.com/download/f	YogaDNS.exe, 00000015.00000002.781112284.00000000054F0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.micft.com/pkiops/crl/Microsoft%20Windows%20Third%20Party%20Component%20CA%202014.crl0	rundll32.exe, 00000013.00000003.381382892.000001C0471C3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.382118486.000001C0471C4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.379498242.000001C0471C2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.378722652.000001C0471B4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://fr.dnscrypt.info	YogaDNSSetup.tmp, 00000002.00000003.399104881.0000000005950000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.yogadns.com/download/	YogaDNS.exe, 00000015.00000002.781112284.00000000054F0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dnscrypt.info/doc	YogaDNSSetup.tmp, 00000002.00000003.399104881.0000000005950000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdome.comodo.com/shield/	YogaDNSSetup.tmp, 00000002.00000003.399104881.0000000005950000.00000004.00001000.00020000.00000000.sdmp	false		high
https://userspace.com.au	YogaDNSSetup.tmp, 00000002.00000003.399104881.0000000005950000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dnswarden.com	YogaDNSSetup.tmp, 00000002.00000003.399104881.0000000005950000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://fr.dnscrypt.info/sfw.html	YogaDNSSetup.tmp, 00000002.00000003.399104881.0000000005950000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.dnscrypt.uk	YogaDNSSetup.tmp, 00000002.00000003.399104881.0000000005950000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://yogadns.com/resolvers/resolvers.md	YogaDNS.exe, 0000000E.00000002.360341039.0000000001706000.00000004.00000020.00020000.00000000.sdmp, YogaDNS.exe, 0000000E.00000000.354784209.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 0000000E.00000002.359521770.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 00000015.00000002.780552664.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 00000015.00000000.372693427.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 00000017.00000002.402385021.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 00000017.00000000.398393400.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, is-MENUL.tmp.2.dr	false	Avira URL Cloud: safe	unknown
https://www.yogadns.com/download	YogaDNS.exe, 00000015.00000002.781112284.00000000054F0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.yogadns.comQ6(	YogaDNSSetup.exe, 00000000.00000003.408481363.0000000002283000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://nawala.id	YogaDNSSetup.tmp, 00000002.00000003.399104881.0000000005950000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://yogadns.com/docs/#serviceOpen%Ts	YogaDNSSetup.tmp, 00000002.00000003.399104881.0000000005950000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://download.dnscrypt.info/blacklists/	YogaDNSSetup.tmp, 00000002.00000003.399104881.0000000005950000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://blahdns.com/	YogaDNSSetup.tmp, 00000002.00000003.399104881.0000000005950000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.yogadns.com	is-MENUL.tmp.2.dr	false	Avira URL Cloud: safe	unknown
https://quad9.net/	YogaDNSSetup.tmp, 00000002.00000003.399104881.0000000005950000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.openssl.org/H	YogaDNSSetup.tmp, 00000002.00000003.399104881.0000000005950000.00000004.00001000.00020000.00000000.sdmp, YogaDNS.exe, 0000000E.00000002.362207495.000000006D239000.00000008.00000001.01000000.0000000B.sdmp, YogaDNS.exe, 00000015.00000002.781472809.000000006D779000.00000008.00000001.01000000.0000000B.sdmp, YogaDNS.exe, 00000017.00000002.404055579.000000006D779000.00000008.00000001.01000000.0000000B.sdmp	false		high
http://www.yogadns.com	YogaDNSSetup.tmp, 00000002.00000003.259649062.0000000003400000.00000004.00001000.00020000.00000000.sdmp, YogaDNSSetup.tmp, 00000002.00000003.404081501.0000000002543000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/public-resolvers.md	YogaDNSSetup.tmp, 00000002.00000003.399104881.0000000005950000.00000004.00001000.00020000.00000000.sdmp, YogaDNS.exe, 0000000E.00000000.354784209.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 0000000E.00000002.359521770.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 00000015.00000002.780552664.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 00000015.00000000.372693427.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 00000017.00000002.402385021.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 00000017.00000000.398393400.000000000125E000.00000002.00000001.01000000.0000000A.sdmp, is-MENUL.tmp.2.dr	false	Avira URL Cloud: safe	unknown
https://cruisemaniac.com)	YogaDNSSetup.tmp, 00000002.00000003.399104881.0000000005950000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://yogadns.com/resolvers/resolvers.mdesb_	YogaDNS.exe, 0000000E.00000002.360341039.0000000001706000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.yogadns.com/pricing/	is-MENUL.tmp.2.dr	false	Avira URL Cloud: safe	unknown
https://powerdns.org	YogaDNSSetup.tmp, 00000002.00000003.399104881.0000000005950000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.yogadns.com/pricing/buy.html	YogaDNS.exe, 0000000E.00000000.354977645.000000000131F000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 00000015.00000000.372825835.000000000131F000.00000002.00000001.01000000.0000000A.sdmp, YogaDNS.exe, 00000017.00000002.402546321.000000000131F000.00000002.00000001.01000000.0000000A.sdmp, is-MENUL.tmp.2.dr	false	Avira URL Cloud: safe	unknown
https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/parental-control.md	YogaDNSSetup.tmp, 00000002.00000003.399104881.0000000005950000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.104.9.252	yogadns.com	United States		63949	LINODE-APLinodeLLCUS	false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	599656
Start date and time:	2022-03-29 22:02:03 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 16m 0s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	YogaDNSSetup.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	35
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	SUS
Classification:	sus28.troj.winEXE@19/32@1/2
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 55.3% (good quality ratio 53.1%) Quality average: 81.4% Quality standard deviation: 26.1%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Override analysis time to 240s for rundll32

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, fs.microsoft.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: YogaDNSSetup.exe

Simulations

Behavior and APIs

Time	Type	Description
00:04:01	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run YogaDNS "C:\Program Files (x86)\YogaDNS\YogaDNS.exe" /AutoRun
00:04:09	Autostart	Run: HKLM64\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce GrpConv grpconv -o
00:04:18	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run YogaDNS "C:\Program Files (x86)\YogaDNS\YogaDNS.exe" /AutoRun

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Program Files (x86)\YogaDNS\Driver\DnsFltEngineDrv.inf (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp
File Type:	Windows setup INFormation, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1926
Entropy (8bit):	5.040698614780791
Encrypted:	false
SSDEEP:	24:ftgjNJ1ZQtOjX8+VzBZnycy+5iqp/LXUz2mMZD2eYTb:675j7Jm4YqpzkzsZD2eYTb
MD5:	82AED006FD809597EC7B068C52056B9B
SHA1:	9414D6A444B9DF3C43CC02BAFF00A0A696FEF011
SHA-256:	9C45D2F015203CA02AA576174C31F6008CDDB0B37867DED42386DB11A1964AAE
SHA-512:	DE6525C7F27B45139CF14F20EA5FCED3784C9AE670D96E239C5F286EBFABB6DD936CD1FCFD010235BE26ABDE4F30F75AA9DE82AC88BD7716C9F2D9AC023AC434
Malicious:	false
Reputation:	unknown
Preview:	;..; DnsFltEngineDrv.inf..;....[Version]...Signature.= "$WINDOWS NT$"...Class..= WFPCALLOUTS...ClassGuid.= {57465043-616C-6C6F-7574-5F636C617373}...Provider.= %ProviderString%...CatalogFile.= DnsFltEngineDrv.cat.. DriverVer = 01/25/2022,18.3.0.690....[SourceDisksNames].. 1 = %DnsFltEngineDrvDisk%,,,""....[SourceDisksFiles].. DnsFltEngineDrv.sys = 1,,....[DestinationDirs].. DefaultDestDir = 12 ; %WinDir%\System32\Drivers.. DnsFltEngineDrv.DriverFiles = 12 ; %WinDir%\System32\Drivers....[DefaultInstall].. OptionDesc = %DnsFltEngineDrvServiceDesc%.. CopyFiles = DnsFltEngineDrv.DriverFiles....[DefaultInstall.Services].. AddService = %DnsFltEngineDrvServiceName%,0x00000800,DnsFltEngineDrv.Service ;0x00000800 - SPSVCSINST_STARTSERVICE....[DefaultUninstall].. ;;DelFiles = DnsFltEngineDrv.DriverFiles....[DefaultUninstall.Services].. DelService = %DnsFltEngineDrvServiceName%,0x200

C:\Program Files (x86)\YogaDNS\Driver\DnsFltEngineDrv.sys (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	58632
Entropy (8bit):	6.718713880471932
Encrypted:	false
SSDEEP:	768:HdqUkP+xiUHZXT9mJSo8+6fbdzGgHUFBchr2D4yV3hJEb32nZ49z7:9ZHZXT9M8j5Gg0FBchqx3hJEblz7
MD5:	C12325E60A0F44F7F0DFA85877ED9C84
SHA1:	79C468B60B59CD7E5BA4806C4FD512A93F444E95
SHA-256:	6E550B6BBE69AA490EE69CCBFDD3084EAD8EA1C94166ACB13161C6F8F5E54B24
SHA-512:	2DBF96D7603545A3420503A7B28E77747166175EE70EE6AA9CAEDEE011FC8BEC14019572CB94D53A2676E1CF446537AFBD950F3ADE2BA107810A2E1527EF367F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........,o.GM..GM..GM..N5..DM..N5..EM.."+..FM..GM..tM.."+..@M.."+..BM.."+..CM...$..KM...$..FM...$..FM..RichGM..........................PE..d...(..a.........."......t.....................@.........................................`A................................................d...d............p.. ........M......\......8............................................................................text....d.......f.................. ..h.rdata..,............j..............@..H.data...X............z..............@....pdata.. ....p.......~..............@..HPAGE....,........................... ..`INIT................................ ..b.rsrc...............................@..B.reloc..\...........................@..B................................................................................................................................................................

C:\Program Files (x86)\YogaDNS\Driver\is-A6E8V.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	58632
Entropy (8bit):	6.718713880471932
Encrypted:	false
SSDEEP:	768:HdqUkP+xiUHZXT9mJSo8+6fbdzGgHUFBchr2D4yV3hJEb32nZ49z7:9ZHZXT9M8j5Gg0FBchqx3hJEblz7
MD5:	C12325E60A0F44F7F0DFA85877ED9C84
SHA1:	79C468B60B59CD7E5BA4806C4FD512A93F444E95
SHA-256:	6E550B6BBE69AA490EE69CCBFDD3084EAD8EA1C94166ACB13161C6F8F5E54B24
SHA-512:	2DBF96D7603545A3420503A7B28E77747166175EE70EE6AA9CAEDEE011FC8BEC14019572CB94D53A2676E1CF446537AFBD950F3ADE2BA107810A2E1527EF367F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........,o.GM..GM..GM..N5..DM..N5..EM.."+..FM..GM..tM.."+..@M.."+..BM.."+..CM...$..KM...$..FM...$..FM..RichGM..........................PE..d...(..a.........."......t.....................@.........................................`A................................................d...d............p.. ........M......\......8............................................................................text....d.......f.................. ..h.rdata..,............j..............@..H.data...X............z..............@....pdata.. ....p.......~..............@..HPAGE....,........................... ..`INIT................................ ..b.rsrc...............................@..B.reloc..\...........................@..B................................................................................................................................................................

C:\Program Files (x86)\YogaDNS\Driver\is-UMI1O.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp
File Type:	Windows setup INFormation, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1926
Entropy (8bit):	5.040698614780791
Encrypted:	false
SSDEEP:	24:ftgjNJ1ZQtOjX8+VzBZnycy+5iqp/LXUz2mMZD2eYTb:675j7Jm4YqpzkzsZD2eYTb
MD5:	82AED006FD809597EC7B068C52056B9B
SHA1:	9414D6A444B9DF3C43CC02BAFF00A0A696FEF011
SHA-256:	9C45D2F015203CA02AA576174C31F6008CDDB0B37867DED42386DB11A1964AAE
SHA-512:	DE6525C7F27B45139CF14F20EA5FCED3784C9AE670D96E239C5F286EBFABB6DD936CD1FCFD010235BE26ABDE4F30F75AA9DE82AC88BD7716C9F2D9AC023AC434
Malicious:	false
Reputation:	unknown
Preview:	;..; DnsFltEngineDrv.inf..;....[Version]...Signature.= "$WINDOWS NT$"...Class..= WFPCALLOUTS...ClassGuid.= {57465043-616C-6C6F-7574-5F636C617373}...Provider.= %ProviderString%...CatalogFile.= DnsFltEngineDrv.cat.. DriverVer = 01/25/2022,18.3.0.690....[SourceDisksNames].. 1 = %DnsFltEngineDrvDisk%,,,""....[SourceDisksFiles].. DnsFltEngineDrv.sys = 1,,....[DestinationDirs].. DefaultDestDir = 12 ; %WinDir%\System32\Drivers.. DnsFltEngineDrv.DriverFiles = 12 ; %WinDir%\System32\Drivers....[DefaultInstall].. OptionDesc = %DnsFltEngineDrvServiceDesc%.. CopyFiles = DnsFltEngineDrv.DriverFiles....[DefaultInstall.Services].. AddService = %DnsFltEngineDrvServiceName%,0x00000800,DnsFltEngineDrv.Service ;0x00000800 - SPSVCSINST_STARTSERVICE....[DefaultUninstall].. ;;DelFiles = DnsFltEngineDrv.DriverFiles....[DefaultUninstall.Services].. DelService = %DnsFltEngineDrvServiceName%,0x200

C:\Program Files (x86)\YogaDNS\ServiceManager.exe (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	740272
Entropy (8bit):	6.133841932082904
Encrypted:	false
SSDEEP:	12288:zZMIgYkGOh9h2Vfn2ZQfhT5zhONOqXtVt1tih5c3S:zZMIgYkG12+fA9iha3S
MD5:	EA3A9D42CE0D9EBDB689FF7A3B79AF82
SHA1:	18A2E0E88EC80FEACF506709134A9B883D40F5FD
SHA-256:	87D7A5041B934E52A891161B83ADF99DD23EB50363C3CAE7D29377C3EBBD129E
SHA-512:	299AA3CBABA34861E3F465FCA57F9C702953F58D49DF1EB341247C66652B096D65E29B63AE3D23E2A380DD7815AD247AA1751B61F111F1C6FBD5A0AA3A473510
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........s.a...a...a.......a.......a.......a.......a.......a...a...c.......a.......a.......a../....a../..a...a...a../....a..Rich.a..........................PE..L.....Qa.....................P......n........ ....@.................................>F....@.........................................................,..........Pt...t..p....................u......Pu..@............ ...............................text............................... ..`.rdata....... ......................@..@.data....[... ...,..................@....rsrc...............0..............@..@.reloc..Pt.......v..................@..B................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\YogaDNS\YogaDNS.exe (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4972464
Entropy (8bit):	6.9642813668084
Encrypted:	false
SSDEEP:	98304:eSiZ44OAkVBrBvfq0l99jTs7ciLSLPm8Z0FLOAkGkzdnEVomFHKnP0V8:eSiZ4LBtfqxSLPm00FLOyomFHKnP9
MD5:	FB51F3CA7F0785C5AF983D599F715FF3
SHA1:	FA699C8B581CDAB3707A2FF54314A874E0F6386C
SHA-256:	212AF26D313A1B2922E0F469D263D52D52762C912C824E362670288A387B79CF
SHA-512:	35C3C45E750E4F3AFF8FCD36B954273210A24A3A2BF985DF3766F1B71F614592258CAA392E3ABB843A32DED8800ACED182A15A1F17E3D81F20160A3F17249EA8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........).\.H...H...H.......H.......H......~H.......H.......H...H...K... ...H... ...H... ..dI...H...H..<!...H..<!...H...Hj..H..<!...H..Rich.H..................PE..L...s..a..................%..X&...............%...@..........................PL.......L...@...................................-......P/.X.............K......`I.d......p..........................0.*.@.............%..............................text...I.%.......%................. ..`.rdata...M....%..N....%.............@..@.data........0......................@....rsrc...X....P/.....................@..@.reloc..d....`I.......H.............@..B................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\YogaDNS\dnscrypt-proxy.toml (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp
File Type:	ASCII text
Category:	dropped
Size (bytes):	14948
Entropy (8bit):	4.941455660446903
Encrypted:	false
SSDEEP:	192:xJ+mP8PIovuNZQ9EmSTI5Teig47/DkJL9zIxyp8t+M69p47Ggw+pdZDSX0Pl/wf:xvyMZQOm9eigEAJBzIYitSb
MD5:	2ADA32D744A8E73F8601E4C9C8114792
SHA1:	FCD11C721D2ED799FA5D28A479FAEE5A503CA784
SHA-256:	DDE19692FC1005FEE0FAA60206D979FAD6F2EE48BC1CF9EBD210C57DE3817406
SHA-512:	03360E6D0FCAFF5260F1B4F7537E7C5767A9EB2A2B5AD0CE7ADE95A8200025C64FB7D1AF51F242FF4D2D7C65B3F0D0F080C66CF7446B48BA1A9F14D4AE425C6A
Malicious:	false
Reputation:	unknown
Preview:	.##############################################.# #.# dnscrypt-proxy configuration #.# #.##############################################..## This is an example configuration file..## You should adjust it to your needs, and save it as "dnscrypt-proxy.toml".##.## Online documentation is available here: https://dnscrypt.info/doc....##################################.# Global settings #.##################################..## List of servers to use.##.## Servers from the "public-resolvers" source (see down below) can.## be viewed here: https://dnscrypt.info/public-servers.##.## If this line is commented, all registered servers matching the require_* filters.## will be used..##.## The proxy will automatically pick the fastest, working servers from the list..## Remove the leading # first to enable this; lines starting with # are ignored...# server_names = ['scaleway-fr', 'google',

C:\Program Files (x86)\YogaDNS\dnscrypt.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	15314824
Entropy (8bit):	6.392775163085483
Encrypted:	false
SSDEEP:	98304:qxTaI8+GOry2lbQhd86hwXfOsz1uLEI3duYozZasCAQr/i9MCgtEs/DPjw4w6A62:8TaIBvKVtozZhCAFVgms/Djw4nMJ
MD5:	E4FF4EA5EC5BDBD29CB37B3B755C2726
SHA1:	E9A8FFB7DE11171D467340958E5EC0FB5F56A5B9
SHA-256:	9A9866FD5B661523ACCAB2EFC180157848F5219225EC7B24699E9E3C3FA5A047
SHA-512:	614E399688B9F51209CCE0F3DEAA0B348E26F63E31FE389757A6EFCFA9027405241E7C69167351D4D73A3DB7384D922E76245DB49AC492638B24C87ABE2B8905
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....vu`.....8.....!....../..@\|..............@/...$g.........................@......k.....@... ......................`i.).....y............................. z.x.............................z.......................y. ............................text...(-/......./.................`.``.data........@/......4/.............@.`..rdata..X.4..03...4..$3.............@.`@.bss..........g.......................`..edata..)....`i.......g.............@.0@.idata........y......Jx.............@.0..CRT....,.....z......Tx.............@.0..tls.... .....z......Vx.............@.0..reloc..x.... z......Xx.............@.0B/4............~......F\|.............@.@B/19.....\|.... ~......J\|.............@..B/35......>.......@..................@..B/51.........0.......V..............@..B/63......(......*..................@..B/77......'... ...(...4..............@..B/89.....<x...P...z...\..

C:\Program Files (x86)\YogaDNS\is-44LQ8.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3202504
Entropy (8bit):	6.332943576053673
Encrypted:	false
SSDEEP:	49152:7EA9P+bz2cHPcUb6HSb4SOEMkBeH7nQckO6bAGx7jXTV+333TY:/92bz2Eb6pd7B6bAGx7s333T
MD5:	7FD3620B726C3B90AD03266C3942ACA9
SHA1:	66C0F6DB3E34003F6C5367B45D81D7533C284C8B
SHA-256:	3FB2CE91C0814D3D7F236496FE5374EF6FF502132A3FA30DEEDC3E22B910CA7B
SHA-512:	881EEED7EF5CF189511EB2D07C616B0CACE7AFF8D787514FB56293E01BF164A4C65783ACABD95787B33829CA38BA08FE684F207BDCB200D294D2602B3798F076
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Reputation:	unknown
Preview:	MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...(..`.................:,.........`F,......P,...@...........................1.....e.1...@......@....................-......p-.29....-...............0.......................................-......................y-.......-......................text.....,.......,................. ..`.itext...(... ,..*....,............. ..`.data........P,......>,.............@....bss.....y....,..........................idata..29...p-..:....,.............@....didata.......-.......-.............@....edata........-.......-.............@..@.tls....L.....-..........................rdata..].....-.......-.............@..@.rsrc.........-.......-.............@..@..............1.......0.............@..@........................................................

C:\Program Files (x86)\YogaDNS\is-GG959.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	2420312
Entropy (8bit):	6.633009244683866
Encrypted:	false
SSDEEP:	49152:CjIbZhXddeDrsOHgc69kXvQUs2cwE9osptfy4ui3u70vgvee2VRQuz/TjifpTPbn:3b/tsscD69kXvQUs2cwWosptfy4ui3ul
MD5:	6111E3EFE0F6FE0E037642DDEAA34BF6
SHA1:	1CA5AE6607941C89A27E7C6BE76CFA40341B2C9E
SHA-256:	A86E52B8074B159301DDFE8E0FA54F113B1D3B35DA68D5802F8B0BE03EF4D426
SHA-512:	4BB25F81AC188BC7AB3179C62AAB29FEF1FFF86E35D0EE03E49C6F1410E284C428C518D0D01539E7B5F9E939A814E522225042DECE8F8104CA3CB9C2F5333652
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 3%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....\`..$........#...#......$..B........... ....@k..........................%.......%...@... ......................P".Y....P$.......$...............$.H.....$.h...........................l.!.....................(S$..............................text...............................`..`.data........ ....... ..............@.`..rdata..T....0.......0..............@.`@/4............!.......!.............@.0@.bss.....A....".......................`..edata..Y....P".......!.............@.0@.idata.......P$.......#.............@.0..CRT....,....p$.......#.............@.0..tls..........$.......#.............@.0..rsrc.........$.......$.............@.0..reloc..h.....$.......$.............@.0B........................................................................................................................................................................................

C:\Program Files (x86)\YogaDNS\is-MENUL.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4972464
Entropy (8bit):	6.9642813668084
Encrypted:	false
SSDEEP:	98304:eSiZ44OAkVBrBvfq0l99jTs7ciLSLPm8Z0FLOAkGkzdnEVomFHKnP0V8:eSiZ4LBtfqxSLPm00FLOyomFHKnP9
MD5:	FB51F3CA7F0785C5AF983D599F715FF3
SHA1:	FA699C8B581CDAB3707A2FF54314A874E0F6386C
SHA-256:	212AF26D313A1B2922E0F469D263D52D52762C912C824E362670288A387B79CF
SHA-512:	35C3C45E750E4F3AFF8FCD36B954273210A24A3A2BF985DF3766F1B71F614592258CAA392E3ABB843A32DED8800ACED182A15A1F17E3D81F20160A3F17249EA8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........).\.H...H...H.......H.......H......~H.......H.......H...H...K... ...H... ...H... ..dI...H...H..<!...H..<!...H...Hj..H..<!...H..Rich.H..................PE..L...s..a..................%..X&...............%...@..........................PL.......L...@...................................-......P/.X.............K......`I.d......p..........................0.*.@.............%..............................text...I.%.......%................. ..`.rdata...M....%..N....%.............@..@.data........0......................@....rsrc...X....P/.....................@..@.reloc..d....`I.......H.............@..B................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\YogaDNS\is-OA2B1.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	15314824
Entropy (8bit):	6.392775163085483
Encrypted:	false
SSDEEP:	98304:qxTaI8+GOry2lbQhd86hwXfOsz1uLEI3duYozZasCAQr/i9MCgtEs/DPjw4w6A62:8TaIBvKVtozZhCAFVgms/Djw4nMJ
MD5:	E4FF4EA5EC5BDBD29CB37B3B755C2726
SHA1:	E9A8FFB7DE11171D467340958E5EC0FB5F56A5B9
SHA-256:	9A9866FD5B661523ACCAB2EFC180157848F5219225EC7B24699E9E3C3FA5A047
SHA-512:	614E399688B9F51209CCE0F3DEAA0B348E26F63E31FE389757A6EFCFA9027405241E7C69167351D4D73A3DB7384D922E76245DB49AC492638B24C87ABE2B8905
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....vu`.....8.....!....../..@\|..............@/...$g.........................@......k.....@... ......................`i.).....y............................. z.x.............................z.......................y. ............................text...(-/......./.................`.``.data........@/......4/.............@.`..rdata..X.4..03...4..$3.............@.`@.bss..........g.......................`..edata..)....`i.......g.............@.0@.idata........y......Jx.............@.0..CRT....,.....z......Tx.............@.0..tls.... .....z......Vx.............@.0..reloc..x.... z......Xx.............@.0B/4............~......F\|.............@.@B/19.....\|.... ~......J\|.............@..B/35......>.......@..................@..B/51.........0.......V..............@..B/63......(......*..................@..B/77......'... ...(...4..............@..B/89.....<x...P...z...\..

C:\Program Files (x86)\YogaDNS\is-QTSO1.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp
File Type:	ASCII text
Category:	dropped
Size (bytes):	14948
Entropy (8bit):	4.941455660446903
Encrypted:	false
SSDEEP:	192:xJ+mP8PIovuNZQ9EmSTI5Teig47/DkJL9zIxyp8t+M69p47Ggw+pdZDSX0Pl/wf:xvyMZQOm9eigEAJBzIYitSb
MD5:	2ADA32D744A8E73F8601E4C9C8114792
SHA1:	FCD11C721D2ED799FA5D28A479FAEE5A503CA784
SHA-256:	DDE19692FC1005FEE0FAA60206D979FAD6F2EE48BC1CF9EBD210C57DE3817406
SHA-512:	03360E6D0FCAFF5260F1B4F7537E7C5767A9EB2A2B5AD0CE7ADE95A8200025C64FB7D1AF51F242FF4D2D7C65B3F0D0F080C66CF7446B48BA1A9F14D4AE425C6A
Malicious:	false
Reputation:	unknown
Preview:	.##############################################.# #.# dnscrypt-proxy configuration #.# #.##############################################..## This is an example configuration file..## You should adjust it to your needs, and save it as "dnscrypt-proxy.toml".##.## Online documentation is available here: https://dnscrypt.info/doc....##################################.# Global settings #.##################################..## List of servers to use.##.## Servers from the "public-resolvers" source (see down below) can.## be viewed here: https://dnscrypt.info/public-servers.##.## If this line is commented, all registered servers matching the require_* filters.## will be used..##.## The proxy will automatically pick the fastest, working servers from the list..## Remove the leading # first to enable this; lines starting with # are ignored...# server_names = ['scaleway-fr', 'google',

C:\Program Files (x86)\YogaDNS\is-S3AL5.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp
File Type:	ASCII text
Category:	dropped
Size (bytes):	166
Entropy (8bit):	4.251107294008479
Encrypted:	false
SSDEEP:	3:Q9F7JzKW9gQCrK4lJh2gpxVtIb3DFVg/C6czoKYd6mRXTWo:GzKW+9bh2UVts35KqndUt
MD5:	240DF71B1A110C4DCEFFC1B77751B781
SHA1:	5BAD7EA4FB4D3EFEF27770CD61358CA9012E37AF
SHA-256:	06C74EF5EF53344C78C9AF2B29DC458A2ABE93F1BFF429705955C033E7A0686F
SHA-512:	EB9A441A8DDCD33FF123252515DE683E6C8FA8ACFD43EB43607944CF0E22914694C33B02D7954F30A0BD71890AFFC78894E4DC44FCBCCA93D3F0A8E0E14E535A
Malicious:	false
Reputation:	unknown
Preview:	. IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5.. IN DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D.

C:\Program Files (x86)\YogaDNS\is-VCP4T.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp
File Type:	UTF-8 Unicode text
Category:	dropped
Size (bytes):	32931
Entropy (8bit):	5.824660809533723
Encrypted:	false
SSDEEP:	384:PsQPJwxTwqjhzFFNjkSUiZqBRgFrij5q4VHrSrRAyMpRJxF:EQAwqNzFFdkSU3BRkri11vF
MD5:	87266FAFF9BEA0D9464D17AE6F99C742
SHA1:	ADF6AF84FBC9A721AB45C52CDF99ED530B59CE00
SHA-256:	692184F7D1272B8D1EC73A56C91D6C94C4E8F2C49FD1BE6DD3F6D75BFC48574F
SHA-512:	3B226432B2768D9B568BD30E80C58842E943F61B73C0A6BDD6F001DAB5EFF85F913605AEF196999E51E617A20E2CA1A011453A902F8112E597C8EAD361F1C7BB
Malicious:	false
Reputation:	unknown
Preview:	# public-resolvers..This is an extensive list of public DNS resolvers supporting the.DNSCrypt and DNS-over-HTTP2 protocols...This list is maintained by Frank Denis <j @ dnscrypt [.] info>..Warning: it includes servers that may censor content, servers that don't.verify DNSSEC records, and servers that will collect and monetize your.queries...Adjust the `require_*` options in dnscrypt-proxy to filter that list.according to your needs...To use that list, add this to the `[sources]` section of your.`dnscrypt-proxy.toml` configuration file:.. [sources.'public-resolvers']. urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md']. minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'. cache_file = 'public-resolvers.md'..--..## google-plain..sdns://AAEAAAAAAAAABzguOC44Ljg..## aaflalo-me-gcp..DNS-over-HTTPS proxy of aaflalo-me hosted in Google Clo

C:\Program Files (x86)\YogaDNS\is-VKNMA.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	740272
Entropy (8bit):	6.133841932082904
Encrypted:	false
SSDEEP:	12288:zZMIgYkGOh9h2Vfn2ZQfhT5zhONOqXtVt1tih5c3S:zZMIgYkG12+fA9iha3S
MD5:	EA3A9D42CE0D9EBDB689FF7A3B79AF82
SHA1:	18A2E0E88EC80FEACF506709134A9B883D40F5FD
SHA-256:	87D7A5041B934E52A891161B83ADF99DD23EB50363C3CAE7D29377C3EBBD129E
SHA-512:	299AA3CBABA34861E3F465FCA57F9C702953F58D49DF1EB341247C66652B096D65E29B63AE3D23E2A380DD7815AD247AA1751B61F111F1C6FBD5A0AA3A473510
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........s.a...a...a.......a.......a.......a.......a.......a...a...c.......a.......a.......a../....a../..a...a...a../....a..Rich.a..........................PE..L.....Qa.....................P......n........ ....@.................................>F....@.........................................................,..........Pt...t..p....................u......Pu..@............ ...............................text............................... ..`.rdata....... ......................@..@.data....[... ...,..................@....rsrc...............0..............@..@.reloc..Pt.......v..................@..B................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\YogaDNS\libcrypto-1_1.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	2420312
Entropy (8bit):	6.633009244683866
Encrypted:	false
SSDEEP:	49152:CjIbZhXddeDrsOHgc69kXvQUs2cwE9osptfy4ui3u70vgvee2VRQuz/TjifpTPbn:3b/tsscD69kXvQUs2cwWosptfy4ui3ul
MD5:	6111E3EFE0F6FE0E037642DDEAA34BF6
SHA1:	1CA5AE6607941C89A27E7C6BE76CFA40341B2C9E
SHA-256:	A86E52B8074B159301DDFE8E0FA54F113B1D3B35DA68D5802F8B0BE03EF4D426
SHA-512:	4BB25F81AC188BC7AB3179C62AAB29FEF1FFF86E35D0EE03E49C6F1410E284C428C518D0D01539E7B5F9E939A814E522225042DECE8F8104CA3CB9C2F5333652
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 3%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....\`..$........#...#......$..B........... ....@k..........................%.......%...@... ......................P".Y....P$.......$...............$.H.....$.h...........................l.!.....................(S$..............................text...............................`..`.data........ ....... ..............@.`..rdata..T....0.......0..............@.`@/4............!.......!.............@.0@.bss.....A....".......................`..edata..Y....P".......!.............@.0@.idata.......P$.......#.............@.0..CRT....,....p$.......#.............@.0..tls..........$.......#.............@.0..rsrc.........$.......$.............@.0..reloc..h.....$.......$.............@.0B........................................................................................................................................................................................

C:\Program Files (x86)\YogaDNS\public-resolvers.md (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp
File Type:	UTF-8 Unicode text
Category:	dropped
Size (bytes):	32931
Entropy (8bit):	5.824660809533723
Encrypted:	false
SSDEEP:	384:PsQPJwxTwqjhzFFNjkSUiZqBRgFrij5q4VHrSrRAyMpRJxF:EQAwqNzFFdkSU3BRkri11vF
MD5:	87266FAFF9BEA0D9464D17AE6F99C742
SHA1:	ADF6AF84FBC9A721AB45C52CDF99ED530B59CE00
SHA-256:	692184F7D1272B8D1EC73A56C91D6C94C4E8F2C49FD1BE6DD3F6D75BFC48574F
SHA-512:	3B226432B2768D9B568BD30E80C58842E943F61B73C0A6BDD6F001DAB5EFF85F913605AEF196999E51E617A20E2CA1A011453A902F8112E597C8EAD361F1C7BB
Malicious:	false
Reputation:	unknown
Preview:	# public-resolvers..This is an extensive list of public DNS resolvers supporting the.DNSCrypt and DNS-over-HTTP2 protocols...This list is maintained by Frank Denis <j @ dnscrypt [.] info>..Warning: it includes servers that may censor content, servers that don't.verify DNSSEC records, and servers that will collect and monetize your.queries...Adjust the `require_*` options in dnscrypt-proxy to filter that list.according to your needs...To use that list, add this to the `[sources]` section of your.`dnscrypt-proxy.toml` configuration file:.. [sources.'public-resolvers']. urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md']. minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'. cache_file = 'public-resolvers.md'..--..## google-plain..sdns://AAEAAAAAAAAABzguOC44Ljg..## aaflalo-me-gcp..DNS-over-HTTPS proxy of aaflalo-me hosted in Google Clo

C:\Program Files (x86)\YogaDNS\root.key (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp
File Type:	ASCII text
Category:	dropped
Size (bytes):	166
Entropy (8bit):	4.251107294008479
Encrypted:	false
SSDEEP:	3:Q9F7JzKW9gQCrK4lJh2gpxVtIb3DFVg/C6czoKYd6mRXTWo:GzKW+9bh2UVts35KqndUt
MD5:	240DF71B1A110C4DCEFFC1B77751B781
SHA1:	5BAD7EA4FB4D3EFEF27770CD61358CA9012E37AF
SHA-256:	06C74EF5EF53344C78C9AF2B29DC458A2ABE93F1BFF429705955C033E7A0686F
SHA-512:	EB9A441A8DDCD33FF123252515DE683E6C8FA8ACFD43EB43607944CF0E22914694C33B02D7954F30A0BD71890AFFC78894E4DC44FCBCCA93D3F0A8E0E14E535A
Malicious:	false
Reputation:	unknown
Preview:	. IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5.. IN DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D.

C:\Program Files (x86)\YogaDNS\unins000.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp
File Type:	data
Category:	dropped
Size (bytes):	7773
Entropy (8bit):	3.914996300655631
Encrypted:	false
SSDEEP:	192:0113YtclMr+IBl3bP4DSmfr4UP7pExjzkoAwCCgHn43Z+L:aytv9/3bPItopCZH43Zg
MD5:	AE3EC28A13AC41F5D99070FDD8A669BA
SHA1:	D0260CB4862CAA44C520E1DEB505A7033F4E66E2
SHA-256:	E648EFED59808D6B9ED554763A241FA7CC663A0B95CE6FAE83DBEEEE98B6B6F6
SHA-512:	DE466C5BBF4E01A2A2A31F540AD23176E1F407BD7C76FAD2AE61023C0A48D3F35BDB653C44E6206E753FE1A36BC3A7BFB55074E91528C81E1B54773A7A11E072
Malicious:	false
Reputation:	unknown
Preview:	Inno Setup Uninstall Log (b)....................................{642D9E44-C22E-4F97-9C5C-FDD97BF60891}..........................................................................................YogaDNS............................................................................................................................. ...]....................................................................................................................6h..................w........5.3.0.9.7.8......j.o.n.e.s......C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.Y.o.g.a.D.N.S..................6.... ..............IFPS....#........................................................................................................ANYMETHOD.....................................................................BOOLEAN..............TWIZARDFORM....TWIZARDFORM.........TMAINFORM....TMAINFORM.........TUNINSTALLPROGRESSFORM....TUNINSTALLPROGRESSFORM.........TUNINSTALLSTEP.........TMSGBOXTYPE.................!MAIN....-

C:\Program Files (x86)\YogaDNS\unins000.exe (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3202504
Entropy (8bit):	6.332943576053673
Encrypted:	false
SSDEEP:	49152:7EA9P+bz2cHPcUb6HSb4SOEMkBeH7nQckO6bAGx7jXTV+333TY:/92bz2Eb6pd7B6bAGx7s333T
MD5:	7FD3620B726C3B90AD03266C3942ACA9
SHA1:	66C0F6DB3E34003F6C5367B45D81D7533C284C8B
SHA-256:	3FB2CE91C0814D3D7F236496FE5374EF6FF502132A3FA30DEEDC3E22B910CA7B
SHA-512:	881EEED7EF5CF189511EB2D07C616B0CACE7AFF8D787514FB56293E01BF164A4C65783ACABD95787B33829CA38BA08FE684F207BDCB200D294D2602B3798F076
Malicious:	false
Reputation:	unknown
Preview:	MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...(..`.................:,.........`F,......P,...@...........................1.....e.1...@......@....................-......p-.29....-...............0.......................................-......................y-.......-......................text.....,.......,................. ..`.itext...(... ,..*....,............. ..`.data........P,......>,.............@....bss.....y....,..........................idata..29...p-..:....,.............@....didata.......-.......-.............@....edata........-.......-.............@..@.tls....L.....-..........................rdata..].....-.......-.............@..@.rsrc.........-.......-.............@..@..............1.......0.............@..@........................................................

C:\Program Files (x86)\YogaDNS\unins000.msg

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp
File Type:	data
Category:	dropped
Size (bytes):	23859
Entropy (8bit):	3.2764469892752675
Encrypted:	false
SSDEEP:	192:uhjNSCkf3SCqsTr6CCPanAG1tznL7VF+Iqfc51U5YQDztXfbKJG/Bfvo:uhK6CHr6fSX+7Q1U5YQDztB/B3o
MD5:	D4C511AD6BB3CBC7C799CB17446C6A06
SHA1:	A7B7FFF7F413E93C0ECBF8753814EF530EA1F09D
SHA-256:	4712AD03199E753531D6D79AB06249D84FF1D69921B75462F39172E3287F9784
SHA-512:	7F9208CD9DB5464C2A24160666F9132DF587BA1A902F7F35E9228FC5490C5925503C50938C391AF7AD137D136AA571C036DDF3493110BF8EE467E34F61ADBBB6
Malicious:	false
Reputation:	unknown
Preview:	Inno Setup Messages (6.0.0) (u)......................................\......*..C.a.n.c.e.l. .i.n.s.t.a.l.l.a.t.i.o.n...S.e.l.e.c.t. .a.c.t.i.o.n...&.I.g.n.o.r.e. .t.h.e. .e.r.r.o.r. .a.n.d. .c.o.n.t.i.n.u.e...&.T.r.y. .a.g.a.i.n...&.A.b.o.u.t. .S.e.t.u.p.........%.1. .v.e.r.s.i.o.n. .%.2.....%.3.........%.1. .h.o.m.e. .p.a.g.e.:.....%.4.....A.b.o.u.t. .S.e.t.u.p...Y.o.u. .m.u.s.t. .b.e. .l.o.g.g.e.d. .i.n. .a.s. .a.n. .a.d.m.i.n.i.s.t.r.a.t.o.r. .w.h.e.n. .i.n.s.t.a.l.l.i.n.g. .t.h.i.s. .p.r.o.g.r.a.m.....T.h.e. .f.o.l.l.o.w.i.n.g. .a.p.p.l.i.c.a.t.i.o.n.s. .a.r.e. .u.s.i.n.g. .f.i.l.e.s. .t.h.a.t. .n.e.e.d. .t.o. .b.e. .u.p.d.a.t.e.d. .b.y. .S.e.t.u.p... .I.t. .i.s. .r.e.c.o.m.m.e.n.d.e.d. .t.h.a.t. .y.o.u. .a.l.l.o.w. .S.e.t.u.p. .t.o. .a.u.t.o.m.a.t.i.c.a.l.l.y. .c.l.o.s.e. .t.h.e.s.e. .a.p.p.l.i.c.a.t.i.o.n.s.....T.h.e. .f.o.l.l.o.w.i.n.g. .a.p.p.l.i.c.a.t.i.o.n.s. .a.r.e. .u.s.i.n.g. .f.i.l.e.s. .t.h.a.t. .n.e.e.d. .t.o. .b.e. .u.p.d.a.t.e.d... .S.e.t.u.p. .w.i.l.l. .t.r.y. .t.o.

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\YogaDNS\Uninstall YogaDNS.lnk

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Tue Mar 29 21:03:54 2022, mtime=Tue Mar 29 21:03:54 2022, atime=Tue Mar 29 21:03:16 2022, length=3202504, window=hide
Category:	dropped
Size (bytes):	1089
Entropy (8bit):	4.693188686860934
Encrypted:	false
SSDEEP:	24:8mx7DX5dOE4KW6AgKdI7DdIXUUE5r7aB6m:8mJT5dOnpgKdI7DdIESB6
MD5:	68B11AD2E3DBFD11DF2A9601BD3D8654
SHA1:	BB38851AD49ABD9B1C1DCC92D45D02EFFCD5BDBA
SHA-256:	A087318E1CE086838F8F12857A7615D355818CBCC45C911E7E1E76C0D43F9641
SHA-512:	5EAB7888FDED80ABC4D8A77C88E495F40B230FFE47ED722C3B4A56AD2A3D8E424729FECEE52D4358C40883BBB0F56C12E8A4C8E136E27546A92E6FE7DEBB10D7
Malicious:	false
Reputation:	unknown
Preview:	L..................F.... ...a.^.C..A.e.C......C....0..........................P.O. .:i.....+00.../C:\.....................1.....}T\|...PROGRA~2.........L.}T......................V.....{B%.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....V.1.....}T....YogaDNS.@......}T\|.}T.......}........................Y.o.g.a.D.N.S.....f.2...0.}Ti. .unins000.exe..J......}T\|.}T\|.....D}.....................-..u.n.i.n.s.0.0.0...e.x.e.......Z...............-.......Y...........sWS~.....C:\Program Files (x86)\YogaDNS\unins000.exe..:.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.Y.o.g.a.D.N.S.\.u.n.i.n.s.0.0.0...e.x.e...C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.Y.o.g.a.D.N.S.........*................@Z\|...K.J.........`.......X.......530978...........!a..%.H.VZAj...,.$.............!a..%.H.VZAj...,.$........................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.2.1.2.5.5.6.3.2.0.9.-.4.0.5.3.0.6.2.

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\YogaDNS\YogaDNS Service Manager.lnk

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Tue Mar 29 21:03:59 2022, mtime=Tue Mar 29 21:03:59 2022, atime=Mon Sep 27 15:45:52 2021, length=740272, window=hide
Category:	dropped
Size (bytes):	1119
Entropy (8bit):	4.69211323982247
Encrypted:	false
SSDEEP:	24:8mgDX5dOE4KNHoJACI8dIV0dIXUUkSC7aB6m:8mgT5dOgoKCI8dIV0dIEXSTB6
MD5:	DCAD4E6F9044CED37C5A6AFDA5BBB0AA
SHA1:	158338AE4351F9C979634ADB28705E7C63BBC135
SHA-256:	199B65CCC37428AFF9AF5453A8BE99CC0C0CF2CD2CB8D78A04E293A2EBFC9D77
SHA-512:	F8D7BAB66C4464073E0D27E7A405F98101DAA3D00852463C6D36582021486090AF8D60D8AFA727D592E27DC2C3D5B2190F1C0256BBE8FA2A0F397CAFAC88D8A6
Malicious:	false
Reputation:	unknown
Preview:	L..................F.... ...1...C..._..C.....!.....K...........................P.O. .:i.....+00.../C:\.....................1.....}T\|...PROGRA~2.........L.}T......................V.....{B%.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....V.1.....}T....YogaDNS.@......}T\|.}T.......}........................Y.o.g.a.D.N.S.....r.2..K..;S.. .SERVIC~1.EXE..V......}T..}T................................S.e.r.v.i.c.e.M.a.n.a.g.e.r...e.x.e.......`...............-......._...........sWS~.....C:\Program Files (x86)\YogaDNS\ServiceManager.exe..@.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.Y.o.g.a.D.N.S.\.S.e.r.v.i.c.e.M.a.n.a.g.e.r...e.x.e...C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.Y.o.g.a.D.N.S.........*................@Z\|...K.J.........`.......X.......530978...........!a..%.H.VZAj...o.$.............!a..%.H.VZAj...o.$........................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.2.1.2.

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\YogaDNS\YogaDNS.lnk

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Tue Mar 29 21:03:54 2022, mtime=Tue Mar 29 21:03:54 2022, atime=Thu Feb 3 10:55:10 2022, length=4972464, window=hide
Category:	dropped
Size (bytes):	1082
Entropy (8bit):	4.648941379144392
Encrypted:	false
SSDEEP:	24:8mnsW9C0dOE4KeAsYtdIhdIXUUxwh7aB6m:8msW93dOysYtdIhdIEiB6
MD5:	F4A1B49AB3CCB18903FABE99D743AD54
SHA1:	AE73CF62962B659BB4E46E3B7FB3EC4D07A7DE21
SHA-256:	11AFA9D5D7C21949EA98478BAF101B5B1ECA7F71875BA181C16048E83D2CD841
SHA-512:	AD5FE9DBA30D65382113F0D5AF695C0F289B9EF50C3C1060058ED0DA8A1929CABF026F0CC4073E17311BF24FF12E6774BBFAD5CEB5D27DF6976080248B9A6B5F
Malicious:	false
Reputation:	unknown
Preview:	L..................F.... ...lI..C.. ...C...c........K..........................P.O. .:i.....+00.../C:\.....................1.....hTmM..PROGRA~2.........L.}Td.....................V.....n...P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....V.1.....}T....YogaDNS.@......}T\|.}T.......}........................Y.o.g.a.D.N.S.....b.2...K.CT.^ .YogaDNS.exe.H......}T\|.}T\|.....T}........................Y.o.g.a.D.N.S...e.x.e.......Y...............-.......X...........sWS~.....C:\Program Files (x86)\YogaDNS\YogaDNS.exe..9.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.Y.o.g.a.D.N.S.\.Y.o.g.a.D.N.S...e.x.e...C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.Y.o.g.a.D.N.S.........*................@Z\|...K.J.........`.......X.......530978...........!a..%.H.VZAj...!.$.............!a..%.H.VZAj...!.$........................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.2.1.2.5.5.6.3.2.0.9.-.4.0.5.3.0.6.2.3.3.2.-

C:\Users\Public\Desktop\YogaDNS.lnk

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Tue Mar 29 21:03:54 2022, mtime=Tue Mar 29 21:03:54 2022, atime=Thu Feb 3 10:55:10 2022, length=4972464, window=hide
Category:	dropped
Size (bytes):	1064
Entropy (8bit):	4.664852396082318
Encrypted:	false
SSDEEP:	24:8mnsWDX5dOE4KeAsYAdIhdIXUUxwh7aB6m:8msWT5dOysYAdIhdIEiB6
MD5:	793B088683980F03B585254FA68DEBA2
SHA1:	B74BF4FCC98272C2D0A23619D331270AB5AB0310
SHA-256:	8076855DDC87202D0BE6B372D6A0622C5D20E73909BE1C8C3A25A9B7A07C9A77
SHA-512:	9323E583A1D47B1B5B64E5DE979D814D255C01E6F5F34ED9FC08F94E89D2B85ECC6BE6E2EE356C79CA7C57DFD1188481AA173F2BFEE8F183CCEA7FE4C9241C02
Malicious:	false
Reputation:	unknown
Preview:	L..................F.... ...lI..C.. ...C...c........K..........................P.O. .:i.....+00.../C:\.....................1.....}T\|...PROGRA~2.........L.}T......................V.....{B%.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....V.1.....}T....YogaDNS.@......}T\|.}T.......}........................Y.o.g.a.D.N.S.....b.2...K.CT.^ .YogaDNS.exe.H......}T\|.}T\|.....T}........................Y.o.g.a.D.N.S...e.x.e.......Y...............-.......X...........sWS~.....C:\Program Files (x86)\YogaDNS\YogaDNS.exe..0.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.Y.o.g.a.D.N.S.\.Y.o.g.a.D.N.S...e.x.e...C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.Y.o.g.a.D.N.S.........*................@Z\|...K.J.........`.......X.......530978...........!a..%.H.VZAj...!.$.............!a..%.H.VZAj...!.$........................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.2.1.2.5.5.6.3.2.0.9.-.4.0.5.3.0.6.2.3.3.2.-.1.0.0.2.........9

C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ExplorerStartupLog_RunOnce.etl

Download File

Process:	C:\Windows\System32\runonce.exe
File Type:	data
Category:	dropped
Size (bytes):	24576
Entropy (8bit):	2.088980131437431
Encrypted:	false
SSDEEP:	384:tV5ptOJViAbInBgC7kirGBZMqjFioiovryHhi9DtaKjhYNbWrOHvKfs+rXreS7uS:M
MD5:	4C4DF6618D2E1CA29A306F6792C93946
SHA1:	0BE8E86C8E15A2FFC11228EB50E0A15C57DCEC2E
SHA-256:	2EFB2E29C5D95C865E8C34626348E840469C17067A8304A2001C45DCB5F81B28
SHA-512:	4FE56058E9F5140DECC55AC0270B2A2E85604F25F7BDF0724D6774225877DBF08148BF16724BC75EC8E3314291F6529B7CE9EDFCD00924B3D723F6A44E76CDC7
Malicious:	false
Reputation:	unknown
Preview:	. .......................................................................................C............. .......B.......`D.C..Zb..................................................@.t.z.r.e.s...d.l.l.,.-.3.2.2.......................................................@.t.z.r.e.s...d.l.l.,.-.3.2.1..............................................................2.... .....$.!.C..........E.x.p.l.o.r.e.r.S.t.a.r.t.u.p.L.o.g._.R.u.n.O.n.c.e...C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.E.x.p.l.o.r.e.r.\.E.x.p.l.o.r.e.r.S.t.a.r.t.u.p.L.o.g._.R.u.n.O.n.c.e...e.t.l...........P.P............C............................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-BAV9K.tmp\_isetup\_setup64.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	4.720366600008286
Encrypted:	false
SSDEEP:	96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
MD5:	E4211D6D009757C078A9FAC7FF4F03D4
SHA1:	019CD56BA687D39D12D4B13991C9A42EA6BA03DA
SHA-256:	388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
SHA-512:	17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..\|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp

Download File

Process:	C:\Users\user\Desktop\YogaDNSSetup.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3202504
Entropy (8bit):	6.332943576053673
Encrypted:	false
SSDEEP:	49152:7EA9P+bz2cHPcUb6HSb4SOEMkBeH7nQckO6bAGx7jXTV+333TY:/92bz2Eb6pd7B6bAGx7s333T
MD5:	7FD3620B726C3B90AD03266C3942ACA9
SHA1:	66C0F6DB3E34003F6C5367B45D81D7533C284C8B
SHA-256:	3FB2CE91C0814D3D7F236496FE5374EF6FF502132A3FA30DEEDC3E22B910CA7B
SHA-512:	881EEED7EF5CF189511EB2D07C616B0CACE7AFF8D787514FB56293E01BF164A4C65783ACABD95787B33829CA38BA08FE684F207BDCB200D294D2602B3798F076
Malicious:	true
Reputation:	unknown
Preview:	MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...(..`.................:,.........`F,......P,...@...........................1.....e.1...@......@....................-......p-.29....-...............0.......................................-......................y-.......-......................text.....,.......,................. ..`.itext...(... ,..*....,............. ..`.data........P,......>,.............@....bss.....y....,..........................idata..29...p-..:....,.............@....didata.......-.......-.............@....edata........-.......-.............@..@.tls....L.....-..........................rdata..].....-.......-.............@..@.rsrc.........-.......-.............@..@..............1.......0.............@..@........................................................

C:\Users\user\AppData\Roaming\YogaDNS\Configuration.xml

Download File

Process:	C:\Program Files (x86)\YogaDNS\YogaDNS.exe
File Type:	XML 1.0 document, ASCII text, with CRLF, LF line terminators
Category:	dropped
Size (bytes):	809
Entropy (8bit):	5.100701957486456
Encrypted:	false
SSDEEP:	24:2dtbeMpRK/mxLzjQOFMGA9pYkFMGA9pYshOSCe:cFeMpRumdjzmukmuGX
MD5:	2DF9805DB557BF2494A8BBB69D55F083
SHA1:	4C1BE30CF5B2BD9C6B761066BD320CE93CAB4869
SHA-256:	EF2D62BEBA6A6BBCECE17AB0C0783B9F43FF1CD896661FBF391C8F2C3AC0BAA4
SHA-512:	B0589D8526D388AF9E01454839FC824AC6C4F22DF4CEAF048498C0A00900BA01EF0A2AEC1AC07D14078A16AA922DF070FA882E13E702675EA7334AB79D111417
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>.<YogaDnsProfile file_format="1" product_id="1" product_min_version="127000">..<Settings ignore_rule_if_interface_down="1" blockTcpPort53="1" clearDnsCache="1" ttlMin="0" ttlMax="2147483647" captivePortalDetection="0" interceptOthers="0">...<DnsChecker testTarget="iana.org" testsPerTime="15" importUrls="https://yogadns.com/resolvers/resolvers.md..https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/public-resolvers.md..https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/relays.md.." />..</Settings>..<Rule name="Default" enabled="1" dnssec_local_validation="0" dnssec_reject_unsigned="0" hostnames="*" action="bypass" action_id="0" interface_id="" interface_id_type="id" interface_name="" />.</YogaDnsProfile>.

C:\Windows\System32\drivers\SET3827.tmp

Download File

Process:	C:\Windows\System32\rundll32.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	58632
Entropy (8bit):	6.718713880471932
Encrypted:	false
SSDEEP:	768:HdqUkP+xiUHZXT9mJSo8+6fbdzGgHUFBchr2D4yV3hJEb32nZ49z7:9ZHZXT9M8j5Gg0FBchqx3hJEblz7
MD5:	C12325E60A0F44F7F0DFA85877ED9C84
SHA1:	79C468B60B59CD7E5BA4806C4FD512A93F444E95
SHA-256:	6E550B6BBE69AA490EE69CCBFDD3084EAD8EA1C94166ACB13161C6F8F5E54B24
SHA-512:	2DBF96D7603545A3420503A7B28E77747166175EE70EE6AA9CAEDEE011FC8BEC14019572CB94D53A2676E1CF446537AFBD950F3ADE2BA107810A2E1527EF367F
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........,o.GM..GM..GM..N5..DM..N5..EM.."+..FM..GM..tM.."+..@M.."+..BM.."+..CM...$..KM...$..FM...$..FM..RichGM..........................PE..d...(..a.........."......t.....................@.........................................`A................................................d...d............p.. ........M......\......8............................................................................text....d.......f.................. ..h.rdata..,............j..............@..H.data...X............z..............@....pdata.. ....p.......~..............@..HPAGE....,........................... ..`INIT................................ ..b.rsrc...............................@..B.reloc..\...........................@..B................................................................................................................................................................

C:\Windows\system32\DRIVERS\DnsFltEngineDrv.sys (copy)

Download File

Process:	C:\Windows\System32\rundll32.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	58632
Entropy (8bit):	6.718713880471932
Encrypted:	false
SSDEEP:	768:HdqUkP+xiUHZXT9mJSo8+6fbdzGgHUFBchr2D4yV3hJEb32nZ49z7:9ZHZXT9M8j5Gg0FBchqx3hJEblz7
MD5:	C12325E60A0F44F7F0DFA85877ED9C84
SHA1:	79C468B60B59CD7E5BA4806C4FD512A93F444E95
SHA-256:	6E550B6BBE69AA490EE69CCBFDD3084EAD8EA1C94166ACB13161C6F8F5E54B24
SHA-512:	2DBF96D7603545A3420503A7B28E77747166175EE70EE6AA9CAEDEE011FC8BEC14019572CB94D53A2676E1CF446537AFBD950F3ADE2BA107810A2E1527EF367F
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........,o.GM..GM..GM..N5..DM..N5..EM.."+..FM..GM..tM.."+..@M.."+..BM.."+..CM...$..KM...$..FM...$..FM..RichGM..........................PE..d...(..a.........."......t.....................@.........................................`A................................................d...d............p.. ........M......\......8............................................................................text....d.......f.................. ..h.rdata..,............j..............@..H.data...X............z..............@....pdata.. ....p.......~..............@..HPAGE....,........................... ..`INIT................................ ..b.rsrc...............................@..B.reloc..\...........................@..B................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.953715763725193
TrID:	Win32 Executable (generic) a (10002005/4) 98.04% Inno Setup installer (109748/4) 1.08% InstallShield setup (43055/19) 0.42% Win32 EXE PECompact compressed (generic) (41571/9) 0.41% Win16/32 Executable Delphi generic (2074/23) 0.02%
File name:	YogaDNSSetup.exe
File size:	8517648
MD5:	ac752df0ebb3fc9fcbb3b906b4050c17
SHA1:	7f4686f519ffcab1510a6c422206387b3a89c134
SHA256:	2224b2d7b8fc7782f59ef6cbf8b15f98051309b2c6ab395836563954ce63b1e9
SHA512:	5a9a0c39f2ab33de33de061923a14cd099f6bc00f5238aceba4a7444c685da29f47f569251dc8db0fc209aeaa94644ca71e0a231e37307feb5ec61aec2642650
SSDEEP:	196608:lOh/ZavRjVT27MFXpmeXz4aUm6jpbYE3yHL:E9AvRh27aXcefHL
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	5030d06cecec80aa

Static PE Info

General

Entrypoint:	0x4b5eec
Entrypoint Section:	.itext
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI, RELOCS_STRIPPED
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x60B88E27 [Thu Jun 3 08:09:11 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	5a594319a0d69dbc452e748bcf05892e

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=GlobalSign Extended Validation CodeSigning CA - SHA256 - G3, O=GlobalSign nv-sa, C=BE
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	7/10/2019 8:15:39 AM 10/10/2022 8:15:39 AM
Subject Chain	CN="Initeks, OOO", O="Initeks, OOO", STREET="Prospect Komendantsky, 51/1, office 300", L=Saint Petersburg, S=Saint Petersburg, C=RU, OID.1.3.6.1.4.1.311.60.2.1.2=Saint Petersburg, OID.1.3.6.1.4.1.311.60.2.1.3=RU, SERIALNUMBER=1089847274439, OID.2.5.4.15=Private Organization
Version:	3
Thumbprint MD5:	32C66817CAB5463935C5B15C9ADA5C80
Thumbprint SHA-1:	D19CA782F95AD17B9EFCB47F6131D2E2124480DD
Thumbprint SHA-256:	9162B5093AF3079FF2B6478391645B8401D0AFC8385C93A7870CFB71E5A3BE2D
Serial:	3C6A8679F7B3FAA3AB61E213

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFA4h
push ebx
push esi
push edi
xor eax, eax
mov dword ptr [ebp-3Ch], eax
mov dword ptr [ebp-40h], eax
mov dword ptr [ebp-5Ch], eax
mov dword ptr [ebp-30h], eax
mov dword ptr [ebp-38h], eax
mov dword ptr [ebp-34h], eax
mov dword ptr [ebp-2Ch], eax
mov dword ptr [ebp-28h], eax
mov dword ptr [ebp-14h], eax
mov eax, 004B10F0h
call 00007F65FCA814E5h
xor eax, eax
push ebp
push 004B65E2h
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
xor edx, edx
push ebp
push 004B659Eh
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
mov eax, dword ptr [004BE634h]
call 00007F65FCB23C0Fh
call 00007F65FCB23762h
lea edx, dword ptr [ebp-14h]
xor eax, eax
call 00007F65FCA96F58h
mov edx, dword ptr [ebp-14h]
mov eax, 004C1D84h
call 00007F65FCA7C0D7h
push 00000002h
push 00000000h
push 00000001h
mov ecx, dword ptr [004C1D84h]
mov dl, 01h
mov eax, dword ptr [004237A4h]
call 00007F65FCA97FBFh
mov dword ptr [004C1D88h], eax
xor edx, edx
push ebp
push 004B654Ah
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
call 00007F65FCB23C97h
mov dword ptr [004C1D90h], eax
mov eax, dword ptr [004C1D90h]
cmp dword ptr [eax+0Ch], 01h
jne 00007F65FCB2A27Ah
mov eax, dword ptr [004C1D90h]
mov edx, 00000028h
call 00007F65FCA988B4h
mov edx, dword ptr [004C1D90h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0xc4000	0x9a	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc2000	0xf36	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc7000	0x10e00	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x81d850	0x1fc0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc6000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xc22e4	0x244	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0xc3000	0x1a4	.didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xb361c	0xb3800	False	0.344863934105	data	6.35605820433	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.itext	0xb5000	0x1688	0x1800	False	0.544921875	data	5.97275005522	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0xb7000	0x37a4	0x3800	False	0.360979352679	data	5.04440056201	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.bss	0xbb000	0x6de8	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.idata	0xc2000	0xf36	0x1000	False	0.3681640625	data	4.89870464796	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.didata	0xc3000	0x1a4	0x200	False	0.345703125	data	2.75636286825	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.edata	0xc4000	0x9a	0x200	False	0.2578125	data	1.87222286659	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls	0xc5000	0x18	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rdata	0xc6000	0x5d	0x200	False	0.189453125	data	1.38389437522	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0xc7000	0x10e00	0x10e00	False	0.188990162037	data	3.71313503088	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0xc7678	0xa68	dBase IV DBT of \200.DBF, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0	English	United States
RT_ICON	0xc80e0	0x668	data	English	United States
RT_ICON	0xc8748	0x2e8	dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 0, next used block 0	English	United States
RT_ICON	0xc8a30	0x128	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0xc8b58	0x1628	dBase IV DBT of \200.DBF, blocks size 0, block length 4096, next free block index 40, next free block 0, next used block 101056512	English	United States
RT_ICON	0xca180	0xea8	data	English	United States
RT_ICON	0xcb028	0x8a8	dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0	English	United States
RT_ICON	0xcb8d0	0x568	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0xcbe38	0x12e5	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States
RT_ICON	0xcd120	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4244635647, next used block 4294967295	English	United States
RT_ICON	0xd1348	0x25a8	data	English	United States
RT_ICON	0xd38f0	0x10a8	data	English	United States
RT_ICON	0xd4998	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_STRING	0xd4e00	0x360	data
RT_STRING	0xd5160	0x260	data
RT_STRING	0xd53c0	0x45c	data
RT_STRING	0xd581c	0x40c	data
RT_STRING	0xd5c28	0x2d4	data
RT_STRING	0xd5efc	0xb8	data
RT_STRING	0xd5fb4	0x9c	data
RT_STRING	0xd6050	0x374	data
RT_STRING	0xd63c4	0x398	data
RT_STRING	0xd675c	0x368	data
RT_STRING	0xd6ac4	0x2a4	data
RT_RCDATA	0xd6d68	0x10	data
RT_RCDATA	0xd6d78	0x2c4	data
RT_RCDATA	0xd703c	0x2c	data
RT_GROUP_ICON	0xd7068	0xbc	data	English	United States
RT_VERSION	0xd7124	0x584	data	English	United States
RT_MANIFEST	0xd76a8	0x726	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States

Imports

DLL	Import
kernel32.dll	GetACP, GetExitCodeProcess, LocalFree, CloseHandle, SizeofResource, VirtualProtect, VirtualFree, GetFullPathNameW, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVersion, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetSystemInfo, GetCommandLineW, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
comctl32.dll	InitCommonControls
version.dll	GetFileVersionInfoSizeW, VerQueryValueW, GetFileVersionInfoW
user32.dll	CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
oleaut32.dll	SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
netapi32.dll	NetWkstaGetInfo, NetApiBufferFree
advapi32.dll	RegQueryValueExW, AdjustTokenPrivileges, LookupPrivilegeValueW, RegCloseKey, OpenProcessToken, RegOpenKeyExW

Exports

Name	Ordinal	Address
TMethodImplementationIntercept	3	0x454060
__dbk_fcall_wrapper	2	0x40d0a0
dbkFCallWrapperAddr	1	0x4be63c

Version Infos

Description	Data
LegalCopyright	Copyright 2018-2022 Initex. All rights reserved.
FileVersion	1.31.0.1
CompanyName	Initex
Comments	This installation was built with Inno Setup.
ProductName	YogaDNS
ProductVersion	1.31
FileDescription	YogaDNS Setup
OriginalFileName
Translation	0x0000 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 30, 2022 00:04:15.286613941 CEST	49781	443	192.168.2.4	172.104.9.252
Mar 30, 2022 00:04:15.286668062 CEST	443	49781	172.104.9.252	192.168.2.4
Mar 30, 2022 00:04:15.286777020 CEST	49781	443	192.168.2.4	172.104.9.252
Mar 30, 2022 00:04:15.952944994 CEST	49781	443	192.168.2.4	172.104.9.252
Mar 30, 2022 00:04:15.952985048 CEST	443	49781	172.104.9.252	192.168.2.4
Mar 30, 2022 00:04:16.261466026 CEST	443	49781	172.104.9.252	192.168.2.4
Mar 30, 2022 00:04:16.261624098 CEST	49781	443	192.168.2.4	172.104.9.252
Mar 30, 2022 00:04:16.754159927 CEST	49781	443	192.168.2.4	172.104.9.252
Mar 30, 2022 00:04:16.754194021 CEST	443	49781	172.104.9.252	192.168.2.4
Mar 30, 2022 00:04:16.754605055 CEST	443	49781	172.104.9.252	192.168.2.4
Mar 30, 2022 00:04:16.754750967 CEST	49781	443	192.168.2.4	172.104.9.252
Mar 30, 2022 00:04:16.757684946 CEST	49781	443	192.168.2.4	172.104.9.252
Mar 30, 2022 00:04:16.798190117 CEST	443	49781	172.104.9.252	192.168.2.4
Mar 30, 2022 00:04:16.855345011 CEST	443	49781	172.104.9.252	192.168.2.4
Mar 30, 2022 00:04:16.855567932 CEST	443	49781	172.104.9.252	192.168.2.4
Mar 30, 2022 00:04:16.855664015 CEST	49781	443	192.168.2.4	172.104.9.252
Mar 30, 2022 00:04:16.855695963 CEST	49781	443	192.168.2.4	172.104.9.252
Mar 30, 2022 00:04:16.857202053 CEST	49781	443	192.168.2.4	172.104.9.252
Mar 30, 2022 00:04:16.857242107 CEST	443	49781	172.104.9.252	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 30, 2022 00:04:15.211683989 CEST	58171	53	192.168.2.4	8.8.8.8
Mar 30, 2022 00:04:15.234991074 CEST	53	58171	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Mar 30, 2022 00:04:15.211683989 CEST	192.168.2.4	8.8.8.8	0x2fb6	Standard query (0)	www.yogadns.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Mar 30, 2022 00:04:15.234991074 CEST	8.8.8.8	192.168.2.4	0x2fb6	No error (0)	www.yogadns.com	yogadns.com		CNAME (Canonical name)	IN (0x0001)
Mar 30, 2022 00:04:15.234991074 CEST	8.8.8.8	192.168.2.4	0x2fb6	No error (0)	yogadns.com		172.104.9.252	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

www.yogadns.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49781	172.104.9.252	443	C:\Program Files (x86)\YogaDNS\YogaDNS.exe

Timestamp	Direction	Data
2022-03-29 22:04:16 UTC	OUT	GET /last_versions/windows/13100/ HTTP/1.1 User-Agent: YogaDNS Host: www.yogadns.com Cache-Control: no-cache
2022-03-29 22:04:16 UTC	IN	HTTP/1.1 200 OK Server: nginx/1.14.2 Date: Tue, 29 Mar 2022 22:04:16 GMT Content-Type: text/html Content-Length: 41 Last-Modified: Tue, 15 Feb 2022 09:35:33 GMT Connection: close Expires: Thu, 01 Jan 1970 00:00:01 GMT Cache-Control: no-cache X-Frame-Options: SAMEORIGIN Accept-Ranges: bytes
2022-03-29 22:04:16 UTC	IN	Data Raw: 32 20 31 33 31 30 30 20 68 74 74 70 73 3a 2f 2f 77 77 77 2e 79 6f 67 61 64 6e 73 2e 63 6f 6d 2f 64 6f 77 6e 6c 6f 61 64 2f Data Ascii: 2 13100 https://www.yogadns.com/download/

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: YogaDNSSetup.exePID: 6768, Parent PID: 5204

General

Target ID:	0
Start time:	00:03:15
Start date:	30/03/2022
Path:	C:\Users\user\Desktop\YogaDNSSetup.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\YogaDNSSetup.exe"
Imagebase:	0x400000
File size:	8517648 bytes
MD5 hash:	AC752DF0EBB3FC9FCBB3B906B4050C17
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: YogaDNSSetup.tmpPID: 6828, Parent PID: 6768

General

Target ID:	2
Start time:	00:03:17
Start date:	30/03/2022
Path:	C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\is-HAI0J.tmp\YogaDNSSetup.tmp" /SL5="$7037A,7654068,831488,C:\Users\user\Desktop\YogaDNSSetup.exe"
Imagebase:	0x400000
File size:	3202504 bytes
MD5 hash:	7FD3620B726C3B90AD03266C3942ACA9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: YogaDNS.exePID: 6940, Parent PID: 6828

General

Target ID:	14
Start time:	00:04:02
Start date:	30/03/2022
Path:	C:\Program Files (x86)\YogaDNS\YogaDNS.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\YogaDNS\YogaDNS.exe" /ForceExit
Imagebase:	0x1000000
File size:	4972464 bytes
MD5 hash:	FB51F3CA7F0785C5AF983D599F715FF3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: net.exePID: 6508, Parent PID: 6828

General

Target ID:	15
Start time:	00:04:06
Start date:	30/03/2022
Path:	C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):	true
Commandline:	"NET.EXE" stop DnsFltEngineDrv
Imagebase:	0x1f0000
File size:	46592 bytes
MD5 hash:	DD0561156F62BC1958CE0E370B23711B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 6908, Parent PID: 6508

General

Target ID:	16
Start time:	00:04:06
Start date:	30/03/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff647620000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: net1.exePID: 6964, Parent PID: 6508

General

Target ID:	18
Start time:	00:04:07
Start date:	30/03/2022
Path:	C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\net1 stop DnsFltEngineDrv
Imagebase:	0x70000
File size:	141312 bytes
MD5 hash:	B5A26C2BF17222E86B91D26F1247AF3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 6848, Parent PID: 6828

General

Target ID:	19
Start time:	00:04:08
Start date:	30/03/2022
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	"RUNDLL32.EXE" SETUPAPI.DLL,InstallHinfSection DefaultInstall 132 C:\Program Files (x86)\YogaDNS\Driver\DnsFltEngineDrv.inf
Imagebase:	0x7ff696ff0000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: runonce.exePID: 5108, Parent PID: 6848

General

Target ID:	20
Start time:	00:04:09
Start date:	30/03/2022
Path:	C:\Windows\System32\runonce.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\runonce.exe" -r
Imagebase:	0x7ff75c880000
File size:	57856 bytes
MD5 hash:	5F3BE52A00D8C741AE0B7FCE861F90AD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: YogaDNS.exePID: 7008, Parent PID: 3616

General

Target ID:	21
Start time:	00:04:10
Start date:	30/03/2022
Path:	C:\Program Files (x86)\YogaDNS\YogaDNS.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\YogaDNS\YogaDNS.exe" /AutoRun
Imagebase:	0x1000000
File size:	4972464 bytes
MD5 hash:	FB51F3CA7F0785C5AF983D599F715FF3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: grpconv.exePID: 7044, Parent PID: 5108

General

Target ID:	22
Start time:	00:04:11
Start date:	30/03/2022
Path:	C:\Windows\System32\grpconv.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\grpconv.exe" -o
Imagebase:	0x7ff79f340000
File size:	50688 bytes
MD5 hash:	7E727D9259367AF1C140377A4BF173C0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: YogaDNS.exePID: 5116, Parent PID: 6828

General

Target ID:	23
Start time:	00:04:21
Start date:	30/03/2022
Path:	C:\Program Files (x86)\YogaDNS\YogaDNS.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\YogaDNS\YogaDNS.exe" /ShowWnd
Imagebase:	0x1000000
File size:	4972464 bytes
MD5 hash:	FB51F3CA7F0785C5AF983D599F715FF3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: YogaDNSSetup.exePID: 6768, Parent PID: 5204COMMON

Execution Graph

Execution Coverage:	3.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	11.9%
Total number of Nodes:	837
Total number of Limit Nodes:	31

Executed Functions

Function 004B5114 Relevance: 47.4, APIs: 7, Strings: 20, Instructions: 165
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 73%

			E004B5114(void* __ebx, void* __edx, void* __edi, void* __esi) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v52;
				char _v56;
				char _v60;
				long _t39;
				_Unknown_base(*)()* _t42;
				_Unknown_base(*)()* _t43;
				_Unknown_base(*)()* _t46;
				signed int _t51;
				void* _t111;
				void* _t112;
				intOrPtr _t129;
				struct HINSTANCE__* _t148;
				intOrPtr* _t150;
				intOrPtr _t152;
				intOrPtr _t153;

				_t152 = _t153;
				_t112 = 7;
				do {
					_push(0);
					_push(0);
					_t112 = _t112 - 1;
				} while (_t112 != 0);
				_push(_t152);
				_push(0x4b5388);
				_push( *[fs:eax]);
				 *[fs:eax] = _t153;
				 *0x4be664 =  *0x4be664 - 1;
				if( *0x4be664 >= 0) {
					L19:
					_pop(_t129);
					 *[fs:eax] = _t129;
					_push(0x4b538f);
					return E00407A80( &_v60, 0xe);
				} else {
					_t148 = GetModuleHandleW(L"kernel32.dll");
					_t39 = GetVersion();
					_t111 = 0;
					if(_t39 != 0x600) {
						_t150 = GetProcAddress(_t148, "SetDefaultDllDirectories");
						if(_t150 != 0) {
							 *_t150(0x800);
							asm("sbb ebx, ebx");
							_t111 = 1;
						}
					}
					if(_t111 == 0) {
						_t46 = GetProcAddress(_t148, "SetDllDirectoryW");
						if(_t46 != 0) {
							 *_t46(0x4b53e4);
						}
						E0040E520( &_v8);
						E00407E00(0x4be668, _v8);
						if( *0x4be668 != 0) {
							_t51 =  *0x4be668;
							if(_t51 != 0) {
								_t51 =  *(_t51 - 4);
							}
							if( *((short*)( *0x4be668 + _t51 * 2 - 2)) != 0x5c) {
								E004086E4(0x4be668, 0x4b53f4);
							}
							E0040873C( &_v12, L"uxtheme.dll",  *0x4be668);
							E0040E54C(_v12, _t111);
							E0040873C( &_v16, L"userenv.dll",  *0x4be668);
							E0040E54C(_v16, _t111);
							E0040873C( &_v20, L"setupapi.dll",  *0x4be668);
							E0040E54C(_v20, _t111);
							E0040873C( &_v24, L"apphelp.dll",  *0x4be668);
							E0040E54C(_v24, _t111);
							E0040873C( &_v28, L"propsys.dll",  *0x4be668);
							E0040E54C(_v28, _t111);
							E0040873C( &_v32, L"dwmapi.dll",  *0x4be668);
							E0040E54C(_v32, _t111);
							E0040873C( &_v36, L"cryptbase.dll",  *0x4be668);
							E0040E54C(_v36, _t111);
							E0040873C( &_v40, L"oleacc.dll",  *0x4be668);
							E0040E54C(_v40, _t111);
							E0040873C( &_v44, L"version.dll",  *0x4be668);
							E0040E54C(_v44, _t111);
							E0040873C( &_v48, L"profapi.dll",  *0x4be668);
							E0040E54C(_v48, _t111);
							E0040873C( &_v52, L"comres.dll",  *0x4be668);
							E0040E54C(_v52, _t111);
							E0040873C( &_v56, L"clbcatq.dll",  *0x4be668);
							E0040E54C(_v56, _t111);
							E0040873C( &_v60, L"ntmarta.dll",  *0x4be668);
							E0040E54C(_v60, _t111);
						}
					}
					_t42 = GetProcAddress(_t148, "SetSearchPathMode");
					if(_t42 != 0) {
						 *_t42(0x8001);
					}
					_t43 = GetProcAddress(_t148, "SetProcessDEPPolicy");
					if(_t43 != 0) {
						 *_t43(1); // executed
					}
					goto L19;
				}
			}

0x004b5115
0x004b5117
0x004b511c
0x004b511c
0x004b511e
0x004b5120
0x004b5120
0x004b5128
0x004b5129
0x004b512e
0x004b5131
0x004b5134
0x004b513b
0x004b536d
0x004b536f
0x004b5372
0x004b5375
0x004b5387
0x004b5141
0x004b514b
0x004b514d
0x004b5154
0x004b515a
0x004b5167
0x004b516b
0x004b5172
0x004b5177
0x004b5179
0x004b5179
0x004b516b
0x004b517c
0x004b5188
0x004b518f
0x004b5196
0x004b5196
0x004b519b
0x004b51a8
0x004b51b4
0x004b51ba
0x004b51c1
0x004b51c6
0x004b51c6
0x004b51d4
0x004b51e0
0x004b51e0
0x004b51f3
0x004b51fb
0x004b520e
0x004b5216
0x004b5229
0x004b5231
0x004b5244
0x004b524c
0x004b525f
0x004b5267
0x004b527a
0x004b5282
0x004b5295
0x004b529d
0x004b52b0
0x004b52b8
0x004b52cb
0x004b52d3
0x004b52e6
0x004b52ee
0x004b5301
0x004b5309
0x004b531c
0x004b5324
0x004b5337
0x004b533f
0x004b533f
0x004b51b4
0x004b534a
0x004b5351
0x004b5358
0x004b5358
0x004b5360
0x004b5367
0x004b536b
0x004b536b
0x00000000
0x004b5367

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,00000000,004B5388,?,?,?,?,00000000,00000000), ref: 004B5146
GetVersion.KERNEL32(kernel32.dll,00000000,004B5388,?,?,?,?,00000000,00000000), ref: 004B514D
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 004B5162
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 004B5188

Part of subcall function 0040E54C: SetErrorMode.KERNEL32(00008000), ref: 0040E55A
Part of subcall function 0040E54C: LoadLibraryW.KERNEL32(00000000,00000000,0040E5AE,?,00000000,0040E5CC,?,00008000), ref: 0040E58F

GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 004B534A
GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 004B5360
SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,00000000,004B5388,?,?,?,?,00000000,00000000), ref: 004B536B

Strings

setupapi.dll, xrefs: 004B521E
SetProcessDEPPolicy, xrefs: 004B535A
SetDefaultDllDirectories, xrefs: 004B515C
apphelp.dll, xrefs: 004B5239
hK, xrefs: 004B51D6
kernel32.dll, xrefs: 004B5141
profapi.dll, xrefs: 004B52DB
SetDllDirectoryW, xrefs: 004B5182
uxtheme.dll, xrefs: 004B51E8
SetSearchPathMode, xrefs: 004B5344
propsys.dll, xrefs: 004B5254
hK, xrefs: 004B51A3
comres.dll, xrefs: 004B52F6
version.dll, xrefs: 004B52C0
oleacc.dll, xrefs: 004B52A5
ntmarta.dll, xrefs: 004B532C
userenv.dll, xrefs: 004B5203
clbcatq.dll, xrefs: 004B5311
cryptbase.dll, xrefs: 004B528A
dwmapi.dll, xrefs: 004B526F

Memory Dump Source

Source File: 00000000.00000002.408873022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.408864577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409100576.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409115454.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409128043.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409135279.00000000004C6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: AddressProc$ErrorHandleLibraryLoadModeModulePolicyProcessVersion
String ID: SetDefaultDllDirectories$SetDllDirectoryW$SetProcessDEPPolicy$SetSearchPathMode$apphelp.dll$clbcatq.dll$comres.dll$cryptbase.dll$dwmapi.dll$hK$hK$kernel32.dll$ntmarta.dll$oleacc.dll$profapi.dll$propsys.dll$setupapi.dll$userenv.dll$uxtheme.dll$version.dll
API String ID: 2248137261-3182217745
Opcode ID: 68b2adb77f8f7151d30e1a894141e6e7486eaa9f98baa6450b00b79ea83e97ab
Instruction ID: 14362f36823de93a6bafc63c1bb5288ecf7b8ac372eee3bc1917329a49ba756d
Opcode Fuzzy Hash: 68b2adb77f8f7151d30e1a894141e6e7486eaa9f98baa6450b00b79ea83e97ab
Instruction Fuzzy Hash: 57513C34601504ABE701EBA6DC82FDEB3A5AB94348BA4493BE40077395DF7C9D428B6D

Uniqueness

Uniqueness Score: -1.00%

Function 004AF91C Relevance: 7.6, APIs: 5, Instructions: 80
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004AF91C(void* __eax) {
				char _v44;
				struct _SYSTEM_INFO _v80;
				long _v84;
				char _v88;
				long _t22;
				int _t28;
				void* _t37;
				struct _MEMORY_BASIC_INFORMATION* _t40;
				long _t41;
				void** _t42;

				_t42 =  &(_v80.dwPageSize);
				 *_t42 = __eax;
				_t40 =  &_v44;
				GetSystemInfo( &_v80); // executed
				_t22 = VirtualQuery( *_t42, _t40, 0x1c);
				if(_t22 == 0) {
					L17:
					return _t22;
				} else {
					while(1) {
						_t22 = _t40->AllocationBase;
						if(_t22 !=  *_t42) {
							goto L17;
						}
						if(_t40->State != 0x1000 || (_t40->Protect & 0x00000001) != 0) {
							L15:
							_t22 = VirtualQuery(_t40->BaseAddress + _t40->RegionSize, _t40, 0x1c);
							if(_t22 == 0) {
								goto L17;
							}
							continue;
						} else {
							_v88 = 0;
							_t41 = _t40->Protect;
							if(_t41 == 1 || _t41 == 2 || _t41 == 0x10 || _t41 == 0x20) {
								_t28 = VirtualProtect(_t40->BaseAddress, _t40->RegionSize, 0x40,  &_v84); // executed
								if(_t28 != 0) {
									_v88 = 1;
								}
							}
							_t37 = 0;
							while(_t37 < _t40->RegionSize) {
								E004AF914(_t40->BaseAddress + _t37);
								_t37 = _t37 + _v80.dwPageSize;
							}
							if(_v88 != 0) {
								VirtualProtect( *_t40, _t40->RegionSize, _v84,  &_v84); // executed
							}
							goto L15;
						}
					}
					goto L17;
				}
			}

0x004af920
0x004af923
0x004af926
0x004af92f
0x004af93b
0x004af942
0x004af9ee
0x004af9ee
0x004af948
0x004af9db
0x004af9db
0x004af9e1
0x00000000
0x00000000
0x004af954
0x004af9c7
0x004af9d2
0x004af9d9
0x00000000
0x00000000
0x00000000
0x004af95c
0x004af95c
0x004af961
0x004af967
0x004af986
0x004af98d
0x004af98f
0x004af98f
0x004af98d
0x004af994
0x004af9a5
0x004af99c
0x004af9a1
0x004af9a1
0x004af9af
0x004af9c2
0x004af9c2
0x00000000
0x004af9af
0x004af954
0x00000000
0x004af9db

APIs

GetSystemInfo.KERNEL32(?), ref: 004AF92F
VirtualQuery.KERNEL32(?,?,0000001C,?), ref: 004AF93B
VirtualProtect.KERNEL32(?,?,00000040,0000001C,?,?,0000001C), ref: 004AF986
VirtualProtect.KERNEL32(?,?,?,0000001C,?,?,00000040,0000001C,?,?,0000001C), ref: 004AF9C2
VirtualQuery.KERNEL32(?,?,0000001C,?,?,0000001C,?), ref: 004AF9D2

Memory Dump Source

Source File: 00000000.00000002.408873022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.408864577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409100576.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409115454.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409128043.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409135279.00000000004C6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: Virtual$ProtectQuery$InfoSystem
String ID:
API String ID: 2441996862-0
Opcode ID: 57281b4e736338f8d77ca256b537dd22dd4c981be38144bf210ac0f1d0b120f5
Instruction ID: 3a96586125c0dafbea7f6284d897bb751f900199eded140d0d018ead0d29608e
Opcode Fuzzy Hash: 57281b4e736338f8d77ca256b537dd22dd4c981be38144bf210ac0f1d0b120f5
Instruction Fuzzy Hash: C5212CB1104344BAD730DA99C885F6BBBEC9B56354F04492EF59583681D339E848C766

Uniqueness

Uniqueness Score: -1.00%

Function 0040B044 Relevance: 3.1, APIs: 2, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E0040B044(char __eax, void* __ebx, intOrPtr* __edx, void* __eflags) {
				char _v8;
				short _v12;
				void* _v16;
				char _v20;
				char _v24;
				void* _t29;
				void* _t40;
				intOrPtr* _t44;
				intOrPtr _t55;
				void* _t61;

				_push(__ebx);
				_v24 = 0;
				_v20 = 0;
				_t44 = __edx;
				_v8 = __eax;
				E00407B04(_v8);
				_push(_t61);
				_push(0x40b104);
				_push( *[fs:eax]);
				 *[fs:eax] = _t61 + 0xffffffec;
				_t21 =  &_v16;
				L00403730();
				GetLocaleInfoW( &_v16 & 0x0000ffff, 3, _t21, 4);
				E0040858C( &_v20, 4,  &_v16);
				E0040873C(_t44, _v20, _v8);
				_t29 = E0040AEF4( *_t44, _t44); // executed
				if(_t29 == 0) {
					_v12 = 0;
					E0040858C( &_v24, 4,  &_v16);
					E0040873C(_t44, _v24, _v8);
					_t40 = E0040AEF4( *_t44, _t44); // executed
					if(_t40 == 0) {
						E00407A20(_t44);
					}
				}
				_pop(_t55);
				 *[fs:eax] = _t55;
				_push(E0040B10B);
				E00407A80( &_v24, 2);
				return E00407A20( &_v8);
			}

0x0040b04a
0x0040b04d
0x0040b050
0x0040b053
0x0040b055
0x0040b05b
0x0040b062
0x0040b063
0x0040b068
0x0040b06b
0x0040b070
0x0040b076
0x0040b07f
0x0040b08f
0x0040b09c
0x0040b0a3
0x0040b0aa
0x0040b0ac
0x0040b0bd
0x0040b0ca
0x0040b0d1
0x0040b0d8
0x0040b0dc
0x0040b0dc
0x0040b0d8
0x0040b0e3
0x0040b0e6
0x0040b0e9
0x0040b0f6
0x0040b103

APIs

GetUserDefaultUILanguage.KERNEL32(00000003,?,00000004,00000000,0040B104,?,?), ref: 0040B076
GetLocaleInfoW.KERNEL32(?,00000003,?,00000004,00000000,0040B104,?,?), ref: 0040B07F

Part of subcall function 0040AEF4: FindFirstFileW.KERNEL32(00000000,?,00000000,0040AF52,?,?), ref: 0040AF27
Part of subcall function 0040AEF4: FindClose.KERNEL32(00000000,00000000,?,00000000,0040AF52,?,?), ref: 0040AF37

Memory Dump Source

Source File: 00000000.00000002.408873022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.408864577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409100576.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409115454.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409128043.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409135279.00000000004C6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: Find$CloseDefaultFileFirstInfoLanguageLocaleUser
String ID:
API String ID: 3216391948-0
Opcode ID: 044937d21d1936a91ef9b6e1a310017a9e27582e27e23f6d989339badd03c388
Instruction ID: a9cfc37755e84068b6e5d0711ea0537dd567252b91127d2e7da10f621904fc04
Opcode Fuzzy Hash: 044937d21d1936a91ef9b6e1a310017a9e27582e27e23f6d989339badd03c388
Instruction Fuzzy Hash: 35113674A041099BDB00EB95C9529AEB3B9EF44304F50447FA515B73C1DB785E058A6E

Uniqueness

Uniqueness Score: -1.00%

Function 0040AEF4 Relevance: 3.0, APIs: 2, Instructions: 33
fileCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E0040AEF4(char __eax, signed int __ebx) {
				char _v8;
				struct _WIN32_FIND_DATAW _v600;
				void* _t15;
				intOrPtr _t24;
				void* _t27;

				_push(__ebx);
				_v8 = __eax;
				E00407B04(_v8);
				_push(_t27);
				_push(0x40af52);
				_push( *[fs:eax]);
				 *[fs:eax] = _t27 + 0xfffffdac;
				_t15 = FindFirstFileW(E004084EC(_v8),  &_v600); // executed
				if((__ebx & 0xffffff00 | _t15 != 0xffffffff) != 0) {
					FindClose(_t15);
				}
				_pop(_t24);
				 *[fs:eax] = _t24;
				_push(E0040AF59);
				return E00407A20( &_v8);
			}

0x0040aefd
0x0040aefe
0x0040af04
0x0040af0b
0x0040af0c
0x0040af11
0x0040af14
0x0040af27
0x0040af34
0x0040af37
0x0040af37
0x0040af3e
0x0040af41
0x0040af44
0x0040af51

APIs

FindFirstFileW.KERNEL32(00000000,?,00000000,0040AF52,?,?), ref: 0040AF27
FindClose.KERNEL32(00000000,00000000,?,00000000,0040AF52,?,?), ref: 0040AF37

Memory Dump Source

Source File: 00000000.00000002.408873022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.408864577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409100576.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409115454.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409128043.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409135279.00000000004C6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: bba38ffe097e2c5d51b68bca4dd41d34791c3125f335f0c7ddbac3aaaf9dd96f
Instruction ID: b27eefbf95a445daf5872925c41aeb1c7ded3ce7930a436f9b8cfd192dc84724
Opcode Fuzzy Hash: bba38ffe097e2c5d51b68bca4dd41d34791c3125f335f0c7ddbac3aaaf9dd96f
Instruction Fuzzy Hash: 5FF0B471518209BFC710FB75CD4294EB7ACEB043147A005B6B504F32C1E638AF149519

Uniqueness

Uniqueness Score: -1.00%

Function 0040AB18 Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 173
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 78%

			E0040AB18(char __eax, void* __ebx, void* __ecx, void* __edx) {
				char _v8;
				char* _v12;
				void* _v16;
				int _v20;
				short _v542;
				long _t51;
				long _t85;
				long _t87;
				long _t89;
				long _t91;
				long _t93;
				void* _t97;
				intOrPtr _t106;
				intOrPtr _t108;
				void* _t112;
				void* _t113;
				intOrPtr _t114;

				_t112 = _t113;
				_t114 = _t113 + 0xfffffde4;
				_t97 = __edx;
				_v8 = __eax;
				E00407B04(_v8);
				_push(_t112);
				_push(0x40ad3d);
				_push( *[fs:eax]);
				 *[fs:eax] = _t114;
				if(_v8 != 0) {
					E0040A34C( &_v542, E004084EC(_v8), 0x105);
				} else {
					GetModuleFileNameW(0,  &_v542, 0x105);
				}
				if(_v542 == 0) {
					L18:
					_pop(_t106);
					 *[fs:eax] = _t106;
					_push(E0040AD44);
					return E00407A20( &_v8);
				} else {
					_v12 = 0;
					_t51 = RegOpenKeyExW(0x80000001, L"Software\\Embarcadero\\Locales", 0, 0xf0019,  &_v16); // executed
					if(_t51 == 0) {
						L10:
						_push(_t112);
						_push(0x40ad20);
						_push( *[fs:eax]);
						 *[fs:eax] = _t114;
						E0040A928( &_v542, 0x105);
						if(RegQueryValueExW(_v16,  &_v542, 0, 0, 0,  &_v20) != 0) {
							if(RegQueryValueExW(_v16, E0040AE30, 0, 0, 0,  &_v20) == 0) {
								_v12 = E004053F0(_v20);
								RegQueryValueExW(_v16, E0040AE30, 0, 0, _v12,  &_v20);
								E00408550(_t97, _v12);
							}
						} else {
							_v12 = E004053F0(_v20);
							RegQueryValueExW(_v16,  &_v542, 0, 0, _v12,  &_v20);
							E00408550(_t97, _v12);
						}
						_pop(_t108);
						 *[fs:eax] = _t108;
						_push(E0040AD27);
						if(_v12 != 0) {
							E0040540C(_v12);
						}
						return RegCloseKey(_v16);
					} else {
						_t85 = RegOpenKeyExW(0x80000002, L"Software\\Embarcadero\\Locales", 0, 0xf0019,  &_v16); // executed
						if(_t85 == 0) {
							goto L10;
						} else {
							_t87 = RegOpenKeyExW(0x80000001, L"Software\\CodeGear\\Locales", 0, 0xf0019,  &_v16); // executed
							if(_t87 == 0) {
								goto L10;
							} else {
								_t89 = RegOpenKeyExW(0x80000002, L"Software\\CodeGear\\Locales", 0, 0xf0019,  &_v16); // executed
								if(_t89 == 0) {
									goto L10;
								} else {
									_t91 = RegOpenKeyExW(0x80000001, L"Software\\Borland\\Locales", 0, 0xf0019,  &_v16); // executed
									if(_t91 == 0) {
										goto L10;
									} else {
										_t93 = RegOpenKeyExW(0x80000001, L"Software\\Borland\\Delphi\\Locales", 0, 0xf0019,  &_v16); // executed
										if(_t93 != 0) {
											goto L18;
										} else {
											goto L10;
										}
									}
								}
							}
						}
					}
				}
			}

0x0040ab19
0x0040ab1b
0x0040ab22
0x0040ab24
0x0040ab2a
0x0040ab31
0x0040ab32
0x0040ab37
0x0040ab3a
0x0040ab41
0x0040ab6d
0x0040ab43
0x0040ab51
0x0040ab51
0x0040ab7a
0x0040ad27
0x0040ad29
0x0040ad2c
0x0040ad2f
0x0040ad3c
0x0040ab80
0x0040ab82
0x0040ab9a
0x0040aba1
0x0040ac41
0x0040ac43
0x0040ac44
0x0040ac49
0x0040ac4c
0x0040ac5a
0x0040ac7b
0x0040acca
0x0040acd4
0x0040acec
0x0040acf6
0x0040acf6
0x0040ac7d
0x0040ac85
0x0040ac9f
0x0040aca9
0x0040aca9
0x0040acfd
0x0040ad00
0x0040ad03
0x0040ad0c
0x0040ad11
0x0040ad11
0x0040ad1f
0x0040aba7
0x0040abbc
0x0040abc3
0x00000000
0x0040abc5
0x0040abda
0x0040abe1
0x00000000
0x0040abe3
0x0040abf8
0x0040abff
0x00000000
0x0040ac01
0x0040ac16
0x0040ac1d
0x00000000
0x0040ac1f
0x0040ac34
0x0040ac3b
0x00000000
0x00000000
0x00000000
0x00000000
0x0040ac3b
0x0040ac1d
0x0040abff
0x0040abe1
0x0040abc3
0x0040aba1

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040AD3D,?,?), ref: 0040AB51
RegOpenKeyExW.ADVAPI32(80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040AD3D,?,?), ref: 0040AB9A
RegOpenKeyExW.ADVAPI32(80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040AD3D,?,?), ref: 0040ABBC
RegOpenKeyExW.ADVAPI32(80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000), ref: 0040ABDA
RegOpenKeyExW.ADVAPI32(80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001), ref: 0040ABF8
RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002), ref: 0040AC16
RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001), ref: 0040AC34
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000,0040AD20,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040AD3D), ref: 0040AC74
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,?,00000000,00000000,00000000,?,00000000,0040AD20,?,80000001), ref: 0040AC9F
RegCloseKey.ADVAPI32(?,0040AD27,00000000,00000000,?,?,?,00000000,00000000,00000000,?,00000000,0040AD20,?,80000001,Software\Embarcadero\Locales), ref: 0040AD1A

Strings

Software\CodeGear\Locales, xrefs: 0040ABD0, 0040ABEE
Software\Embarcadero\Locales, xrefs: 0040AB90, 0040ABB2
Software\Borland\Delphi\Locales, xrefs: 0040AC2A
Software\Borland\Locales, xrefs: 0040AC0C

Memory Dump Source

Source File: 00000000.00000002.408873022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.408864577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409100576.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409115454.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409128043.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409135279.00000000004C6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: Open$QueryValue$CloseFileModuleName
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales$Software\CodeGear\Locales$Software\Embarcadero\Locales
API String ID: 2701450724-3496071916
Opcode ID: 8af598c5208afc10239ec938650b713086258bd8f52ea94da89803fd33d180c8
Instruction ID: cdbeddac4db4dda9279672c2614f8dce2a18b15a4a55f9a64fe791b6da82c449
Opcode Fuzzy Hash: 8af598c5208afc10239ec938650b713086258bd8f52ea94da89803fd33d180c8
Instruction Fuzzy Hash: FB514371A80308BEEB10DA95CC46FAE77BCEB08709F504477BA04F75C1D6B8AA50975E

Uniqueness

Uniqueness Score: -1.00%

Function 004B63A1 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 103
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 85%

			E004B63A1(void* __ebx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
				intOrPtr _t17;
				struct HWND__* _t21;
				struct HWND__* _t22;
				struct HWND__* _t25;
				intOrPtr _t26;
				intOrPtr _t28;
				intOrPtr _t36;
				intOrPtr _t39;
				int _t40;
				intOrPtr _t41;
				intOrPtr _t43;
				struct HWND__* _t46;
				intOrPtr _t47;
				intOrPtr _t50;
				intOrPtr _t60;
				intOrPtr _t62;
				intOrPtr _t68;
				intOrPtr _t69;
				intOrPtr _t70;
				void* _t73;
				void* _t74;

				_t74 = __eflags;
				_t72 = __esi;
				_t71 = __edi;
				_t52 = __ebx;
				_pop(_t62);
				 *[fs:eax] = _t62;
				_t17 =  *0x4c1d88; // 0x0
				 *0x4c1d88 = 0;
				E00405CE8(_t17);
				_t21 = E0040E450(0, L"STATIC", 0,  *0x4be634, 0, 0, 0, 0, 0, 0, 0); // executed
				 *0x4ba450 = _t21;
				_t22 =  *0x4ba450; // 0x7037a
				 *0x4c1d80 = SetWindowLongW(_t22, 0xfffffffc, E004AF69C);
				_t25 =  *0x4ba450; // 0x7037a
				 *(_t73 - 0x58) = _t25;
				 *((char*)(_t73 - 0x54)) = 0;
				_t26 =  *0x4c1d90; // 0x4d703c
				_t4 = _t26 + 0x20; // 0x74cab4
				 *((intOrPtr*)(_t73 - 0x50)) =  *_t4;
				 *((char*)(_t73 - 0x4c)) = 0;
				_t28 =  *0x4c1d90; // 0x4d703c
				_t7 = _t28 + 0x24; // 0xcb000
				 *((intOrPtr*)(_t73 - 0x48)) =  *_t7;
				 *((char*)(_t73 - 0x44)) = 0;
				E0041A87C(L"/SL5=\"$%x,%d,%d,", 2, _t73 - 0x58, _t73 - 0x40);
				_push( *((intOrPtr*)(_t73 - 0x40)));
				_push( *0x4c1d84);
				_push(0x4b6680);
				E00422BC4(_t73 - 0x5c, __ebx, __esi, _t74);
				_push( *((intOrPtr*)(_t73 - 0x5c)));
				E004087C4(_t73 - 0x3c, __ebx, 4, __edi, __esi);
				_t36 =  *0x4c1d9c; // 0x0, executed
				E004AF728(_t36, _t52, 0x4ba44c,  *((intOrPtr*)(_t73 - 0x3c)), _t71, _t72, __fp0); // executed
				if( *0x4ba448 != 0xffffffff) {
					_t50 =  *0x4ba448; // 0x0
					E004AF60C(_t50);
				}
				_pop(_t68);
				 *[fs:eax] = _t68;
				_push(E004B6554);
				_t39 =  *0x4c1d88; // 0x0
				_t40 = E00405CE8(_t39);
				if( *0x4c1d9c != 0) {
					_t70 =  *0x4c1d9c; // 0x0
					_t40 = E004AF1B4(0, _t70, 0xfa, 0x32); // executed
				}
				if( *0x4c1d94 != 0) {
					_t47 =  *0x4c1d94; // 0x0
					_t40 = RemoveDirectoryW(E004084EC(_t47)); // executed
				}
				if( *0x4ba450 != 0) {
					_t46 =  *0x4ba450; // 0x7037a
					_t40 = DestroyWindow(_t46); // executed
				}
				if( *0x4c1d78 != 0) {
					_t41 =  *0x4c1d78; // 0x0
					_t60 =  *0x4c1d7c; // 0x1
					_t69 =  *0x426bb0; // 0x426bb4
					E00408D08(_t41, _t60, _t69);
					_t43 =  *0x4c1d78; // 0x0
					E0040540C(_t43);
					 *0x4c1d78 = 0;
					return 0;
				}
				return _t40;
			}

0x004b63a1
0x004b63a1
0x004b63a1
0x004b63a1
0x004b63a3
0x004b63a6
0x004b63d3
0x004b63da
0x004b63e0
0x004b6407
0x004b640c
0x004b6418
0x004b6423
0x004b642c
0x004b6431
0x004b6434
0x004b6438
0x004b643d
0x004b6440
0x004b6443
0x004b6447
0x004b644c
0x004b644f
0x004b6452
0x004b6463
0x004b6468
0x004b646b
0x004b6471
0x004b6479
0x004b647e
0x004b6489
0x004b6496
0x004b649b
0x004b64a7
0x004b64a9
0x004b64ae
0x004b64ae
0x004b64b5
0x004b64b8
0x004b64bb
0x004b64c0
0x004b64c5
0x004b64d1
0x004b64df
0x004b64e7
0x004b64e7
0x004b64f3
0x004b64f5
0x004b6500
0x004b6500
0x004b650c
0x004b650e
0x004b6514
0x004b6514
0x004b6520
0x004b6522
0x004b6527
0x004b652d
0x004b6533
0x004b6538
0x004b653d
0x004b6544
0x00000000
0x004b6544
0x004b6549

APIs

Part of subcall function 0040E450: CreateWindowExW.USER32 ref: 0040E48F

SetWindowLongW.USER32(0007037A,000000FC,004AF69C), ref: 004B641E

Part of subcall function 00422BC4: GetCommandLineW.KERNEL32(00000000,00422C06,?,?,00000000,?,004B647E,004B6680,?), ref: 00422BDA

Part of subcall function 004AF728: CreateProcessW.KERNEL32 ref: 004AF798
Part of subcall function 004AF728: CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,004AF82C,00000000,004AF81C,00000000), ref: 004AF7AE
Part of subcall function 004AF728: MsgWaitForMultipleObjects.USER32 ref: 004AF7C7
Part of subcall function 004AF728: GetExitCodeProcess.KERNEL32 ref: 004AF7DB
Part of subcall function 004AF728: CloseHandle.KERNEL32(?,?,004BA44C,00000001,?,00000000,000000FF,000004FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004AF7E4

RemoveDirectoryW.KERNEL32(00000000,004B6554), ref: 004B6500
DestroyWindow.USER32(0007037A,004B6554), ref: 004B6514

Strings

<pM, xrefs: 004B6438, 004B6447
/SL5="$%x,%d,%d,, xrefs: 004B645E
InnoSetupLdrWindow, xrefs: 004B63FB
STATIC, xrefs: 004B6400

Memory Dump Source

Source File: 00000000.00000002.408873022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.408864577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409100576.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409115454.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409128043.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409135279.00000000004C6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: Window$CloseCreateHandleProcess$CodeCommandDestroyDirectoryExitLineLongMultipleObjectsRemoveWait
String ID: /SL5="$%x,%d,%d,$<pM$InnoSetupLdrWindow$STATIC
API String ID: 3586484885-2916600167
Opcode ID: 3c021837c984efc67f9ad3a794955b0d04b23bc85077f6812c73bb0a86195aee
Instruction ID: 04c90e22d0408fd8de4b79ff2beaee59f7a3a861a1d73b16261182ae62401715
Opcode Fuzzy Hash: 3c021837c984efc67f9ad3a794955b0d04b23bc85077f6812c73bb0a86195aee
Instruction Fuzzy Hash: EC416B74A002009FE754EBA9EC85B9A37B4EB85308F11453BE0059B2B6CB7CA851CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 0040426C Relevance: 12.2, APIs: 8, Instructions: 221
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 91%

			E0040426C(void* __eax, signed int __edi, void* __ebp) {
				struct _MEMORY_BASIC_INFORMATION _v44;
				void* _v48;
				signed int __ebx;
				void* _t58;
				signed int _t61;
				int _t65;
				signed int _t67;
				void _t70;
				int _t71;
				signed int _t78;
				void* _t79;
				signed int _t81;
				intOrPtr _t82;
				signed int _t87;
				signed int _t88;
				signed int _t89;
				signed int _t92;
				void* _t96;
				signed int _t99;
				void* _t103;
				intOrPtr _t104;
				void* _t106;
				void* _t108;
				signed int _t113;
				void* _t115;
				void* _t116;

				_t56 = __eax;
				_t89 =  *(__eax - 4);
				_t78 =  *0x4bb059; // 0x0
				if((_t89 & 0x00000007) != 0) {
					__eflags = _t89 & 0x00000005;
					if((_t89 & 0x00000005) != 0) {
						_pop(_t78);
						__eflags = _t89 & 0x00000003;
						if((_t89 & 0x00000003) == 0) {
							_push(_t78);
							_push(__edi);
							_t116 = _t115 + 0xffffffdc;
							_t103 = __eax - 0x10;
							E00403C48();
							_t58 = _t103;
							 *_t116 =  *_t58;
							_v48 =  *((intOrPtr*)(_t58 + 4));
							_t92 =  *(_t58 + 0xc);
							if((_t92 & 0x00000008) != 0) {
								_t79 = _t103;
								_t113 = _t92 & 0xfffffff0;
								_t99 = 0;
								__eflags = 0;
								while(1) {
									VirtualQuery(_t79,  &_v44, 0x1c);
									_t61 = VirtualFree(_t79, 0, 0x8000);
									__eflags = _t61;
									if(_t61 == 0) {
										_t99 = _t99 | 0xffffffff;
										goto L10;
									}
									_t104 = _v44.RegionSize;
									__eflags = _t113 - _t104;
									if(_t113 > _t104) {
										_t113 = _t113 - _t104;
										_t79 = _t79 + _t104;
										continue;
									}
									goto L10;
								}
							} else {
								_t65 = VirtualFree(_t103, 0, 0x8000); // executed
								if(_t65 == 0) {
									_t99 = __edi | 0xffffffff;
								} else {
									_t99 = 0;
								}
							}
							L10:
							if(_t99 == 0) {
								 *_v48 =  *_t116;
								 *( *_t116 + 4) = _v48;
							}
							 *0x4bdb78 = 0;
							return _t99;
						} else {
							return 0xffffffff;
						}
					} else {
						goto L31;
					}
				} else {
					__eflags = __bl;
					__ebx =  *__edx;
					if(__eflags != 0) {
						while(1) {
							__eax = 0x100;
							asm("lock cmpxchg [ebx], ah");
							if(__eflags == 0) {
								goto L14;
							}
							asm("pause");
							__eflags =  *0x4bb989;
							if(__eflags != 0) {
								continue;
							} else {
								Sleep(0);
								__edx = __edx;
								__ecx = __ecx;
								__eax = 0x100;
								asm("lock cmpxchg [ebx], ah");
								if(__eflags != 0) {
									Sleep(0xa);
									__edx = __edx;
									__ecx = __ecx;
									continue;
								}
							}
							goto L14;
						}
					}
					L14:
					_t14 = __edx + 0x14;
					 *_t14 =  *(__edx + 0x14) - 1;
					__eflags =  *_t14;
					__eax =  *(__edx + 0x10);
					if( *_t14 == 0) {
						__eflags = __eax;
						if(__eax == 0) {
							L20:
							 *(__ebx + 0x14) = __eax;
						} else {
							__eax =  *(__edx + 0xc);
							__ecx =  *(__edx + 8);
							 *(__eax + 8) = __ecx;
							 *(__ecx + 0xc) = __eax;
							__eax = 0;
							__eflags =  *((intOrPtr*)(__ebx + 0x18)) - __edx;
							if( *((intOrPtr*)(__ebx + 0x18)) == __edx) {
								goto L20;
							}
						}
						 *__ebx = __al;
						__eax = __edx;
						__edx =  *(__edx - 4);
						__bl =  *0x4bb059; // 0x0
						L31:
						__eflags = _t78;
						_t81 = _t89 & 0xfffffff0;
						_push(_t101);
						_t106 = _t56;
						if(__eflags != 0) {
							while(1) {
								_t67 = 0x100;
								asm("lock cmpxchg [0x4bbae8], ah");
								if(__eflags == 0) {
									goto L32;
								}
								asm("pause");
								__eflags =  *0x4bb989;
								if(__eflags != 0) {
									continue;
								} else {
									Sleep(0);
									_t67 = 0x100;
									asm("lock cmpxchg [0x4bbae8], ah");
									if(__eflags != 0) {
										Sleep(0xa);
										continue;
									}
								}
								goto L32;
							}
						}
						L32:
						__eflags = (_t106 - 4)[_t81] & 0x00000001;
						_t87 = (_t106 - 4)[_t81];
						if(((_t106 - 4)[_t81] & 0x00000001) != 0) {
							_t67 = _t81 + _t106;
							_t88 = _t87 & 0xfffffff0;
							_t81 = _t81 + _t88;
							__eflags = _t88 - 0xb30;
							if(_t88 >= 0xb30) {
								_t67 = E00403AC0(_t67);
							}
						} else {
							_t88 = _t87 | 0x00000008;
							__eflags = _t88;
							(_t106 - 4)[_t81] = _t88;
						}
						__eflags =  *(_t106 - 4) & 0x00000008;
						if(( *(_t106 - 4) & 0x00000008) != 0) {
							_t88 =  *(_t106 - 8);
							_t106 = _t106 - _t88;
							_t81 = _t81 + _t88;
							__eflags = _t88 - 0xb30;
							if(_t88 >= 0xb30) {
								_t67 = E00403AC0(_t106);
							}
						}
						__eflags = _t81 - 0x13ffe0;
						if(_t81 == 0x13ffe0) {
							__eflags =  *0x4bbaf0 - 0x13ffe0;
							if( *0x4bbaf0 != 0x13ffe0) {
								_t82 = _t106 + 0x13ffe0;
								E00403B60(_t67);
								 *((intOrPtr*)(_t82 - 4)) = 2;
								 *0x4bbaf0 = 0x13ffe0;
								 *0x4bbaec = _t82;
								 *0x4bbae8 = 0;
								__eflags = 0;
								return 0;
							} else {
								_t108 = _t106 - 0x10;
								_t70 =  *_t108;
								_t96 =  *(_t108 + 4);
								 *(_t70 + 4) = _t96;
								 *_t96 = _t70;
								 *0x4bbae8 = 0;
								_t71 = VirtualFree(_t108, 0, 0x8000);
								__eflags = _t71 - 1;
								asm("sbb eax, eax");
								return _t71;
							}
						} else {
							 *(_t106 - 4) = _t81 + 3;
							 *(_t106 - 8 + _t81) = _t81;
							E00403B00(_t106, _t88, _t81);
							 *0x4bbae8 = 0;
							__eflags = 0;
							return 0;
						}
					} else {
						__eflags = __eax;
						 *(__edx + 0x10) = __ecx;
						 *(__ecx - 4) = __eax;
						if(__eflags == 0) {
							__ecx =  *(__ebx + 8);
							 *(__edx + 0xc) = __ebx;
							 *(__edx + 8) = __ecx;
							 *(__ecx + 0xc) = __edx;
							 *(__ebx + 8) = __edx;
							 *__ebx = 0;
							__eax = 0;
							__eflags = 0;
							_pop(__ebx);
							return 0;
						} else {
							__eax = 0;
							__eflags = 0;
							 *__ebx = __al;
							_pop(__ebx);
							return 0;
						}
					}
				}
			}

0x0040426c
0x0040426c
0x00404275
0x0040427b
0x00404364
0x00404367
0x00404454
0x00404455
0x00404458
0x00403cf8
0x00403cfa
0x00403cfc
0x00403d01
0x00403d04
0x00403d09
0x00403d0d
0x00403d13
0x00403d17
0x00403d1d
0x00403d39
0x00403d3d
0x00403d40
0x00403d40
0x00403d42
0x00403d4a
0x00403d57
0x00403d5c
0x00403d5e
0x00403d60
0x00403d63
0x00403d63
0x00403d65
0x00403d69
0x00403d6b
0x00403d6d
0x00403d6f
0x00000000
0x00403d6f
0x00000000
0x00403d6b
0x00403d1f
0x00403d27
0x00403d2e
0x00403d34
0x00403d30
0x00403d30
0x00403d30
0x00403d2e
0x00403d73
0x00403d75
0x00403d7e
0x00403d87
0x00403d87
0x00403d8a
0x00403d9a
0x0040445e
0x00404463
0x00404463
0x00000000
0x00000000
0x00000000
0x00404281
0x00404281
0x00404283
0x00404285
0x004042e8
0x004042e8
0x004042ed
0x004042f1
0x00000000
0x00000000
0x004042f3
0x004042f5
0x004042fc
0x00000000
0x004042fe
0x00404302
0x00404307
0x00404308
0x00404309
0x0040430e
0x00404312
0x0040431c
0x00404321
0x00404322
0x00000000
0x00404322
0x00404312
0x00000000
0x004042fc
0x004042e8
0x00404287
0x00404287
0x00404287
0x00404287
0x0040428b
0x0040428e
0x004042bc
0x004042be
0x004042d3
0x004042d3
0x004042c0
0x004042c0
0x004042c3
0x004042c6
0x004042c9
0x004042cc
0x004042ce
0x004042d1
0x00000000
0x00000000
0x004042d1
0x004042d6
0x004042d8
0x004042da
0x004042dd
0x0040436d
0x00404370
0x00404372
0x00404374
0x00404375
0x00404377
0x00404328
0x00404328
0x0040432d
0x00404335
0x00000000
0x00000000
0x00404337
0x00404339
0x00404340
0x00000000
0x00404342
0x00404344
0x00404349
0x0040434e
0x00404356
0x0040435a
0x00000000
0x0040435a
0x00404356
0x00000000
0x00404340
0x00404328
0x00404379
0x00404379
0x00404381
0x00404385
0x004043bc
0x004043bf
0x004043c2
0x004043c4
0x004043ca
0x004043cc
0x004043cc
0x00404387
0x00404387
0x00404387
0x0040438a
0x0040438a
0x0040438e
0x00404392
0x004043d4
0x004043d7
0x004043d9
0x004043db
0x004043e1
0x004043e5
0x004043e5
0x004043e1
0x00404394
0x0040439a
0x004043ec
0x004043f6
0x00404424
0x0040442a
0x0040442f
0x00404436
0x00404440
0x00404446
0x0040444d
0x00404451
0x004043f8
0x004043f8
0x004043fb
0x004043fd
0x00404400
0x00404403
0x00404405
0x00404414
0x00404419
0x0040441c
0x00404420
0x00404420
0x0040439c
0x0040439f
0x004043a2
0x004043aa
0x004043af
0x004043b6
0x004043ba
0x004043ba
0x00404290
0x00404290
0x00404292
0x00404298
0x0040429b
0x004042a4
0x004042a7
0x004042aa
0x004042ad
0x004042b0
0x004042b3
0x004042b6
0x004042b6
0x004042b8
0x004042b9
0x0040429d
0x0040429d
0x0040429d
0x0040429f
0x004042a1
0x004042a2
0x004042a2
0x0040429b
0x0040428e

APIs

Sleep.KERNEL32(00000000,?,?,00000000,0040BB40,0040BBA6,?,00000000,?,?,0040BEC9,00000000,?,00000000,0040C3CA,00000000), ref: 00404302
Sleep.KERNEL32(0000000A,00000000,?,?,00000000,0040BB40,0040BBA6,?,00000000,?,?,0040BEC9,00000000,?,00000000,0040C3CA), ref: 0040431C

Memory Dump Source

Source File: 00000000.00000002.408873022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.408864577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409100576.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409115454.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409128043.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409135279.00000000004C6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: bb44cecb062a42ab294f9ebbddb74143d6ecf503913ace061e42b720e5e9e313
Instruction ID: daf3465a9571387f72e828d046180f4ce70f3b260d456b91f151aa63c4646fa2
Opcode Fuzzy Hash: bb44cecb062a42ab294f9ebbddb74143d6ecf503913ace061e42b720e5e9e313
Instruction Fuzzy Hash: AA71E2B17042008BD715DF29CC84B16BBD8AF85715F2482BFE984AB3D2D7B899418789

Uniqueness

Uniqueness Score: -1.00%

Function 004B60E8 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 165
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 75%

			E004B60E8(void* __ebx, void* __edi, void* __esi, void* __fp0) {
				intOrPtr _t26;
				intOrPtr _t31;
				intOrPtr _t37;
				intOrPtr _t38;
				intOrPtr _t42;
				intOrPtr _t44;
				intOrPtr _t47;
				intOrPtr _t51;
				intOrPtr _t53;
				intOrPtr _t55;
				intOrPtr _t56;
				intOrPtr _t59;
				intOrPtr _t61;
				WCHAR* _t63;
				intOrPtr _t69;
				intOrPtr _t74;
				int _t75;
				intOrPtr _t76;
				intOrPtr _t78;
				struct HWND__* _t81;
				intOrPtr _t82;
				intOrPtr _t86;
				void* _t90;
				intOrPtr _t93;
				intOrPtr _t99;
				intOrPtr _t101;
				intOrPtr _t107;
				intOrPtr _t114;
				intOrPtr _t115;
				intOrPtr _t116;
				intOrPtr _t117;
				void* _t120;
				intOrPtr _t121;

				_t119 = __esi;
				_t118 = __edi;
				_t85 = __ebx;
				_pop(_t101);
				_pop(_t88);
				 *[fs:eax] = _t101;
				E004AF678(_t88);
				if( *0x4ba440 == 0) {
					if(( *0x4c1d71 & 0x00000001) == 0 &&  *0x4ba441 == 0) {
						_t61 =  *0x4ba674; // 0x4c0d0c
						_t4 = _t61 + 0x2f8; // 0x0
						_t63 = E004084EC( *_t4);
						_t88 = _t120 - 0x28;
						_t101 =  *0x4c1c48; // 0x0
						E00426F08(0xc2, _t120 - 0x28, _t101);
						if(MessageBoxW(0, E004084EC( *((intOrPtr*)(_t120 - 0x28))), _t63, 0x24) != 6) {
							 *0x4ba44c = 2;
							E0041F238();
						}
					}
					E004056D0();
					E004AEFE8(_t120 - 0x2c, _t85, _t101, _t118, _t119); // executed
					E00407E00(0x4c1d94,  *((intOrPtr*)(_t120 - 0x2c)));
					_t26 =  *0x4c1d84; // 0x0
					E00422954(_t26, _t88, _t120 - 0x34);
					E004226C8( *((intOrPtr*)(_t120 - 0x34)), _t85, _t120 - 0x30, L".tmp", _t118, _t119);
					_push( *((intOrPtr*)(_t120 - 0x30)));
					_t31 =  *0x4c1d94; // 0x0
					E00422660(_t31, _t120 - 0x38);
					_pop(_t90);
					E0040873C(0x4c1d98, _t90,  *((intOrPtr*)(_t120 - 0x38)));
					_t107 =  *0x4c1d98; // 0x0
					E00407E00(0x4c1d9c, _t107);
					_t37 =  *0x4c1d90; // 0x4d703c
					_t15 = _t37 + 0x14; // 0x755943
					_t38 =  *0x4c1d88; // 0x0
					E00423CE8(_t38,  *_t15);
					_push(_t120);
					_push(0x4b63ab);
					_push( *[fs:edx]);
					 *[fs:edx] = _t121;
					 *0x4c1de0 = 0;
					_t42 = E00423D00(1, 0, 1, 0); // executed
					 *0x4c1d8c = _t42;
					_push(_t120);
					_push(0x4b639a);
					_push( *[fs:eax]);
					 *[fs:eax] = _t121;
					_t44 =  *0x4c1d90; // 0x4d703c
					_t16 = _t44 + 0x18; // 0x30ddc8
					 *0x4c1de0 = E004053F0( *_t16);
					_t47 =  *0x4c1d90; // 0x4d703c
					_t17 = _t47 + 0x18; // 0x30ddc8
					_t86 =  *0x4c1de0; // 0x7fba0010
					E00405884(_t86,  *_t17);
					_push(_t120);
					_push(0x4b62e9);
					_push( *[fs:eax]);
					 *[fs:eax] = _t121;
					_t51 =  *0x424cd8; // 0x424d30
					_t93 =  *0x4c1d88; // 0x0
					_t53 = E00424748(_t93, 1, _t51); // executed
					 *0x4c1de4 = _t53;
					_push(_t120);
					_push(0x4b62d8);
					_push( *[fs:eax]);
					 *[fs:eax] = _t121;
					_t55 =  *0x4c1d90; // 0x4d703c
					_t18 = _t55 + 0x18; // 0x30ddc8
					_t56 =  *0x4c1de4; // 0x2173000
					E00424A24(_t56,  *_t18, _t86);
					_pop(_t114);
					 *[fs:eax] = _t114;
					_push(E004B62DF);
					_t59 =  *0x4c1de4; // 0x2173000
					return E00405CE8(_t59);
				} else {
					_t69 =  *0x4ba674; // 0x4c0d0c
					_t1 = _t69 + 0x1d0; // 0x0
					E004AFA44( *_t1, __ebx, __edi, __esi);
					 *0x4ba44c = 0;
					_pop(_t115);
					 *[fs:eax] = _t115;
					_push(E004B6554);
					_t74 =  *0x4c1d88; // 0x0
					_t75 = E00405CE8(_t74);
					if( *0x4c1d9c != 0) {
						_t117 =  *0x4c1d9c; // 0x0
						_t75 = E004AF1B4(0, _t117, 0xfa, 0x32); // executed
					}
					if( *0x4c1d94 != 0) {
						_t82 =  *0x4c1d94; // 0x0
						_t75 = RemoveDirectoryW(E004084EC(_t82)); // executed
					}
					if( *0x4ba450 != 0) {
						_t81 =  *0x4ba450; // 0x7037a
						_t75 = DestroyWindow(_t81); // executed
					}
					if( *0x4c1d78 != 0) {
						_t76 =  *0x4c1d78; // 0x0
						_t99 =  *0x4c1d7c; // 0x1
						_t116 =  *0x426bb0; // 0x426bb4
						E00408D08(_t76, _t99, _t116);
						_t78 =  *0x4c1d78; // 0x0
						E0040540C(_t78);
						 *0x4c1d78 = 0;
						return 0;
					}
					return _t75;
				}
			}

0x004b60e8
0x004b60e8
0x004b60e8
0x004b60ea
0x004b60ec
0x004b60ed
0x004b610d
0x004b6119
0x004b613e
0x004b614b
0x004b6150
0x004b6156
0x004b615c
0x004b615f
0x004b6169
0x004b6181
0x004b6183
0x004b618d
0x004b618d
0x004b6181
0x004b6192
0x004b619a
0x004b61a7
0x004b61af
0x004b61b4
0x004b61c4
0x004b61cc
0x004b61d0
0x004b61d5
0x004b61e2
0x004b61e3
0x004b61ed
0x004b61f3
0x004b61f8
0x004b61fd
0x004b6200
0x004b6205
0x004b620c
0x004b620d
0x004b6212
0x004b6215
0x004b621a
0x004b6232
0x004b6237
0x004b623e
0x004b623f
0x004b6244
0x004b6247
0x004b624a
0x004b624f
0x004b6257
0x004b625c
0x004b6261
0x004b6264
0x004b626e
0x004b6275
0x004b6276
0x004b627b
0x004b627e
0x004b6281
0x004b6287
0x004b6294
0x004b6299
0x004b62a0
0x004b62a1
0x004b62a6
0x004b62a9
0x004b62ac
0x004b62b1
0x004b62b6
0x004b62bb
0x004b62c2
0x004b62c5
0x004b62c8
0x004b62cd
0x004b62d7
0x004b611b
0x004b611b
0x004b6120
0x004b6126
0x004b612d
0x004b64b5
0x004b64b8
0x004b64bb
0x004b64c0
0x004b64c5
0x004b64d1
0x004b64df
0x004b64e7
0x004b64e7
0x004b64f3
0x004b64f5
0x004b6500
0x004b6500
0x004b650c
0x004b650e
0x004b6514
0x004b6514
0x004b6520
0x004b6522
0x004b6527
0x004b652d
0x004b6533
0x004b6538
0x004b653d
0x004b6544
0x00000000
0x004b6544
0x004b6549
0x004b6549

APIs

MessageBoxW.USER32(00000000,00000000,00000000,00000024), ref: 004B6179

Part of subcall function 004AFA44: MessageBoxW.USER32(00000000,00000000,Setup,00000010), ref: 004AFAAE

RemoveDirectoryW.KERNEL32(00000000,004B6554), ref: 004B6500
DestroyWindow.USER32(0007037A,004B6554), ref: 004B6514

Part of subcall function 004AF1B4: Sleep.KERNEL32(?,?,?,?,0000000D,?,004B64EC,000000FA,00000032,004B6554), ref: 004AF1D3
Part of subcall function 004AF1B4: GetLastError.KERNEL32(?,?,?,0000000D,?,004B64EC,000000FA,00000032,004B6554), ref: 004AF1F6
Part of subcall function 004AF1B4: GetLastError.KERNEL32(?,?,?,0000000D,?,004B64EC,000000FA,00000032,004B6554), ref: 004AF200

Strings

0MB, xrefs: 004B6281
<pM, xrefs: 004B61F8, 004B624A, 004B625C, 004B62AC
.tmp, xrefs: 004B61BF

Memory Dump Source

Source File: 00000000.00000002.408873022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.408864577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409100576.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409115454.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409128043.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409135279.00000000004C6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: ErrorLastMessage$DestroyDirectoryRemoveSleepWindow
String ID: .tmp$0MB$<pM
API String ID: 3858953238-1900878030
Opcode ID: 930ec171da33bb7cb26a68baf49ed61eca7e6ecce176de484762bd5e64518e8e
Instruction ID: b159488041d1577a8b45ed1a1d18f26c00613076fc9a683522f38ff229f2206a
Opcode Fuzzy Hash: 930ec171da33bb7cb26a68baf49ed61eca7e6ecce176de484762bd5e64518e8e
Instruction Fuzzy Hash: AC615A342002009FD755EF69ED86EAA37A5EB4A308F51453AF801976B2DA3CBC51CB6D

Uniqueness

Uniqueness Score: -1.00%

Function 004AF728 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 77
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 61%

			E004AF728(void* __eax, void* __ebx, DWORD* __ecx, void* __edx, void* __edi, void* __esi, void* __fp0) {
				char _v8;
				struct _STARTUPINFOW _v76;
				void* _v88;
				void* _v92;
				int _t23;
				intOrPtr _t49;
				DWORD* _t51;
				void* _t56;

				_v8 = 0;
				_t51 = __ecx;
				_t53 = __edx;
				_t41 = __eax;
				_push(_t56);
				_push(0x4af7ff);
				_push( *[fs:eax]);
				 *[fs:eax] = _t56 + 0xffffffa8;
				_push(0x4af81c);
				_push(__eax);
				_push(0x4af82c);
				_push(__edx);
				E004087C4( &_v8, __eax, 4, __ecx, __edx);
				E00405884( &_v76, 0x44);
				_v76.cb = 0x44;
				_t23 = CreateProcessW(0, E004084EC(_v8), 0, 0, 0, 0, 0, 0,  &_v76,  &_v92); // executed
				_t58 = _t23;
				if(_t23 == 0) {
					E004AF34C(0x83, _t41, 0, _t53, _t58);
				}
				CloseHandle(_v88);
				do {
					E004AF6FC();
				} while (MsgWaitForMultipleObjects(1,  &_v92, 0, 0xffffffff, 0x4ff) == 1);
				E004AF6FC();
				GetExitCodeProcess(_v92, _t51); // executed
				CloseHandle(_v92);
				_pop(_t49);
				 *[fs:eax] = _t49;
				_push(0x4af806);
				return E00407A20( &_v8);
			}

0x004af733
0x004af736
0x004af738
0x004af73a
0x004af73e
0x004af73f
0x004af744
0x004af747
0x004af74a
0x004af74f
0x004af750
0x004af755
0x004af75e
0x004af76d
0x004af772
0x004af798
0x004af79d
0x004af79f
0x004af7a5
0x004af7a5
0x004af7ae
0x004af7b3
0x004af7b3
0x004af7cc
0x004af7d1
0x004af7db
0x004af7e4
0x004af7eb
0x004af7ee
0x004af7f1
0x004af7fe

APIs

CreateProcessW.KERNEL32 ref: 004AF798
CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,004AF82C,00000000,004AF81C,00000000), ref: 004AF7AE
MsgWaitForMultipleObjects.USER32 ref: 004AF7C7
GetExitCodeProcess.KERNEL32 ref: 004AF7DB
CloseHandle.KERNEL32(?,?,004BA44C,00000001,?,00000000,000000FF,000004FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004AF7E4

Part of subcall function 004AF34C: GetLastError.KERNEL32(00000000,004AF3F5,?,?,00000000), ref: 004AF36F

Strings

D, xrefs: 004AF772

Memory Dump Source

Source File: 00000000.00000002.408873022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.408864577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409100576.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409115454.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409128043.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409135279.00000000004C6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: CloseHandleProcess$CodeCreateErrorExitLastMultipleObjectsWait
String ID: D
API String ID: 3356880605-2746444292
Opcode ID: ad1163668f60b09aa263e635df1463f1e4b37e8a5aa9c4cbf2e159c77cef0046
Instruction ID: 88989adc3f1fa39a5a5eb6990527994e2deb527bcdcae90bffb7d35c0d41af56
Opcode Fuzzy Hash: ad1163668f60b09aa263e635df1463f1e4b37e8a5aa9c4cbf2e159c77cef0046
Instruction Fuzzy Hash: C01163716041096EEB00FBE68C42F9F77ACDF56714F50053AB604E72C5DA789905866D

Uniqueness

Uniqueness Score: -1.00%

Function 004B5A90 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 56
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 60%

			E004B5A90(void* __ebx, void* __ecx, void* __edx, void* __esi) {
				char _v8;
				char _v12;
				char _v16;
				char _t16;
				intOrPtr _t32;
				intOrPtr _t41;

				_t27 = __ebx;
				_push(0);
				_push(0);
				_push(0);
				_push(_t41);
				_push(0x4b5b5a);
				_push( *[fs:eax]);
				 *[fs:eax] = _t41;
				 *0x4c1124 =  *0x4c1124 - 1;
				if( *0x4c1124 < 0) {
					 *0x4c1128 = E0040E1A8(__ebx, __esi, GetModuleHandleW(L"kernel32.dll"), L"Wow64DisableWow64FsRedirection");
					 *0x4c112c = E0040E1A8(__ebx, __esi, GetModuleHandleW(L"kernel32.dll"), L"Wow64RevertWow64FsRedirection");
					if( *0x4c1128 == 0 ||  *0x4c112c == 0) {
						_t16 = 0;
					} else {
						_t16 = 1;
					}
					 *0x4c1130 = _t16;
					E00422D44( &_v12);
					E00422660(_v12,  &_v8);
					E004086E4( &_v8, L"shell32.dll");
					E00421230(_v8, _t27, 0x8000); // executed
					E004232EC(0x4c783afb,  &_v16);
				}
				_pop(_t32);
				 *[fs:eax] = _t32;
				_push(0x4b5b61);
				return E00407A80( &_v16, 3);
			}

0x004b5a90
0x004b5a93
0x004b5a95
0x004b5a97
0x004b5a9b
0x004b5a9c
0x004b5aa1
0x004b5aa4
0x004b5aa7
0x004b5aae
0x004b5ac9
0x004b5ae3
0x004b5aef
0x004b5afa
0x004b5afe
0x004b5afe
0x004b5afe
0x004b5b00
0x004b5b08
0x004b5b13
0x004b5b20
0x004b5b2d
0x004b5b3a
0x004b5b3a
0x004b5b41
0x004b5b44
0x004b5b47
0x004b5b59

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,004B5B5A,?,00000000,00000000,00000000), ref: 004B5ABE

Part of subcall function 0040E1A8: GetProcAddress.KERNEL32(?,00423116), ref: 0040E1D2

GetModuleHandleW.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,004B5B5A,?,00000000,00000000,00000000), ref: 004B5AD8

Part of subcall function 0040E1A8: GetProcAddress.KERNEL32(?,00000000), ref: 0040E20B

Strings

kernel32.dll, xrefs: 004B5AB9, 004B5AD3
Wow64RevertWow64FsRedirection, xrefs: 004B5ACE
shell32.dll, xrefs: 004B5B1B
Wow64DisableWow64FsRedirection, xrefs: 004B5AB4

Memory Dump Source

Source File: 00000000.00000002.408873022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.408864577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409100576.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409115454.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409128043.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409135279.00000000004C6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
API String ID: 1646373207-2130885113
Opcode ID: 149d4641e6716bccfc7038b8b83dc43c2c59674e16c2d4af6eff100d23c955b7
Instruction ID: b56c6da1e02aeac4ac36a9fb763b3b3a2bfa4c382daca5c5ea2a5d16c2919690
Opcode Fuzzy Hash: 149d4641e6716bccfc7038b8b83dc43c2c59674e16c2d4af6eff100d23c955b7
Instruction Fuzzy Hash: DA11A730604704AFD744EB76DC02F9DB7B4E749704F64447BF500A6591CABC6A04CA3D

Uniqueness

Uniqueness Score: -1.00%

Function 00403EE8 Relevance: 9.0, APIs: 7, Instructions: 298
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 68%

			E00403EE8(signed int __eax) {
				signed int __ebx;
				signed int __edi;
				signed int __esi;
				void* _t96;
				void** _t99;
				signed int _t104;
				signed int _t109;
				signed int _t110;
				intOrPtr* _t114;
				void* _t116;
				void* _t121;
				signed int _t125;
				signed int _t129;
				signed int _t131;
				signed int _t132;
				signed int _t133;
				signed int _t134;
				signed int _t135;
				unsigned int _t141;
				signed int _t142;
				void* _t144;
				void* _t147;
				intOrPtr _t148;
				signed int _t150;
				long _t156;
				intOrPtr _t159;
				signed int _t162;

				_t95 = __eax;
				_t129 =  *0x4bb059; // 0x0
				if(__eax > 0xa2c) {
					__eflags = __eax - 0x40a2c;
					if(__eax > 0x40a2c) {
						_pop(_t120);
						__eflags = __eax;
						if(__eax >= 0) {
							_push(_t120);
							_t162 = __eax;
							_t2 = _t162 + 0x10010; // 0x10110
							_t156 = _t2 - 0x00000001 + 0x00000004 & 0xffff0000;
							_t96 = VirtualAlloc(0, _t156, 0x101000, 4); // executed
							_t121 = _t96;
							if(_t121 != 0) {
								_t147 = _t121;
								 *((intOrPtr*)(_t147 + 8)) = _t162;
								 *(_t147 + 0xc) = _t156 | 0x00000004;
								E00403C48();
								_t99 =  *0x4bdb80; // 0x4bdb7c
								 *_t147 = 0x4bdb7c;
								 *0x4bdb80 = _t121;
								 *(_t147 + 4) = _t99;
								 *_t99 = _t121;
								 *0x4bdb78 = 0;
								_t121 = _t121 + 0x10;
							}
							return _t121;
						} else {
							__eflags = 0;
							return 0;
						}
					} else {
						_t67 = _t95 + 0xd3; // 0x1d3
						_t125 = (_t67 & 0xffffff00) + 0x30;
						__eflags = _t129;
						if(__eflags != 0) {
							while(1) {
								asm("lock cmpxchg [0x4bbae8], ah");
								if(__eflags == 0) {
									goto L42;
								}
								asm("pause");
								__eflags =  *0x4bb989;
								if(__eflags != 0) {
									continue;
								} else {
									Sleep(0);
									asm("lock cmpxchg [0x4bbae8], ah");
									if(__eflags != 0) {
										Sleep(0xa);
										continue;
									}
								}
								goto L42;
							}
						}
						L42:
						_t68 = _t125 - 0xb30; // -2445
						_t141 = _t68;
						_t142 = _t141 >> 0xd;
						_t131 = _t141 >> 8;
						_t104 = 0xffffffff << _t131 &  *(0x4bbaf8 + _t142 * 4);
						__eflags = 0xffffffff;
						if(0xffffffff == 0) {
							_t132 = _t142;
							__eflags = 0xfffffffe << _t132 &  *0x4bbaf4;
							if((0xfffffffe << _t132 &  *0x4bbaf4) == 0) {
								_t133 =  *0x4bbaf0; // 0x0
								_t134 = _t133 - _t125;
								__eflags = _t134;
								if(_t134 < 0) {
									_t109 = E00403BCC(_t125);
								} else {
									_t110 =  *0x4bbaec; // 0x2162ed0
									_t109 = _t110 - _t125;
									 *0x4bbaec = _t109;
									 *0x4bbaf0 = _t134;
									 *(_t109 - 4) = _t125 | 0x00000002;
								}
								 *0x4bbae8 = 0;
								return _t109;
							} else {
								asm("bsf edx, eax");
								asm("bsf ecx, eax");
								_t135 = _t132 | _t142 << 0x00000005;
								goto L50;
							}
						} else {
							asm("bsf eax, eax");
							_t135 = _t131 & 0xffffffe0 | _t104;
							L50:
							_push(_t152);
							_push(_t145);
							_t148 = 0x4bbb78 + _t135 * 8;
							_t159 =  *((intOrPtr*)(_t148 + 4));
							_t114 =  *((intOrPtr*)(_t159 + 4));
							 *((intOrPtr*)(_t148 + 4)) = _t114;
							 *_t114 = _t148;
							__eflags = _t148 - _t114;
							if(_t148 == _t114) {
								asm("rol eax, cl");
								_t80 = 0x4bbaf8 + _t142 * 4;
								 *_t80 =  *(0x4bbaf8 + _t142 * 4) & 0xfffffffe;
								__eflags =  *_t80;
								if( *_t80 == 0) {
									asm("btr [0x4bbaf4], edx");
								}
							}
							_t150 = 0xfffffff0 &  *(_t159 - 4);
							_t144 = 0xfffffff0 - _t125;
							__eflags = 0xfffffff0;
							if(0xfffffff0 == 0) {
								_t89 =  &((_t159 - 4)[0xfffffffffffffffc]);
								 *_t89 =  *(_t159 - 4 + _t150) & 0x000000f7;
								__eflags =  *_t89;
							} else {
								_t116 = _t125 + _t159;
								 *((intOrPtr*)(_t116 - 4)) = 0xfffffffffffffff3;
								 *(0xfffffff0 + _t116 - 8) = 0xfffffff0;
								__eflags = 0xfffffff0 - 0xb30;
								if(0xfffffff0 >= 0xb30) {
									E00403B00(_t116, 0xfffffffffffffff3, _t144);
								}
							}
							_t93 = _t125 + 2; // 0x1a5
							 *(_t159 - 4) = _t93;
							 *0x4bbae8 = 0;
							return _t159;
						}
					}
				} else {
					__eflags = __cl;
					_t6 = __edx + 0x4bb990; // 0xc8c8c8c8
					__eax =  *_t6 & 0x000000ff;
					__ebx = 0x4b7080 + ( *_t6 & 0x000000ff) * 8;
					if(__eflags != 0) {
						while(1) {
							__eax = 0x100;
							asm("lock cmpxchg [ebx], ah");
							if(__eflags == 0) {
								goto L5;
							}
							__ebx = __ebx + 0x20;
							__eflags = __ebx;
							__eax = 0x100;
							asm("lock cmpxchg [ebx], ah");
							if(__ebx != 0) {
								__ebx = __ebx + 0x20;
								__eflags = __ebx;
								__eax = 0x100;
								asm("lock cmpxchg [ebx], ah");
								if(__ebx != 0) {
									__ebx = __ebx - 0x40;
									asm("pause");
									__eflags =  *0x4bb989;
									if(__eflags != 0) {
										continue;
									} else {
										Sleep(0);
										__eax = 0x100;
										asm("lock cmpxchg [ebx], ah");
										if(__eflags != 0) {
											Sleep(0xa);
											continue;
										}
									}
								}
							}
							goto L5;
						}
					}
					L5:
					__edx =  *(__ebx + 8);
					__eax =  *(__edx + 0x10);
					__ecx = 0xfffffff8;
					__eflags = __edx - __ebx;
					if(__edx == __ebx) {
						__edx =  *(__ebx + 0x18);
						__ecx =  *(__ebx + 2) & 0x0000ffff;
						__ecx = ( *(__ebx + 2) & 0x0000ffff) + __eax;
						__eflags = __eax -  *(__ebx + 0x14);
						if(__eax >  *(__ebx + 0x14)) {
							_push(__esi);
							_push(__edi);
							__eflags =  *0x4bb059;
							if(__eflags != 0) {
								while(1) {
									__eax = 0x100;
									asm("lock cmpxchg [0x4bbae8], ah");
									if(__eflags == 0) {
										goto L22;
									}
									asm("pause");
									__eflags =  *0x4bb989;
									if(__eflags != 0) {
										continue;
									} else {
										Sleep(0);
										__eax = 0x100;
										asm("lock cmpxchg [0x4bbae8], ah");
										if(__eflags != 0) {
											Sleep(0xa);
											continue;
										}
									}
									goto L22;
								}
							}
							L22:
							 *(__ebx + 1) =  *(__ebx + 1) &  *0x4bbaf4;
							__eflags =  *(__ebx + 1) &  *0x4bbaf4;
							if(( *(__ebx + 1) &  *0x4bbaf4) == 0) {
								__ecx =  *(__ebx + 4) & 0x0000ffff;
								__edi =  *0x4bbaf0; // 0x0
								__eflags = __edi - ( *(__ebx + 4) & 0x0000ffff);
								if(__edi < ( *(__ebx + 4) & 0x0000ffff)) {
									__eax =  *(__ebx + 6) & 0x0000ffff;
									__edi = __eax;
									__eax = E00403BCC(__eax);
									__esi = __eax;
									__eflags = __eax;
									if(__eax != 0) {
										goto L35;
									} else {
										 *0x4bbae8 = __al;
										 *__ebx = __al;
										_pop(__edi);
										_pop(__esi);
										_pop(__ebx);
										return __eax;
									}
								} else {
									__esi =  *0x4bbaec; // 0x2162ed0
									__ecx =  *(__ebx + 6) & 0x0000ffff;
									__edx = __ecx + 0xb30;
									__eflags = __edi - __ecx + 0xb30;
									if(__edi >= __ecx + 0xb30) {
										__edi = __ecx;
									}
									__esi = __esi - __edi;
									 *0x4bbaf0 =  *0x4bbaf0 - __edi;
									 *0x4bbaec = __esi;
									goto L35;
								}
							} else {
								asm("bsf eax, esi");
								__esi = __eax * 8;
								__ecx =  *(0x4bbaf8 + __eax * 4);
								asm("bsf ecx, ecx");
								__ecx =  *(0x4bbaf8 + __eax * 4) + __eax * 8 * 4;
								__edi = 0x4bbb78 + ( *(0x4bbaf8 + __eax * 4) + __eax * 8 * 4) * 8;
								__esi =  *(__edi + 4);
								__edx =  *(__esi + 4);
								 *(__edi + 4) = __edx;
								 *__edx = __edi;
								__eflags = __edi - __edx;
								if(__edi == __edx) {
									__edx = 0xfffffffe;
									asm("rol edx, cl");
									_t38 = 0x4bbaf8 + __eax * 4;
									 *_t38 =  *(0x4bbaf8 + __eax * 4) & 0xfffffffe;
									__eflags =  *_t38;
									if( *_t38 == 0) {
										asm("btr [0x4bbaf4], eax");
									}
								}
								__edi = 0xfffffff0;
								__edi = 0xfffffff0 &  *(__esi - 4);
								__eflags = 0xfffffff0 - 0x10a60;
								if(0xfffffff0 < 0x10a60) {
									_t52 =  &((__esi - 4)[0xfffffffffffffffc]);
									 *_t52 = (__esi - 4)[0xfffffffffffffffc] & 0x000000f7;
									__eflags =  *_t52;
								} else {
									__edx = __edi;
									__edi =  *(__ebx + 6) & 0x0000ffff;
									__edx = __edx - __edi;
									__eax = __edi + __esi;
									__ecx = __edx + 3;
									 *(__eax - 4) = __ecx;
									 *(__edx + __eax - 8) = __edx;
									__eax = E00403B00(__eax, __ecx, __edx);
								}
								L35:
								_t56 = __edi + 6; // 0x6
								__ecx = _t56;
								 *(__esi - 4) = _t56;
								__eax = 0;
								 *0x4bbae8 = __al;
								 *__esi = __ebx;
								 *((intOrPtr*)(__esi + 0x10)) = 0;
								 *((intOrPtr*)(__esi + 0x14)) = 1;
								 *(__ebx + 0x18) = __esi;
								_t61 = __esi + 0x20; // 0x2162ef0
								__eax = _t61;
								__ecx =  *(__ebx + 2) & 0x0000ffff;
								__edx = __ecx + __eax;
								 *(__ebx + 0x10) = __ecx + __eax;
								__edi = __edi + __esi;
								__edi = __edi - __ecx;
								__eflags = __edi;
								 *(__ebx + 0x14) = __edi;
								 *__ebx = 0;
								 *(__eax - 4) = __esi;
								_pop(__edi);
								_pop(__esi);
								_pop(__ebx);
								return __eax;
							}
						} else {
							_t19 = __edx + 0x14;
							 *_t19 =  *(__edx + 0x14) + 1;
							__eflags =  *_t19;
							 *(__ebx + 0x10) = __ecx;
							 *__ebx = 0;
							 *(__eax - 4) = __edx;
							_pop(__ebx);
							return __eax;
						}
					} else {
						 *(__edx + 0x14) =  *(__edx + 0x14) + 1;
						__ecx = 0xfffffff8 &  *(__eax - 4);
						__eflags = 0xfffffff8;
						 *(__edx + 0x10) = 0xfffffff8 &  *(__eax - 4);
						 *(__eax - 4) = __edx;
						if(0xfffffff8 == 0) {
							__ecx =  *(__edx + 8);
							 *(__ecx + 0xc) = __ebx;
							 *(__ebx + 8) = __ecx;
							 *__ebx = 0;
							_pop(__ebx);
							return __eax;
						} else {
							 *__ebx = 0;
							_pop(__ebx);
							return __eax;
						}
					}
				}
			}

0x00403ee8
0x00403ef4
0x00403efa
0x00404148
0x0040414d
0x00404260
0x00404261
0x00404263
0x00403c94
0x00403c98
0x00403c9a
0x00403ca4
0x00403cb4
0x00403cb9
0x00403cbd
0x00403cbf
0x00403cc1
0x00403cc7
0x00403cca
0x00403ccf
0x00403cd4
0x00403cda
0x00403ce0
0x00403ce3
0x00403ce5
0x00403cec
0x00403cec
0x00403cf5
0x00404269
0x00404269
0x0040426b
0x0040426b
0x00404153
0x00404153
0x0040415f
0x00404162
0x00404164
0x0040410c
0x00404111
0x00404119
0x00000000
0x00000000
0x0040411b
0x0040411d
0x00404124
0x00000000
0x00404126
0x00404128
0x00404132
0x0040413a
0x0040413e
0x00000000
0x0040413e
0x0040413a
0x00000000
0x00404124
0x0040410c
0x00404166
0x00404166
0x00404166
0x0040416e
0x00404171
0x0040417b
0x0040417b
0x00404182
0x00404195
0x00404199
0x0040419f
0x004041b8
0x004041be
0x004041be
0x004041c0
0x004041de
0x004041c2
0x004041c2
0x004041c7
0x004041c9
0x004041ce
0x004041d7
0x004041d7
0x004041e3
0x004041eb
0x004041a1
0x004041a1
0x004041ab
0x004041b3
0x00000000
0x004041b3
0x00404184
0x00404187
0x0040418a
0x004041ec
0x004041ec
0x004041ed
0x004041ee
0x004041f5
0x004041f8
0x004041fb
0x004041fe
0x00404200
0x00404202
0x00404209
0x0040420b
0x0040420b
0x0040420b
0x00404212
0x00404214
0x00404214
0x00404212
0x00404220
0x00404225
0x00404225
0x00404227
0x00404248
0x00404248
0x00404248
0x00404229
0x00404229
0x0040422f
0x00404232
0x00404236
0x0040423c
0x0040423e
0x0040423e
0x0040423c
0x0040424d
0x00404250
0x00404253
0x0040425f
0x0040425f
0x00404182
0x00403f00
0x00403f00
0x00403f02
0x00403f02
0x00403f09
0x00403f10
0x00403f68
0x00403f68
0x00403f6d
0x00403f71
0x00000000
0x00000000
0x00403f73
0x00403f73
0x00403f76
0x00403f7b
0x00403f7f
0x00403f81
0x00403f81
0x00403f84
0x00403f89
0x00403f8d
0x00403f8f
0x00403f92
0x00403f94
0x00403f9b
0x00000000
0x00403f9d
0x00403f9f
0x00403fa4
0x00403fa9
0x00403fad
0x00403fb5
0x00000000
0x00403fb5
0x00403fad
0x00403f9b
0x00403f8d
0x00000000
0x00403f7f
0x00403f68
0x00403f12
0x00403f12
0x00403f15
0x00403f18
0x00403f1d
0x00403f1f
0x00403f38
0x00403f3b
0x00403f3f
0x00403f41
0x00403f44
0x00403fbc
0x00403fbd
0x00403fbe
0x00403fc5
0x00403fc7
0x00403fc7
0x00403fcc
0x00403fd4
0x00000000
0x00000000
0x00403fd6
0x00403fd8
0x00403fdf
0x00000000
0x00403fe1
0x00403fe3
0x00403fe8
0x00403fed
0x00403ff5
0x00403ff9
0x00000000
0x00403ff9
0x00403ff5
0x00000000
0x00403fdf
0x00403fc7
0x00404000
0x00404004
0x00404004
0x0040400a
0x0040407c
0x00404080
0x00404086
0x00404088
0x004040b0
0x004040b4
0x004040b6
0x004040bb
0x004040bd
0x004040bf
0x00000000
0x004040c1
0x004040c1
0x004040c6
0x004040c8
0x004040c9
0x004040ca
0x004040cb
0x004040cb
0x0040408a
0x0040408a
0x00404090
0x00404094
0x0040409a
0x0040409c
0x0040409e
0x0040409e
0x004040a0
0x004040a2
0x004040a8
0x00000000
0x004040a8
0x0040400c
0x0040400c
0x0040400f
0x00404016
0x0040401d
0x00404020
0x00404023
0x0040402a
0x0040402d
0x00404030
0x00404033
0x00404035
0x00404037
0x00404039
0x0040403e
0x00404040
0x00404040
0x00404040
0x00404047
0x00404049
0x00404049
0x00404047
0x00404050
0x00404055
0x00404058
0x0040405e
0x004040cc
0x004040cc
0x004040cc
0x00404060
0x00404060
0x00404062
0x00404066
0x00404068
0x0040406b
0x0040406e
0x00404071
0x00404075
0x00404075
0x004040d1
0x004040d1
0x004040d1
0x004040d4
0x004040d7
0x004040d9
0x004040de
0x004040e0
0x004040e3
0x004040ea
0x004040ed
0x004040ed
0x004040f0
0x004040f4
0x004040f7
0x004040fa
0x004040fc
0x004040fc
0x004040fe
0x00404101
0x00404104
0x00404107
0x00404108
0x00404109
0x0040410a
0x0040410a
0x00403f46
0x00403f46
0x00403f46
0x00403f46
0x00403f4a
0x00403f4d
0x00403f50
0x00403f53
0x00403f54
0x00403f54
0x00403f21
0x00403f21
0x00403f25
0x00403f25
0x00403f28
0x00403f2b
0x00403f2e
0x00403f58
0x00403f5b
0x00403f5e
0x00403f61
0x00403f64
0x00403f65
0x00403f30
0x00403f30
0x00403f33
0x00403f34
0x00403f34
0x00403f2e
0x00403f1f

APIs

Sleep.KERNEL32(00000000,000000FF,00404788,00000000,0040BBE7,00000000,0040C0F5,00000000,0040C3B7,00000000,0040C3ED), ref: 00403F9F
Sleep.KERNEL32(0000000A,00000000,000000FF,00404788,00000000,0040BBE7,00000000,0040C0F5,00000000,0040C3B7,00000000,0040C3ED), ref: 00403FB5
Sleep.KERNEL32(00000000,00000000,?,000000FF,00404788,00000000,0040BBE7,00000000,0040C0F5,00000000,0040C3B7,00000000,0040C3ED), ref: 00403FE3
Sleep.KERNEL32(0000000A,00000000,00000000,?,000000FF,00404788,00000000,0040BBE7,00000000,0040C0F5,00000000,0040C3B7,00000000,0040C3ED), ref: 00403FF9

Memory Dump Source

Source File: 00000000.00000002.408873022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.408864577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409100576.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409115454.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409128043.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409135279.00000000004C6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: a5f41a95b234689400651ffc7a7e648ad6c8ae29c578f3c4a4f7439c6b153684
Instruction ID: d98b69cfe0522def9def3360e9182a2a8bb24ce33fa39324cc86f3a67812f259
Opcode Fuzzy Hash: a5f41a95b234689400651ffc7a7e648ad6c8ae29c578f3c4a4f7439c6b153684
Instruction Fuzzy Hash: 99C123B2A002018BCB15CF69EC84356BFE4EB89311F1882BFE514AB3D5D7B89941C7D8

Uniqueness

Uniqueness Score: -1.00%

Function 00407750 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 93
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E00407750() {
				void* _t20;
				void* _t23;
				intOrPtr _t31;
				intOrPtr* _t33;
				void* _t46;
				struct HINSTANCE__* _t49;
				void* _t56;

				if( *0x4b7004 != 0) {
					E00407630();
					E004076B8(_t46);
					 *0x4b7004 = 0;
				}
				if( *0x4bdbcc != 0 && GetCurrentThreadId() ==  *0x4bdbf4) {
					E00407388(0x4bdbc8);
					E0040768C(0x4bdbc8);
				}
				if( *0x004BDBC0 != 0 ||  *0x4bb054 == 0) {
					L8:
					if( *((char*)(0x4bdbc0)) == 2 &&  *0x4b7000 == 0) {
						 *0x004BDBA4 = 0;
					}
					if( *((char*)(0x4bdbc0)) != 0) {
						L14:
						E004073B0();
						if( *((char*)(0x4bdbc0)) <= 1 ||  *0x4b7000 != 0) {
							_t15 =  *0x004BDBA8;
							if( *0x004BDBA8 != 0) {
								E0040B40C(_t15);
								_t31 =  *((intOrPtr*)(0x4bdba8));
								_t8 = _t31 + 0x10; // 0x400000
								_t49 =  *_t8;
								_t9 = _t31 + 4; // 0x400000
								if(_t49 !=  *_t9 && _t49 != 0) {
									FreeLibrary(_t49);
								}
							}
						}
						E00407388(0x4bdb98);
						if( *((char*)(0x4bdbc0)) == 1) {
							 *0x004BDBBC();
						}
						if( *((char*)(0x4bdbc0)) != 0) {
							E0040768C(0x4bdb98);
						}
						if( *0x4bdb98 == 0) {
							if( *0x4bb038 != 0) {
								 *0x4bb038();
							}
							ExitProcess( *0x4b7000); // executed
						}
						memcpy(0x4bdb98,  *0x4bdb98, 0xc << 2);
						_t56 = _t56 + 0xc;
						0x4b7000 = 0x4b7000;
						0x4bdb98 = 0x4bdb98;
						goto L8;
					} else {
						_t20 = E004054B4();
						_t44 = _t20;
						if(_t20 == 0) {
							goto L14;
						} else {
							goto L13;
						}
						do {
							L13:
							E00405CE8(_t44);
							_t23 = E004054B4();
							_t44 = _t23;
						} while (_t23 != 0);
						goto L14;
					}
				} else {
					do {
						_t33 =  *0x4bb054; // 0x0
						 *0x4bb054 = 0;
						 *_t33();
					} while ( *0x4bb054 != 0);
					L8:
					while(1) {
					}
				}
			}

0x00407764
0x00407766
0x0040776b
0x00407772
0x00407772
0x0040777e
0x00407792
0x0040779c
0x0040779c
0x004077a5
0x004077c9
0x004077cd
0x004077d6
0x004077d6
0x004077dd
0x004077fc
0x004077fc
0x00407805
0x0040780c
0x00407811
0x00407813
0x00407818
0x0040781b
0x0040781b
0x0040781e
0x00407821
0x00407828
0x00407828
0x00407821
0x00407811
0x0040782f
0x00407838
0x0040783a
0x0040783a
0x00407841
0x00407845
0x00407845
0x0040784d
0x00407856
0x00407858
0x00407858
0x00407861
0x00407861
0x00407873
0x00407873
0x00407875
0x00407876
0x00000000
0x004077df
0x004077df
0x004077e4
0x004077e8
0x00000000
0x00000000
0x00000000
0x00000000
0x004077ea
0x004077ea
0x004077ec
0x004077f1
0x004077f6
0x004077f8
0x00000000
0x004077ea
0x004077b0
0x004077b0
0x004077b0
0x004077b9
0x004077be
0x004077c0
0x00000000
0x004077c9
0x00000000
0x004077c9

APIs

GetCurrentThreadId.KERNEL32 ref: 00407780
FreeLibrary.KERNEL32(00400000,?,?,?,0040788A,004054FF,00405546,?,?,0040555F,?,?,?,?,00453AEA,00000000), ref: 00407828
ExitProcess.KERNEL32(00000000,?,?,?,0040788A,004054FF,00405546,?,?,0040555F,?,?,?,?,00453AEA,00000000), ref: 00407861

Part of subcall function 004076B8: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?,0040788A,004054FF,00405546,?,?,0040555F), ref: 004076F1
Part of subcall function 004076B8: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?,0040788A,004054FF,00405546,?,?), ref: 004076F7
Part of subcall function 004076B8: GetStdHandle.KERNEL32(000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?), ref: 00407712
Part of subcall function 004076B8: WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?), ref: 00407718

Strings

MZP, xrefs: 00407827

Memory Dump Source

Source File: 00000000.00000002.408873022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.408864577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409100576.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409115454.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409128043.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409135279.00000000004C6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: FileHandleWrite$CurrentExitFreeLibraryProcessThread
String ID: MZP
API String ID: 3490077880-2889622443
Opcode ID: 1ba9ccdc5e5ec41ea7066db700fb32a50d39e50ecd0d58aa72eac7c5645d258d
Instruction ID: 4bb8ca2865ae45d0ec72c9e6ca862cba493d08d50c1d65b63798a8296780cd14
Opcode Fuzzy Hash: 1ba9ccdc5e5ec41ea7066db700fb32a50d39e50ecd0d58aa72eac7c5645d258d
Instruction Fuzzy Hash: 76317220E087415BE721BB7A888875B76E09B45315F14897FE541A33D2D77CB884CB6F

Uniqueness

Uniqueness Score: -1.00%

Function 00407748 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 86
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E00407748() {
				intOrPtr* _t14;
				void* _t23;
				void* _t26;
				intOrPtr _t34;
				intOrPtr* _t36;
				void* _t50;
				struct HINSTANCE__* _t53;
				void* _t62;

				 *((intOrPtr*)(_t14 +  *_t14)) =  *((intOrPtr*)(_t14 +  *_t14)) + _t14 +  *_t14;
				if( *0x4b7004 != 0) {
					E00407630();
					E004076B8(_t50);
					 *0x4b7004 = 0;
				}
				if( *0x4bdbcc != 0 && GetCurrentThreadId() ==  *0x4bdbf4) {
					E00407388(0x4bdbc8);
					E0040768C(0x4bdbc8);
				}
				if( *0x004BDBC0 != 0 ||  *0x4bb054 == 0) {
					L9:
					if( *((char*)(0x4bdbc0)) == 2 &&  *0x4b7000 == 0) {
						 *0x004BDBA4 = 0;
					}
					if( *((char*)(0x4bdbc0)) != 0) {
						L15:
						E004073B0();
						if( *((char*)(0x4bdbc0)) <= 1 ||  *0x4b7000 != 0) {
							_t18 =  *0x004BDBA8;
							if( *0x004BDBA8 != 0) {
								E0040B40C(_t18);
								_t34 =  *((intOrPtr*)(0x4bdba8));
								_t8 = _t34 + 0x10; // 0x400000
								_t53 =  *_t8;
								_t9 = _t34 + 4; // 0x400000
								if(_t53 !=  *_t9 && _t53 != 0) {
									FreeLibrary(_t53);
								}
							}
						}
						E00407388(0x4bdb98);
						if( *((char*)(0x4bdbc0)) == 1) {
							 *0x004BDBBC();
						}
						if( *((char*)(0x4bdbc0)) != 0) {
							E0040768C(0x4bdb98);
						}
						if( *0x4bdb98 == 0) {
							if( *0x4bb038 != 0) {
								 *0x4bb038();
							}
							ExitProcess( *0x4b7000); // executed
						}
						memcpy(0x4bdb98,  *0x4bdb98, 0xc << 2);
						_t62 = _t62 + 0xc;
						0x4b7000 = 0x4b7000;
						0x4bdb98 = 0x4bdb98;
						goto L9;
					} else {
						_t23 = E004054B4();
						_t48 = _t23;
						if(_t23 == 0) {
							goto L15;
						} else {
							goto L14;
						}
						do {
							L14:
							E00405CE8(_t48);
							_t26 = E004054B4();
							_t48 = _t26;
						} while (_t26 != 0);
						goto L15;
					}
				} else {
					do {
						_t36 =  *0x4bb054; // 0x0
						 *0x4bb054 = 0;
						 *_t36();
					} while ( *0x4bb054 != 0);
					L9:
					while(1) {
					}
				}
			}

0x0040774a
0x00407764
0x00407766
0x0040776b
0x00407772
0x00407772
0x0040777e
0x00407792
0x0040779c
0x0040779c
0x004077a5
0x004077c9
0x004077cd
0x004077d6
0x004077d6
0x004077dd
0x004077fc
0x004077fc
0x00407805
0x0040780c
0x00407811
0x00407813
0x00407818
0x0040781b
0x0040781b
0x0040781e
0x00407821
0x00407828
0x00407828
0x00407821
0x00407811
0x0040782f
0x00407838
0x0040783a
0x0040783a
0x00407841
0x00407845
0x00407845
0x0040784d
0x00407856
0x00407858
0x00407858
0x00407861
0x00407861
0x00407873
0x00407873
0x00407875
0x00407876
0x00000000
0x004077df
0x004077df
0x004077e4
0x004077e8
0x00000000
0x00000000
0x00000000
0x00000000
0x004077ea
0x004077ea
0x004077ec
0x004077f1
0x004077f6
0x004077f8
0x00000000
0x004077ea
0x004077b0
0x004077b0
0x004077b0
0x004077b9
0x004077be
0x004077c0
0x00000000
0x004077c9
0x00000000
0x004077c9

APIs

GetCurrentThreadId.KERNEL32 ref: 00407780
FreeLibrary.KERNEL32(00400000,?,?,?,0040788A,004054FF,00405546,?,?,0040555F,?,?,?,?,00453AEA,00000000), ref: 00407828
ExitProcess.KERNEL32(00000000,?,?,?,0040788A,004054FF,00405546,?,?,0040555F,?,?,?,?,00453AEA,00000000), ref: 00407861

Part of subcall function 004076B8: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?,0040788A,004054FF,00405546,?,?,0040555F), ref: 004076F1
Part of subcall function 004076B8: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?,0040788A,004054FF,00405546,?,?), ref: 004076F7
Part of subcall function 004076B8: GetStdHandle.KERNEL32(000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?), ref: 00407712
Part of subcall function 004076B8: WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?), ref: 00407718

Strings

MZP, xrefs: 00407827

Memory Dump Source

Source File: 00000000.00000002.408873022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.408864577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409100576.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409115454.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409128043.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409135279.00000000004C6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: FileHandleWrite$CurrentExitFreeLibraryProcessThread
String ID: MZP
API String ID: 3490077880-2889622443
Opcode ID: 1e4888025ee955e8cc7e0f2d2f1a13e961f3985afae2446d4f356ca194078bac
Instruction ID: bfc25cbdcfe625b544084418af651039c1e49876b6b13a82c314e6a817d38f33
Opcode Fuzzy Hash: 1e4888025ee955e8cc7e0f2d2f1a13e961f3985afae2446d4f356ca194078bac
Instruction Fuzzy Hash: E3314D20E087419BE721BB7A888935B7BA09B05315F14897FE541A73D2D77CB884CB6F

Uniqueness

Uniqueness Score: -1.00%

Function 004B5000 Relevance: 6.0, APIs: 4, Instructions: 43
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 79%

			E004B5000(void* __ecx, void* __edx) {
				intOrPtr _t19;
				intOrPtr _t22;

				_push(_t22);
				_push(0x4b50d7);
				_push( *[fs:eax]);
				 *[fs:eax] = _t22;
				 *0x4bb98c =  *0x4bb98c - 1;
				if( *0x4bb98c < 0) {
					E00405B74();
					E004051A8();
					SetThreadLocale(0x400); // executed
					E0040A250();
					 *0x4b700c = 2;
					 *0x4bb01c = 0x4036b0;
					 *0x4bb020 = 0x4036b8;
					 *0x4bb05a = 2;
					 *0x4bb060 = E0040CAA4();
					 *0x4bb008 = 0x4095a0;
					E00405BCC(E00405BB0());
					 *0x4bb068 = 0xd7b0;
					 *0x4bb344 = 0xd7b0;
					 *0x4bb620 = 0xd7b0;
					 *0x4bb050 = GetCommandLineW();
					 *0x4bb04c = E00403810();
					 *0x4bb97c = GetACP();
					 *0x4bb980 = 0x4b0;
					 *0x4bb044 = GetCurrentThreadId();
					E0040CAB8();
				}
				_pop(_t19);
				 *[fs:eax] = _t19;
				_push(0x4b50de);
				return 0;
			}

0x004b5005
0x004b5006
0x004b500b
0x004b500e
0x004b5011
0x004b5018
0x004b501e
0x004b5023
0x004b502d
0x004b5032
0x004b5037
0x004b503e
0x004b5048
0x004b5052
0x004b505e
0x004b5063
0x004b5072
0x004b5077
0x004b5080
0x004b5089
0x004b5097
0x004b50a1
0x004b50ab
0x004b50b0
0x004b50bf
0x004b50c4
0x004b50c4
0x004b50cb
0x004b50ce
0x004b50d1
0x004b50d6

APIs

SetThreadLocale.KERNEL32(00000400,00000000,004B50D7), ref: 004B502D

Part of subcall function 0040A250: InitializeCriticalSection.KERNEL32(004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A255
Part of subcall function 0040A250: GetVersion.KERNEL32(004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A263
Part of subcall function 0040A250: GetModuleHandleW.KERNEL32(kernel32.dll,GetThreadPreferredUILanguages,004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A28A
Part of subcall function 0040A250: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040A290
Part of subcall function 0040A250: GetModuleHandleW.KERNEL32(kernel32.dll,SetThreadPreferredUILanguages,00000000,kernel32.dll,GetThreadPreferredUILanguages,004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A2A4
Part of subcall function 0040A250: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040A2AA
Part of subcall function 0040A250: GetModuleHandleW.KERNEL32(kernel32.dll,GetThreadUILanguage,00000000,kernel32.dll,SetThreadPreferredUILanguages,00000000,kernel32.dll,GetThreadPreferredUILanguages,004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A2BE
Part of subcall function 0040A250: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040A2C4

Part of subcall function 0040CAA4: GetSystemInfo.KERNEL32 ref: 0040CAA8

GetCommandLineW.KERNEL32(00000400,00000000,004B50D7), ref: 004B5092

Part of subcall function 00403810: GetStartupInfoW.KERNEL32 ref: 00403821

GetACP.KERNEL32(00000400,00000000,004B50D7), ref: 004B50A6
GetCurrentThreadId.KERNEL32 ref: 004B50BA

Part of subcall function 0040CAB8: GetVersion.KERNEL32(004B50C9,00000400,00000000,004B50D7), ref: 0040CAB8

Memory Dump Source

Source File: 00000000.00000002.408873022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.408864577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409100576.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409115454.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409128043.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409135279.00000000004C6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: AddressHandleModuleProc$InfoThreadVersion$CommandCriticalCurrentInitializeLineLocaleSectionStartupSystem
String ID:
API String ID: 2740004594-0
Opcode ID: aeeb1ef19c021384e5e919f33d2f1f63d534ea4b25bb20b8f726cabb6b9d9f22
Instruction ID: 4c04e7183c3d5c6504f231a905193e891933426fc174ea8e71756e1f90614aff
Opcode Fuzzy Hash: aeeb1ef19c021384e5e919f33d2f1f63d534ea4b25bb20b8f726cabb6b9d9f22
Instruction Fuzzy Hash: 46111CB04047449FE311BF76A8062267BA8EB05309B508A7FE110662E2EBFD15048FEE

Uniqueness

Uniqueness Score: -1.00%

Function 004AEFE8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 82
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 73%

			E004AEFE8(void* __eax, long __ebx, void* __edx, void* __edi, void* __esi) {
				char _v8;
				char _v12;
				char* _v16;
				char _v20;
				intOrPtr _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				int _t30;
				intOrPtr _t63;
				void* _t71;
				void* _t73;
				intOrPtr _t75;
				intOrPtr _t76;

				_t71 = __edi;
				_t54 = __ebx;
				_t75 = _t76;
				_t55 = 4;
				do {
					_push(0);
					_push(0);
					_t55 = _t55 - 1;
				} while (_t55 != 0);
				_push(_t55);
				_push(__ebx);
				_t73 = __eax;
				_t78 = 0;
				_push(_t75);
				_push(0x4af0e1);
				_push( *[fs:eax]);
				 *[fs:eax] = _t76;
				while(1) {
					E00422D70( &_v12, _t54, _t55, _t78); // executed
					_t55 = L".tmp";
					E004AEEC8(0, _t54, L".tmp", _v12, _t71, _t73,  &_v8); // executed
					_t30 = CreateDirectoryW(E004084EC(_v8), 0); // executed
					if(_t30 != 0) {
						break;
					}
					_t54 = GetLastError();
					_t78 = _t54 - 0xb7;
					if(_t54 != 0xb7) {
						E00426F08(0x3d,  &_v32, _v8);
						_v28 = _v32;
						E00419E18( &_v36, _t54, 0);
						_v24 = _v36;
						E004232EC(_t54,  &_v40);
						_v20 = _v40;
						E00426ED8(0x81, 2,  &_v28,  &_v16);
						_t55 = _v16;
						E0041F264(_v16, 1);
						E0040711C();
					}
				}
				E00407E00(_t73, _v8);
				__eflags = 0;
				_pop(_t63);
				 *[fs:eax] = _t63;
				_push(E004AF0E8);
				E00407A80( &_v40, 3);
				return E00407A80( &_v16, 3);
			}

0x004aefe8
0x004aefe8
0x004aefe9
0x004aefeb
0x004aeff0
0x004aeff0
0x004aeff2
0x004aeff4
0x004aeff4
0x004aeff7
0x004aeff8
0x004aeffa
0x004aeffc
0x004aeffe
0x004aefff
0x004af004
0x004af007
0x004af00a
0x004af011
0x004af019
0x004af020
0x004af030
0x004af037
0x00000000
0x00000000
0x004af03e
0x004af040
0x004af046
0x004af056
0x004af05e
0x004af06a
0x004af072
0x004af07a
0x004af082
0x004af091
0x004af096
0x004af0a0
0x004af0a5
0x004af0a5
0x004af046
0x004af0b4
0x004af0b9
0x004af0bb
0x004af0be
0x004af0c1
0x004af0ce
0x004af0e0

APIs

CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,004AF0E1,?,?,?,00000003,00000000,00000000,?,004B619F), ref: 004AF030
GetLastError.KERNEL32(00000000,00000000,?,00000000,004AF0E1,?,?,?,00000003,00000000,00000000,?,004B619F), ref: 004AF039

Strings

.tmp, xrefs: 004AF019

Memory Dump Source

Source File: 00000000.00000002.408873022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.408864577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409100576.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409115454.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409128043.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409135279.00000000004C6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID: .tmp
API String ID: 1375471231-2986845003
Opcode ID: b866ae3ac5566b90e4d091c6d0119bd5c5d6e6cd69059738e462e2ab807557f0
Instruction ID: 89b964d67460c442e7c67535b057b8112791baa86db9a38931a927ffd746d2a8
Opcode Fuzzy Hash: b866ae3ac5566b90e4d091c6d0119bd5c5d6e6cd69059738e462e2ab807557f0
Instruction Fuzzy Hash: 3A218735A041089BDB00EBE1C842ADFB3B9EB49304F50447BF800F7381DA386E058BA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040E450 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040E450(long __eax, WCHAR* __edx, void* _a4, struct HINSTANCE__* _a8, struct HMENU__* _a12, struct HWND__* _a16, int _a20, int _a24, int _a28, int _a32, long _a36) {
				WCHAR* _v8;
				void* _t13;
				struct HWND__* _t24;
				WCHAR* _t29;
				long _t32;

				_v8 = _t29;
				_t32 = __eax;
				_t13 = E00405740();
				_t24 = CreateWindowExW(_t32, __edx, _v8, _a36, _a32, _a28, _a24, _a20, _a16, _a12, _a8, _a4); // executed
				E00405730(_t13);
				return _t24;
			}

0x0040e457
0x0040e45c
0x0040e45e
0x0040e48f
0x0040e498
0x0040e4a4

APIs

CreateWindowExW.USER32 ref: 0040E48F

Strings

InnoSetupLdrWindow, xrefs: 0040E453
STATIC, xrefs: 0040E48D

Memory Dump Source

Source File: 00000000.00000002.408873022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.408864577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409100576.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409115454.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409128043.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409135279.00000000004C6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: CreateWindow
String ID: InnoSetupLdrWindow$STATIC
API String ID: 716092398-2209255943
Opcode ID: 4ba199ab3c1e041c72a50ebd66c3ee798d5f8225e8fee486b5eb3d70e3749009
Instruction ID: 770f17d29583ffea265d4876c6cd55b491c436ce5e2cc0b006eebdc9bc405b2a
Opcode Fuzzy Hash: 4ba199ab3c1e041c72a50ebd66c3ee798d5f8225e8fee486b5eb3d70e3749009
Instruction Fuzzy Hash: 73F07FB6600118AF9B84DE9EDC85E9B77ECEB4D264B05412ABA08E7201D634ED118BA4

Uniqueness

Uniqueness Score: -1.00%

Function 004AF1B4 Relevance: 5.0, APIs: 4, Instructions: 45
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004AF1B4(long __eax, intOrPtr __edx, long _a4, long _a8) {
				intOrPtr _v8;
				long _t5;
				long _t9;
				void* _t10;
				void* _t13;
				void* _t15;
				void* _t16;

				_t5 = __eax;
				_v8 = __edx;
				_t9 = __eax;
				_t15 = _t10 - 1;
				if(_t15 < 0) {
					L10:
					return _t5;
				}
				_t16 = _t15 + 1;
				_t13 = 0;
				while(1) {
					_t19 = _t13 - 1;
					if(_t13 != 1) {
						__eflags = _t13 - 1;
						if(__eflags > 0) {
							Sleep(_a4);
						}
					} else {
						Sleep(_a8);
					}
					_t5 = E00427154(_t9, _v8, _t19); // executed
					if(_t5 != 0) {
						goto L10;
					}
					_t5 = GetLastError();
					if(_t5 == 2) {
						goto L10;
					}
					_t5 = GetLastError();
					if(_t5 == 3) {
						goto L10;
					}
					_t13 = _t13 + 1;
					_t16 = _t16 - 1;
					if(_t16 != 0) {
						continue;
					}
					goto L10;
				}
				goto L10;
			}

0x004af1b4
0x004af1bb
0x004af1be
0x004af1c2
0x004af1c5
0x004af213
0x004af213
0x004af213
0x004af1c7
0x004af1c8
0x004af1ca
0x004af1ca
0x004af1cd
0x004af1da
0x004af1dd
0x004af1e3
0x004af1e3
0x004af1cf
0x004af1d3
0x004af1d3
0x004af1ed
0x004af1f4
0x00000000
0x00000000
0x004af1f6
0x004af1fe
0x00000000
0x00000000
0x004af200
0x004af208
0x00000000
0x00000000
0x004af20a
0x004af20b
0x004af20c
0x00000000
0x00000000
0x00000000
0x004af20c
0x00000000

APIs

Sleep.KERNEL32(?,?,?,?,0000000D,?,004B64EC,000000FA,00000032,004B6554), ref: 004AF1D3
Sleep.KERNEL32(?,?,?,?,0000000D,?,004B64EC,000000FA,00000032,004B6554), ref: 004AF1E3
GetLastError.KERNEL32(?,?,?,0000000D,?,004B64EC,000000FA,00000032,004B6554), ref: 004AF1F6
GetLastError.KERNEL32(?,?,?,0000000D,?,004B64EC,000000FA,00000032,004B6554), ref: 004AF200

Memory Dump Source

Source File: 00000000.00000002.408873022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.408864577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409100576.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409115454.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409128043.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409135279.00000000004C6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: ErrorLastSleep
String ID:
API String ID: 1458359878-0
Opcode ID: 132a67e1d44d9774a6928004e5d8cee8820d44842addde93f31c36794548402b
Instruction ID: c6a2870ed3ca6a3ef6dac7de38143878fdab2d33d6efdb0808b7300bb595a527
Opcode Fuzzy Hash: 132a67e1d44d9774a6928004e5d8cee8820d44842addde93f31c36794548402b
Instruction Fuzzy Hash: 0CF02B37B04224A76724A5EBEC46D6FE298DEB33A8710457BFC04D7302C439CC4542A8

Uniqueness

Uniqueness Score: -1.00%

Function 0041FF94 Relevance: 4.6, APIs: 3, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E0041FF94(void* __eax, void* __ebx, signed int* __ecx, signed int* __edx, void* __edi, void* __esi, signed int* _a4) {
				char _v8;
				char _v9;
				int _v16;
				void* _v20;
				void* _v24;
				int _v28;
				int _t33;
				int _t43;
				int _t64;
				intOrPtr _t72;
				intOrPtr _t74;
				signed int* _t77;
				signed int* _t79;
				void* _t81;
				void* _t82;
				intOrPtr _t83;

				_t81 = _t82;
				_t83 = _t82 + 0xffffffe8;
				_v8 = 0;
				_t77 = __ecx;
				_t79 = __edx;
				_push(_t81);
				_push(0x420094);
				_push( *[fs:eax]);
				 *[fs:eax] = _t83;
				_v9 = 0;
				E00407E48( &_v8, __eax);
				E00407FB0( &_v8);
				_t33 = GetFileVersionInfoSizeW(E004084EC(_v8),  &_v16); // executed
				_t64 = _t33;
				if(_t64 == 0) {
					_pop(_t72);
					 *[fs:eax] = _t72;
					_push(0x42009b);
					return E00407A20( &_v8);
				} else {
					_v20 = E004053F0(_t64);
					_push(_t81);
					_push(0x420077);
					_push( *[fs:edx]);
					 *[fs:edx] = _t83;
					_t43 = GetFileVersionInfoW(E004084EC(_v8), _v16, _t64, _v20); // executed
					if(_t43 != 0 && VerQueryValueW(_v20, 0x4200a8,  &_v24,  &_v28) != 0) {
						 *_t79 =  *(_v24 + 0x10) >> 0x00000010 & 0x0000ffff;
						 *_t77 =  *(_v24 + 0x10) & 0x0000ffff;
						 *_a4 =  *(_v24 + 0x14) >> 0x00000010 & 0x0000ffff;
						_v9 = 1;
					}
					_pop(_t74);
					 *[fs:eax] = _t74;
					_push(0x42007e);
					return E0040540C(_v20);
				}
			}

0x0041ff95
0x0041ff97
0x0041ff9f
0x0041ffa2
0x0041ffa4
0x0041ffaa
0x0041ffab
0x0041ffb0
0x0041ffb3
0x0041ffb6
0x0041ffbf
0x0041ffc7
0x0041ffd9
0x0041ffde
0x0041ffe2
0x00420080
0x00420083
0x00420086
0x00420093
0x0041ffe8
0x0041ffef
0x0041fff4
0x0041fff5
0x0041fffa
0x0041fffd
0x00420012
0x00420019
0x00420041
0x0042004a
0x0042005b
0x0042005d
0x0042005d
0x00420063
0x00420066
0x00420069
0x00420076
0x00420076

APIs

GetFileVersionInfoSizeW.VERSION(00000000,?,00000000,00420094), ref: 0041FFD9
GetFileVersionInfoW.VERSION(00000000,?,00000000,?,00000000,00420077,?,00000000,?,00000000,00420094), ref: 00420012
VerQueryValueW.VERSION(?,004200A8,?,?,00000000,?,00000000,?,00000000,00420077,?,00000000,?,00000000,00420094), ref: 0042002C

Memory Dump Source

Source File: 00000000.00000002.408873022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.408864577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409100576.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409115454.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409128043.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409135279.00000000004C6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue
String ID:
API String ID: 2179348866-0
Opcode ID: db1b7188df03ba7b3b32e0e3197f16d1bbb1710ebdecda22b0e2c2fca2e7d661
Instruction ID: 087fa93cc02b824bee97242c1a4c1e6fbe52d07f241be95d6751b2a9bfa32856
Opcode Fuzzy Hash: db1b7188df03ba7b3b32e0e3197f16d1bbb1710ebdecda22b0e2c2fca2e7d661
Instruction Fuzzy Hash: 19314771A042199FD710DFA9D941DAFB7F8EB48700B91447AF944E3252D778DD00C765

Uniqueness

Uniqueness Score: -1.00%

Function 0040B110 Relevance: 3.1, APIs: 2, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E0040B110(intOrPtr __eax, void* __ebx, signed int __ecx, signed int __edx, void* __edi, void* __esi) {
				intOrPtr _v8;
				signed int _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				signed int _t41;
				signed short _t43;
				signed short _t46;
				signed int _t60;
				intOrPtr _t68;
				void* _t79;
				signed int* _t81;
				intOrPtr _t84;

				_t79 = __edi;
				_t61 = __ecx;
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(__ebx);
				_push(__esi);
				_t81 = __ecx;
				_v12 = __edx;
				_v8 = __eax;
				E00407B04(_v8);
				E00407B04(_v12);
				_push(_t84);
				_push(0x40b227);
				_push( *[fs:eax]);
				 *[fs:eax] = _t84;
				E00407A20(__ecx);
				if(_v12 == 0) {
					L14:
					_pop(_t68);
					 *[fs:eax] = _t68;
					_push(E0040B22E);
					return E00407A80( &_v28, 6);
				}
				E00407E48( &_v20, _v12);
				_t41 = _v12;
				if(_t41 != 0) {
					_t41 =  *(_t41 - 4);
				}
				_t60 = _t41;
				if(_t60 < 1) {
					L7:
					_t43 = E0040AE34(_v8, _t60, _t61,  &_v16, _t81); // executed
					if(_v16 == 0) {
						L00403730();
						E0040A7E4(_t43, _t60,  &_v24, _t79, _t81);
						_t46 = E0040AF60(_v20, _t60, _t81, _v24, _t79, _t81); // executed
						__eflags =  *_t81;
						if( *_t81 == 0) {
							__eflags =  *0x4bdc0c;
							if( *0x4bdc0c == 0) {
								L00403738();
								E0040A7E4(_t46, _t60,  &_v28, _t79, _t81);
								E0040AF60(_v20, _t60, _t81, _v28, _t79, _t81);
							}
						}
						__eflags =  *_t81;
						if(__eflags == 0) {
							E0040B044(_v20, _t60, _t81, __eflags); // executed
						}
					} else {
						E0040AF60(_v20, _t60, _t81, _v16, _t79, _t81);
					}
					goto L14;
				}
				while( *((short*)(_v12 + _t60 * 2 - 2)) != 0x2e) {
					_t60 = _t60 - 1;
					__eflags = _t60;
					if(_t60 != 0) {
						continue;
					}
					goto L7;
				}
				_t61 = _t60;
				E004088AC(_v12, _t60, 1,  &_v20);
				goto L7;
			}

0x0040b110
0x0040b110
0x0040b113
0x0040b115
0x0040b117
0x0040b119
0x0040b11b
0x0040b11d
0x0040b11f
0x0040b120
0x0040b121
0x0040b123
0x0040b126
0x0040b12c
0x0040b134
0x0040b13b
0x0040b13c
0x0040b141
0x0040b144
0x0040b149
0x0040b152
0x0040b20c
0x0040b20e
0x0040b211
0x0040b214
0x0040b226
0x0040b226
0x0040b15e
0x0040b163
0x0040b168
0x0040b16d
0x0040b16d
0x0040b16f
0x0040b174
0x0040b19b
0x0040b1a1
0x0040b1aa
0x0040b1bb
0x0040b1c3
0x0040b1d0
0x0040b1d5
0x0040b1d8
0x0040b1da
0x0040b1e1
0x0040b1e3
0x0040b1eb
0x0040b1f8
0x0040b1f8
0x0040b1e1
0x0040b1fd
0x0040b200
0x0040b207
0x0040b207
0x0040b1ac
0x0040b1b4
0x0040b1b4
0x00000000
0x0040b1aa
0x0040b176
0x0040b196
0x0040b197
0x0040b199
0x00000000
0x00000000
0x00000000
0x0040b199
0x0040b185
0x0040b18f
0x00000000

APIs

GetUserDefaultUILanguage.KERNEL32(00000000,0040B227,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0040B2AE,00000000,?,00000105), ref: 0040B1BB
GetSystemDefaultUILanguage.KERNEL32(00000000,0040B227,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0040B2AE,00000000,?,00000105), ref: 0040B1E3

Memory Dump Source

Source File: 00000000.00000002.408873022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.408864577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409100576.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409115454.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409128043.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409135279.00000000004C6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: DefaultLanguage$SystemUser
String ID:
API String ID: 384301227-0
Opcode ID: 8091743a5a45bbad2069f173d476493d8776fa257b9783c2651a700d4e0e0a8f
Instruction ID: e5bcb09f7540d0846d638ab8db7cc306f2a88a3609992180fc1e837192b0f5a6
Opcode Fuzzy Hash: 8091743a5a45bbad2069f173d476493d8776fa257b9783c2651a700d4e0e0a8f
Instruction Fuzzy Hash: B0313070A142499BDB10EBA5C891AAEB7B5EF48304F50857BE400B73D1DB7CAD41CB9E

Uniqueness

Uniqueness Score: -1.00%

Function 0040B234 Relevance: 3.1, APIs: 2, Instructions: 55
libraryCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0040B234(void* __eax, void* __ebx, void* __edi, void* __esi, void* __eflags) {
				char _v8;
				short _v530;
				char _v536;
				char _v540;
				void* _t44;
				intOrPtr _t45;
				void* _t49;
				void* _t52;

				_v536 = 0;
				_v540 = 0;
				_v8 = 0;
				_t49 = __eax;
				_push(_t52);
				_push(0x40b2ee);
				_push( *[fs:eax]);
				 *[fs:eax] = _t52 + 0xfffffde8;
				GetModuleFileNameW(0,  &_v530, 0x105);
				E00408550( &_v536, _t49);
				_push(_v536);
				E0040858C( &_v540, 0x105,  &_v530);
				_pop(_t44); // executed
				E0040B110(_v540, 0,  &_v8, _t44, __edi, _t49); // executed
				if(_v8 != 0) {
					LoadLibraryExW(E004084EC(_v8), 0, 2);
				}
				_pop(_t45);
				 *[fs:eax] = _t45;
				_push(E0040B2F5);
				E00407A80( &_v540, 2);
				return E00407A20( &_v8);
			}

0x0040b241
0x0040b247
0x0040b24d
0x0040b250
0x0040b254
0x0040b255
0x0040b25a
0x0040b25d
0x0040b270
0x0040b27d
0x0040b288
0x0040b29a
0x0040b2a8
0x0040b2a9
0x0040b2b2
0x0040b2c1
0x0040b2c6
0x0040b2ca
0x0040b2cd
0x0040b2d0
0x0040b2e0
0x0040b2ed

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040B2EE,?,?,00000000), ref: 0040B270
LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,0040B2EE,?,?,00000000), ref: 0040B2C1

Memory Dump Source

Source File: 00000000.00000002.408873022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.408864577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409100576.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409115454.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409128043.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409135279.00000000004C6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: FileLibraryLoadModuleName
String ID:
API String ID: 1159719554-0
Opcode ID: c89eb0a175d0b8486c29a163bc28afc1dff8206c8c77fc3926f93841ada109dc
Instruction ID: c66d7809fa1512833e1e01641763b0ecb7dd00f0751393a0e64d94d028879d96
Opcode Fuzzy Hash: c89eb0a175d0b8486c29a163bc28afc1dff8206c8c77fc3926f93841ada109dc
Instruction Fuzzy Hash: 35116070A4421CABDB10EB55CD86BDE77B8DB04304F5144BEE508B32C1DA785F848AA9

Uniqueness

Uniqueness Score: -1.00%

Function 00427154 Relevance: 3.0, APIs: 2, Instructions: 42
fileCOMMON

Download Yara Rule

C-Code - Quality: 60%

			E00427154(void* __eax, void* __edx, void* __eflags) {
				int _v8;
				char _v16;
				long _v20;
				int _t13;
				intOrPtr _t27;
				void* _t32;
				void* _t34;
				intOrPtr _t35;

				_t32 = _t34;
				_t35 = _t34 + 0xfffffff0;
				if(E00427108(__eax,  &_v16) != 0) {
					_push(_t32);
					_push(0x4271b1);
					_push( *[fs:eax]);
					 *[fs:eax] = _t35;
					_t13 = DeleteFileW(E004084EC(__edx)); // executed
					_v8 = _t13;
					_v20 = GetLastError();
					_pop(_t27);
					 *[fs:eax] = _t27;
					_push(E004271B8);
					return E00427144( &_v16);
				} else {
					_v8 = 0;
					return _v8;
				}
			}

0x00427155
0x00427157
0x0042716c
0x00427177
0x00427178
0x0042717d
0x00427180
0x0042718b
0x00427190
0x00427198
0x0042719d
0x004271a0
0x004271a3
0x004271b0
0x0042716e
0x00427170
0x004271c9
0x004271c9

APIs

DeleteFileW.KERNEL32(00000000,00000000,004271B1,?,0000000D,00000000), ref: 0042718B
GetLastError.KERNEL32(00000000,00000000,004271B1,?,0000000D,00000000), ref: 00427193

Memory Dump Source

Source File: 00000000.00000002.408873022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.408864577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409100576.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409115454.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409128043.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409135279.00000000004C6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: DeleteErrorFileLast
String ID:
API String ID: 2018770650-0
Opcode ID: 6bce5fda464dbdacec63520f594f5bcb5d9fb2b97579abb83185b4526990ec2d
Instruction ID: b2b9a58b343adce66678156e8009272800f6ed28378062f2bcdc1a6b1bb3db77
Opcode Fuzzy Hash: 6bce5fda464dbdacec63520f594f5bcb5d9fb2b97579abb83185b4526990ec2d
Instruction Fuzzy Hash: 7AF0C831B08228ABDB01EFB5AC424AEB7E8DF0971479149BBE804E3341E6395D209698

Uniqueness

Uniqueness Score: -1.00%

Function 00421230 Relevance: 3.0, APIs: 2, Instructions: 33
libraryCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00421230(void* __eax, void* __ebx, int __edx) {
				struct HINSTANCE__* _v12;
				int _v16;
				int _t4;
				struct HINSTANCE__* _t9;
				void* _t12;
				intOrPtr _t16;
				void* _t18;
				void* _t19;
				intOrPtr _t20;

				_t18 = _t19;
				_t20 = _t19 + 0xfffffff4;
				_t12 = __eax;
				_t4 = SetErrorMode(__edx); // executed
				_v16 = _t4;
				_push(_t18);
				_push(0x4212a2);
				_push( *[fs:eax]);
				 *[fs:eax] = _t20;
				asm("fnstcw word [ebp-0x2]");
				_push(_t18);
				_push(0x421284);
				_push( *[fs:eax]);
				 *[fs:eax] = _t20;
				_t9 = LoadLibraryW(E004084EC(_t12)); // executed
				_v12 = _t9;
				_pop(_t16);
				 *[fs:eax] = _t16;
				_push(0x42128b);
				asm("fclex");
				asm("fldcw word [ebp-0x2]");
				return 0;
			}

0x00421231
0x00421233
0x00421237
0x0042123a
0x0042123f
0x00421244
0x00421245
0x0042124a
0x0042124d
0x00421250
0x00421255
0x00421256
0x0042125b
0x0042125e
0x00421269
0x0042126e
0x00421273
0x00421276
0x00421279
0x0042127e
0x00421280
0x00421283

APIs

SetErrorMode.KERNEL32 ref: 0042123A
LoadLibraryW.KERNEL32(00000000,00000000,00421284,?,00000000,004212A2), ref: 00421269

Memory Dump Source

Source File: 00000000.00000002.408873022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.408864577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409100576.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409115454.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409128043.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409135279.00000000004C6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: ErrorLibraryLoadMode
String ID:
API String ID: 2987862817-0
Opcode ID: 5d62b3fe4766baadd73c675683546c7f58e01c4ce11fe1a914dda1a55ed8f36c
Instruction ID: 4174928c950a8c4d8a753a2a73b5e5f46ee32f9a8ef6f103d2b3a03bcfaff51e
Opcode Fuzzy Hash: 5d62b3fe4766baadd73c675683546c7f58e01c4ce11fe1a914dda1a55ed8f36c
Instruction Fuzzy Hash: 15F08270A14744BFDB115F779C5282BBAACE709B047A348BAF800F2691E53C48208574

Uniqueness

Uniqueness Score: -1.00%

Function 004052D4 Relevance: 2.6, APIs: 2, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004052D4() {
				intOrPtr _t13;
				intOrPtr* _t14;
				int _t18;
				intOrPtr* _t23;
				void* _t25;
				void* _t26;
				void* _t28;
				void* _t31;

				_t28 =  *0x004BBADC;
				while(_t28 != 0x4bbad8) {
					_t2 = _t28 + 4; // 0x4bbad8
					VirtualFree(_t28, 0, 0x8000); // executed
					_t28 =  *_t2;
				}
				_t25 = 0x37;
				_t13 = 0x4b7080;
				do {
					 *((intOrPtr*)(_t13 + 0xc)) = _t13;
					 *((intOrPtr*)(_t13 + 8)) = _t13;
					 *((intOrPtr*)(_t13 + 0x10)) = 1;
					 *((intOrPtr*)(_t13 + 0x14)) = 0;
					_t13 = _t13 + 0x20;
					_t25 = _t25 - 1;
				} while (_t25 != 0);
				 *0x4bbad8 = 0x4bbad8;
				 *0x004BBADC = 0x4bbad8;
				_t26 = 0x400;
				_t23 = 0x4bbb78;
				do {
					_t14 = _t23;
					 *_t14 = _t14;
					_t8 = _t14 + 4; // 0x4bbb78
					 *_t8 = _t14;
					_t23 = _t23 + 8;
					_t26 = _t26 - 1;
				} while (_t26 != 0);
				 *0x4bbaf4 = 0;
				E00405884(0x4bbaf8, 0x80);
				_t18 = 0;
				 *0x4bbaf0 = 0;
				_t31 =  *0x004BDB80;
				while(_t31 != 0x4bdb7c) {
					_t10 = _t31 + 4; // 0x4bdb7c
					_t18 = VirtualFree(_t31, 0, 0x8000);
					_t31 =  *_t10;
				}
				 *0x4bdb7c = 0x4bdb7c;
				 *0x004BDB80 = 0x4bdb7c;
				return _t18;
			}

0x004052e2
0x004052f9
0x004052e7
0x004052f2
0x004052f7
0x004052f7
0x004052fd
0x00405302
0x00405307
0x00405309
0x0040530e
0x00405311
0x0040531a
0x0040531d
0x00405320
0x00405320
0x00405323
0x00405325
0x00405328
0x0040532d
0x00405332
0x00405332
0x00405334
0x00405336
0x00405336
0x00405339
0x0040533c
0x0040533c
0x00405341
0x00405352
0x00405357
0x00405359
0x0040535e
0x00405375
0x00405363
0x0040536e
0x00405373
0x00405373
0x00405379
0x0040537b
0x00405382

APIs

VirtualFree.KERNEL32(004BBAD8,00000000,00008000,?,?,?,?,004053D4,0040CB76,00000000,0040CB94), ref: 004052F2
VirtualFree.KERNEL32(004BDB7C,00000000,00008000,004BBAD8,00000000,00008000,?,?,?,?,004053D4,0040CB76,00000000,0040CB94), ref: 0040536E

Memory Dump Source

Source File: 00000000.00000002.408873022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.408864577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409100576.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409115454.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409128043.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409135279.00000000004C6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 2ac254642d4a9788115c799da738c06d3b344f11962515fad3d8dec7c1c1ac76
Instruction ID: 8dfda0fc8014d777c4f42bdf36328f4fb77b4e1ecbcf9529c7d2d9386e1eba40
Opcode Fuzzy Hash: 2ac254642d4a9788115c799da738c06d3b344f11962515fad3d8dec7c1c1ac76
Instruction Fuzzy Hash: A5116D71A046008FC7689F199840B67BBE4EB88754F15C0BFE549EB791D7B8AC018F9C

Uniqueness

Uniqueness Score: -1.00%

Function 004232EC Relevance: 1.5, APIs: 1, Instructions: 28
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004232EC(long __eax, void* __edx) {
				short _v2052;
				signed int _t7;
				void* _t10;
				signed int _t16;
				void* _t17;

				_t10 = __edx;
				_t7 = FormatMessageW(0x3200, 0, __eax, 0,  &_v2052, 0x400, 0); // executed
				while(_t7 > 0) {
					_t16 =  *(_t17 + _t7 * 2 - 2) & 0x0000ffff;
					if(_t16 <= 0x20) {
						L1:
						_t7 = _t7 - 1;
						__eflags = _t7;
						continue;
					} else {
						_t20 = _t16 - 0x2e;
						if(_t16 == 0x2e) {
							goto L1;
						}
					}
					break;
				}
				return E00407BA8(_t10, _t7, _t17, _t20);
			}

0x004232f3
0x0042330b
0x00423313
0x00423317
0x00423320
0x00423312
0x00423312
0x00423312
0x00000000
0x00423322
0x00423322
0x00423326
0x00000000
0x00000000
0x00423326
0x00000000
0x00423320
0x00423339

APIs

FormatMessageW.KERNEL32(00003200,00000000,00000000,00000000,?,00000400,00000000,00000000,00423C1E,00000000,00423C6F,?,00423E28), ref: 0042330B

Memory Dump Source

Source File: 00000000.00000002.408873022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.408864577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409100576.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409115454.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409128043.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409135279.00000000004C6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: 8c28d4cd2feba8420b72e2c8323dac74420019247290cbce7f55a68a80108edc
Instruction ID: 75fedbff241bec6efc8727d26b236f8c34027f11b3bdd8370f626a5f6d270aaf
Opcode Fuzzy Hash: 8c28d4cd2feba8420b72e2c8323dac74420019247290cbce7f55a68a80108edc
Instruction Fuzzy Hash: 89E0D86075432121F624A9052C03B7B2129A7C0B12FE084367A80DE3D5DEADAF55525E

Uniqueness

Uniqueness Score: -1.00%

Function 00422A18 Relevance: 1.5, APIs: 1, Instructions: 27
COMMON

Download Yara Rule

C-Code - Quality: 31%

			E00422A18(void* __eax, void* __ebx, void* __ecx, void* __eflags) {
				char _v8;
				intOrPtr _t21;
				intOrPtr _t24;

				_push(0);
				_push(_t24);
				_push(0x422a5e);
				_push( *[fs:eax]);
				 *[fs:eax] = _t24;
				E004229AC(__eax, __ecx,  &_v8, __eflags);
				GetFileAttributesW(E004084EC(_v8)); // executed
				_pop(_t21);
				 *[fs:eax] = _t21;
				_push(E00422A65);
				return E00407A20( &_v8);
			}

0x00422a1b
0x00422a22
0x00422a23
0x00422a28
0x00422a2b
0x00422a33
0x00422a41
0x00422a4a
0x00422a4d
0x00422a50
0x00422a5d

APIs

GetFileAttributesW.KERNEL32(00000000,00000000,00422A5E,?,?,00000000,?,00422A71,00422DE2,00000000,00422E27,?,?,00000000,00000000), ref: 00422A41

Memory Dump Source

Source File: 00000000.00000002.408873022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.408864577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409100576.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409115454.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409128043.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409135279.00000000004C6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 8cd9a521966ca01502d57987e2d96a70fbf8ec2bcb71e07358b87aea606a80f7
Instruction ID: ce0c41168f735205187e46b6c3e9294348714fcf51f30dd0002a5427be662740
Opcode Fuzzy Hash: 8cd9a521966ca01502d57987e2d96a70fbf8ec2bcb71e07358b87aea606a80f7
Instruction Fuzzy Hash: D7E09231704308BBD721EB76DE9291AB7ECD788700BA14876B500E7682E6B86E108418

Uniqueness

Uniqueness Score: -1.00%

Function 00423DA8 Relevance: 1.5, APIs: 1, Instructions: 26
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00423DA8(signed int __ecx, void* __edx, signed char _a4, signed char _a8) {
				void* _t17;

				_t17 = CreateFileW(E004084EC(__edx),  *(0x4b92e0 + (_a8 & 0x000000ff) * 4),  *(0x4b92ec + (_a4 & 0x000000ff) * 4), 0,  *(0x4b92fc + (__ecx & 0x000000ff) * 4), 0x80, 0); // executed
				return _t17;
			}

0x00423de5
0x00423ded

APIs

CreateFileW.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 00423DE5

Memory Dump Source

Source File: 00000000.00000002.408873022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.408864577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409100576.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409115454.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409128043.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409135279.00000000004C6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: dd9159e21b70a0e7bcb8d3c3b5b03a1c2ffc365921e6ade8a7c7864e99aae5ed
Instruction ID: 37fe8146f2431012b4276926014d9d5fd10bf57e8855788e2bc853c5fce69268
Opcode Fuzzy Hash: dd9159e21b70a0e7bcb8d3c3b5b03a1c2ffc365921e6ade8a7c7864e99aae5ed
Instruction Fuzzy Hash: 81E048716441283FD6149ADE7C91F76779C9709754F404563F684D7281C4A59D1086FC

Uniqueness

Uniqueness Score: -1.00%

Function 00409FA8 Relevance: 1.5, APIs: 1, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409FA8(void* __eax) {
				short _v532;
				void* __ebx;
				void* __esi;
				intOrPtr _t14;
				void* _t16;
				void* _t18;
				void* _t19;
				intOrPtr _t20;
				void* _t21;

				_t16 = __eax;
				_t22 =  *((intOrPtr*)(__eax + 0x10));
				if( *((intOrPtr*)(__eax + 0x10)) == 0) {
					GetModuleFileNameW( *(__eax + 4),  &_v532, 0x20a);
					_t14 = E0040B234(_t21, _t16, _t18, _t19, _t22); // executed
					_t20 = _t14;
					 *((intOrPtr*)(_t16 + 0x10)) = _t20;
					if(_t20 == 0) {
						 *((intOrPtr*)(_t16 + 0x10)) =  *((intOrPtr*)(_t16 + 4));
					}
				}
				return  *((intOrPtr*)(_t16 + 0x10));
			}

0x00409fb0
0x00409fb2
0x00409fb6
0x00409fc6
0x00409fcf
0x00409fd4
0x00409fd6
0x00409fdb
0x00409fe0
0x00409fe0
0x00409fdb
0x00409fee

APIs

GetModuleFileNameW.KERNEL32(?,?,0000020A), ref: 00409FC6

Part of subcall function 0040B234: GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040B2EE,?,?,00000000), ref: 0040B270
Part of subcall function 0040B234: LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,0040B2EE,?,?,00000000), ref: 0040B2C1

Memory Dump Source

Source File: 00000000.00000002.408873022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.408864577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409100576.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409115454.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409128043.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409135279.00000000004C6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: FileModuleName$LibraryLoad
String ID:
API String ID: 4113206344-0
Opcode ID: 2301add7ea149dd4fbebfdf59b7b3942b6e3d1df22e9777a155c308e994de31e
Instruction ID: 1beb63cefa55d3dba2b36e2095187d50c135a0cf4330adb642bee8d6847d8901
Opcode Fuzzy Hash: 2301add7ea149dd4fbebfdf59b7b3942b6e3d1df22e9777a155c308e994de31e
Instruction Fuzzy Hash: 7BE0C971A013119BCB10DE58C8C5A4A3798AB08754F044AA6AD24DF387D3B5DD1487D5

Uniqueness

Uniqueness Score: -1.00%

Function 00423ED8 Relevance: 1.5, APIs: 1, Instructions: 11
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00423ED8(intOrPtr* __eax) {
				int _t4;
				intOrPtr* _t7;

				_t7 = __eax;
				_t4 = SetEndOfFile( *(__eax + 4)); // executed
				if(_t4 == 0) {
					return E00423CAC( *_t7);
				}
				return _t4;
			}

0x00423ed9
0x00423edf
0x00423ee6
0x00000000
0x00423eea
0x00423ef0

APIs

SetEndOfFile.KERNEL32(?,7FBA0010,004B6358,00000000), ref: 00423EDF

Part of subcall function 00423CAC: GetLastError.KERNEL32(004237FC,00423D4F,?,?,00000000,?,004B5F76,00000001,00000000,00000002,00000000,004B659E,?,00000000,004B65E2), ref: 00423CAF

Memory Dump Source

Source File: 00000000.00000002.408873022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.408864577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409100576.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409115454.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409128043.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409135279.00000000004C6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: ErrorFileLast
String ID:
API String ID: 734332943-0
Opcode ID: 09339d9670a81d77462708df034512c3e9d7a5ee9c38b49a5b5d33688a33920b
Instruction ID: ae15968ab9cd064c61534cde2c099b4aac4a7b80231ae1acb8e6de6fcc6ca8bf
Opcode Fuzzy Hash: 09339d9670a81d77462708df034512c3e9d7a5ee9c38b49a5b5d33688a33920b
Instruction Fuzzy Hash: 58C04C61300210478B04EEBBD5C190666E85B582157414466B904DB216E67DD9158615

Uniqueness

Uniqueness Score: -1.00%

Function 0040CAA4 Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040CAA4() {
				intOrPtr _v16;
				struct _SYSTEM_INFO* _t3;

				GetSystemInfo(_t3); // executed
				return _v16;
			}

0x0040caa8
0x0040cab4

APIs

GetSystemInfo.KERNEL32 ref: 0040CAA8

Memory Dump Source

Source File: 00000000.00000002.408873022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.408864577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409100576.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409115454.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409128043.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409135279.00000000004C6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 9dd1f6b5bb1b0da35443b21aa4a452d0333aba70165927044b368234b0936b7a
Instruction ID: 4f21eec972071caf62eebbeb90550a79e4d7a8082c8b53f17589c9beddeb5e45
Opcode Fuzzy Hash: 9dd1f6b5bb1b0da35443b21aa4a452d0333aba70165927044b368234b0936b7a
Instruction Fuzzy Hash: CDA012984088002AC404AB194C4340F39C819C1114FC40224745CB62C2E61D866403DB

Uniqueness

Uniqueness Score: -1.00%

Function 00403BCC Relevance: 1.3, APIs: 1, Instructions: 41
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403BCC(signed int __eax) {
				void* _t4;
				intOrPtr _t7;
				signed int _t8;
				void** _t10;
				void* _t12;
				void* _t14;

				_t8 = __eax;
				E00403B60(__eax);
				_t4 = VirtualAlloc(0, 0x13fff0, 0x1000, 4); // executed
				if(_t4 == 0) {
					 *0x4bbaf0 = 0;
					return 0;
				} else {
					_t10 =  *0x4bbadc; // 0x4bbad8
					_t14 = _t4;
					 *_t14 = 0x4bbad8;
					 *0x4bbadc = _t4;
					 *(_t14 + 4) = _t10;
					 *_t10 = _t4;
					_t12 = _t14 + 0x13fff0;
					 *((intOrPtr*)(_t12 - 4)) = 2;
					 *0x4bbaf0 = 0x13ffe0 - _t8;
					_t7 = _t12 - _t8;
					 *0x4bbaec = _t7;
					 *(_t7 - 4) = _t8 | 0x00000002;
					return _t7;
				}
			}

0x00403bce
0x00403bd0
0x00403be3
0x00403bea
0x00403c3c
0x00403c45
0x00403bec
0x00403bec
0x00403bf2
0x00403bf4
0x00403bfa
0x00403bff
0x00403c02
0x00403c06
0x00403c11
0x00403c1e
0x00403c26
0x00403c28
0x00403c35
0x00403c39
0x00403c39

APIs

VirtualAlloc.KERNEL32(00000000,0013FFF0,00001000,00000004,?,000001A3,004041E3,000000FF,00404788,00000000,0040BBE7,00000000,0040C0F5,00000000,0040C3B7,00000000), ref: 00403BE3

Memory Dump Source

Source File: 00000000.00000002.408873022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.408864577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409100576.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409115454.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409128043.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409135279.00000000004C6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: cb8f292e3956ad7a1a5e0c92f19b435d8be5366ce3ed5ca5418bf36ecf0e0e1a
Instruction ID: ee114c9f451a66722181258b66a673b4223530c98f306d9f720d31c7abdd50f3
Opcode Fuzzy Hash: cb8f292e3956ad7a1a5e0c92f19b435d8be5366ce3ed5ca5418bf36ecf0e0e1a
Instruction Fuzzy Hash: 71F087F2F002404FE7249F799D40742BAE8E709315B10827EE908EB799E7F488018B88

Uniqueness

Uniqueness Score: -1.00%

Function 00403CF6 Relevance: 1.3, APIs: 1, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E00403CF6(void* __eax) {
				struct _MEMORY_BASIC_INFORMATION _v44;
				void* _v48;
				void* _t13;
				int _t20;
				void* _t22;
				signed int _t26;
				signed int _t29;
				signed int _t30;
				void* _t34;
				intOrPtr _t35;
				signed int _t39;
				void* _t41;
				void* _t42;

				_push(_t29);
				_t42 = _t41 + 0xffffffdc;
				_t34 = __eax - 0x10;
				E00403C48();
				_t13 = _t34;
				 *_t42 =  *_t13;
				_v48 =  *((intOrPtr*)(_t13 + 4));
				_t26 =  *(_t13 + 0xc);
				if((_t26 & 0x00000008) != 0) {
					_t22 = _t34;
					_t39 = _t26 & 0xfffffff0;
					_t30 = 0;
					while(1) {
						VirtualQuery(_t22,  &_v44, 0x1c);
						if(VirtualFree(_t22, 0, 0x8000) == 0) {
							break;
						}
						_t35 = _v44.RegionSize;
						if(_t39 > _t35) {
							_t39 = _t39 - _t35;
							_t22 = _t22 + _t35;
							continue;
						}
						goto L10;
					}
					_t30 = _t30 | 0xffffffff;
				} else {
					_t20 = VirtualFree(_t34, 0, 0x8000); // executed
					if(_t20 == 0) {
						_t30 = _t29 | 0xffffffff;
					} else {
						_t30 = 0;
					}
				}
				L10:
				if(_t30 == 0) {
					 *_v48 =  *_t42;
					 *( *_t42 + 4) = _v48;
				}
				 *0x4bdb78 = 0;
				return _t30;
			}

0x00403cfa
0x00403cfc
0x00403d01
0x00403d04
0x00403d09
0x00403d0d
0x00403d13
0x00403d17
0x00403d1d
0x00403d39
0x00403d3d
0x00403d40
0x00403d42
0x00403d4a
0x00403d5e
0x00000000
0x00000000
0x00403d65
0x00403d6b
0x00403d6d
0x00403d6f
0x00000000
0x00403d6f
0x00000000
0x00403d6b
0x00403d60
0x00403d1f
0x00403d27
0x00403d2e
0x00403d34
0x00403d30
0x00403d30
0x00403d30
0x00403d2e
0x00403d73
0x00403d75
0x00403d7e
0x00403d87
0x00403d87
0x00403d8a
0x00403d9a

APIs

VirtualFree.KERNEL32(?,00000000,00008000), ref: 00403D27
VirtualQuery.KERNEL32(?,?,0000001C), ref: 00403D4A
VirtualFree.KERNEL32(?,00000000,00008000,?,?,0000001C), ref: 00403D57

Memory Dump Source

Source File: 00000000.00000002.408873022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.408864577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409100576.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409115454.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409128043.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409135279.00000000004C6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: Virtual$Free$Query
String ID:
API String ID: 778034434-0
Opcode ID: 70118730a538275f8eba95c50282fe5a7e92951222106072b386c800723d93a4
Instruction ID: 6789628300bf7aa479fe1b8b627d7daf3441881ad106b622f2e79b23e4dc796b
Opcode Fuzzy Hash: 70118730a538275f8eba95c50282fe5a7e92951222106072b386c800723d93a4
Instruction Fuzzy Hash: C5F06D353046005FD311DF1AC844B17BBE9EFC5711F15C67AE888973A1E635DD018796

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0040A928 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 140
stringlibraryfileCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E0040A928(short* __eax, intOrPtr __edx) {
				short* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v20;
				struct _WIN32_FIND_DATAW _v612;
				short _v1134;
				signed int _t50;
				signed int _t51;
				void* _t55;
				signed int _t88;
				signed int _t89;
				intOrPtr* _t90;
				signed int _t101;
				signed int _t102;
				short* _t112;
				struct HINSTANCE__* _t113;
				short* _t115;
				short* _t116;
				void* _t117;

				_v12 = __edx;
				_v8 = __eax;
				_v16 = _v8;
				_t113 = GetModuleHandleW(L"kernel32.dll");
				if(_t113 == 0) {
					L4:
					if( *_v8 != 0x5c) {
						_t115 = _v8 + 4;
						goto L10;
					} else {
						if( *((short*)(_v8 + 2)) == 0x5c) {
							_t116 = E0040A904(_v8 + 4);
							if( *_t116 != 0) {
								_t14 = _t116 + 2; // 0x2
								_t115 = E0040A904(_t14);
								if( *_t115 != 0) {
									L10:
									_t88 = _t115 - _v8;
									_t89 = _t88 >> 1;
									if(_t88 < 0) {
										asm("adc ebx, 0x0");
									}
									_t43 = _t89 + 1;
									if(_t89 + 1 <= 0x105) {
										E0040A34C( &_v1134, _v8, _t43);
										while( *_t115 != 0) {
											_t112 = E0040A904(_t115 + 2);
											_t50 = _t112 - _t115;
											_t51 = _t50 >> 1;
											if(_t50 < 0) {
												asm("adc eax, 0x0");
											}
											if(_t51 + _t89 + 1 <= 0x105) {
												_t55 =  &_v1134 + _t89 + _t89;
												_t101 = _t112 - _t115;
												_t102 = _t101 >> 1;
												if(_t101 < 0) {
													asm("adc edx, 0x0");
												}
												E0040A34C(_t55, _t115, _t102 + 1);
												_v20 = FindFirstFileW( &_v1134,  &_v612);
												if(_v20 != 0xffffffff) {
													FindClose(_v20);
													if(lstrlenW( &(_v612.cFileName)) + _t89 + 1 + 1 <= 0x105) {
														 *((short*)(_t117 + _t89 * 2 - 0x46a)) = 0x5c;
														E0040A34C( &_v1134 + _t89 + _t89 + 2,  &(_v612.cFileName), 0x105 - _t89 - 1);
														_t89 = _t89 + lstrlenW( &(_v612.cFileName)) + 1;
														_t115 = _t112;
														continue;
													}
												}
											}
											goto L24;
										}
										E0040A34C(_v8,  &_v1134, _v12);
									}
								}
							}
						}
					}
				} else {
					_t90 = GetProcAddress(_t113, "GetLongPathNameW");
					if(_t90 == 0) {
						goto L4;
					} else {
						_push(0x105);
						_push( &_v1134);
						_push(_v8);
						if( *_t90() == 0) {
							goto L4;
						} else {
							E0040A34C(_v8,  &_v1134, _v12);
						}
					}
				}
				L24:
				return _v16;
			}

0x0040a934
0x0040a937
0x0040a93d
0x0040a94a
0x0040a94e
0x0040a98d
0x0040a994
0x0040a9d4
0x00000000
0x0040a996
0x0040a99e
0x0040a9af
0x0040a9b5
0x0040a9bb
0x0040a9c3
0x0040a9c9
0x0040a9d7
0x0040a9d9
0x0040a9dc
0x0040a9de
0x0040a9e0
0x0040a9e0
0x0040a9e3
0x0040a9eb
0x0040a9fc
0x0040aac3
0x0040aa0e
0x0040aa12
0x0040aa14
0x0040aa16
0x0040aa18
0x0040aa18
0x0040aa23
0x0040aa33
0x0040aa37
0x0040aa39
0x0040aa3b
0x0040aa3d
0x0040aa3d
0x0040aa43
0x0040aa5b
0x0040aa62
0x0040aa68
0x0040aa84
0x0040aa86
0x0040aaad
0x0040aabf
0x0040aac1
0x00000000
0x0040aac1
0x0040aa84
0x0040aa62
0x00000000
0x0040aa23
0x0040aad9
0x0040aad9
0x0040a9eb
0x0040a9c9
0x0040a9b5
0x0040a99e
0x0040a950
0x0040a95b
0x0040a95f
0x00000000
0x0040a961
0x0040a961
0x0040a96c
0x0040a970
0x0040a975
0x00000000
0x0040a977
0x0040a983
0x0040a983
0x0040a975
0x0040a95f
0x0040aade
0x0040aae7

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,004162BC,?,?), ref: 0040A945
GetProcAddress.KERNEL32(00000000,GetLongPathNameW), ref: 0040A956
FindFirstFileW.KERNEL32(?,?,kernel32.dll,004162BC,?,?), ref: 0040AA56
FindClose.KERNEL32(?,?,?,kernel32.dll,004162BC,?,?), ref: 0040AA68
lstrlenW.KERNEL32(?,?,?,?,kernel32.dll,004162BC,?,?), ref: 0040AA74
lstrlenW.KERNEL32(?,?,?,?,?,kernel32.dll,004162BC,?,?), ref: 0040AAB9

Strings

kernel32.dll, xrefs: 0040A940
GetLongPathNameW, xrefs: 0040A950
\, xrefs: 0040AA86

Memory Dump Source

Source File: 00000000.00000002.408873022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.408864577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409100576.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409115454.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409128043.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409135279.00000000004C6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: Findlstrlen$AddressCloseFileFirstHandleModuleProc
String ID: GetLongPathNameW$\$kernel32.dll
API String ID: 1930782624-3908791685
Opcode ID: 2e7747c66ca0daf9bf73dcf24122f514d4f35ae2d915a4be054088bbf24f0c4d
Instruction ID: 0568a8f2c4c85ac628058e700237ad117df8c3680498263a44950cac296231c5
Opcode Fuzzy Hash: 2e7747c66ca0daf9bf73dcf24122f514d4f35ae2d915a4be054088bbf24f0c4d
Instruction Fuzzy Hash: 7841A071B003189BCB20DE98CD85A9EB3B5AB44310F1485B69945F72C1EB7CAE51CF4A

Uniqueness

Uniqueness Score: -1.00%

Function 004AF110 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 42
shutdownCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E004AF110() {
				int _v4;
				struct _TOKEN_PRIVILEGES _v16;
				void* _v20;
				int _t7;

				if(E0041FF2C() != 2) {
					L5:
					_t7 = ExitWindowsEx(2, 0);
					asm("sbb eax, eax");
					return _t7 + 1;
				}
				if(OpenProcessToken(GetCurrentProcess(), 0x28,  &_v20) != 0) {
					LookupPrivilegeValueW(0, L"SeShutdownPrivilege",  &(_v16.Privileges));
					_v16.PrivilegeCount = 1;
					_v4 = 2;
					AdjustTokenPrivileges(_v20, 0,  &_v16, 0, 0, 0);
					if(GetLastError() == 0) {
						goto L5;
					}
					return 0;
				}
				return 0;
			}

0x004af11b
0x004af178
0x004af17c
0x004af184
0x00000000
0x004af186
0x004af12d
0x004af13f
0x004af144
0x004af14c
0x004af166
0x004af172
0x00000000
0x00000000
0x00000000
0x004af174
0x00000000

APIs

GetCurrentProcess.KERNEL32(00000028), ref: 004AF120
OpenProcessToken.ADVAPI32(00000000,00000028), ref: 004AF126
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 004AF13F
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 004AF166
GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 004AF16B
ExitWindowsEx.USER32 ref: 004AF17C

Strings

SeShutdownPrivilege, xrefs: 004AF138

Memory Dump Source

Source File: 00000000.00000002.408873022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.408864577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409100576.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409115454.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409128043.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409135279.00000000004C6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
String ID: SeShutdownPrivilege
API String ID: 107509674-3733053543
Opcode ID: dbd0b99069aff0d6788c9efc2bbd2c2bb6d4dae2a155ecb9c3cc528dabbfbf9f
Instruction ID: 15d82be9bc359c8987119149698676c325083c88dcd196a4f2f9cd1a299335ef
Opcode Fuzzy Hash: dbd0b99069aff0d6788c9efc2bbd2c2bb6d4dae2a155ecb9c3cc528dabbfbf9f
Instruction Fuzzy Hash: 75F06D70684301B5E610A6F2CD07F6B21C89B56B58FA00D3EBA84E91C2D7BDD81D42BF

Uniqueness

Uniqueness Score: -1.00%

Function 004AF9F0 Relevance: 6.0, APIs: 4, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004AF9F0() {
				struct HRSRC__* _t10;
				void* _t11;
				void* _t12;

				_t10 = FindResourceW(0, 0x2b67, 0xa);
				if(_t10 == 0) {
					E004AF834();
				}
				if(SizeofResource(0, _t10) != 0x2c) {
					E004AF834();
				}
				_t11 = LoadResource(0, _t10);
				if(_t11 == 0) {
					E004AF834();
				}
				_t12 = LockResource(_t11);
				if(_t12 == 0) {
					E004AF834();
				}
				return _t12;
			}

0x004af9ff
0x004afa03
0x004afa05
0x004afa05
0x004afa15
0x004afa17
0x004afa17
0x004afa24
0x004afa28
0x004afa2a
0x004afa2a
0x004afa35
0x004afa39
0x004afa3b
0x004afa3b
0x004afa43

APIs

FindResourceW.KERNEL32(00000000,00002B67,0000000A,?,004B5F8E,00000000,004B654A,?,00000001,00000000,00000002,00000000,004B659E,?,00000000,004B65E2), ref: 004AF9FA
SizeofResource.KERNEL32(00000000,00000000,00000000,00002B67,0000000A,?,004B5F8E,00000000,004B654A,?,00000001,00000000,00000002,00000000,004B659E), ref: 004AFA0D
LoadResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00002B67,0000000A,?,004B5F8E,00000000,004B654A,?,00000001,00000000,00000002,00000000), ref: 004AFA1F
LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00002B67,0000000A,?,004B5F8E,00000000,004B654A,?,00000001,00000000,00000002), ref: 004AFA30

Memory Dump Source

Source File: 00000000.00000002.408873022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.408864577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409100576.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409115454.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409128043.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409135279.00000000004C6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: 128b44542abe6d6e0e09835f67cf23f4a4e4be27e5836866f54195567a651b81
Instruction ID: 8c15b2061d88d30e204a2d131290402b8da5209396f43898e5d703764eea749b
Opcode Fuzzy Hash: 128b44542abe6d6e0e09835f67cf23f4a4e4be27e5836866f54195567a651b81
Instruction Fuzzy Hash: FCE07E8074634625FA6436F718D7BAE00084B36B4DF40593FFA08A92D2EEAC8C19522E

Uniqueness

Uniqueness Score: -1.00%

Function 0040A4CC Relevance: 4.6, APIs: 3, Instructions: 99
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E0040A4CC(signed short __eax, void* __ebx, intOrPtr* __edx, void* __edi, void* __esi) {
				intOrPtr* _v8;
				intOrPtr _v12;
				short _v182;
				short _v352;
				char _v356;
				char _v360;
				char _v364;
				int _t58;
				signed int _t61;
				intOrPtr _t70;
				signed short _t80;
				void* _t83;
				void* _t85;
				void* _t86;

				_t77 = __edi;
				_push(__edi);
				_v356 = 0;
				_v360 = 0;
				_v364 = 0;
				_v8 = __edx;
				_t80 = __eax;
				_push(_t83);
				_push(0x40a631);
				_push( *[fs:eax]);
				 *[fs:eax] = _t83 + 0xfffffe98;
				E00407A20(_v8);
				_t85 = _t80 -  *0x4b7a08; // 0x404
				if(_t85 >= 0) {
					_t86 = _t80 -  *0x4b7c08; // 0x7c68
					if(_t86 <= 0) {
						_t77 = 0x40;
						_v12 = 0;
						if(0x40 >= _v12) {
							do {
								_t61 = _t77 + _v12 >> 1;
								if(_t80 >=  *((intOrPtr*)(0x4b7a08 + _t61 * 8))) {
									__eflags = _t80 -  *((intOrPtr*)(0x4b7a08 + _t61 * 8));
									if(__eflags <= 0) {
										E0040A3EC( *((intOrPtr*)(0x4b7a0c + _t61 * 8)), _t61, _v8, _t77, _t80, __eflags);
									} else {
										_v12 = _t61 + 1;
										goto L8;
									}
								} else {
									_t77 = _t61 - 1;
									goto L8;
								}
								goto L9;
								L8:
							} while (_t77 >= _v12);
						}
					}
				}
				L9:
				if( *_v8 == 0 && IsValidLocale(_t80 & 0x0000ffff, 2) != 0) {
					_t58 = _t80 & 0x0000ffff;
					GetLocaleInfoW(_t58, 0x59,  &_v182, 0x55);
					GetLocaleInfoW(_t58, 0x5a,  &_v352, 0x55);
					E0040858C( &_v356, 0x55,  &_v182);
					_push(_v356);
					_push(0x40a64c);
					E0040858C( &_v360, 0x55,  &_v352);
					_push(_v360);
					_push(E0040A65C);
					E0040858C( &_v364, 0x55,  &_v182);
					_push(_v364);
					E004087C4(_v8, _t58, 5, _t77, _t80);
				}
				_pop(_t70);
				 *[fs:eax] = _t70;
				_push(E0040A638);
				return E00407A80( &_v364, 3);
			}

0x0040a4cc
0x0040a4d7
0x0040a4da
0x0040a4e0
0x0040a4e6
0x0040a4ec
0x0040a4ef
0x0040a4f3
0x0040a4f4
0x0040a4f9
0x0040a4fc
0x0040a502
0x0040a507
0x0040a50e
0x0040a510
0x0040a517
0x0040a519
0x0040a520
0x0040a526
0x0040a528
0x0040a52d
0x0040a537
0x0040a53e
0x0040a546
0x0040a558
0x0040a548
0x0040a549
0x00000000
0x0040a549
0x0040a539
0x0040a53b
0x00000000
0x0040a53b
0x00000000
0x0040a55f
0x0040a55f
0x0040a528
0x0040a526
0x0040a517
0x0040a564
0x0040a56a
0x0040a58e
0x0040a592
0x0040a5a3
0x0040a5b9
0x0040a5be
0x0040a5c4
0x0040a5da
0x0040a5df
0x0040a5e5
0x0040a5fb
0x0040a600
0x0040a60e
0x0040a60e
0x0040a615
0x0040a618
0x0040a61b
0x0040a630

APIs

IsValidLocale.KERNEL32(?,00000002,00000000,0040A631,?,004162BC,?,00000000), ref: 0040A576
GetLocaleInfoW.KERNEL32(00000000,00000059,?,00000055,?,00000002,00000000,0040A631,?,004162BC,?,00000000), ref: 0040A592
GetLocaleInfoW.KERNEL32(00000000,0000005A,?,00000055,00000000,00000059,?,00000055,?,00000002,00000000,0040A631,?,004162BC,?,00000000), ref: 0040A5A3

Memory Dump Source

Source File: 00000000.00000002.408873022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.408864577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409100576.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409115454.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409128043.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409135279.00000000004C6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: Locale$Info$Valid
String ID:
API String ID: 1826331170-0
Opcode ID: 62325bdbcd9f8bf22caa424e6d98428fadf2f4ef7d6ad95b5286de9b97f55654
Instruction ID: 92a11a0233c3b219485afac9e49f2dea99407596d6f7a83949ef3a6145fdf69e
Opcode Fuzzy Hash: 62325bdbcd9f8bf22caa424e6d98428fadf2f4ef7d6ad95b5286de9b97f55654
Instruction Fuzzy Hash: 3831AE70A00308ABDF20DB64DD81BDEBBB9FB48701F5005BBA508B32D1D6395E90CE1A

Uniqueness

Uniqueness Score: -1.00%

Function 0041A4DC Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041A4DC(WCHAR* _a4, intOrPtr* _a8, intOrPtr* _a12) {
				long _v8;
				long _v12;
				long _v16;
				long _v20;
				intOrPtr _v24;
				signed int _v28;
				WCHAR* _t25;
				int _t26;
				intOrPtr _t31;
				intOrPtr _t34;
				intOrPtr* _t37;
				intOrPtr* _t38;
				intOrPtr _t46;
				intOrPtr _t48;

				_t25 = _a4;
				if(_t25 == 0) {
					_t25 = 0;
				}
				_t26 = GetDiskFreeSpaceW(_t25,  &_v8,  &_v12,  &_v16,  &_v20);
				_v28 = _v8 * _v12;
				_v24 = 0;
				_t46 = _v24;
				_t31 = E004095A8(_v28, _t46, _v16, 0);
				_t37 = _a8;
				 *_t37 = _t31;
				 *((intOrPtr*)(_t37 + 4)) = _t46;
				_t48 = _v24;
				_t34 = E004095A8(_v28, _t48, _v20, 0);
				_t38 = _a12;
				 *_t38 = _t34;
				 *((intOrPtr*)(_t38 + 4)) = _t48;
				return _t26;
			}

0x0041a4e3
0x0041a4e8
0x0041a4ea
0x0041a4ea
0x0041a4fd
0x0041a50c
0x0041a50f
0x0041a51c
0x0041a51f
0x0041a524
0x0041a527
0x0041a529
0x0041a536
0x0041a539
0x0041a53e
0x0041a541
0x0041a543
0x0041a54c

APIs

GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?), ref: 0041A4FD

Memory Dump Source

Source File: 00000000.00000002.408873022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.408864577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409100576.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409115454.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409128043.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409135279.00000000004C6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: DiskFreeSpace
String ID:
API String ID: 1705453755-0
Opcode ID: 35fab30d3ed47bb79bc7b5801678cd6b626cb6661b26d0a6d4a2aa78d0844cce
Instruction ID: 14c90aad059d6341cd8fbca9d1c94cd423dd62e4f1f0ed92fc39ecac232c4210
Opcode Fuzzy Hash: 35fab30d3ed47bb79bc7b5801678cd6b626cb6661b26d0a6d4a2aa78d0844cce
Instruction Fuzzy Hash: 7711C0B5A01209AFDB04CF9ACD819EFB7F9EFC8304B14C569A505E7255E6319E018B94

Uniqueness

Uniqueness Score: -1.00%

Function 0041E034 Relevance: 1.5, APIs: 1, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041E034(int __eax, void* __ecx, int __edx, intOrPtr _a4) {
				short _v516;
				void* __ebp;
				int _t5;
				intOrPtr _t10;
				void* _t18;

				_t18 = __ecx;
				_t10 = _a4;
				_t5 = GetLocaleInfoW(__eax, __edx,  &_v516, 0x100);
				_t19 = _t5;
				if(_t5 <= 0) {
					return E00407E00(_t10, _t18);
				}
				return E00407BA8(_t10, _t5 - 1,  &_v516, _t19);
			}

0x0041e03f
0x0041e041
0x0041e052
0x0041e057
0x0041e059
0x00000000
0x0041e071
0x00000000

APIs

GetLocaleInfoW.KERNEL32(?,?,?,00000100), ref: 0041E052

Memory Dump Source

Source File: 00000000.00000002.408873022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.408864577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409100576.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409115454.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409128043.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409135279.00000000004C6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: d1249f9bfb9152180de995f4510b089303b0330b3d36e5e1fa950d916a740853
Instruction ID: c90943d4e22265a1f7ecf9aede9ac9faa011377f579ac525cbc4109061889d1c
Opcode Fuzzy Hash: d1249f9bfb9152180de995f4510b089303b0330b3d36e5e1fa950d916a740853
Instruction Fuzzy Hash: C7E09235B0421427E314A55A9C86AE7725D9B48340F40457FBD05D7382EDB9AE8042E9

Uniqueness

Uniqueness Score: -1.00%

Function 0041E080 Relevance: 1.5, APIs: 1, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E0041E080(int __eax, signed int __ecx, int __edx) {
				short _v16;
				signed int _t5;
				signed int _t10;

				_push(__ecx);
				_t10 = __ecx;
				if(GetLocaleInfoW(__eax, __edx,  &_v16, 2) <= 0) {
					_t5 = _t10;
				} else {
					_t5 = _v16 & 0x0000ffff;
				}
				return _t5;
			}

0x0041e083
0x0041e084
0x0041e09a
0x0041e0a2
0x0041e09c
0x0041e09c
0x0041e09c
0x0041e0a8

APIs

GetLocaleInfoW.KERNEL32(?,0000000F,?,00000002,0000002C,?,?,?,0041E182,?,00000001,00000000,0041E391), ref: 0041E093

Memory Dump Source

Source File: 00000000.00000002.408873022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.408864577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409100576.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409115454.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409128043.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409135279.00000000004C6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: c2a2e253f202cad765f8f9b35123567cb33a3e9031303696ff7b3b42dc5ba059
Instruction ID: 961adf842b5e4829a7f1cb68f4be235500f18d0b61d537998bbd462cca006134
Opcode Fuzzy Hash: c2a2e253f202cad765f8f9b35123567cb33a3e9031303696ff7b3b42dc5ba059
Instruction Fuzzy Hash: 45D05EBA31923476E214915B6E85DB75ADCCBC87A2F14483BBE4CC6241D2A4CC46A275

Uniqueness

Uniqueness Score: -1.00%

Function 004AF218 Relevance: 1.5, APIs: 1, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004AF218(signed int __eax) {
				short _v8;
				signed int _t6;

				_t6 = GetLocaleInfoW(__eax & 0x0000ffff, 0x20001004,  &_v8, 2);
				if(_t6 <= 0) {
					return _t6 | 0xffffffff;
				}
				return _v8;
			}

0x004af22e
0x004af235
0x00000000
0x004af23c
0x00000000

APIs

GetLocaleInfoW.KERNEL32(?,20001004,?,00000002,00000000,?,?,004AF318), ref: 004AF22E

Memory Dump Source

Source File: 00000000.00000002.408873022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.408864577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409100576.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409115454.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409128043.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409135279.00000000004C6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 91ef75d91c3bf0fbfb4c903f00eadddcc0e9dd42321a82c412adf8826a4a964a
Instruction ID: 3cbbb47bc5e3852376f83ef88ad8e7e21f22c900a58d153b56eed97a123c5839
Opcode Fuzzy Hash: 91ef75d91c3bf0fbfb4c903f00eadddcc0e9dd42321a82c412adf8826a4a964a
Instruction Fuzzy Hash: E8D0A5F55442087DF504C1DA5D82FB673DCD705374F500767F654C52C1D567EE015219

Uniqueness

Uniqueness Score: -1.00%

Function 0041C3D8 Relevance: 1.5, APIs: 1, Instructions: 6
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041C3D8() {
				struct _SYSTEMTIME* _t2;

				GetLocalTime(_t2);
				return _t2->wYear & 0x0000ffff;
			}

0x0041c3dc
0x0041c3e8

APIs

GetLocalTime.KERNEL32 ref: 0041C3DC

Memory Dump Source

Source File: 00000000.00000002.408873022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.408864577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409100576.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409115454.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409128043.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409135279.00000000004C6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: LocalTime
String ID:
API String ID: 481472006-0
Opcode ID: 2bbd9f916a85fd19aaf3e135de3c6f6031220cebfdbc254b78c71648618a48a1
Instruction ID: 79eafb11b28f80ce797d6e9fe134e5764476c7cb5db39d72cf417c4d7be8b418
Opcode Fuzzy Hash: 2bbd9f916a85fd19aaf3e135de3c6f6031220cebfdbc254b78c71648618a48a1
Instruction Fuzzy Hash: DAA0122080582011D140331A0C0313530405900620FC40F55BCF8542D1E93D013440D7

Uniqueness

Uniqueness Score: -1.00%

Function 004255DC Relevance: .5, Instructions: 545
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E004255DC(intOrPtr* __eax, intOrPtr __ecx, intOrPtr __edx, intOrPtr* _a4, intOrPtr _a8) {
				intOrPtr* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				signed int _v24;
				char _v25;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				char _v64;
				char* _v68;
				void* _v72;
				char _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				signed int _v88;
				char _v89;
				char _v96;
				signed int _v100;
				signed int _v104;
				short* _v108;
				signed int _v112;
				signed int _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				char _v136;
				signed int _t370;
				void* _t375;
				signed int _t377;
				signed int _t381;
				signed int _t389;
				signed int _t395;
				signed int _t411;
				intOrPtr _t422;
				signed int _t426;
				signed int _t435;
				void* _t448;
				signed int _t458;
				char _t460;
				signed int _t474;
				char* _t503;
				signed int _t508;
				signed int _t616;
				signed int _t617;
				signed int _t618;
				signed int _t622;

				_v16 = __ecx;
				_v12 = __edx;
				_v8 = __eax;
				_v20 =  *((intOrPtr*)(_v8 + 0x10));
				_v24 = 0;
				_v32 = (1 <<  *(_v8 + 8)) - 1;
				_v36 = (1 <<  *(_v8 + 4)) - 1;
				_v40 =  *_v8;
				_t617 =  *((intOrPtr*)(_v8 + 0x34));
				_t474 =  *(_v8 + 0x44);
				_v44 =  *((intOrPtr*)(_v8 + 0x38));
				_v48 =  *((intOrPtr*)(_v8 + 0x3c));
				_v52 =  *((intOrPtr*)(_v8 + 0x40));
				_v56 =  *((intOrPtr*)(_v8 + 0x48));
				_v60 =  *((intOrPtr*)(_v8 + 0x2c));
				_v64 =  *((intOrPtr*)(_v8 + 0x30));
				_v68 =  *((intOrPtr*)(_v8 + 0x1c));
				_v72 =  *((intOrPtr*)(_v8 + 0xc));
				_t616 =  *((intOrPtr*)(_v8 + 0x28));
				_v128 =  *((intOrPtr*)(_v8 + 0x20));
				_v124 =  *((intOrPtr*)(_v8 + 0x24));
				_v120 = _v12;
				_v136 =  *((intOrPtr*)(_v8 + 0x14));
				_v132 =  *((intOrPtr*)(_v8 + 0x18));
				 *_a4 = 0;
				if(_v56 == 0xffffffff) {
					return 0;
				}
				__eflags = _v72;
				if(_v72 == 0) {
					_v68 =  &_v76;
					_v72 = 1;
					_v76 =  *((intOrPtr*)(_v8 + 0x4c));
				}
				__eflags = _v56 - 0xfffffffe;
				if(_v56 != 0xfffffffe) {
					L12:
					_v108 = _v16 + _v24;
					while(1) {
						__eflags = _v56;
						if(_v56 == 0) {
							break;
						}
						__eflags = _v24 - _a8;
						if(_v24 < _a8) {
							_t458 = _t616 - _t617;
							__eflags = _t458 - _v72;
							if(_t458 >= _v72) {
								_t458 = _t458 + _v72;
								__eflags = _t458;
							}
							_t460 =  *((intOrPtr*)(_v68 + _t458));
							 *((char*)(_v68 + _t616)) = _t460;
							 *_v108 = _t460;
							_v24 = _v24 + 1;
							_v108 = _v108 + 1;
							_t616 = _t616 + 1;
							__eflags = _t616 - _v72;
							if(_t616 == _v72) {
								_t616 = 0;
								__eflags = 0;
							}
							_t116 =  &_v56;
							 *_t116 = _v56 - 1;
							__eflags =  *_t116;
							continue;
						}
						break;
					}
					__eflags = _t616;
					if(_t616 != 0) {
						_v25 =  *((intOrPtr*)(_v68 + _t616 - 1));
					} else {
						_v25 =  *((intOrPtr*)(_v68 + _v72 - 1));
					}
					__eflags = 0;
					_v116 = 0;
					_v112 = 0;
					while(1) {
						L24:
						_v108 = _v16 + _v24;
						__eflags = _v24 - _a8;
						if(_v24 >= _a8) {
							break;
						} else {
							goto L25;
						}
						while(1) {
							L25:
							_v88 = _v24 + _v60 & _v32;
							__eflags = _v116;
							if(_v116 != 0) {
								break;
							}
							__eflags = _v112;
							if(_v112 == 0) {
								_t370 = E00425334((_t474 << 4) + (_t474 << 4) + _v20 + _v88 + _v88,  &_v136);
								__eflags = _t370;
								if(_t370 != 0) {
									_t375 = E00425334(_t474 + _t474 + _v20 + 0x180,  &_v136);
									__eflags = _t375 != 1;
									if(_t375 != 1) {
										_v52 = _v48;
										_v48 = _v44;
										_v44 = _t617;
										__eflags = _t474 - 7;
										if(__eflags >= 0) {
											_t377 = 0xa;
										} else {
											_t377 = 7;
										}
										_t474 = _t377;
										_v56 = E004254E4(_v20 + 0x664, _v88,  &_v136, __eflags);
										_t503 =  &_v136;
										__eflags = _v56 - 4;
										if(_v56 >= 4) {
											_t381 = 3;
										} else {
											_t381 = _v56;
										}
										_v100 = E004253BC((_t381 << 6) + (_t381 << 6) + _v20 + 0x360, _t503, 6);
										__eflags = _v100 - 4;
										if(_v100 < 4) {
											_t618 = _v100;
										} else {
											_v104 = (_v100 >> 1) - 1;
											_t524 = _v104;
											_t622 = (_v100 & 0x00000001 | 0x00000002) << _v104;
											__eflags = _v100 - 0xe;
											if(_v100 >= 0xe) {
												_t395 = E004252D4( &_v136, _t524, _v104 + 0xfffffffc);
												_t618 = _t622 + (_t395 << 4) + E00425400(_v20 + 0x644,  &_v136, 4);
											} else {
												_t618 = _t622 + E00425400(_t622 + _t622 + _v20 + 0x560 - _v100 + _v100 + 0xfffffffe,  &_v136, _v104);
											}
										}
										_t617 = _t618 + 1;
										__eflags = _t617;
										if(_t617 != 0) {
											L82:
											_v56 = _v56 + 2;
											__eflags = _t617 - _v64;
											if(_t617 <= _v64) {
												__eflags = _v72 - _v64 - _v56;
												if(_v72 - _v64 <= _v56) {
													_v64 = _v72;
												} else {
													_v64 = _v64 + _v56;
												}
												while(1) {
													_t389 = _t616 - _t617;
													__eflags = _t389 - _v72;
													if(_t389 >= _v72) {
														_t389 = _t389 + _v72;
														__eflags = _t389;
													}
													_v25 =  *((intOrPtr*)(_v68 + _t389));
													 *((char*)(_v68 + _t616)) = _v25;
													_t616 = _t616 + 1;
													__eflags = _t616 - _v72;
													if(_t616 == _v72) {
														_t616 = 0;
														__eflags = 0;
													}
													_v56 = _v56 - 1;
													 *_v108 = _v25;
													_v24 = _v24 + 1;
													_v108 = _v108 + 1;
													__eflags = _v56;
													if(_v56 == 0) {
														break;
													}
													__eflags = _v24 - _a8;
													if(_v24 < _a8) {
														continue;
													}
													break;
												}
												L93:
												__eflags = _v24 - _a8;
												if(_v24 < _a8) {
													continue;
												}
												goto L94;
											}
											return 1;
										} else {
											_v56 = 0xffffffff;
											goto L94;
										}
									}
									_t411 = E00425334(_t474 + _t474 + _v20 + 0x198,  &_v136);
									__eflags = _t411;
									if(_t411 != 0) {
										__eflags = E00425334(_t474 + _t474 + _v20 + 0x1b0,  &_v136);
										if(__eflags != 0) {
											__eflags = E00425334(_t474 + _t474 + _v20 + 0x1c8,  &_v136);
											if(__eflags != 0) {
												_t422 = _v52;
												_v52 = _v48;
											} else {
												_t422 = _v48;
											}
											_v48 = _v44;
										} else {
											_t422 = _v44;
										}
										_v44 = _t617;
										_t617 = _t422;
										L65:
										_v56 = E004254E4(_v20 + 0xa68, _v88,  &_v136, __eflags);
										__eflags = _t474 - 7;
										if(_t474 >= 7) {
											_t426 = 0xb;
										} else {
											_t426 = 8;
										}
										_t474 = _t426;
										goto L82;
									}
									__eflags = E00425334((_t474 << 4) + (_t474 << 4) + _v20 + _v88 + _v88 + 0x1e0,  &_v136);
									if(__eflags != 0) {
										goto L65;
									}
									__eflags = _v64;
									if(_v64 != 0) {
										__eflags = _t474 - 7;
										if(_t474 >= 7) {
											_t508 = 0xb;
										} else {
											_t508 = 9;
										}
										_t474 = _t508;
										_t435 = _t616 - _t617;
										__eflags = _t435 - _v72;
										if(_t435 >= _v72) {
											_t435 = _t435 + _v72;
											__eflags = _t435;
										}
										_v25 =  *((intOrPtr*)(_v68 + _t435));
										 *((char*)(_v68 + _t616)) = _v25;
										_t616 = _t616 + 1;
										__eflags = _t616 - _v72;
										if(_t616 == _v72) {
											_t616 = 0;
											__eflags = 0;
										}
										 *_v108 = _v25;
										_v24 = _v24 + 1;
										__eflags = _v64 - _v72;
										if(_v64 < _v72) {
											_v64 = _v64 + 1;
										}
										goto L24;
									}
									return 1;
								}
								_t448 = (((_v24 + _v60 & _v36) << _v40) + (0 >> 8 - _v40) << 8) + (((_v24 + _v60 & _v36) << _v40) + (0 >> 8 - _v40) << 8) * 2 + (((_v24 + _v60 & _v36) << _v40) + (0 >> 8 - _v40) << 8) + (((_v24 + _v60 & _v36) << _v40) + (0 >> 8 - _v40) << 8) * 2 + _v20 + 0xe6c;
								__eflags = _t474 - 7;
								if(__eflags < 0) {
									_v25 = E00425444(_t448,  &_v136, __eflags);
								} else {
									_v96 = _t616 - _t617;
									__eflags = _v96 - _v72;
									if(__eflags >= 0) {
										_t161 =  &_v96;
										 *_t161 = _v96 + _v72;
										__eflags =  *_t161;
									}
									_v89 =  *((intOrPtr*)(_v68 + _v96));
									_v25 = E00425470(_t448, _v89,  &_v136, __eflags);
								}
								 *_v108 = _v25;
								_v24 = _v24 + 1;
								_v108 = _v108 + 1;
								__eflags = _v64 - _v72;
								if(_v64 < _v72) {
									_t180 =  &_v64;
									 *_t180 = _v64 + 1;
									__eflags =  *_t180;
								}
								 *((char*)(_v68 + _t616)) = _v25;
								_t616 = _t616 + 1;
								__eflags = _t616 - _v72;
								if(_t616 == _v72) {
									_t616 = 0;
									__eflags = 0;
								}
								__eflags = _t474 - 4;
								if(_t474 >= 4) {
									__eflags = _t474 - 0xa;
									if(_t474 >= 0xa) {
										_t474 = _t474 - 6;
									} else {
										_t474 = _t474 - 3;
									}
								} else {
									_t474 = 0;
								}
								goto L93;
							}
							return 1;
						}
						return _v116;
					}
					L94:
					 *((intOrPtr*)(_v8 + 0x20)) = _v128;
					 *((intOrPtr*)(_v8 + 0x24)) = _v124;
					 *((intOrPtr*)(_v8 + 0x28)) = _t616;
					 *((intOrPtr*)(_v8 + 0x2c)) = _v60 + _v24;
					 *((intOrPtr*)(_v8 + 0x30)) = _v64;
					 *((intOrPtr*)(_v8 + 0x34)) = _t617;
					 *((intOrPtr*)(_v8 + 0x38)) = _v44;
					 *((intOrPtr*)(_v8 + 0x3c)) = _v48;
					 *((intOrPtr*)(_v8 + 0x40)) = _v52;
					 *(_v8 + 0x44) = _t474;
					 *((intOrPtr*)(_v8 + 0x48)) = _v56;
					 *((char*)(_v8 + 0x4c)) = _v76;
					 *((intOrPtr*)(_v8 + 0x14)) = _v136;
					 *((intOrPtr*)(_v8 + 0x18)) = _v132;
					 *_a4 = _v24;
					__eflags = 0;
					return 0;
				}
				_v80 = (0x300 <<  *(_v8 + 4) + _v40) + 0x736;
				_v84 = 0;
				_v108 = _v20;
				__eflags = _v84 - _v80;
				if(_v84 >= _v80) {
					L7:
					_v52 = 1;
					_v48 = 1;
					_v44 = 1;
					_t617 = 1;
					_v60 = 0;
					_v64 = 0;
					_t474 = 0;
					_t616 = 0;
					 *((char*)(_v68 + _v72 - 1)) = 0;
					E00425294( &_v136);
					__eflags = _v116;
					if(_v116 != 0) {
						return _v116;
					}
					__eflags = _v112;
					if(_v112 == 0) {
						__eflags = 0;
						_v56 = 0;
						goto L12;
					} else {
						return 1;
					}
				} else {
					goto L6;
				}
				do {
					L6:
					 *_v108 = 0x400;
					_v84 = _v84 + 1;
					_v108 = _v108 + 2;
					__eflags = _v84 - _v80;
				} while (_v84 < _v80);
				goto L7;
			}

0x004255e8
0x004255eb
0x004255ee
0x004255f9
0x004255fc
0x0042560d
0x0042561e
0x00425626
0x0042562f
0x00425635
0x0042563b
0x00425644
0x0042564d
0x00425656
0x0042565f
0x00425668
0x00425671
0x0042567a
0x00425683
0x00425689
0x00425692
0x00425698
0x004256a1
0x004256af
0x004256b5
0x004256bb
0x00000000
0x004256bd
0x004256c4
0x004256c8
0x004256cd
0x004256d0
0x004256dd
0x004256dd
0x004256e0
0x004256e4
0x00425785
0x0042578e
0x004257c3
0x004257c3
0x004257c7
0x00000000
0x00000000
0x004257cc
0x004257cf
0x00425795
0x00425797
0x0042579a
0x0042579c
0x0042579c
0x0042579c
0x004257a9
0x004257aa
0x004257b0
0x004257b2
0x004257b5
0x004257b8
0x004257b9
0x004257bc
0x004257be
0x004257be
0x004257be
0x004257c0
0x004257c0
0x004257c0
0x00000000
0x004257c0
0x00000000
0x004257cf
0x004257d1
0x004257d3
0x004257eb
0x004257d5
0x004257df
0x004257df
0x004257f0
0x004257f2
0x004257f5
0x004257f8
0x004257f8
0x00425801
0x00425807
0x0042580a
0x00000000
0x00000000
0x00000000
0x00000000
0x00425810
0x00425810
0x00425819
0x0042581c
0x00425820
0x00000000
0x00000000
0x0042582a
0x0042582e
0x00425851
0x00425856
0x00425858
0x00425931
0x00425936
0x00425937
0x00425a77
0x00425a7d
0x00425a80
0x00425a83
0x00425a86
0x00425a8f
0x00425a88
0x00425a88
0x00425a88
0x00425a94
0x00425aac
0x00425aaf
0x00425ab5
0x00425ab9
0x00425ac0
0x00425abb
0x00425abb
0x00425abb
0x00425adc
0x00425adf
0x00425ae3
0x00425b5c
0x00425ae5
0x00425aeb
0x00425aee
0x00425afa
0x00425afc
0x00425b00
0x00425b36
0x00425b58
0x00425b02
0x00425b26
0x00425b26
0x00425b00
0x00425b5f
0x00425b5f
0x00425b60
0x00425b6b
0x00425b6b
0x00425b6f
0x00425b72
0x00425b84
0x00425b87
0x00425b94
0x00425b89
0x00425b8c
0x00425b8c
0x00425b97
0x00425b99
0x00425b9b
0x00425b9e
0x00425ba0
0x00425ba0
0x00425ba0
0x00425ba9
0x00425bb2
0x00425bb5
0x00425bb6
0x00425bb9
0x00425bbb
0x00425bbb
0x00425bbb
0x00425bbd
0x00425bc6
0x00425bc8
0x00425bcb
0x00425bce
0x00425bd2
0x00000000
0x00000000
0x00425bd7
0x00425bda
0x00000000
0x00000000
0x00000000
0x00425bda
0x00425bdc
0x00425bdf
0x00425be2
0x00000000
0x00000000
0x00000000
0x00425be2
0x00000000
0x00425b62
0x00425b62
0x00000000
0x00425b62
0x00425b60
0x0042594f
0x00425954
0x00425956
0x00425a06
0x00425a08
0x00425a26
0x00425a28
0x00425a2f
0x00425a35
0x00425a2a
0x00425a2a
0x00425a2a
0x00425a3b
0x00425a0a
0x00425a0a
0x00425a0a
0x00425a3e
0x00425a41
0x00425a43
0x00425a59
0x00425a5c
0x00425a5f
0x00425a68
0x00425a61
0x00425a61
0x00425a61
0x00425a6d
0x00000000
0x00425a6d
0x0042597d
0x0042597f
0x00000000
0x00000000
0x00425985
0x00425989
0x00425995
0x00425998
0x004259a1
0x0042599a
0x0042599a
0x0042599a
0x004259a6
0x004259aa
0x004259ac
0x004259af
0x004259b1
0x004259b1
0x004259b1
0x004259ba
0x004259c3
0x004259c6
0x004259c7
0x004259ca
0x004259cc
0x004259cc
0x004259cc
0x004259d4
0x004259d6
0x004259dc
0x004259df
0x004259e5
0x004259e5
0x00000000
0x004259df
0x00000000
0x0042598b
0x00425888
0x0042588d
0x00425890
0x004258d1
0x00425892
0x00425896
0x0042589c
0x0042589f
0x004258a4
0x004258a4
0x004258a4
0x004258a4
0x004258b0
0x004258c1
0x004258c1
0x004258da
0x004258dc
0x004258df
0x004258e5
0x004258e8
0x004258ea
0x004258ea
0x004258ea
0x004258ea
0x004258f3
0x004258f6
0x004258f7
0x004258fa
0x004258fc
0x004258fc
0x004258fc
0x004258fe
0x00425901
0x0042590a
0x0042590d
0x00425917
0x0042590f
0x0042590f
0x0042590f
0x00425903
0x00425903
0x00425903
0x00000000
0x00425901
0x00000000
0x00425830
0x00000000
0x00425822
0x00425be8
0x00425bee
0x00425bf7
0x00425bfd
0x00425c09
0x00425c12
0x00425c18
0x00425c21
0x00425c2a
0x00425c33
0x00425c39
0x00425c42
0x00425c4b
0x00425c57
0x00425c60
0x00425c69
0x00425c6b
0x00000000
0x00425c6b
0x00425701
0x00425704
0x0042570c
0x00425712
0x00425715
0x0042572e
0x00425735
0x00425738
0x0042573b
0x0042573e
0x00425740
0x00425745
0x00425748
0x00425750
0x00425752
0x0042575d
0x00425762
0x00425766
0x00000000
0x00425768
0x00425770
0x00425774
0x00425780
0x00425782
0x00000000
0x00425776
0x00000000
0x00425776
0x00000000
0x00000000
0x00000000
0x00425717
0x00425717
0x0042571a
0x0042571f
0x00425722
0x00425729
0x00425729
0x00000000

Memory Dump Source

Source File: 00000000.00000002.408873022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.408864577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409100576.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409115454.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409128043.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409135279.00000000004C6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YogaDNSSetup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cb438cf7f0ff76753a1d16800e3023f3e313fbbfbb21f985cf38b771b24bb28
Instruction ID: 61b87226b6134f121ca287378b5d435c32ef56f555bf4f4916e7d2b2d6d49e77
Opcode Fuzzy Hash: 7cb438cf7f0ff76753a1d16800e3023f3e313fbbfbb21f985cf38b771b24bb28
Instruction Fuzzy Hash: E932E274E00629DFCB14CF99D981AEDBBB2BF88314F64816AD815AB341D734AE42CF54

Uniqueness

Uniqueness Score: -1.00%

Function 004323DC Relevance: .4, Instructions: 408
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E004323DC(signed int* __eax, intOrPtr __ecx, signed int __edx) {
				signed int* _v8;
				signed int* _v12;
				intOrPtr _v16;
				char _v20;
				char _v24;
				char _v28;
				unsigned int* _t96;
				unsigned int* _t106;
				signed int* _t108;
				signed int _t109;

				_t109 = __edx;
				_v16 = __ecx;
				_v12 = __eax;
				_t106 =  &_v24;
				_t108 =  &_v28;
				_t96 =  &_v20;
				 *_t96 = __edx + 0xdeadbeef + _v16;
				 *_t106 =  *_t96;
				 *_t108 =  *_t96;
				_v8 = _v12;
				if((_v8 & 0x00000003) != 0) {
					if(__edx <= 0xc) {
						L20:
						if(_t109 > 0xc) {
							L23:
							 *_t108 =  *_t108 + ((_v8[2] & 0x000000ff) << 0x18);
							L24:
							 *_t108 =  *_t108 + ((_v8[2] & 0x000000ff) << 0x10);
							L25:
							 *_t108 =  *_t108 + ((_v8[2] & 0x000000ff) << 8);
							L26:
							 *_t108 =  *_t108 + (_v8[2] & 0x000000ff);
							L27:
							 *_t106 =  *_t106 + ((_v8[1] & 0x000000ff) << 0x18);
							L28:
							 *_t106 =  *_t106 + ((_v8[1] & 0x000000ff) << 0x10);
							L29:
							 *_t106 =  *_t106 + ((_v8[1] & 0x000000ff) << 8);
							L30:
							 *_t106 =  *_t106 + (_v8[1] & 0x000000ff);
							L31:
							 *_t96 =  *_t96 + ((_v8[0] & 0x000000ff) << 0x18);
							L32:
							 *_t96 =  *_t96 + ((_v8[0] & 0x000000ff) << 0x10);
							L33:
							 *_t96 =  *_t96 + ((_v8[0] & 0x000000ff) << 8);
							L34:
							 *_t96 =  *_t96 + ( *_v8 & 0x000000ff);
							L35:
							 *_t108 =  *_t108 ^  *_t106;
							 *_t108 =  *_t108 - ( *_t106 << 0x0000000e |  *_t106 >> 0x00000012);
							 *_t96 =  *_t96 ^  *_t108;
							 *_t96 =  *_t96 - ( *_t108 << 0x0000000b |  *_t108 >> 0x00000015);
							 *_t106 =  *_t106 ^  *_t96;
							 *_t106 =  *_t106 - ( *_t96 << 0x00000019 |  *_t96 >> 0x00000007);
							 *_t108 =  *_t108 ^  *_t106;
							 *_t108 =  *_t108 - ( *_t106 << 0x00000010 |  *_t106 >> 0x00000010);
							 *_t96 =  *_t96 ^  *_t108;
							 *_t96 =  *_t96 - ( *_t108 << 0x00000004 |  *_t108 >> 0x0000001c);
							 *_t106 =  *_t106 ^  *_t96;
							 *_t106 =  *_t106 - ( *_t96 << 0x0000000e |  *_t96 >> 0x00000012);
							 *_t108 =  *_t108 ^  *_t106;
							 *_t108 =  *_t108 - ( *_t106 << 0x00000018 |  *_t106 >> 0x00000008);
							return  *_t108;
						}
						switch( *((intOrPtr*)(_t109 * 4 +  &M00432749))) {
							case 0:
								return  *_t108;
							case 1:
								goto L34;
							case 2:
								goto L33;
							case 3:
								goto L32;
							case 4:
								goto L31;
							case 5:
								goto L30;
							case 6:
								goto L29;
							case 7:
								goto L28;
							case 8:
								goto L27;
							case 9:
								goto L26;
							case 0xa:
								goto L25;
							case 0xb:
								goto L24;
							case 0xc:
								goto L23;
						}
					} else {
						goto L19;
					}
					do {
						L19:
						 *_t96 =  *_t96 + ( *_v8 & 0x000000ff) + ((_v8[0] & 0x000000ff) << 8) + ((_v8[0] & 0x000000ff) << 0x10) + ((_v8[0] & 0x000000ff) << 0x18);
						 *_t106 =  *_t106 + (_v8[1] & 0x000000ff) + ((_v8[1] & 0x000000ff) << 8) + ((_v8[1] & 0x000000ff) << 0x10) + ((_v8[1] & 0x000000ff) << 0x18);
						 *_t108 =  *_t108 + (_v8[2] & 0x000000ff) + ((_v8[2] & 0x000000ff) << 8) + ((_v8[2] & 0x000000ff) << 0x10) + ((_v8[2] & 0x000000ff) << 0x18);
						 *_t96 =  *_t96 -  *_t108;
						 *_t96 =  *_t96 ^ ( *_t108 << 0x00000004 |  *_t108 >> 0x0000001c);
						 *_t108 =  *_t108 +  *_t106;
						 *_t106 =  *_t106 -  *_t96;
						 *_t106 =  *_t106 ^ ( *_t96 << 0x00000006 |  *_t96 >> 0x0000001a);
						 *_t96 =  *_t96 +  *_t108;
						 *_t108 =  *_t108 -  *_t106;
						 *_t108 =  *_t108 ^ ( *_t106 << 0x00000008 |  *_t106 >> 0x00000018);
						 *_t106 =  *_t106 +  *_t96;
						 *_t96 =  *_t96 -  *_t108;
						 *_t96 =  *_t96 ^ ( *_t108 << 0x00000010 |  *_t108 >> 0x00000010);
						 *_t108 =  *_t108 +  *_t106;
						 *_t106 =  *_t106 -  *_t96;
						 *_t106 =  *_t106 ^ ( *_t96 << 0x00000013 |  *_t96 >> 0x0000000d);
						 *_t96 =  *_t96 +  *_t108;
						 *_t108 =  *_t108 -  *_t106;
						 *_t108 =  *_t108 ^ ( *_t106 << 0x00000004 |  *_t106 >> 0x0000001c);
						 *_t106 =  *_t106 +  *_t96;
						_t109 = _t109 - 0xc;
						_v8 =  &(_v8[3]);
					} while (_t109 > 0xc);
					goto L20;
				}
				if(__edx <= 0xc) {
					L3:
					if(_t109 > 0xc) {
						goto L35;
					}
					switch( *((intOrPtr*)(_t109 * 4 +  &M004324DD))) {
						case 0:
							return  *_t108;
						case 1:
							_v8 =  *_v8;
							__edx =  *_v8 & 0x000000ff;
							 *__eax =  *__eax + ( *_v8 & 0x000000ff);
							goto L35;
						case 2:
							_v8 =  *_v8;
							__edx =  *_v8 & 0x0000ffff;
							 *__eax =  *__eax + ( *_v8 & 0x0000ffff);
							goto L35;
						case 3:
							_v8 =  *_v8;
							__edx =  *_v8 & 0x00ffffff;
							 *__eax =  *__eax + ( *_v8 & 0x00ffffff);
							goto L35;
						case 4:
							_v8 =  *_v8;
							 *__eax =  *__eax +  *_v8;
							goto L35;
						case 5:
							__edx = _v8;
							 *__eax =  *__eax +  *__edx;
							__edx =  *(__edx + 4);
							 *__ebx =  *__ebx + __edx;
							goto L35;
						case 6:
							__edx = _v8;
							 *__eax =  *__eax +  *__edx;
							__edx =  *(__edx + 4);
							 *__ebx =  *__ebx + __edx;
							goto L35;
						case 7:
							__edx = _v8;
							 *__eax =  *__eax +  *__edx;
							__edx =  *(__edx + 4);
							 *__ebx =  *__ebx + __edx;
							goto L35;
						case 8:
							__edx = _v8;
							 *__eax =  *__eax +  *__edx;
							 *__ebx =  *__ebx + __edx;
							goto L35;
						case 9:
							__edx = _v8;
							 *__eax =  *__eax +  *__edx;
							 *__ebx =  *__ebx +  *(__edx + 4);
							__edx =  *(__edx + 8);
							 *__ecx =  *__ecx + __edx;
							goto L35;
						case 0xa:
							__edx = _v8;
							 *__eax =  *__eax +  *__edx;
							 *__ebx =  *__ebx +  *(__edx + 4);
							__edx =  *(__edx + 8);
							 *__ecx =  *__ecx + __edx;
							goto L35;
						case 0xb:
							__edx = _v8;
							 *__eax =  *__eax +  *__edx;
							 *__ebx =  *__ebx +  *(__edx + 4);
							__edx =  *(__edx + 8);
							 *__ecx =  *__ecx + __edx;
							goto L35;
						case 0xc:
							__edx = _v8;
							 *__eax =  *__eax +  *__edx;
							 *__ebx =  *__ebx +  *(__edx + 4);
							 *__ecx =  *__ecx + __edx;
							goto L35;
					}
				} else {
					goto L2;
				}
				do {
					L2:
					 *_t96 =  *_t96 +  *_v8;
					 *_t106 =  *_t106 + _v8[1];
					 *_t108 =  *_t108 + _v8[2];
					 *_t96 =  *_t96 -  *_t108;
					 *_t96 =  *_t96 ^ ( *_t108 << 0x00000004 |  *_t108 >> 0x0000001c);
					 *_t108 =  *_t108 +  *_t106;
					 *_t106 =  *_t106 -  *_t96;
					 *_t106 =  *_t106 ^ ( *_t96 << 0x00000006 |  *_t96 >> 0x0000001a);
					 *_t96 =  *_t96 +  *_t108;
					 *_t108 =  *_t108 -  *_t106;
					 *_t108 =  *_t108 ^ ( *_t106 << 0x00000008 |  *_t106 >> 0x00000018);
					 *_t106 =  *_t106 +  *_t96;
					 *_t96 =  *_t96 -  *_t108;
					 *_t96 =  *_t96 ^ ( *_t108 << 0x00000010 |  *_t108 >> 0x00000010);
					 *_t108 =  *_t108 +  *_t106;
					 *_t106 =  *_t106 -  *_t96;
					 *_t106 =  *_t106 ^ ( *_t96 << 0x00000013 |  *_t96 >> 0x0000000d);
					 *_t96 =  *_t96 +  *_t108;
					 *_t108 =  *_t108 -  *_t106;
					 *_t108 =  *_t108 ^ ( *_t106 << 0x00000004 |  *_t106 >> 0x0000001c);
					 *_t106 =  *_t106 +  *_t96;
					_t109 = _t109 - 0xc;
					_v8 = _v8 + 0xc;
				} while (_t109 > 0xc);
				goto L3;
			}

0x004323dc
0x004323e5
0x004323e8
0x004323eb
0x004323ee
0x004323f1
0x004323ff
0x00432403
0x00432407
0x0043240c
0x00432413
0x0043261d
0x0043273d
0x00432740
0x00432784
0x0043278e
0x00432790
0x0043279a
0x0043279c
0x004327a6
0x004327a8
0x004327af
0x004327b1
0x004327bb
0x004327bd
0x004327c7
0x004327c9
0x004327d3
0x004327d5
0x004327dc
0x004327de
0x004327e8
0x004327ea
0x004327f4
0x004327f6
0x00432800
0x00432802
0x00432808
0x0043280a
0x0043280c
0x0043281a
0x0043281e
0x0043282c
0x00432830
0x0043283e
0x00432842
0x00432850
0x00432854
0x00432862
0x00432866
0x00432874
0x00432878
0x00432886
0x00000000
0x00432888
0x00432742
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00432623
0x00432623
0x0043264d
0x0043267a
0x004326a7
0x004326ab
0x004326b9
0x004326bd
0x004326c1
0x004326cf
0x004326d3
0x004326d7
0x004326e5
0x004326e9
0x004326ed
0x004326fb
0x004326ff
0x00432703
0x00432711
0x00432715
0x00432719
0x00432727
0x0043272b
0x0043272d
0x00432730
0x00432734
0x00000000
0x00432623
0x0043241c
0x004324cd
0x004324d0
0x00000000
0x00000000
0x004324d6
0x00000000
0x00000000
0x00000000
0x0043251b
0x0043251d
0x00432523
0x00000000
0x00000000
0x0043252d
0x0043252f
0x00432535
0x00000000
0x00000000
0x0043253f
0x00432541
0x00432547
0x00000000
0x00000000
0x00432551
0x00432553
0x00000000
0x00000000
0x0043255a
0x0043255f
0x00432561
0x0043256a
0x00000000
0x00000000
0x00432571
0x00432576
0x00432578
0x00432581
0x00000000
0x00000000
0x00432588
0x0043258d
0x0043258f
0x00432598
0x00000000
0x00000000
0x0043259f
0x004325a4
0x004325a9
0x00000000
0x00000000
0x004325b0
0x004325b5
0x004325ba
0x004325bc
0x004325c5
0x00000000
0x00000000
0x004325cc
0x004325d1
0x004325d6
0x004325d8
0x004325e1
0x00000000
0x00000000
0x004325e8
0x004325ed
0x004325f2
0x004325f4
0x004325fd
0x00000000
0x00000000
0x00432604
0x00432609
0x0043260e
0x00432613
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00432422
0x00432422
0x00432427
0x0043242f
0x00432437
0x0043243b
0x00432449
0x0043244d
0x00432451
0x0043245f
0x00432463
0x00432467
0x00432475
0x00432479
0x0043247d
0x0043248b
0x0043248f
0x00432493
0x004324a1
0x004324a5
0x004324a9
0x004324b7
0x004324bb
0x004324bd
0x004324c0
0x004324c4
0x00000000

Memory Dump Source

Source File: 00000000.00000002.408873022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.408864577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409100576.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409115454.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409128043.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409135279.00000000004C6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YogaDNSSetup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33b0767fec04d2cc36286a41c43eb0d38f805e6e14f2767db37a63931b683382
Instruction ID: db30b7f2ad9068286955554028b9aaa685d7675e6c5eb7ed9f8bac599936a457
Opcode Fuzzy Hash: 33b0767fec04d2cc36286a41c43eb0d38f805e6e14f2767db37a63931b683382
Instruction Fuzzy Hash: 9402E032900235DFDB96CF69C140149B7B6FF8A32472A82D2D854AB229D270BE52DFD1

Uniqueness

Uniqueness Score: -1.00%

Function 0040E9C4 Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.408873022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.408864577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409100576.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409115454.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409128043.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409135279.00000000004C6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YogaDNSSetup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3027258f69a45e47f11e6ef411682183d8681a3ba960b00656adada6bea5bd6d
Instruction ID: d9bdd0ffc78bce1da46a164adb44ca0a352dc4e9e15995579375b7a7492e944c
Opcode Fuzzy Hash: 3027258f69a45e47f11e6ef411682183d8681a3ba960b00656adada6bea5bd6d
Instruction Fuzzy Hash: FB61A7456AE7C66FCB07C33008B81D6AF61AE9325478B53EFC8C58A493D10D281EE363

Uniqueness

Uniqueness Score: -1.00%

Function 00405AE0 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.408873022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.408864577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409100576.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409115454.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409128043.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409135279.00000000004C6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YogaDNSSetup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f1654813ed5821a00b8b7144780f614f73eea8c4dc557e3c0d17b55d1bda45a
Instruction ID: c1f34be03cf0569538104f0038f02cfb84df381903d0011f2ebedd3a3241928c
Opcode Fuzzy Hash: 1f1654813ed5821a00b8b7144780f614f73eea8c4dc557e3c0d17b55d1bda45a
Instruction Fuzzy Hash: 76C0E9B550D6066E975C8F1AB480815FBE5FAC8324364C22EA01C83644D73154518A64

Uniqueness

Uniqueness Score: -1.00%

Function 00427874 Relevance: 42.1, APIs: 1, Strings: 23, Instructions: 141
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00427874() {
				struct HINSTANCE__* _v8;
				intOrPtr _t46;
				void* _t91;

				_v8 = GetModuleHandleW(L"oleaut32.dll");
				 *0x4c1134 = E00427848("VariantChangeTypeEx", E00427264, _t91);
				 *0x4c1138 = E00427848("VarNeg", E004272AC, _t91);
				 *0x4c113c = E00427848("VarNot", E004272AC, _t91);
				 *0x4c1140 = E00427848("VarAdd", E004272B8, _t91);
				 *0x4c1144 = E00427848("VarSub", E004272B8, _t91);
				 *0x4c1148 = E00427848("VarMul", E004272B8, _t91);
				 *0x4c114c = E00427848("VarDiv", E004272B8, _t91);
				 *0x4c1150 = E00427848("VarIdiv", E004272B8, _t91);
				 *0x4c1154 = E00427848("VarMod", E004272B8, _t91);
				 *0x4c1158 = E00427848("VarAnd", E004272B8, _t91);
				 *0x4c115c = E00427848("VarOr", E004272B8, _t91);
				 *0x4c1160 = E00427848("VarXor", E004272B8, _t91);
				 *0x4c1164 = E00427848("VarCmp", E004272C4, _t91);
				 *0x4c1168 = E00427848("VarI4FromStr", E004272D0, _t91);
				 *0x4c116c = E00427848("VarR4FromStr", E0042733C, _t91);
				 *0x4c1170 = E00427848("VarR8FromStr", E004273AC, _t91);
				 *0x4c1174 = E00427848("VarDateFromStr", E0042741C, _t91);
				 *0x4c1178 = E00427848("VarCyFromStr", E0042748C, _t91);
				 *0x4c117c = E00427848("VarBoolFromStr", E004274FC, _t91);
				 *0x4c1180 = E00427848("VarBstrFromCy", E0042757C, _t91);
				 *0x4c1184 = E00427848("VarBstrFromDate", E00427624, _t91);
				_t46 = E00427848("VarBstrFromBool", E004277B4, _t91);
				 *0x4c1188 = _t46;
				return _t46;
			}

0x00427882
0x00427896
0x004278ac
0x004278c2
0x004278d8
0x004278ee
0x00427904
0x0042791a
0x00427930
0x00427946
0x0042795c
0x00427972
0x00427988
0x0042799e
0x004279b4
0x004279ca
0x004279e0
0x004279f6
0x00427a0c
0x00427a22
0x00427a38
0x00427a4e
0x00427a5e
0x00427a64
0x00427a6b

APIs

GetModuleHandleW.KERNEL32(oleaut32.dll), ref: 0042787D

Part of subcall function 00427848: GetProcAddress.KERNEL32(00000000), ref: 00427861

Strings

VarAnd, xrefs: 00427951
VarXor, xrefs: 0042797D
VarBoolFromStr, xrefs: 00427A17
VarCmp, xrefs: 00427993
VarBstrFromDate, xrefs: 00427A43
VarNeg, xrefs: 004278A1
VarBstrFromCy, xrefs: 00427A2D
VarNot, xrefs: 004278B7
VarCyFromStr, xrefs: 00427A01
VarOr, xrefs: 00427967
VarBstrFromBool, xrefs: 00427A59
VarMul, xrefs: 004278F9
VarIdiv, xrefs: 00427925
VarSub, xrefs: 004278E3
VarDiv, xrefs: 0042790F
VariantChangeTypeEx, xrefs: 0042788B
VarR4FromStr, xrefs: 004279BF
VarDateFromStr, xrefs: 004279EB
oleaut32.dll, xrefs: 00427878
VarAdd, xrefs: 004278CD
VarMod, xrefs: 0042793B
VarR8FromStr, xrefs: 004279D5
VarI4FromStr, xrefs: 004279A9

Memory Dump Source

Source File: 00000000.00000002.408873022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.408864577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409100576.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409115454.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409128043.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409135279.00000000004C6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
API String ID: 1646373207-1918263038
Opcode ID: 3edd394f2c42f1ee7728dbbd964d2d48b2f407ea9c7b21d0b846acf91e36c10d
Instruction ID: afb448a43cf45882875cbd5333393c9475fd06a837c60371df2c799b3a2ca9d5
Opcode Fuzzy Hash: 3edd394f2c42f1ee7728dbbd964d2d48b2f407ea9c7b21d0b846acf91e36c10d
Instruction Fuzzy Hash: 4741442078D2689A53007BAA3C0692A7B9CD64A7243E0E07FF5048B766DF7CAC40867D

Uniqueness

Uniqueness Score: -1.00%

Function 0041E7CC Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 194
threadCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E0041E7CC(void* __eax, void* __ebx, signed int __edx, void* __edi, void* __esi, long long __fp0) {
				signed int _v8;
				char _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr* _t32;
				signed int _t53;
				signed int _t56;
				signed int _t71;
				signed int _t78;
				signed int* _t82;
				signed int _t85;
				void* _t93;
				signed int _t94;
				signed int _t95;
				signed int _t98;
				signed int _t99;
				void* _t105;
				intOrPtr _t106;
				signed int _t109;
				intOrPtr _t116;
				intOrPtr _t117;
				void* _t131;
				void* _t132;
				signed int _t134;
				void* _t136;
				void* _t137;
				void* _t139;
				void* _t140;
				intOrPtr _t141;
				void* _t142;
				long long _t161;

				_t161 = __fp0;
				_t126 = __edi;
				_t109 = __edx;
				_t139 = _t140;
				_t141 = _t140 + 0xfffffff0;
				_push(__edi);
				_v12 = 0;
				_v8 = __edx;
				_t93 = __eax;
				_push(_t139);
				_push(0x41ea61);
				_push( *[fs:eax]);
				 *[fs:eax] = _t141;
				_t32 =  *0x4ba590; // 0x4bb8f8
				_t144 =  *_t32;
				if( *_t32 == 0) {
					E0040554C(0x1a);
				}
				E00406688(E0040690C( *0x4be7e4, 0, _t126), _t109 | 0xffffffff, _t144);
				_push(_t139);
				_push(0x41ea44);
				_push( *[fs:edx]);
				 *[fs:edx] = _t141;
				 *0x4be7dc = 0;
				_push(0);
				E00409C00();
				_t142 = _t141 + 4;
				E0041E034(_t93, 0x41ea7c, 0x100b,  &_v12);
				_t127 = E0041A1C4(0x41ea7c, 1, _t144);
				if(_t127 + 0xfffffffd - 3 >= 0) {
					__eflags = _t127 - 0xffffffffffffffff;
					if(_t127 - 0xffffffffffffffff < 0) {
						 *0x4be7dc = 1;
						_push(1);
						E00409C00();
						_t142 = _t142 + 4;
						E00407E00( *0x4be7e0, L"B.C.");
						 *((intOrPtr*)( *0x4be7e0 + 4)) = 0;
						_t71 =  *0x4be7e0;
						 *((intOrPtr*)(_t71 + 8)) = 0xffc00000;
						 *((intOrPtr*)(_t71 + 0xc)) = 0xc1dfffff;
						E0041C1C4(1, 1, 1, __eflags, _t161);
						_v20 = E00405790();
						_v16 = 1;
						asm("fild qword [ebp-0x10]");
						 *((long long*)( *0x4be7e0 + 0x10)) = _t161;
						asm("wait");
						EnumCalendarInfoW(E0041E6A4, GetThreadLocale(), _t127, 4);
						_t78 =  *0x4be7e0;
						__eflags = _t78;
						if(_t78 != 0) {
							_t82 = _t78 - 4;
							__eflags = _t82;
							_t78 =  *_t82;
						}
						_t134 = _t78 - 1;
						__eflags = _t134;
						if(_t134 > 0) {
							_t98 = 1;
							do {
								 *((intOrPtr*)( *0x4be7e0 + 4 + (_t98 + _t98 * 2) * 8)) = 0xffffffff;
								_t98 = _t98 + 1;
								_t134 = _t134 - 1;
								__eflags = _t134;
							} while (_t134 != 0);
						}
						EnumCalendarInfoW(E0041E73C, GetThreadLocale(), _t127, 3);
					}
				} else {
					EnumCalendarInfoW(E0041E6A4, GetThreadLocale(), _t127, 4);
					_t85 =  *0x4be7e0;
					if(_t85 != 0) {
						_t85 =  *(_t85 - 4);
					}
					_t136 = _t85 - 1;
					if(_t136 >= 0) {
						_t137 = _t136 + 1;
						_t99 = 0;
						do {
							 *((intOrPtr*)( *0x4be7e0 + 4 + (_t99 + _t99 * 2) * 8)) = 0xffffffff;
							_t99 = _t99 + 1;
							_t137 = _t137 - 1;
						} while (_t137 != 0);
					}
					EnumCalendarInfoW(E0041E73C, GetThreadLocale(), _t127, 3);
				}
				_t94 =  *0x4be7e0;
				if(_t94 != 0) {
					_t94 =  *(_t94 - 4);
				}
				_push(_t94);
				E00409C00();
				_t53 =  *0x4be7e0;
				if(_t53 != 0) {
					_t53 =  *(_t53 - 4);
				}
				_t131 = _t53 - 1;
				if(_t131 >= 0) {
					_t132 = _t131 + 1;
					_t95 = 0;
					do {
						_t127 = _t95 + _t95 * 2;
						_t106 =  *0x416e18; // 0x416e1c
						E00408F5C( *((intOrPtr*)(_v8 + 0xbc)) + (_t95 + _t95 * 2) * 8, _t106,  *0x4be7e0 + (_t95 + _t95 * 2) * 8);
						_t95 = _t95 + 1;
						_t132 = _t132 - 1;
					} while (_t132 != 0);
				}
				_t116 =  *0x41e600; // 0x41e604
				E00409D24(0x4be7e0, _t116);
				_t56 =  *0x4be7e0;
				if(_t56 != 0) {
					_t56 =  *(_t56 - 4);
				}
				 *0x4be7dc = _t56;
				_pop(_t117);
				_pop(_t105);
				 *[fs:eax] = _t117;
				_push(0x41ea4b);
				return E00406868( *0x4be7e4, _t105, _t127);
			}

0x0041e7cc
0x0041e7cc
0x0041e7cc
0x0041e7cd
0x0041e7cf
0x0041e7d4
0x0041e7d7
0x0041e7da
0x0041e7dd
0x0041e7e1
0x0041e7e2
0x0041e7e7
0x0041e7ea
0x0041e7ed
0x0041e7f2
0x0041e7f5
0x0041e7f9
0x0041e7f9
0x0041e80b
0x0041e812
0x0041e813
0x0041e818
0x0041e81b
0x0041e820
0x0041e826
0x0041e837
0x0041e83c
0x0041e84f
0x0041e861
0x0041e86b
0x0041e8c8
0x0041e8cb
0x0041e8d6
0x0041e8dc
0x0041e8ed
0x0041e8f2
0x0041e8ff
0x0041e90b
0x0041e90e
0x0041e913
0x0041e91a
0x0041e92d
0x0041e937
0x0041e93a
0x0041e93d
0x0041e945
0x0041e948
0x0041e957
0x0041e95c
0x0041e961
0x0041e963
0x0041e965
0x0041e965
0x0041e968
0x0041e968
0x0041e96c
0x0041e96d
0x0041e96f
0x0041e971
0x0041e976
0x0041e97f
0x0041e987
0x0041e988
0x0041e988
0x0041e988
0x0041e976
0x0041e999
0x0041e999
0x0041e86d
0x0041e87b
0x0041e880
0x0041e887
0x0041e88c
0x0041e88c
0x0041e890
0x0041e893
0x0041e895
0x0041e896
0x0041e898
0x0041e8a1
0x0041e8a9
0x0041e8aa
0x0041e8aa
0x0041e898
0x0041e8bb
0x0041e8bb
0x0041e9a3
0x0041e9a7
0x0041e9ac
0x0041e9ac
0x0041e9ae
0x0041e9c2
0x0041e9ca
0x0041e9d1
0x0041e9d6
0x0041e9d6
0x0041e9da
0x0041e9dd
0x0041e9df
0x0041e9e0
0x0041e9e2
0x0041e9e2
0x0041e9fa
0x0041ea00
0x0041ea05
0x0041ea06
0x0041ea06
0x0041e9e2
0x0041ea0e
0x0041ea14
0x0041ea19
0x0041ea20
0x0041ea25
0x0041ea25
0x0041ea27
0x0041ea2e
0x0041ea30
0x0041ea31
0x0041ea34
0x0041ea43

APIs

GetThreadLocale.KERNEL32(00000000,00000004), ref: 0041E870
EnumCalendarInfoW.KERNEL32(0041E6A4,00000000,00000000,00000004), ref: 0041E87B
GetThreadLocale.KERNEL32(00000000,00000003,0041E6A4,00000000,00000000,00000004), ref: 0041E8B0
EnumCalendarInfoW.KERNEL32(0041E73C,00000000,00000000,00000003,0041E6A4,00000000,00000000,00000004), ref: 0041E8BB
GetThreadLocale.KERNEL32(00000000,00000004), ref: 0041E94C
EnumCalendarInfoW.KERNEL32(0041E6A4,00000000,00000000,00000004), ref: 0041E957
GetThreadLocale.KERNEL32(00000000,00000003,0041E6A4,00000000,00000000,00000004), ref: 0041E98E
EnumCalendarInfoW.KERNEL32(0041E73C,00000000,00000000,00000003,0041E6A4,00000000,00000000,00000004), ref: 0041E999

Strings

K, xrefs: 0041EA09
K, xrefs: 0041E827
B.C., xrefs: 0041E8FA
K, xrefs: 0041E8DD
ToA, xrefs: 0041E9BC

Memory Dump Source

Source File: 00000000.00000002.408873022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.408864577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409100576.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409115454.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409128043.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409135279.00000000004C6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: CalendarEnumInfoLocaleThread
String ID: B.C.$ToA$K$K$K
API String ID: 683597275-1724967715
Opcode ID: 30548e6079ac2033bf0e04708f2267278c7844b43060e3a4cc9a960100252a35
Instruction ID: 5f9a2d1895d99171d8daf0119b8bb3b5d98f795b9e196a74a36fcd0882631485
Opcode Fuzzy Hash: 30548e6079ac2033bf0e04708f2267278c7844b43060e3a4cc9a960100252a35
Instruction Fuzzy Hash: 3061D7786002009FD710EF2BCC85AD677A9FB84354B518A7AFC019B3A6CB78DC41CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0040A250 Relevance: 21.0, APIs: 8, Strings: 4, Instructions: 28
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040A250() {
				signed int _t2;
				_Unknown_base(*)()* _t8;

				InitializeCriticalSection(0x4bdc10);
				 *0x4bdc28 = 0x7f;
				_t2 = GetVersion() & 0x000000ff;
				 *0x4bdc0c = _t2 - 6 >= 0;
				if( *0x4bdc0c != 0) {
					 *0x4bdc00 = GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "GetThreadPreferredUILanguages");
					 *0x4bdc04 = GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "SetThreadPreferredUILanguages");
					_t8 = GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "GetThreadUILanguage");
					 *0x4bdc08 = _t8;
					return _t8;
				}
				return _t2;
			}

0x0040a255
0x0040a25a
0x0040a268
0x0040a270
0x0040a27e
0x0040a295
0x0040a2af
0x0040a2c4
0x0040a2c9
0x00000000
0x0040a2c9
0x0040a2ce

APIs

InitializeCriticalSection.KERNEL32(004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A255
GetVersion.KERNEL32(004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A263
GetModuleHandleW.KERNEL32(kernel32.dll,GetThreadPreferredUILanguages,004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A28A
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040A290
GetModuleHandleW.KERNEL32(kernel32.dll,SetThreadPreferredUILanguages,00000000,kernel32.dll,GetThreadPreferredUILanguages,004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A2A4
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040A2AA
GetModuleHandleW.KERNEL32(kernel32.dll,GetThreadUILanguage,00000000,kernel32.dll,SetThreadPreferredUILanguages,00000000,kernel32.dll,GetThreadPreferredUILanguages,004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A2BE
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040A2C4

Strings

SetThreadPreferredUILanguages, xrefs: 0040A29A
kernel32.dll, xrefs: 0040A285, 0040A29F, 0040A2B9
GetThreadPreferredUILanguages, xrefs: 0040A280
GetThreadUILanguage, xrefs: 0040A2B4

Memory Dump Source

Source File: 00000000.00000002.408873022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.408864577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409100576.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409115454.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409128043.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409135279.00000000004C6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: AddressHandleModuleProc$CriticalInitializeSectionVersion
String ID: GetThreadPreferredUILanguages$GetThreadUILanguage$SetThreadPreferredUILanguages$kernel32.dll
API String ID: 74573329-1403180336
Opcode ID: 58d327082e64ef42c945ef42cd8e374577ec01c28157982806072b66866d47a0
Instruction ID: d84369935ce7e940d286def53580bf621e493dc20acbcc0033f4522394103be5
Opcode Fuzzy Hash: 58d327082e64ef42c945ef42cd8e374577ec01c28157982806072b66866d47a0
Instruction Fuzzy Hash: F9F098A49853413DD6207F769D07B292D685A0170AF644AFFB410763D3EEFE4190E71E

Uniqueness

Uniqueness Score: -1.00%

Function 0041E0AC Relevance: 17.7, APIs: 2, Strings: 8, Instructions: 216
threadCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E0041E0AC(int __eax, void* __ebx, void* __edx, void* __edi, void* __esi, void* __fp0) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v52;
				char _v56;
				char _v60;
				int _t55;
				void* _t121;
				void* _t128;
				void* _t151;
				void* _t152;
				intOrPtr _t172;
				intOrPtr _t204;
				signed short _t212;
				int _t214;
				intOrPtr _t216;
				intOrPtr _t217;
				void* _t224;

				_t224 = __fp0;
				_t211 = __edi;
				_t216 = _t217;
				_t152 = 7;
				do {
					_push(0);
					_push(0);
					_t152 = _t152 - 1;
				} while (_t152 != 0);
				_push(__edi);
				_t151 = __edx;
				_t214 = __eax;
				_push(_t216);
				_push(0x41e391);
				_push( *[fs:eax]);
				 *[fs:eax] = _t217;
				_t55 = IsValidLocale(__eax, 1);
				_t219 = _t55;
				if(_t55 == 0) {
					_t214 = GetThreadLocale();
				}
				_t172 =  *0x416f50; // 0x416f54
				E00409D24(_t151 + 0xbc, _t172);
				E0041E7CC(_t214, _t151, _t151, _t211, _t214, _t224);
				E0041E4A0(_t214, _t151, _t151, _t211, _t214);
				E0041E55C(_t214, _t151, _t151, _t211, _t214);
				E0041E034(_t214, 0, 0x14,  &_v20);
				E00407E00(_t151, _v20);
				E0041E034(_t214, 0x41e3ac, 0x1b,  &_v24);
				 *((char*)(_t151 + 4)) = E0041A1C4(0x41e3ac, 0, _t219);
				E0041E034(_t214, 0x41e3ac, 0x1c,  &_v28);
				 *((char*)(_t151 + 0xc6)) = E0041A1C4(0x41e3ac, 0, _t219);
				 *((short*)(_t151 + 0xc0)) = E0041E080(_t214, 0x2c, 0xf);
				 *((short*)(_t151 + 0xc2)) = E0041E080(_t214, 0x2e, 0xe);
				E0041E034(_t214, 0x41e3ac, 0x19,  &_v32);
				 *((char*)(_t151 + 5)) = E0041A1C4(0x41e3ac, 0, _t219);
				_t212 = E0041E080(_t214, 0x2f, 0x1d);
				 *(_t151 + 6) = _t212;
				_push(_t212);
				E0041EB18(_t214, _t151, L"m/d/yy", 0x1f, _t212, _t214, _t219,  &_v36);
				E00407E00(_t151 + 0xc, _v36);
				_push( *(_t151 + 6) & 0x0000ffff);
				E0041EB18(_t214, _t151, L"mmmm d, yyyy", 0x20, _t212, _t214, _t219,  &_v40);
				E00407E00(_t151 + 0x10, _v40);
				 *((short*)(_t151 + 8)) = E0041E080(_t214, 0x3a, 0x1e);
				E0041E034(_t214, 0x41e400, 0x28,  &_v44);
				E00407E00(_t151 + 0x14, _v44);
				E0041E034(_t214, 0x41e414, 0x29,  &_v48);
				E00407E00(_t151 + 0x18, _v48);
				E00407A20( &_v12);
				E00407A20( &_v16);
				E0041E034(_t214, 0x41e3ac, 0x25,  &_v52);
				_t121 = E0041A1C4(0x41e3ac, 0, _t219);
				_t220 = _t121;
				if(_t121 != 0) {
					E00407E48( &_v8, 0x41e438);
				} else {
					E00407E48( &_v8, 0x41e428);
				}
				E0041E034(_t214, 0x41e3ac, 0x23,  &_v56);
				_t128 = E0041A1C4(0x41e3ac, 0, _t220);
				_t221 = _t128;
				if(_t128 == 0) {
					E0041E034(_t214, 0x41e3ac, 0x1005,  &_v60);
					if(E0041A1C4(0x41e3ac, 0, _t221) != 0) {
						E00407E48( &_v12, L"AMPM ");
					} else {
						E00407E48( &_v16, L" AMPM");
					}
				}
				_push(_v12);
				_push(_v8);
				_push(":mm");
				_push(_v16);
				E004087C4(_t151 + 0x1c, _t151, 4, _t212, _t214);
				_push(_v12);
				_push(_v8);
				_push(L":mm:ss");
				_push(_v16);
				E004087C4(_t151 + 0x20, _t151, 4, _t212, _t214);
				 *((short*)(_t151 + 0xa)) = E0041E080(_t214, 0x2c, 0xc);
				 *((short*)(_t151 + 0xc4)) = 0x32;
				_pop(_t204);
				 *[fs:eax] = _t204;
				_push(0x41e398);
				return E00407A80( &_v60, 0xe);
			}

0x0041e0ac
0x0041e0ac
0x0041e0ad
0x0041e0af
0x0041e0b4
0x0041e0b4
0x0041e0b6
0x0041e0b8
0x0041e0b8
0x0041e0bd
0x0041e0be
0x0041e0c0
0x0041e0c4
0x0041e0c5
0x0041e0ca
0x0041e0cd
0x0041e0d3
0x0041e0d8
0x0041e0da
0x0041e0e1
0x0041e0e1
0x0041e0e9
0x0041e0ef
0x0041e0f8
0x0041e101
0x0041e10a
0x0041e11c
0x0041e126
0x0041e13b
0x0041e14a
0x0041e15d
0x0041e16c
0x0041e182
0x0041e199
0x0041e1b0
0x0041e1bf
0x0041e1d2
0x0041e1d4
0x0041e1d8
0x0041e1e9
0x0041e1f4
0x0041e1fd
0x0041e20e
0x0041e219
0x0041e22e
0x0041e242
0x0041e24d
0x0041e262
0x0041e26d
0x0041e275
0x0041e27d
0x0041e292
0x0041e29c
0x0041e2a1
0x0041e2a3
0x0041e2bc
0x0041e2a5
0x0041e2ad
0x0041e2ad
0x0041e2d1
0x0041e2db
0x0041e2e0
0x0041e2e2
0x0041e2f4
0x0041e305
0x0041e31e
0x0041e307
0x0041e30f
0x0041e30f
0x0041e305
0x0041e323
0x0041e326
0x0041e329
0x0041e32e
0x0041e339
0x0041e33e
0x0041e341
0x0041e344
0x0041e349
0x0041e354
0x0041e369
0x0041e36d
0x0041e378
0x0041e37b
0x0041e37e
0x0041e390

APIs

IsValidLocale.KERNEL32(?,00000001,00000000,0041E391,?,?,?,?,00000000,00000000), ref: 0041E0D3
GetThreadLocale.KERNEL32(?,00000001,00000000,0041E391,?,?,?,?,00000000,00000000), ref: 0041E0DC

Part of subcall function 0041E080: GetLocaleInfoW.KERNEL32(?,0000000F,?,00000002,0000002C,?,?,?,0041E182,?,00000001,00000000,0041E391), ref: 0041E093

Part of subcall function 0041E034: GetLocaleInfoW.KERNEL32(?,?,?,00000100), ref: 0041E052

Strings

AMPM, xrefs: 0041E30A
AMPM , xrefs: 0041E319
m/d/yy, xrefs: 0041E1DD
:mm:ss, xrefs: 0041E344
mmmm d, yyyy, xrefs: 0041E202
:mm, xrefs: 0041E329
ToA, xrefs: 0041E0E9
2, xrefs: 0041E36D

Memory Dump Source

Source File: 00000000.00000002.408873022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.408864577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409100576.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409115454.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409128043.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409135279.00000000004C6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: Locale$Info$ThreadValid
String ID: AMPM$2$:mm$:mm:ss$AMPM $ToA$m/d/yy$mmmm d, yyyy
API String ID: 233154393-2808312488
Opcode ID: 89dbd54baef797781c63ab5ee0a362cfcea0ac090ff54d53303b749289e312d8
Instruction ID: 756c878950b08f5201d8436663b045c7a1b9734561897f0b9d621fb0846820d7
Opcode Fuzzy Hash: 89dbd54baef797781c63ab5ee0a362cfcea0ac090ff54d53303b749289e312d8
Instruction Fuzzy Hash: 887134387011199BDB05EB67C841BDE76AADF88304F50807BF904AB246DB3DDD82879E

Uniqueness

Uniqueness Score: -1.00%

Function 0040A7E4 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 76
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E0040A7E4(signed short __eax, void* __ebx, intOrPtr* __edx, void* __edi, void* __esi) {
				char _v8;
				void* _t18;
				signed short _t28;
				intOrPtr _t35;
				intOrPtr* _t44;
				intOrPtr _t47;

				_t42 = __edi;
				_push(0);
				_push(__ebx);
				_push(__esi);
				_t44 = __edx;
				_t28 = __eax;
				_push(_t47);
				_push(0x40a8e8);
				_push( *[fs:eax]);
				 *[fs:eax] = _t47;
				EnterCriticalSection(0x4bdc10);
				if(_t28 !=  *0x4bdc28) {
					LeaveCriticalSection(0x4bdc10);
					E00407A20(_t44);
					if(IsValidLocale(_t28 & 0x0000ffff, 2) != 0) {
						if( *0x4bdc0c == 0) {
							_t18 = E0040A4CC(_t28, _t28, _t44, __edi, _t44);
							L00403738();
							if(_t28 != _t18) {
								if( *_t44 != 0) {
									_t18 = E004086E4(_t44, E0040A900);
								}
								L00403738();
								E0040A4CC(_t18, _t28,  &_v8, _t42, _t44);
								E004086E4(_t44, _v8);
							}
						} else {
							E0040A6C8(_t28, _t44);
						}
					}
					EnterCriticalSection(0x4bdc10);
					 *0x4bdc28 = _t28;
					E0040A34C(0x4bdc2a, E004084EC( *_t44), 0xaa);
					LeaveCriticalSection(0x4bdc10);
				} else {
					E0040858C(_t44, 0x55, 0x4bdc2a);
					LeaveCriticalSection(0x4bdc10);
				}
				_pop(_t35);
				 *[fs:eax] = _t35;
				_push(E0040A8EF);
				return E00407A20( &_v8);
			}

0x0040a7e4
0x0040a7e7
0x0040a7e9
0x0040a7ea
0x0040a7eb
0x0040a7ed
0x0040a7f1
0x0040a7f2
0x0040a7f7
0x0040a7fa
0x0040a802
0x0040a80e
0x0040a835
0x0040a83c
0x0040a84e
0x0040a857
0x0040a868
0x0040a86d
0x0040a875
0x0040a87a
0x0040a883
0x0040a883
0x0040a888
0x0040a890
0x0040a89a
0x0040a89a
0x0040a859
0x0040a85d
0x0040a85d
0x0040a857
0x0040a8a4
0x0040a8a9
0x0040a8c3
0x0040a8cd
0x0040a810
0x0040a81c
0x0040a826
0x0040a826
0x0040a8d4
0x0040a8d7
0x0040a8da
0x0040a8e7

APIs

EnterCriticalSection.KERNEL32(004BDC10,00000000,0040A8E8,?,?,?,00000000,?,0040B1C8,00000000,0040B227,?,?,00000000,00000000,00000000), ref: 0040A802
LeaveCriticalSection.KERNEL32(004BDC10,004BDC10,00000000,0040A8E8,?,?,?,00000000,?,0040B1C8,00000000,0040B227,?,?,00000000,00000000), ref: 0040A826
LeaveCriticalSection.KERNEL32(004BDC10,004BDC10,00000000,0040A8E8,?,?,?,00000000,?,0040B1C8,00000000,0040B227,?,?,00000000,00000000), ref: 0040A835
IsValidLocale.KERNEL32(00000000,00000002,004BDC10,004BDC10,00000000,0040A8E8,?,?,?,00000000,?,0040B1C8,00000000,0040B227), ref: 0040A847
EnterCriticalSection.KERNEL32(004BDC10,00000000,00000002,004BDC10,004BDC10,00000000,0040A8E8,?,?,?,00000000,?,0040B1C8,00000000,0040B227), ref: 0040A8A4
LeaveCriticalSection.KERNEL32(004BDC10,004BDC10,00000000,00000002,004BDC10,004BDC10,00000000,0040A8E8,?,?,?,00000000,?,0040B1C8,00000000,0040B227), ref: 0040A8CD

Strings

en-US,en,, xrefs: 0040A812, 0040A8B9

Memory Dump Source

Source File: 00000000.00000002.408873022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.408864577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409100576.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409115454.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409128043.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409135279.00000000004C6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: CriticalSection$Leave$Enter$LocaleValid
String ID: en-US,en,
API String ID: 975949045-3579323720
Opcode ID: e3721d42ea745a9edd8ebaecb4ab5b2828546a05d0e92c0f55165f56426ca85b
Instruction ID: af4c48ae6f9d4b9345a2e7437780db60bfff4a38cfd5d6d0e3948ff18df55379
Opcode Fuzzy Hash: e3721d42ea745a9edd8ebaecb4ab5b2828546a05d0e92c0f55165f56426ca85b
Instruction Fuzzy Hash: 31218461B1031077DA11BB668C03B5E29A89B44705BA0887BB140B32D2EEBD8D52D66F

Uniqueness

Uniqueness Score: -1.00%

Function 0042301C Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 82
registryCOMMON

Download Yara Rule

C-Code - Quality: 61%

			E0042301C(void* __ebx, void* __esi, void* __eflags) {
				char _v8;
				void* _v12;
				char _v16;
				char _v20;
				intOrPtr* _t21;
				intOrPtr _t61;
				void* _t68;

				_push(__ebx);
				_v20 = 0;
				_v8 = 0;
				_push(_t68);
				_push(0x423116);
				_push( *[fs:eax]);
				 *[fs:eax] = _t68 + 0xfffffff0;
				_t21 = E0040E1A8(__ebx, __esi, GetModuleHandleW(L"kernel32.dll"), L"GetUserDefaultUILanguage");
				if(_t21 == 0) {
					if(E0041FF2C() != 2) {
						if(E00422FF4(0, L"Control Panel\\Desktop\\ResourceLocale", 0x80000001,  &_v12, 1, 0) == 0) {
							E00422FE8();
							RegCloseKey(_v12);
						}
					} else {
						if(E00422FF4(0, L".DEFAULT\\Control Panel\\International", 0x80000003,  &_v12, 1, 0) == 0) {
							E00422FE8();
							RegCloseKey(_v12);
						}
					}
					E0040873C( &_v20, _v8, 0x42322c);
					E00405920(_v20,  &_v16);
					if(_v16 != 0) {
					}
				} else {
					 *_t21();
				}
				_pop(_t61);
				 *[fs:eax] = _t61;
				_push(E0042311D);
				E00407A20( &_v20);
				return E00407A20( &_v8);
			}

0x00423022
0x00423025
0x00423028
0x0042302d
0x0042302e
0x00423033
0x00423036
0x00423049
0x00423050
0x00423063
0x004230b8
0x004230c5
0x004230ce
0x004230ce
0x00423065
0x00423080
0x0042308d
0x00423096
0x00423096
0x00423080
0x004230de
0x004230e9
0x004230f4
0x004230f4
0x00423052
0x00423052
0x00423054
0x004230fa
0x004230fd
0x00423100
0x00423108
0x00423115

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,00423116), ref: 00423043

Part of subcall function 0040E1A8: GetProcAddress.KERNEL32(?,00423116), ref: 0040E1D2

RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,00423116), ref: 00423096

Strings

Locale, xrefs: 00423085
.DEFAULT\Control Panel\International, xrefs: 0042306D
Control Panel\Desktop\ResourceLocale, xrefs: 004230A5
GetUserDefaultUILanguage, xrefs: 00423039
kernel32.dll, xrefs: 0042303E

Memory Dump Source

Source File: 00000000.00000002.408873022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.408864577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409100576.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409115454.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409128043.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409135279.00000000004C6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: AddressCloseHandleModuleProc
String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
API String ID: 4190037839-2401316094
Opcode ID: 0c53a133d6644a1b94ef3c959f72937b5652b11bdcaf1ce6cf384129006bdbe5
Instruction ID: 05790bdd6973bc135d390eb6e5b6569f0703c8ea8b4006eead18837270f0a894
Opcode Fuzzy Hash: 0c53a133d6644a1b94ef3c959f72937b5652b11bdcaf1ce6cf384129006bdbe5
Instruction Fuzzy Hash: 39217930B00228ABDB10EEB5DD42A9F73F4EB44345FA04477A500E3281DB7CAB41962D

Uniqueness

Uniqueness Score: -1.00%

Function 0040D218 Relevance: 13.8, APIs: 9, Instructions: 258
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E0040D218(void* __eflags, intOrPtr _a4, intOrPtr* _a8) {
				long _v8;
				signed int _v12;
				long _v16;
				void* _v20;
				long _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				struct HINSTANCE__** _v48;
				CHAR* _v52;
				void _v56;
				long _v60;
				_Unknown_base(*)()* _v64;
				struct HINSTANCE__* _v68;
				CHAR* _v72;
				signed int _v76;
				CHAR* _v80;
				intOrPtr* _v84;
				void* _v88;
				void _v92;
				signed int _t104;
				signed int _t106;
				signed int _t108;
				long _t113;
				intOrPtr* _t119;
				void* _t124;
				void _t126;
				long _t128;
				struct HINSTANCE__* _t142;
				long _t166;
				signed int* _t190;
				_Unknown_base(*)()* _t191;
				void* _t194;
				intOrPtr _t196;

				_push(_a4);
				memcpy( &_v56, 0x4b7c40, 8 << 2);
				_pop(_t194);
				_v56 =  *0x4b7c40;
				_v52 = E0040D6C8( *0x004B7C44);
				_v48 = E0040D6D8( *0x004B7C48);
				_v44 = E0040D6E8( *0x004B7C4C);
				_v40 = E0040D6F8( *0x004B7C50);
				_v36 = E0040D6F8( *0x004B7C54);
				_v32 = E0040D6F8( *0x004B7C58);
				_v28 =  *0x004B7C5C;
				memcpy( &_v92, 0x4b7c60, 9 << 2);
				_t196 = _t194;
				_v88 = 0x4b7c60;
				_v84 = _a8;
				_v80 = _v52;
				if((_v56 & 0x00000001) == 0) {
					_t166 =  *0x4b7c84; // 0x0
					_v8 = _t166;
					_v8 =  &_v92;
					RaiseException(0xc06d0057, 0, 1,  &_v8);
					return 0;
				}
				_t104 = _a8 - _v44;
				_t142 =  *_v48;
				if(_t104 < 0) {
					_t104 = _t104 + 3;
				}
				_v12 = _t104 >> 2;
				_t106 = _v12;
				_t190 = (_t106 << 2) + _v40;
				_t108 = (_t106 & 0xffffff00 | (_t190[0] & 0x00000080) == 0x00000000) & 0x00000001;
				_v76 = _t108;
				if(_t108 == 0) {
					_v72 =  *_t190 & 0x0000ffff;
				} else {
					_v72 = E0040D708( *_t190) + 2;
				}
				_t191 = 0;
				if( *0x4be640 == 0) {
					L10:
					if(_t142 != 0) {
						L25:
						_v68 = _t142;
						if( *0x4be640 != 0) {
							_t191 =  *0x4be640(2,  &_v92);
						}
						if(_t191 != 0) {
							L36:
							if(_t191 == 0) {
								_v60 = GetLastError();
								if( *0x4be644 != 0) {
									_t191 =  *0x4be644(4,  &_v92);
								}
								if(_t191 == 0) {
									_t113 =  *0x4b7c8c; // 0x0
									_v24 = _t113;
									_v24 =  &_v92;
									RaiseException(0xc06d007f, 0, 1,  &_v24);
									_t191 = _v64;
								}
							}
							goto L41;
						} else {
							if( *((intOrPtr*)(_t196 + 0x14)) == 0 ||  *((intOrPtr*)(_t196 + 0x1c)) == 0) {
								L35:
								_t191 = GetProcAddress(_t142, _v72);
								goto L36;
							} else {
								_t119 =  *((intOrPtr*)(_t142 + 0x3c)) + _t142;
								if( *_t119 != 0x4550 ||  *((intOrPtr*)(_t119 + 8)) != _v28 || (( *(_t119 + 0x34) & 0xffffff00 |  *(_t119 + 0x34) == _t142) & 0x00000001) == 0) {
									goto L35;
								} else {
									_t191 =  *((intOrPtr*)(_v36 + _v12 * 4));
									if(_t191 == 0) {
										goto L35;
									}
									L41:
									 *_a8 = _t191;
									goto L42;
								}
							}
						}
					}
					if( *0x4be640 != 0) {
						_t142 =  *0x4be640(1,  &_v92);
					}
					if(_t142 == 0) {
						_t142 = LoadLibraryA(_v80);
					}
					if(_t142 != 0) {
						L20:
						if(_t142 == E0040CBA0(_v48, _t142)) {
							FreeLibrary(_t142);
						} else {
							if( *((intOrPtr*)(_t196 + 0x18)) != 0) {
								_t124 = LocalAlloc(0x40, 8);
								_v20 = _t124;
								if(_t124 != 0) {
									 *((intOrPtr*)(_v20 + 4)) = _t196;
									_t126 =  *0x4b7c3c; // 0x0
									 *_v20 = _t126;
									 *0x4b7c3c = _v20;
								}
							}
						}
						goto L25;
					} else {
						_v60 = GetLastError();
						if( *0x4be644 != 0) {
							_t142 =  *0x4be644(3,  &_v92);
						}
						if(_t142 != 0) {
							goto L20;
						} else {
							_t128 =  *0x4b7c88; // 0x0
							_v16 = _t128;
							_v16 =  &_v92;
							RaiseException(0xc06d007e, 0, 1,  &_v16);
							return _v64;
						}
					}
				} else {
					_t191 =  *0x4be640(0,  &_v92);
					if(_t191 == 0) {
						goto L10;
					} else {
						L42:
						if( *0x4be640 != 0) {
							_v60 = 0;
							_v68 = _t142;
							_v64 = _t191;
							 *0x4be640(5,  &_v92);
						}
						return _t191;
					}
				}
			}

0x0040d22c
0x0040d232
0x0040d234
0x0040d237
0x0040d244
0x0040d251
0x0040d25e
0x0040d26b
0x0040d278
0x0040d285
0x0040d28e
0x0040d29c
0x0040d29e
0x0040d29f
0x0040d2a5
0x0040d2ab
0x0040d2b2
0x0040d2b4
0x0040d2ba
0x0040d2c0
0x0040d2d0
0x00000000
0x0040d2d5
0x0040d2e2
0x0040d2e7
0x0040d2e9
0x0040d2eb
0x0040d2eb
0x0040d2f1
0x0040d2f4
0x0040d2fc
0x0040d306
0x0040d309
0x0040d30e
0x0040d329
0x0040d310
0x0040d31c
0x0040d31c
0x0040d32c
0x0040d335
0x0040d34e
0x0040d350
0x0040d412
0x0040d412
0x0040d41c
0x0040d42a
0x0040d42a
0x0040d42e
0x0040d47b
0x0040d47d
0x0040d484
0x0040d48e
0x0040d49c
0x0040d49c
0x0040d4a0
0x0040d4a2
0x0040d4a7
0x0040d4ad
0x0040d4bd
0x0040d4c2
0x0040d4c2
0x0040d4a0
0x00000000
0x0040d430
0x0040d434
0x0040d46f
0x0040d479
0x00000000
0x0040d43c
0x0040d43f
0x0040d447
0x00000000
0x0040d460
0x0040d466
0x0040d46b
0x00000000
0x00000000
0x0040d4c5
0x0040d4c8
0x00000000
0x0040d4c8
0x0040d447
0x0040d434
0x0040d42e
0x0040d35d
0x0040d36b
0x0040d36b
0x0040d36f
0x0040d37a
0x0040d37a
0x0040d37e
0x0040d3cb
0x0040d3d7
0x0040d40d
0x0040d3d9
0x0040d3dd
0x0040d3e3
0x0040d3e8
0x0040d3ed
0x0040d3f4
0x0040d3fa
0x0040d3ff
0x0040d404
0x0040d404
0x0040d3ed
0x0040d3dd
0x00000000
0x0040d380
0x0040d385
0x0040d38f
0x0040d39d
0x0040d39d
0x0040d3a1
0x00000000
0x0040d3a3
0x0040d3a3
0x0040d3a8
0x0040d3ae
0x0040d3be
0x00000000
0x0040d3c3
0x0040d3a1
0x0040d337
0x0040d343
0x0040d347
0x00000000
0x0040d349
0x0040d4ca
0x0040d4d1
0x0040d4d5
0x0040d4d8
0x0040d4db
0x0040d4e4
0x0040d4e4
0x00000000
0x0040d4ea
0x0040d347

APIs

RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0040D2D0

Memory Dump Source

Source File: 00000000.00000002.408873022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.408864577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409100576.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409115454.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409128043.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409135279.00000000004C6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 4fdbadfbff537c598349848257c7330453a14fb024132e1a583ffc8385a63ee1
Instruction ID: 6bdc8742f8c12d3c05e6aa795b4e0fa0c425ed74332de7fca684440f38d882f1
Opcode Fuzzy Hash: 4fdbadfbff537c598349848257c7330453a14fb024132e1a583ffc8385a63ee1
Instruction Fuzzy Hash: 7CA16F75D002089FDB14DFE9D881BAEB7B5BB88300F14423AE505B73C1DB78A949CB59

Uniqueness

Uniqueness Score: -1.00%

Function 004047B0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 51
fileCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E004047B0(int __eax, void* __ecx, void* __edx) {
				long _v12;
				int _t4;
				long _t7;
				void* _t11;
				long _t12;
				void* _t13;
				long _t18;

				_t4 = __eax;
				_t24 = __edx;
				_t20 = __eax;
				if( *0x4bb058 == 0) {
					_push(0x2010);
					_push(__edx);
					_push(__eax);
					_push(0);
					L00403780();
				} else {
					_t7 = E00407EF0(__edx);
					WriteFile(GetStdHandle(0xfffffff4), _t24, _t7,  &_v12, 0);
					_t11 =  *0x4b7078; // 0x403920
					_t12 = E00407EF0(_t11);
					_t13 =  *0x4b7078; // 0x403920
					WriteFile(GetStdHandle(0xfffffff4), _t13, _t12,  &_v12, 0);
					_t18 = E00407EF0(_t20);
					_t4 = WriteFile(GetStdHandle(0xfffffff4), _t20, _t18,  &_v12, 0);
				}
				return _t4;
			}

0x004047b0
0x004047b3
0x004047b5
0x004047be
0x00404821
0x00404826
0x00404827
0x00404828
0x0040482a
0x004047c0
0x004047c9
0x004047d8
0x004047e4
0x004047e9
0x004047ef
0x004047fd
0x0040480b
0x0040481a
0x0040481a
0x00404832

APIs

GetStdHandle.KERNEL32(000000F4,00403924,00000000,?,00000000,?,?,00000000,0040515B), ref: 004047D2
WriteFile.KERNEL32(00000000,000000F4,00403924,00000000,?,00000000,?,?,00000000,0040515B), ref: 004047D8
GetStdHandle.KERNEL32(000000F4,00403920,00000000,?,00000000,00000000,000000F4,00403924,00000000,?,00000000,?,?,00000000,0040515B), ref: 004047F7
WriteFile.KERNEL32(00000000,000000F4,00403920,00000000,?,00000000,00000000,000000F4,00403924,00000000,?,00000000,?,?,00000000,0040515B), ref: 004047FD
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,00000000,000000F4,00403920,00000000,?,00000000,00000000,000000F4,00403924,00000000,?), ref: 00404814
WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,00000000,000000F4,00403920,00000000,?,00000000,00000000,000000F4,00403924,00000000), ref: 0040481A

Strings

9@, xrefs: 004047E4, 004047EF

Memory Dump Source

Source File: 00000000.00000002.408873022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.408864577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409100576.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409115454.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409128043.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409135279.00000000004C6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: FileHandleWrite
String ID: 9@
API String ID: 3320372497-3209974744
Opcode ID: 5f8d133322f34133c732956f1222a9d0eafcb790ac979970e9ef56a2ae19cd1b
Instruction ID: 9b3b4e35e49a927b8991458b20a1a8ec0ccf5b925403b1971dfbe1b0899ab5f0
Opcode Fuzzy Hash: 5f8d133322f34133c732956f1222a9d0eafcb790ac979970e9ef56a2ae19cd1b
Instruction Fuzzy Hash: 2001AEE25492103DE110F7A69C85F57168C8B4472AF10467F7218F35D2C9395D44927E

Uniqueness

Uniqueness Score: -1.00%

Function 0041F0F4 Relevance: 12.1, APIs: 8, Instructions: 97
filewindowCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E0041F0F4(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				char* _v8;
				long _v12;
				short _v140;
				short _v2188;
				void* _t15;
				char* _t17;
				intOrPtr _t19;
				intOrPtr _t30;
				long _t48;
				intOrPtr _t56;
				intOrPtr _t57;
				int _t61;
				void* _t64;

				_push(__ebx);
				_push(__esi);
				_v8 = 0;
				_push(_t64);
				_push(0x41f219);
				_push( *[fs:ecx]);
				 *[fs:ecx] = _t64 + 0xfffff778;
				_t61 = E0041EEFC(_t15, __ebx,  &_v2188, __edx, __edi, __esi, 0x400);
				_t17 =  *0x4ba6c0; // 0x4bb058
				if( *_t17 == 0) {
					_t19 =  *0x4ba4f8; // 0x40e710
					_t11 = _t19 + 4; // 0xffed
					LoadStringW(E00409FF0( *0x4be634),  *_t11,  &_v140, 0x40);
					MessageBoxW(0,  &_v2188,  &_v140, 0x2010);
				} else {
					_t30 =  *0x4ba524; // 0x4bb340
					E00405564(E00405820(_t30));
					_t48 = WideCharToMultiByte(1, 0,  &_v2188, _t61, 0, 0, 0, 0);
					_push(_t48);
					E00409C00();
					WideCharToMultiByte(1, 0,  &_v2188, _t61, _v8, _t48, 0, 0);
					WriteFile(GetStdHandle(0xfffffff4), _v8, _t48,  &_v12, 0);
					WriteFile(GetStdHandle(0xfffffff4), 0x41f234, 2,  &_v12, 0);
				}
				_pop(_t56);
				 *[fs:eax] = _t56;
				_push(0x41f220);
				_t57 =  *0x41f0c4; // 0x41f0c8
				return E00409D24( &_v8, _t57);
			}

0x0041f0fd
0x0041f0fe
0x0041f101
0x0041f106
0x0041f107
0x0041f10c
0x0041f10f
0x0041f122
0x0041f124
0x0041f12c
0x0041f1ca
0x0041f1cf
0x0041f1de
0x0041f1f8
0x0041f132
0x0041f132
0x0041f13c
0x0041f15a
0x0041f15c
0x0041f16b
0x0041f188
0x0041f1a0
0x0041f1ba
0x0041f1ba
0x0041f1ff
0x0041f202
0x0041f205
0x0041f20d
0x0041f218

APIs

Part of subcall function 0041EEFC: VirtualQuery.KERNEL32(?,?,0000001C,00000000,0041F0A8), ref: 0041EF2F
Part of subcall function 0041EEFC: GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 0041EF53
Part of subcall function 0041EEFC: GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 0041EF6E
Part of subcall function 0041EEFC: LoadStringW.USER32(00000000,0000FFEC,?,00000100), ref: 0041F009

WideCharToMultiByte.KERNEL32(00000001,00000000,?,00000000,00000000,00000000,00000000,00000000,00000400,00000000,0041F219), ref: 0041F155
WideCharToMultiByte.KERNEL32(00000001,00000000,?,00000000,?,00000000,00000000,00000000), ref: 0041F188
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000,?,00000000,00000000,00000000), ref: 0041F19A
WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000,?,00000000,00000000,00000000), ref: 0041F1A0
GetStdHandle.KERNEL32(000000F4,0041F234,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000,?), ref: 0041F1B4
WriteFile.KERNEL32(00000000,000000F4,0041F234,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000), ref: 0041F1BA
LoadStringW.USER32(00000000,0000FFED,?,00000040), ref: 0041F1DE
MessageBoxW.USER32(00000000,?,?,00002010), ref: 0041F1F8

Memory Dump Source

Source File: 00000000.00000002.408873022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.408864577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409100576.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409115454.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409128043.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409135279.00000000004C6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: File$ByteCharHandleLoadModuleMultiNameStringWideWrite$MessageQueryVirtual
String ID:
API String ID: 135118572-0
Opcode ID: 7bf27a680bd44ec5315003c7bd75f7b580991028cc1534cfff61cb99441fed85
Instruction ID: 441773961034998e17761d3334fa1b60ae8bad0ad03d42d5622a75f3c8f76c28
Opcode Fuzzy Hash: 7bf27a680bd44ec5315003c7bd75f7b580991028cc1534cfff61cb99441fed85
Instruction Fuzzy Hash: 7D31CF75640204BFE714E796CC42FDA77ACEB08704F9044BABA04F71D2DA786E548B6D

Uniqueness

Uniqueness Score: -1.00%

Function 00404464 Relevance: 10.9, APIs: 7, Instructions: 406
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E00404464(signed int __eax, intOrPtr __edx, void* __edi) {
				signed int __ebx;
				void* __esi;
				signed int _t69;
				signed int _t78;
				signed int _t93;
				long _t94;
				void* _t100;
				signed int _t102;
				signed int _t109;
				signed int _t115;
				signed int _t123;
				signed int _t129;
				void* _t131;
				signed int _t140;
				unsigned int _t148;
				signed int _t150;
				long _t152;
				signed int _t156;
				intOrPtr _t161;
				signed int _t166;
				signed int _t170;
				unsigned int _t171;
				intOrPtr _t174;
				intOrPtr _t192;
				signed int _t195;
				signed int _t196;
				signed int _t197;
				void* _t205;
				unsigned int _t207;
				intOrPtr _t213;
				void* _t225;
				intOrPtr _t227;
				void* _t228;
				signed int _t230;
				void* _t232;
				signed int _t233;
				signed int _t234;
				signed int _t238;
				signed int _t241;
				void* _t243;
				intOrPtr* _t244;

				_t176 = __edx;
				_t66 = __eax;
				_t166 =  *(__eax - 4);
				_t217 = __eax;
				if((_t166 & 0x00000007) != 0) {
					__eflags = _t166 & 0x00000005;
					if((_t166 & 0x00000005) != 0) {
						_pop(_t217);
						_pop(_t145);
						__eflags = _t166 & 0x00000003;
						if((_t166 & 0x00000003) == 0) {
							_push(_t145);
							_push(__eax);
							_push(__edi);
							_push(_t225);
							_t244 = _t243 + 0xffffffe0;
							_t218 = __edx;
							_t202 = __eax;
							_t69 =  *(__eax - 4);
							_t148 = (0xfffffff0 & _t69) - 0x14;
							if(0xfffffff0 >= __edx) {
								__eflags = __edx - _t148 >> 1;
								if(__edx < _t148 >> 1) {
									_t150 = E00403EE8(__edx);
									__eflags = _t150;
									if(_t150 != 0) {
										__eflags = _t218 - 0x40a2c;
										if(_t218 > 0x40a2c) {
											_t78 = _t202 - 0x10;
											__eflags = _t78;
											 *((intOrPtr*)(_t78 + 8)) = _t218;
										}
										E00403AA4(_t202, _t218, _t150);
										E0040426C(_t202, _t202, _t225);
									}
								} else {
									_t150 = __eax;
									 *((intOrPtr*)(__eax - 0x10 + 8)) = __edx;
								}
							} else {
								if(0xfffffff0 <= __edx) {
									_t227 = __edx;
								} else {
									_t227 = 0xbadb9d;
								}
								 *_t244 = _t202 - 0x10 + (_t69 & 0xfffffff0);
								VirtualQuery( *(_t244 + 8), _t244 + 8, 0x1c);
								if( *((intOrPtr*)(_t244 + 0x14)) != 0x10000) {
									L12:
									_t150 = E00403EE8(_t227);
									__eflags = _t150;
									if(_t150 != 0) {
										__eflags = _t227 - 0x40a2c;
										if(_t227 > 0x40a2c) {
											_t93 = _t150 - 0x10;
											__eflags = _t93;
											 *((intOrPtr*)(_t93 + 8)) = _t218;
										}
										E00403A74(_t202,  *((intOrPtr*)(_t202 - 0x10 + 8)), _t150);
										E0040426C(_t202, _t202, _t227);
									}
								} else {
									 *(_t244 + 0x10) =  *(_t244 + 0x10) & 0xffff0000;
									_t94 =  *(_t244 + 0x10);
									if(_t218 - _t148 >= _t94) {
										goto L12;
									} else {
										_t152 = _t227 - _t148 + 0x00010000 - 0x00000001 & 0xffff0000;
										if(_t94 < _t152) {
											_t152 = _t94;
										}
										if(VirtualAlloc( *(_t244 + 0xc), _t152, 0x2000, 4) == 0 || VirtualAlloc( *(_t244 + 0xc), _t152, 0x1000, 4) == 0) {
											goto L12;
										} else {
											_t100 = _t202 - 0x10;
											 *((intOrPtr*)(_t100 + 8)) = _t218;
											 *(_t100 + 0xc) = _t152 +  *(_t100 + 0xc) | 0x00000008;
											_t150 = _t202;
										}
									}
								}
							}
							return _t150;
						} else {
							__eflags = 0;
							return 0;
						}
					} else {
						_t170 = _t166 & 0xfffffff0;
						_push(__edi);
						_t205 = _t170 + __eax;
						_t171 = _t170 - 4;
						_t156 = _t166 & 0x0000000f;
						__eflags = __edx - _t171;
						_push(_t225);
						if(__edx > _t171) {
							_t102 =  *(_t205 - 4);
							__eflags = _t102 & 0x00000001;
							if((_t102 & 0x00000001) == 0) {
								L75:
								asm("adc edi, 0xffffffff");
								_t228 = ((_t171 >> 0x00000002) + _t171 - _t176 & 0) + _t176;
								_t207 = _t171;
								_t109 = E00403EE8(((_t171 >> 0x00000002) + _t171 - _t176 & 0) + _t176);
								_t192 = _t176;
								__eflags = _t109;
								if(_t109 == 0) {
									goto L73;
								} else {
									__eflags = _t228 - 0x40a2c;
									if(_t228 > 0x40a2c) {
										 *((intOrPtr*)(_t109 - 8)) = _t192;
									}
									_t230 = _t109;
									E00403A74(_t217, _t207, _t109);
									E0040426C(_t217, _t207, _t230);
									return _t230;
								}
							} else {
								_t115 = _t102 & 0xfffffff0;
								_t232 = _t171 + _t115;
								__eflags = __edx - _t232;
								if(__edx > _t232) {
									goto L75;
								} else {
									__eflags =  *0x4bb059;
									if(__eflags == 0) {
										L66:
										__eflags = _t115 - 0xb30;
										if(_t115 >= 0xb30) {
											E00403AC0(_t205);
											_t176 = _t176;
											_t171 = _t171;
										}
										asm("adc edi, 0xffffffff");
										_t123 = (_t176 + ((_t171 >> 0x00000002) + _t171 - _t176 & 0) + 0x000000d3 & 0xffffff00) + 0x30;
										_t195 = _t232 + 4 - _t123;
										__eflags = _t195;
										if(_t195 > 0) {
											 *(_t217 + _t232 - 4) = _t195;
											 *((intOrPtr*)(_t217 - 4 + _t123)) = _t195 + 3;
											_t233 = _t123;
											__eflags = _t195 - 0xb30;
											if(_t195 >= 0xb30) {
												__eflags = _t123 + _t217;
												E00403B00(_t123 + _t217, _t171, _t195);
											}
										} else {
											 *(_t217 + _t232) =  *(_t217 + _t232) & 0xfffffff7;
											_t233 = _t232 + 4;
										}
										_t234 = _t233 | _t156;
										__eflags = _t234;
										 *(_t217 - 4) = _t234;
										 *0x4bbae8 = 0;
										_t109 = _t217;
										L73:
										return _t109;
									} else {
										while(1) {
											asm("lock cmpxchg [0x4bbae8], ah");
											if(__eflags == 0) {
												break;
											}
											asm("pause");
											__eflags =  *0x4bb989;
											if(__eflags != 0) {
												continue;
											} else {
												Sleep(0);
												_t176 = _t176;
												_t171 = _t171;
												asm("lock cmpxchg [0x4bbae8], ah");
												if(__eflags != 0) {
													Sleep(0xa);
													_t176 = _t176;
													_t171 = _t171;
													continue;
												}
											}
											break;
										}
										_t156 = 0x0000000f &  *(_t217 - 4);
										_t129 =  *(_t205 - 4);
										__eflags = _t129 & 0x00000001;
										if((_t129 & 0x00000001) == 0) {
											L74:
											 *0x4bbae8 = 0;
											goto L75;
										} else {
											_t115 = _t129 & 0xfffffff0;
											_t232 = _t171 + _t115;
											__eflags = _t176 - _t232;
											if(_t176 > _t232) {
												goto L74;
											} else {
												goto L66;
											}
										}
									}
								}
							}
						} else {
							__eflags = __edx + __edx - _t171;
							if(__edx + __edx < _t171) {
								__eflags = __edx - 0xb2c;
								if(__edx >= 0xb2c) {
									L41:
									_t32 = _t176 + 0xd3; // 0xbff
									_t238 = (_t32 & 0xffffff00) + 0x30;
									_t174 = _t171 + 4 - _t238;
									__eflags =  *0x4bb059;
									if(__eflags != 0) {
										while(1) {
											asm("lock cmpxchg [0x4bbae8], ah");
											if(__eflags == 0) {
												break;
											}
											asm("pause");
											__eflags =  *0x4bb989;
											if(__eflags != 0) {
												continue;
											} else {
												Sleep(0);
												_t174 = _t174;
												asm("lock cmpxchg [0x4bbae8], ah");
												if(__eflags != 0) {
													Sleep(0xa);
													_t174 = _t174;
													continue;
												}
											}
											break;
										}
										_t156 = 0x0000000f &  *(_t217 - 4);
										__eflags = 0xf;
									}
									 *(_t217 - 4) = _t156 | _t238;
									_t161 = _t174;
									_t196 =  *(_t205 - 4);
									__eflags = _t196 & 0x00000001;
									if((_t196 & 0x00000001) != 0) {
										_t131 = _t205;
										_t197 = _t196 & 0xfffffff0;
										_t161 = _t161 + _t197;
										_t205 = _t205 + _t197;
										__eflags = _t197 - 0xb30;
										if(_t197 >= 0xb30) {
											E00403AC0(_t131);
										}
									} else {
										 *(_t205 - 4) = _t196 | 0x00000008;
									}
									 *((intOrPtr*)(_t205 - 8)) = _t161;
									 *((intOrPtr*)(_t217 + _t238 - 4)) = _t161 + 3;
									__eflags = _t161 - 0xb30;
									if(_t161 >= 0xb30) {
										E00403B00(_t217 + _t238, _t174, _t161);
									}
									 *0x4bbae8 = 0;
									return _t217;
								} else {
									__eflags = __edx - 0x2cc;
									if(__edx < 0x2cc) {
										_t213 = __edx;
										_t140 = E00403EE8(__edx);
										__eflags = _t140;
										if(_t140 != 0) {
											_t241 = _t140;
											E00403AA4(_t217, _t213, _t140);
											E0040426C(_t217, _t213, _t241);
											_t140 = _t241;
										}
										return _t140;
									} else {
										_t176 = 0xb2c;
										__eflags = _t171 - 0xb2c;
										if(_t171 <= 0xb2c) {
											goto L37;
										} else {
											goto L41;
										}
									}
								}
							} else {
								L37:
								return _t66;
							}
						}
					}
				} else {
					__ebx =  *__ecx;
					__ecx =  *(__ebx + 2) & 0x0000ffff;
					__ecx = ( *(__ebx + 2) & 0x0000ffff) - 4;
					__eflags = __ecx - __edx;
					if(__ecx < __edx) {
						__ecx = __ecx + __ecx + 0x20;
						_push(__edi);
						__edi = __edx;
						__eax = 0;
						__ecx = __ecx - __edx;
						asm("adc eax, 0xffffffff");
						__eax = 0 & __ecx;
						__eax = (0 & __ecx) + __edx;
						__eax = E00403EE8((0 & __ecx) + __edx);
						__eflags = __eax;
						if(__eax != 0) {
							__eflags = __edi - 0x40a2c;
							if(__edi > 0x40a2c) {
								 *(__eax - 8) = __edi;
							}
							 *(__ebx + 2) & 0x0000ffff = ( *(__ebx + 2) & 0x0000ffff) - 4;
							__eflags = ( *(__ebx + 2) & 0x0000ffff) - 4;
							__edx = __eax;
							__edi = __eax;
							 *((intOrPtr*)(__ebx + 0x1c))() = E0040426C(__esi, __edi, __ebp);
							__eax = __edi;
						}
						_pop(__edi);
						_pop(__esi);
						_pop(__ebx);
						return __eax;
					} else {
						__ebx = 0x40 + __edx * 4;
						__eflags = 0x40 + __edx * 4 - __ecx;
						if(0x40 + __edx * 4 < __ecx) {
							__ebx = __edx;
							__eax = __edx;
							__eax = E00403EE8(__edx);
							__eflags = __eax;
							if(__eax != 0) {
								__ecx = __ebx;
								__edx = __eax;
								__ebx = __eax;
								__esi = E0040426C(__esi, __edi, __ebp);
								__eax = __ebx;
							}
							_pop(__esi);
							_pop(__ebx);
							return __eax;
						} else {
							_pop(__esi);
							_pop(__ebx);
							return __eax;
						}
					}
				}
			}

0x00404464
0x00404464
0x00404464
0x0040446c
0x0040446e
0x004044fc
0x004044ff
0x0040476c
0x0040476d
0x0040476e
0x00404771
0x00403d9c
0x00403d9d
0x00403d9e
0x00403d9f
0x00403da0
0x00403da3
0x00403da5
0x00403dac
0x00403db5
0x00403dba
0x00403ea1
0x00403ea3
0x00403eb6
0x00403eb8
0x00403eba
0x00403ebc
0x00403ec2
0x00403ec6
0x00403ec6
0x00403ec9
0x00403ec9
0x00403ed2
0x00403ed9
0x00403ed9
0x00403ea5
0x00403ea5
0x00403eaa
0x00403eaa
0x00403dc0
0x00403dc9
0x00403dcf
0x00403dcb
0x00403dcb
0x00403dcb
0x00403ddb
0x00403dea
0x00403df7
0x00403e67
0x00403e6e
0x00403e70
0x00403e72
0x00403e74
0x00403e7a
0x00403e7e
0x00403e7e
0x00403e81
0x00403e81
0x00403e91
0x00403e98
0x00403e98
0x00403df9
0x00403df9
0x00403e05
0x00403e0b
0x00000000
0x00403e0d
0x00403e1e
0x00403e22
0x00403e24
0x00403e24
0x00403e3a
0x00000000
0x00403e52
0x00403e54
0x00403e57
0x00403e60
0x00403e63
0x00403e63
0x00403e3a
0x00403e0b
0x00403df7
0x00403ee7
0x00404777
0x00404777
0x00404779
0x00404779
0x00404505
0x00404507
0x0040450a
0x0040450b
0x0040450e
0x00404511
0x00404514
0x00404516
0x00404517
0x0040462c
0x0040462f
0x00404631
0x00404724
0x0040472f
0x00404736
0x00404738
0x0040473b
0x00404740
0x00404741
0x00404743
0x00000000
0x00404745
0x00404745
0x0040474b
0x0040474d
0x0040474d
0x00404750
0x00404758
0x0040475f
0x0040476a
0x0040476a
0x00404637
0x00404637
0x0040463a
0x0040463d
0x0040463f
0x00000000
0x00404645
0x00404645
0x0040464c
0x004046a9
0x004046a9
0x004046ae
0x004046b4
0x004046b9
0x004046ba
0x004046ba
0x004046c6
0x004046d7
0x004046dd
0x004046dd
0x004046df
0x004046ec
0x004046f3
0x004046f7
0x004046f9
0x004046ff
0x00404701
0x00404703
0x00404703
0x004046e1
0x004046e1
0x004046e5
0x004046e5
0x00404708
0x00404708
0x0040470a
0x0040470d
0x00404714
0x00404716
0x0040471a
0x0040464e
0x0040464e
0x00404653
0x0040465b
0x00000000
0x00000000
0x0040465d
0x0040465f
0x00404666
0x00000000
0x00404668
0x0040466c
0x00404671
0x00404672
0x00404678
0x00404680
0x00404686
0x0040468b
0x0040468c
0x00000000
0x0040468c
0x00404680
0x00000000
0x00404666
0x00404695
0x00404698
0x0040469b
0x0040469d
0x0040471d
0x0040471d
0x00000000
0x0040469f
0x0040469f
0x004046a2
0x004046a5
0x004046a7
0x00000000
0x00000000
0x00000000
0x00000000
0x004046a7
0x0040469d
0x0040464c
0x0040463f
0x0040451d
0x00404520
0x00404522
0x0040452c
0x00404532
0x00404549
0x00404549
0x00404555
0x0040455b
0x0040455d
0x00404564
0x00404566
0x0040456b
0x00404573
0x00000000
0x00000000
0x00404575
0x00404577
0x0040457e
0x00000000
0x00404580
0x00404583
0x00404588
0x0040458e
0x00404596
0x0040459b
0x004045a0
0x00000000
0x004045a0
0x00404596
0x00000000
0x0040457e
0x004045a9
0x004045a9
0x004045a9
0x004045ae
0x004045b1
0x004045b3
0x004045b6
0x004045b9
0x004045c4
0x004045c6
0x004045c9
0x004045cb
0x004045cd
0x004045d3
0x004045d5
0x004045d5
0x004045bb
0x004045be
0x004045be
0x004045da
0x004045e0
0x004045e4
0x004045ea
0x004045f1
0x004045f1
0x004045f6
0x00404603
0x00404534
0x00404534
0x0040453a
0x00404604
0x00404608
0x0040460d
0x0040460f
0x00404611
0x00404619
0x00404620
0x00404625
0x00404625
0x0040462b
0x00404540
0x00404540
0x00404545
0x00404547
0x00000000
0x00000000
0x00000000
0x00000000
0x00404547
0x0040453a
0x00404524
0x00404524
0x00404528
0x00404528
0x00404522
0x00404517
0x00404474
0x00404474
0x00404476
0x0040447a
0x0040447d
0x0040447f
0x004044b8
0x004044bc
0x004044bd
0x004044bf
0x004044c1
0x004044c3
0x004044c6
0x004044c8
0x004044ca
0x004044cf
0x004044d1
0x004044d3
0x004044d9
0x004044db
0x004044db
0x004044e2
0x004044e2
0x004044e5
0x004044e7
0x004044f0
0x004044f5
0x004044f5
0x004044f7
0x004044f8
0x004044f9
0x004044fa
0x00404481
0x00404481
0x00404488
0x0040448a
0x00404490
0x00404492
0x00404494
0x00404499
0x0040449b
0x0040449d
0x0040449f
0x004044a1
0x004044ac
0x004044b1
0x004044b1
0x004044b3
0x004044b4
0x004044b5
0x0040448c
0x0040448c
0x0040448d
0x0040448e
0x0040448e
0x0040448a
0x0040447f

Memory Dump Source

Source File: 00000000.00000002.408873022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.408864577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409100576.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409115454.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409128043.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409135279.00000000004C6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YogaDNSSetup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec1625ffc2fe51f8c31513aba64e24c59fd6eccf0fed4d7fd9cb209259156b9f
Instruction ID: a6f3f7862a5743fd60f07ae337b35688b7a953487e66f12862dc3ba09d14b1d9
Opcode Fuzzy Hash: ec1625ffc2fe51f8c31513aba64e24c59fd6eccf0fed4d7fd9cb209259156b9f
Instruction Fuzzy Hash: 8CC115A27106000BD714AE7DDD8476AB68A9BC5716F28827FF244EB3D6DB7CCD418388

Uniqueness

Uniqueness Score: -1.00%

Function 0041F7A0 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 131
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E0041F7A0(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr _a4) {
				char _v8;
				struct _MEMORY_BASIC_INFORMATION _v36;
				short _v558;
				char _v564;
				intOrPtr _v568;
				char _v572;
				char _v576;
				char _v580;
				intOrPtr _v584;
				char _v588;
				void* _v592;
				char _v596;
				char _v600;
				char _v604;
				char _v608;
				intOrPtr _v612;
				char _v616;
				char _v620;
				char _v624;
				void* _v628;
				char _v632;
				void* _t64;
				intOrPtr _t65;
				long _t76;
				intOrPtr _t82;
				intOrPtr _t103;
				intOrPtr _t107;
				intOrPtr _t110;
				intOrPtr _t112;
				intOrPtr _t115;
				intOrPtr _t127;
				void* _t136;
				intOrPtr _t138;
				void* _t141;
				void* _t143;

				_t136 = __edi;
				_t140 = _t141;
				_v632 = 0;
				_v596 = 0;
				_v604 = 0;
				_v600 = 0;
				_v8 = 0;
				_push(_t141);
				_push(0x41f9a6);
				_push( *[fs:eax]);
				 *[fs:eax] = _t141 + 0xfffffd8c;
				_t64 =  *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x14)) - 1;
				_t143 = _t64;
				if(_t143 < 0) {
					_t65 =  *0x4ba798; // 0x40e730
					E0040C9F0(_t65,  &_v8, _t140);
				} else {
					if(_t143 == 0) {
						_t107 =  *0x4ba670; // 0x40e738
						E0040C9F0(_t107,  &_v8, _t140);
					} else {
						if(_t64 == 7) {
							_t110 =  *0x4ba4d0; // 0x40e740
							E0040C9F0(_t110,  &_v8, _t140);
						} else {
							_t112 =  *0x4ba5c8; // 0x40e748
							E0040C9F0(_t112,  &_v8, _t140);
						}
					}
				}
				_t115 =  *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x18));
				VirtualQuery( *( *((intOrPtr*)(_a4 - 4)) + 0xc),  &_v36, 0x1c);
				_t138 = _v36.State;
				if(_t138 == 0x1000 || _t138 == 0x10000) {
					_t76 = GetModuleFileNameW(_v36.AllocationBase,  &_v558, 0x105);
					_t147 = _t76;
					if(_t76 == 0) {
						goto L12;
					} else {
						_v592 =  *( *((intOrPtr*)(_a4 - 4)) + 0xc);
						_v588 = 5;
						E0040858C( &_v600, 0x105,  &_v558);
						E0041A418(_v600, _t115,  &_v596, _t136, _t138, _t147);
						_v584 = _v596;
						_v580 = 0x11;
						_v576 = _v8;
						_v572 = 0x11;
						_v568 = _t115;
						_v564 = 5;
						_push( &_v592);
						_t103 =  *0x4ba6e0; // 0x40e810
						E0040C9F0(_t103,  &_v604, _t140, 3);
						E0041F2A0(_t115, _v604, 1, _t136, _t138);
					}
				} else {
					L12:
					_v628 =  *( *((intOrPtr*)(_a4 - 4)) + 0xc);
					_v624 = 5;
					_v620 = _v8;
					_v616 = 0x11;
					_v612 = _t115;
					_v608 = 5;
					_push( &_v628);
					_t82 =  *0x4ba67c; // 0x40e6d8
					E0040C9F0(_t82,  &_v632, _t140, 2);
					E0041F2A0(_t115, _v632, 1, _t136, _t138);
				}
				_pop(_t127);
				 *[fs:eax] = _t127;
				_push(0x41f9ad);
				E00407A20( &_v632);
				E00407A80( &_v604, 3);
				return E00407A20( &_v8);
			}

0x0041f7a0
0x0041f7a1
0x0041f7ad
0x0041f7b3
0x0041f7b9
0x0041f7bf
0x0041f7c5
0x0041f7ca
0x0041f7cb
0x0041f7d0
0x0041f7d3
0x0041f7df
0x0041f7df
0x0041f7e2
0x0041f7f0
0x0041f7f5
0x0041f7e4
0x0041f7e4
0x0041f7ff
0x0041f804
0x0041f7e6
0x0041f7e9
0x0041f80e
0x0041f813
0x0041f7eb
0x0041f81d
0x0041f822
0x0041f822
0x0041f7e9
0x0041f7e4
0x0041f82d
0x0041f840
0x0041f845
0x0041f84e
0x0041f86c
0x0041f871
0x0041f873
0x00000000
0x0041f879
0x0041f882
0x0041f888
0x0041f8a0
0x0041f8b1
0x0041f8bc
0x0041f8c2
0x0041f8cc
0x0041f8d2
0x0041f8d9
0x0041f8df
0x0041f8ec
0x0041f8f5
0x0041f8fa
0x0041f90c
0x0041f911
0x0041f915
0x0041f915
0x0041f91e
0x0041f924
0x0041f92e
0x0041f934
0x0041f93b
0x0041f941
0x0041f94e
0x0041f957
0x0041f95c
0x0041f96e
0x0041f973
0x0041f977
0x0041f97a
0x0041f97d
0x0041f988
0x0041f998
0x0041f9a5

APIs

VirtualQuery.KERNEL32(?,?,0000001C,00000000,0041F9A6), ref: 0041F840
GetModuleFileNameW.KERNEL32(?,?,00000105,?,?,0000001C,00000000,0041F9A6), ref: 0041F86C

Part of subcall function 0040C9F0: LoadStringW.USER32(00000000,00010000,?,00001000), ref: 0040CA35

Strings

H@, xrefs: 0041F81D
0@, xrefs: 0041F7F0
8@, xrefs: 0041F7FF
@@, xrefs: 0041F80E

Memory Dump Source

Source File: 00000000.00000002.408873022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.408864577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409100576.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409115454.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409128043.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409135279.00000000004C6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: FileLoadModuleNameQueryStringVirtual
String ID: 0@$8@$@@$H@
API String ID: 902310565-4161625419
Opcode ID: 2bcb5d97eafe9ae16bdb5e5d20f221eb3d58e794d65a866e62d276be447e8c2a
Instruction ID: bbc3c026f35d1d6bea3ad9012fddeafd4c483e803022796d8e8ef386e34d3195
Opcode Fuzzy Hash: 2bcb5d97eafe9ae16bdb5e5d20f221eb3d58e794d65a866e62d276be447e8c2a
Instruction Fuzzy Hash: 69511874A04258DFCB10EF69CC89BCDB7F4AB48304F0042E6A808A7351D778AE85CF59

Uniqueness

Uniqueness Score: -1.00%

Function 00406688 Relevance: 10.6, APIs: 7, Instructions: 130
threadCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E00406688(signed char* __eax, void* __edx, void* __eflags) {
				void* _t49;
				signed char _t56;
				intOrPtr _t57;
				signed char _t59;
				void* _t70;
				signed char* _t71;
				intOrPtr _t72;
				signed char* _t73;

				_t70 = __edx;
				_t71 = __eax;
				_t72 =  *((intOrPtr*)(__eax + 0x10));
				while(1) {
					L1:
					 *_t73 = E00406B30(_t71);
					if( *_t73 != 0 || _t70 == 0) {
						break;
					}
					_t73[1] = 0;
					if(_t72 <= 0) {
						while(1) {
							L17:
							_t56 =  *_t71;
							if(_t56 == 0) {
								goto L1;
							}
							asm("lock cmpxchg [esi], edx");
							if(_t56 != _t56) {
								continue;
							} else {
								goto L19;
							}
							do {
								L19:
								_t73[4] = GetTickCount();
								E0040688C(_t71);
								_t57 =  *0x4bb8f8; // 0x4b9284
								 *((intOrPtr*)(_t57 + 0x10))();
								 *_t73 = 0 == 0;
								if(_t70 != 0xffffffff) {
									_t73[8] = GetTickCount();
									if(_t70 <= _t73[8] - _t73[4]) {
										_t70 = 0;
									} else {
										_t70 = _t70 - _t73[8] - _t73[4];
									}
								}
								if( *_t73 == 0) {
									do {
										asm("lock cmpxchg [esi], edx");
									} while ( *_t71 !=  *_t71);
									_t73[1] = 1;
								} else {
									while(1) {
										_t59 =  *_t71;
										if((_t59 & 0x00000001) != 0) {
											goto L29;
										}
										asm("lock cmpxchg [esi], edx");
										if(_t59 != _t59) {
											continue;
										}
										_t73[1] = 1;
										goto L29;
									}
								}
								L29:
							} while (_t73[1] == 0);
							if( *_t73 != 0) {
								_t71[8] = GetCurrentThreadId();
								_t71[4] = 1;
							}
							goto L32;
						}
						continue;
					}
					_t73[4] = GetTickCount();
					_t73[0xc] = 0;
					if(_t72 <= 0) {
						L13:
						if(_t70 == 0xffffffff) {
							goto L17;
						}
						_t73[8] = GetTickCount();
						_t49 = _t73[8] - _t73[4];
						if(_t70 > _t49) {
							_t70 = _t70 - _t49;
							goto L17;
						}
						 *_t73 = 0;
						break;
					}
					L5:
					L5:
					if(_t70 == 0xffffffff || _t70 > GetTickCount() - _t73[4]) {
						goto L8;
					} else {
						 *_t73 = 0;
					}
					break;
					L8:
					if( *_t71 > 1) {
						goto L13;
					}
					if( *_t71 != 0) {
						L12:
						E00406368( &(_t73[0xc]));
						_t72 = _t72 - 1;
						if(_t72 > 0) {
							goto L5;
						}
						goto L13;
					}
					asm("lock cmpxchg [esi], edx");
					if(0 != 0) {
						goto L12;
					}
					_t71[8] = GetCurrentThreadId();
					_t71[4] = 1;
					 *_t73 = 1;
					break;
				}
				L32:
				return  *_t73 & 0x000000ff;
			}

0x0040668f
0x00406691
0x00406693
0x00406696
0x00406696
0x0040669d
0x004066a4
0x00000000
0x00000000
0x004066b2
0x004066b9
0x00406751
0x00406751
0x00406751
0x00406755
0x00000000
0x00000000
0x00406760
0x00406766
0x00000000
0x00000000
0x00000000
0x00000000
0x00406768
0x00406768
0x0040676d
0x00406773
0x0040677a
0x00406784
0x00406789
0x00406790
0x00406797
0x004067a5
0x004067b3
0x004067a7
0x004067af
0x004067af
0x004067a5
0x004067b9
0x004067db
0x004067e4
0x004067e8
0x004067ec
0x00000000
0x004067bb
0x004067bb
0x004067c0
0x00000000
0x00000000
0x004067cc
0x004067d2
0x00000000
0x00000000
0x004067d4
0x00000000
0x004067d4
0x004067bb
0x004067f1
0x004067f1
0x00406800
0x00406807
0x0040680a
0x0040680a
0x00000000
0x00406800
0x00000000
0x00406751
0x004066c4
0x004066ca
0x004066d0
0x0040672c
0x0040672f
0x00000000
0x00000000
0x00406736
0x0040673e
0x00406744
0x0040674f
0x00000000
0x0040674f
0x00406746
0x00000000
0x00406746
0x00000000
0x004066d2
0x004066d5
0x00000000
0x004066e4
0x004066e4
0x004066e4
0x00000000
0x004066ed
0x004066f0
0x00000000
0x00000000
0x004066f5
0x0040671e
0x00406722
0x00406727
0x0040672a
0x00000000
0x00000000
0x00000000
0x0040672a
0x004066fe
0x00406704
0x00000000
0x00000000
0x0040670b
0x0040670e
0x00406715
0x00000000
0x00406715
0x00406811
0x0040681c

APIs

Part of subcall function 00406B30: GetCurrentThreadId.KERNEL32 ref: 00406B33

GetTickCount.KERNEL32 ref: 004066BF
GetTickCount.KERNEL32 ref: 004066D7
GetCurrentThreadId.KERNEL32 ref: 00406706
GetTickCount.KERNEL32 ref: 00406731
GetTickCount.KERNEL32 ref: 00406768
GetTickCount.KERNEL32 ref: 00406792
GetCurrentThreadId.KERNEL32 ref: 00406802

Memory Dump Source

Source File: 00000000.00000002.408873022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.408864577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409100576.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409115454.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409128043.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409135279.00000000004C6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: CountTick$CurrentThread
String ID:
API String ID: 3968769311-0
Opcode ID: d68569389b1874426944dbdaf855cb9de5dde29c2ee803ff208aff5c928e2b2c
Instruction ID: 4198438d609b3d92ee1caba3903e9c970ac06421e97b93dd9799f90313ce3de1
Opcode Fuzzy Hash: d68569389b1874426944dbdaf855cb9de5dde29c2ee803ff208aff5c928e2b2c
Instruction Fuzzy Hash: 664182712083419ED721AE3CC58431BBAD5AF80358F16C93ED4DA973C1EB7988958756

Uniqueness

Uniqueness Score: -1.00%

Function 004971AC Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 87
threadCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E004971AC(void* __ebx, void* __ecx, char __edx, void* __edi, void* __esi, intOrPtr _a4) {
				char _v5;
				char _v12;
				char _v16;
				char _v20;
				void* _t23;
				char _t29;
				void* _t50;
				intOrPtr _t55;
				char _t57;
				intOrPtr _t59;
				void* _t64;
				void* _t66;
				void* _t68;
				void* _t69;
				intOrPtr _t70;

				_t64 = __edi;
				_t57 = __edx;
				_t50 = __ecx;
				_t68 = _t69;
				_t70 = _t69 + 0xfffffff0;
				_v20 = 0;
				if(__edx != 0) {
					_t70 = _t70 + 0xfffffff0;
					_t23 = E004062B0(_t23, _t68);
				}
				_t49 = _t50;
				_v5 = _t57;
				_t66 = _t23;
				_push(_t68);
				_push(0x4972a5);
				_push( *[fs:eax]);
				 *[fs:eax] = _t70;
				E00405CB8(0);
				_t3 = _t66 + 0x2c; // 0x266461
				 *(_t66 + 0xf) =  *_t3 & 0x000000ff ^ 0x00000001;
				if(_t50 == 0 ||  *(_t66 + 0x2c) != 0) {
					_t29 = 0;
				} else {
					_t29 = 1;
				}
				 *((char*)(_t66 + 0xd)) = _t29;
				if( *(_t66 + 0x2c) != 0) {
					 *((intOrPtr*)(_t66 + 8)) = GetCurrentThread();
					 *((intOrPtr*)(_t66 + 4)) = GetCurrentThreadId();
				} else {
					if(_a4 == 0) {
						_t12 = _t66 + 4; // 0x495548
						 *((intOrPtr*)(_t66 + 8)) = E004078E0(0, E004970B8, 0, _t12, 4, _t66);
					} else {
						_t9 = _t66 + 4; // 0x495548
						 *((intOrPtr*)(_t66 + 8)) = E004078E0(0, E004970B8, _a4, _t9, 0x10004, _t66);
					}
					if( *((intOrPtr*)(_t66 + 8)) == 0) {
						E0041DFB0(GetLastError(), _t49, 0, _t66);
						_v16 = _v20;
						_v12 = 0x11;
						_t55 =  *0x4ba740; // 0x40ea6c
						E0041F35C(_t49, _t55, 1, _t64, _t66, 0,  &_v16);
						E0040711C();
					}
				}
				_pop(_t59);
				 *[fs:eax] = _t59;
				_push(0x4972ac);
				return E00407A20( &_v20);
			}

0x004971ac
0x004971ac
0x004971ac
0x004971ad
0x004971af
0x004971b6
0x004971bb
0x004971bd
0x004971c0
0x004971c0
0x004971c5
0x004971c7
0x004971ca
0x004971ce
0x004971cf
0x004971d4
0x004971d7
0x004971de
0x004971e3
0x004971e9
0x004971ee
0x004971f6
0x004971fa
0x004971fa
0x004971fa
0x004971fc
0x00497203
0x00497284
0x0049728c
0x00497205
0x00497209
0x0049722c
0x0049723e
0x0049720b
0x00497211
0x00497224
0x00497224
0x00497245
0x00497251
0x00497259
0x0049725c
0x00497266
0x00497273
0x00497278
0x00497278
0x00497245
0x00497291
0x00497294
0x00497297
0x004972a4

APIs

GetLastError.KERNEL32(00000000,004972A5,?,00495544,00000000), ref: 00497247

Part of subcall function 004078E0: CreateThread.KERNEL32 ref: 0040793A

GetCurrentThread.KERNEL32 ref: 0049727F
GetCurrentThreadId.KERNEL32 ref: 00497287

Strings

XtI, xrefs: 00497214, 0049722F
l@, xrefs: 00497266
0@G, xrefs: 0049726E

Memory Dump Source

Source File: 00000000.00000002.408873022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.408864577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409100576.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409115454.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409128043.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409135279.00000000004C6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: Thread$Current$CreateErrorLast
String ID: 0@G$XtI$l@
API String ID: 3539746228-385768319
Opcode ID: a4dc03de5b91be95089a9569e035fcfb45136a4f5e23dfed5c7514759ebadc63
Instruction ID: 1159262e71bebd7e921a745d602ab6fc0c684f98ff6f66721209a3575415716a
Opcode Fuzzy Hash: a4dc03de5b91be95089a9569e035fcfb45136a4f5e23dfed5c7514759ebadc63
Instruction Fuzzy Hash: 2B31E2309287449EDB10EBB68C427AB7FE49F09304F40C87EE455973C1DA3CA545C799

Uniqueness

Uniqueness Score: -1.00%

Function 00406424 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 63
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 36%

			E00406424(void* __edx) {
				signed int _v8;
				intOrPtr _v12;
				char _v16;
				char* _t23;
				intOrPtr _t29;
				intOrPtr _t39;
				void* _t41;
				void* _t43;
				intOrPtr _t44;

				_t41 = _t43;
				_t44 = _t43 + 0xfffffff4;
				_v16 = 0;
				if(GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "GetLogicalProcessorInformation") == 0) {
					L10:
					_v8 = 0x40;
					goto L11;
				} else {
					_t23 =  &_v16;
					_push(_t23);
					_push(0);
					L00403808();
					if(_t23 != 0 || GetLastError() != 0x7a) {
						goto L10;
					} else {
						_v12 = E004053F0(_v16);
						_push(_t41);
						_push(E004064D2);
						_push( *[fs:edx]);
						 *[fs:edx] = _t44;
						_push( &_v16);
						_push(_v12);
						L00403808();
						_t29 = _v12;
						if(_v16 <= 0) {
							L8:
							_pop(_t39);
							 *[fs:eax] = _t39;
							_push(E004064D9);
							return E0040540C(_v12);
						} else {
							while( *((short*)(_t29 + 4)) != 2 ||  *((char*)(_t29 + 8)) != 1) {
								_t29 = _t29 + 0x18;
								_v16 = _v16 - 0x18;
								if(_v16 > 0) {
									continue;
								} else {
									goto L8;
								}
								goto L12;
							}
							_v8 =  *(_t29 + 0xa) & 0x0000ffff;
							E00407210();
							L11:
							return _v8;
						}
					}
				}
				L12:
			}

0x00406425
0x00406427
0x0040642c
0x00406446
0x004064d9
0x004064d9
0x00000000
0x0040644c
0x0040644c
0x0040644f
0x00406450
0x00406452
0x00406459
0x00000000
0x00406465
0x0040646d
0x00406472
0x00406473
0x00406478
0x0040647b
0x00406481
0x00406485
0x00406486
0x0040648b
0x00406492
0x004064bc
0x004064be
0x004064c1
0x004064c4
0x004064d1
0x00406494
0x00406494
0x004064af
0x004064b2
0x004064ba
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004064ba
0x004064a5
0x004064a8
0x004064e0
0x004064e6
0x004064e6
0x00406492
0x00406459
0x00000000

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,GetLogicalProcessorInformation), ref: 00406439
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040643F
GetLastError.KERNEL32(00000000,?,GetLogicalProcessorInformation), ref: 0040645B

Strings

GetLogicalProcessorInformation, xrefs: 0040642F
kernel32.dll, xrefs: 00406434
@, xrefs: 004064D9

Memory Dump Source

Source File: 00000000.00000002.408873022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.408864577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409100576.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409115454.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409128043.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409135279.00000000004C6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: AddressErrorHandleLastModuleProc
String ID: @$GetLogicalProcessorInformation$kernel32.dll
API String ID: 4275029093-79381301
Opcode ID: 60cbd49ddd200d6d95d4e054eb85e0ada012a2fb0b751d352b1ba5f8ec496b5f
Instruction ID: 8f5f9a4eb212fab3c4852abc810e80ead921d34dcce11bc4c58bc7a6251dba94
Opcode Fuzzy Hash: 60cbd49ddd200d6d95d4e054eb85e0ada012a2fb0b751d352b1ba5f8ec496b5f
Instruction Fuzzy Hash: 52116371D00208BEDB20EFA5D84576EBBA8EB40705F1184BBF815F32C1D67D9A908B1D

Uniqueness

Uniqueness Score: -1.00%

Function 004076B8 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 40
fileCOMMON

Download Yara Rule

C-Code - Quality: 43%

			E004076B8(void* __ecx) {
				long _v4;
				void* _t3;
				void* _t9;

				if( *0x4bb058 == 0) {
					if( *0x4b7032 == 0) {
						_push(0);
						_push("Error");
						_push("Runtime error     at 00000000");
						_push(0);
						L00403780();
					}
					return _t3;
				} else {
					if( *0x4bb344 == 0xd7b2 &&  *0x4bb34c > 0) {
						 *0x4bb35c();
					}
					WriteFile(GetStdHandle(0xfffffff5), "Runtime error     at 00000000", 0x1d,  &_v4, 0);
					_t9 = E00408240(0x40774c);
					return WriteFile(GetStdHandle(0xfffffff5), _t9, 2,  &_v4, 0);
				}
			}

0x004076c0
0x00407726
0x00407728
0x0040772a
0x0040772f
0x00407734
0x00407736
0x00407736
0x0040773c
0x004076c2
0x004076cb
0x004076db
0x004076db
0x004076f7
0x0040770a
0x0040771e
0x0040771e

APIs

GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?,0040788A,004054FF,00405546,?,?,0040555F), ref: 004076F1
WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?,0040788A,004054FF,00405546,?,?), ref: 004076F7
GetStdHandle.KERNEL32(000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?), ref: 00407712
WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?), ref: 00407718

Strings

Error, xrefs: 0040772A
Runtime error at 00000000, xrefs: 004076EA, 0040772F

Memory Dump Source

Source File: 00000000.00000002.408873022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.408864577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409100576.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409115454.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409128043.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409135279.00000000004C6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: FileHandleWrite
String ID: Error$Runtime error at 00000000
API String ID: 3320372497-2970929446
Opcode ID: 06894f85802f1aca0c877f66b17294aabd6ee15dfccdef8be12070d3d0c4ead6
Instruction ID: db14fa18f2a627875cbdcf208ba1e0af1765c14dc112cf76e17f9611cef7a876
Opcode Fuzzy Hash: 06894f85802f1aca0c877f66b17294aabd6ee15dfccdef8be12070d3d0c4ead6
Instruction Fuzzy Hash: DFF0C2A1A8C24079FA2077A94C47F5A269C8740B16F108A3FF610B61D1C7FD6584937E

Uniqueness

Uniqueness Score: -1.00%

Function 00420524 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00420524(void* __ebx, void* __esi) {
				intOrPtr _t4;
				intOrPtr _t6;

				if(E0041FF68(6, 0) == 0) {
					_t4 = E0040E1A8(__ebx, __esi, GetModuleHandleW(L"NTDLL.DLL"), L"RtlCompareUnicodeString");
					 *0x4be914 = _t4;
					 *0x4be910 = E00420428;
					return _t4;
				} else {
					_t6 = E0040E1A8(__ebx, __esi, GetModuleHandleW(L"kernel32.dll"), L"CompareStringOrdinal");
					 *0x4be910 = _t6;
					return _t6;
				}
			}

0x00420532
0x0042055f
0x00420564
0x00420569
0x00420573
0x00420534
0x00420544
0x00420549
0x0042054e
0x0042054e

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,CompareStringOrdinal,004B5A2E,00000000,004B5A41), ref: 0042053E

Part of subcall function 0040E1A8: GetProcAddress.KERNEL32(?,00423116), ref: 0040E1D2

GetModuleHandleW.KERNEL32(NTDLL.DLL,RtlCompareUnicodeString,004B5A2E,00000000,004B5A41), ref: 00420559

Strings

CompareStringOrdinal, xrefs: 00420534
RtlCompareUnicodeString, xrefs: 0042054F
kernel32.dll, xrefs: 00420539
NTDLL.DLL, xrefs: 00420554

Memory Dump Source

Source File: 00000000.00000002.408873022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.408864577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409100576.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409115454.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409128043.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409135279.00000000004C6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: HandleModule$AddressProc
String ID: CompareStringOrdinal$NTDLL.DLL$RtlCompareUnicodeString$kernel32.dll
API String ID: 1883125708-3870080525
Opcode ID: b7bf267469631706014ef5b6a976724c1e29590bd579973413919bb6c8384525
Instruction ID: 4ba185d4141586243d2650af69d43cb091b5da9faf927984522c9bbe9ad7037f
Opcode Fuzzy Hash: b7bf267469631706014ef5b6a976724c1e29590bd579973413919bb6c8384525
Instruction Fuzzy Hash: 04E08CF0B4232036E644FB672C0769929C51B85709BD04A3F7004BA1D7DBBE42659E2E

Uniqueness

Uniqueness Score: -1.00%

Function 0042931C Relevance: 9.1, APIs: 6, Instructions: 144
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E0042931C(short* __eax, intOrPtr __ecx, signed short* __edx) {
				char _v260;
				char _v768;
				char _v772;
				short* _v776;
				intOrPtr _v780;
				char _v784;
				signed int _v788;
				signed short* _v792;
				char _v796;
				char _v800;
				intOrPtr* _v804;
				signed short* _v808;
				void* __ebp;
				signed char _t55;
				signed int _t64;
				void* _t72;
				intOrPtr* _t83;
				void* _t103;
				void* _t105;
				void* _t108;
				void* _t109;
				intOrPtr* _t118;
				void* _t122;
				intOrPtr _t123;
				char* _t124;
				void* _t125;

				_t110 = __ecx;
				_v780 = __ecx;
				_v808 = __edx;
				_v776 = __eax;
				if((_v808[0] & 0x00000020) == 0) {
					E00428FDC(0x80070057);
				}
				_t55 =  *_v808 & 0x0000ffff;
				if((_t55 & 0x00000fff) != 0xc) {
					_push(_v808);
					_push(_v776);
					L00427254();
					return E00428FDC(_v776);
				} else {
					if((_t55 & 0x00000040) == 0) {
						_v792 = _v808[4];
					} else {
						_v792 =  *(_v808[4]);
					}
					_v788 =  *_v792 & 0x0000ffff;
					_t103 = _v788 - 1;
					if(_t103 < 0) {
						L9:
						_push( &_v772);
						_t64 = _v788;
						_push(_t64);
						_push(0xc);
						L00427828();
						_t123 = _t64;
						if(_t123 == 0) {
							E00428D34(_t110);
						}
						E00429278(_v776);
						 *_v776 = 0x200c;
						 *((intOrPtr*)(_v776 + 8)) = _t123;
						_t105 = _v788 - 1;
						if(_t105 < 0) {
							L14:
							_t107 = _v788 - 1;
							if(E00429294(_v788 - 1, _t125) != 0) {
								L00427840();
								E00428FDC(_v792);
								L00427840();
								E00428FDC( &_v260);
								_v780(_t123,  &_v260,  &_v800, _v792,  &_v260,  &_v796);
							}
							_t72 = E004292C4(_t107, _t125);
						} else {
							_t108 = _t105 + 1;
							_t83 =  &_v768;
							_t118 =  &_v260;
							do {
								 *_t118 =  *_t83;
								_t118 = _t118 + 4;
								_t83 = _t83 + 8;
								_t108 = _t108 - 1;
							} while (_t108 != 0);
							do {
								goto L14;
							} while (_t72 != 0);
							return _t72;
						}
					} else {
						_t109 = _t103 + 1;
						_t122 = 0;
						_t124 =  &_v772;
						do {
							_v804 = _t124;
							_push(_v804 + 4);
							_t23 = _t122 + 1; // 0x1
							_push(_v792);
							L00427830();
							E00428FDC(_v792);
							_push( &_v784);
							_t26 = _t122 + 1; // 0x1
							_push(_v792);
							L00427838();
							E00428FDC(_v792);
							 *_v804 = _v784 -  *((intOrPtr*)(_v804 + 4)) + 1;
							_t122 = _t122 + 1;
							_t124 = _t124 + 8;
							_t109 = _t109 - 1;
						} while (_t109 != 0);
						goto L9;
					}
				}
			}

0x0042931c
0x00429328
0x0042932e
0x00429334
0x00429344
0x0042934b
0x0042934b
0x00429356
0x00429364
0x004294ef
0x004294f6
0x004294f7
0x00000000
0x0042936a
0x0042936d
0x0042938b
0x0042936f
0x0042937a
0x0042937a
0x0042939a
0x004293a6
0x004293a9
0x00429416
0x0042941c
0x0042941d
0x00429423
0x00429424
0x00429426
0x0042942b
0x0042942f
0x00429431
0x00429431
0x0042943c
0x00429447
0x00429452
0x0042945b
0x0042945e
0x0042947a
0x00429481
0x0042948c
0x004294a3
0x004294a8
0x004294bc
0x004294c1
0x004294d4
0x004294d4
0x004294dd
0x00429460
0x00429460
0x00429461
0x00429467
0x0042946d
0x0042946f
0x00429471
0x00429474
0x00429477
0x00429477
0x0042947a
0x00000000
0x00000000
0x00000000
0x0042947a
0x004293ab
0x004293ab
0x004293ac
0x004293ae
0x004293b4
0x004293b6
0x004293c5
0x004293c6
0x004293d0
0x004293d1
0x004293d6
0x004293e1
0x004293e2
0x004293ec
0x004293ed
0x004293f2
0x0042940d
0x0042940f
0x00429410
0x00429413
0x00429413
0x00000000
0x004293b4
0x004293a9

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 004293D1
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 004293ED
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 00429426
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004294A3
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004294BC
VariantCopy.OLEAUT32(?,?), ref: 004294F7

Memory Dump Source

Source File: 00000000.00000002.408873022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.408864577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409100576.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409115454.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409128043.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409135279.00000000004C6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: ArraySafe$BoundIndex$CopyCreateVariant
String ID:
API String ID: 351091851-0
Opcode ID: 098dc979d013d57468a629589b458cb88fc05e19e5f0a5a7df6b54d31b1502c0
Instruction ID: 2fed5c09d90993a71d142947efe00684c7910c2ed580f9cb9a97fb5731140b2d
Opcode Fuzzy Hash: 098dc979d013d57468a629589b458cb88fc05e19e5f0a5a7df6b54d31b1502c0
Instruction Fuzzy Hash: 4B51EE75A012299FCB21DB59D981BDAB3FCAF0C304F8041DAF548E7211D634AF858F65

Uniqueness

Uniqueness Score: -1.00%

Function 004AFA44 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 44
windowCOMMON

Download Yara Rule

C-Code - Quality: 34%

			E004AFA44(void* __eax, void* __ebx, void* __edi, void* __esi) {
				char _v8;
				char _v12;
				void* _t24;
				intOrPtr _t28;
				void* _t31;
				void* _t32;
				intOrPtr _t35;

				_t32 = __esi;
				_t31 = __edi;
				_push(0);
				_push(0);
				_t24 = __eax;
				_push(_t35);
				_push(0x4aface);
				_push( *[fs:eax]);
				 *[fs:eax] = _t35;
				if(( *0x4c1d61 & 0x00000001) == 0) {
					E00407A20( &_v8);
				} else {
					E00407E48( &_v8, L"/ALLUSERS\r\nInstructs Setup to install in administrative install mode.\r\n/CURRENTUSER\r\nInstructs Setup to install in non administrative install mode.\r\n");
				}
				_push(L"The Setup program accepts optional command line parameters.\r\n\r\n/HELP, /?\r\nShows this information.\r\n/SP-\r\nDisables the This will install... Do you wish to continue? prompt at the beginning of Setup.\r\n/SILENT, /VERYSILENT\r\nInstructs Setup to be silent or very silent.\r\n/SUPPRESSMSGBOXES\r\nInstructs Setup to suppress message boxes.\r\n/LOG\r\nCauses Setup to create a log file in the user\'s TEMP directory.\r\n/LOG=\"filename\"\r\nSame as /LOG, except it allows you to specify a fixed path/filename to use for the log file.\r\n/NOCANCEL\r\nPrevents the user from cancelling during the installation process.\r\n/NORESTART\r\nPrevents Setup from restarting the system following a successful installation, or after a Preparing to Install failure that requests a restart.\r\n/RESTARTEXITCODE=exit code\r\nSpecifies a custom exit code that Setup is to return when the system needs to be restarted.\r\n/CLOSEAPPLICATIONS\r\nInstructs Setup to close applications using files that need to be updated.\r\n/NOCLOSEAPPLICATIONS\r\nPrevents Setup from closing applications using files that need to be updated.\r\n/FORCECLOSEAPPLICATIONS\r\nInstructs Setup to force close when closing applications.\r\n/FORCENOCLOSEAPPLICATIONS\r\nPrevents Setup from force closing when closing applications.\r\n/LOGCLOSEAPPLICATIONS\r\nInstructs Setup to create extra logging when closing applications for debugging purposes.\r\n/RESTARTAPPLICATIONS\r\nInstructs Setup to restart applications.\r\n/NORESTARTAPPLICATIONS\r\nPrevents Setup from restarting applications.\r\n/LOADINF=\"filename\"\r\nInstructs Setup to load the settings from the specified file after having checked the command line.\r\n/SAVEINF=\"filename\"\r\nInstructs Setup to save installation settings to the specified file.\r\n/LANG=language\r\nSpecifies the internal name of the language to use.\r\n/DIR=\"x:\\dirname\"\r\nOverrides the default directory name.\r\n/GROUP=\"folder name\"\r\nOverrides the default folder name.\r\n/NOICONS\r\nInstructs Setup to initially check the Don\'t create a Start Menu folder check box.\r\n/TYPE=type name\r\nOverrides the default setup type.\r\n/COMPONENTS=\"comma separated list of component names\"\r\nOverrides the default component settings.\r\n/TASKS=\"comma separated list of task names\"\r\nSpecifies a list of tasks that should be initially selected.\r\n/MERGETASKS=\"comma separated list of task names\"\r\nLike the /TASKS parameter, except the specified tasks will be merged with the set of tasks that would have otherwise been selected by default.\r\n/PASSWORD=password\r\nSpecifies the password to use.\r\n");
				_push(_v8);
				_push(_t24);
				_push(0x4b0f94);
				_push(L"For more detailed information, please visit https://jrsoftware.org/ishelp/index.php?topic=setupcmdline");
				E004087C4( &_v12, _t24, 5, _t31, _t32);
				MessageBoxW(0, E004084EC(_v12), L"Setup", 0x10);
				_pop(_t28);
				 *[fs:eax] = _t28;
				_push(E004AFAD5);
				return E00407A80( &_v12, 2);
			}

0x004afa44
0x004afa44
0x004afa47
0x004afa49
0x004afa4c
0x004afa50
0x004afa51
0x004afa56
0x004afa59
0x004afa63
0x004afa77
0x004afa65
0x004afa6d
0x004afa6d
0x004afa7c
0x004afa81
0x004afa84
0x004afa85
0x004afa8a
0x004afa97
0x004afaae
0x004afab5
0x004afab8
0x004afabb
0x004afacd

APIs

MessageBoxW.USER32(00000000,00000000,Setup,00000010), ref: 004AFAAE

Strings

Setup, xrefs: 004AFA9E
The Setup program accepts optional command line parameters./HELP, /?Shows this information./SP-Disables the This will in, xrefs: 004AFA7C
For more detailed information, please visit https://jrsoftware.org/ishelp/index.php?topic=setupcmdline, xrefs: 004AFA8A
/ALLUSERSInstructs Setup to install in administrative install mode./CURRENTUSERInstructs Setup to install in non administrat, xrefs: 004AFA68

Memory Dump Source

Source File: 00000000.00000002.408873022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.408864577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409100576.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409115454.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409128043.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409135279.00000000004C6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: Message
String ID: /ALLUSERSInstructs Setup to install in administrative install mode./CURRENTUSERInstructs Setup to install in non administrat$For more detailed information, please visit https://jrsoftware.org/ishelp/index.php?topic=setupcmdline$Setup$The Setup program accepts optional command line parameters./HELP, /?Shows this information./SP-Disables the This will in
API String ID: 2030045667-3391638011
Opcode ID: 66245cf56300a1c7c541050b9d52e7f7cee767bf73c9c42da64b4bca2bf40a85
Instruction ID: 307a18092975e57fce7d36cb0845ad1ef4e0a75d88e156d2955b45763d379f25
Opcode Fuzzy Hash: 66245cf56300a1c7c541050b9d52e7f7cee767bf73c9c42da64b4bca2bf40a85
Instruction Fuzzy Hash: D701A230748308BBE711E7D1CD52FDEB6A8D74AB04FA0047BB904B25D1D6BC6A09852D

Uniqueness

Uniqueness Score: -1.00%

Function 0042F9B8 Relevance: 7.8, APIs: 5, Instructions: 335
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E0042F9B8(signed short* __eax, signed int __ecx, signed short* __edx, void* __edi, void* __fp0) {
				signed int _v8;
				signed char _v9;
				signed int _v12;
				signed int _v14;
				void* _v20;
				void* _v24;
				signed short* _v28;
				signed short* _v32;
				signed int _v48;
				void* __ebx;
				void* __ebp;
				signed int _t150;
				signed int _t272;
				intOrPtr _t328;
				intOrPtr _t331;
				intOrPtr _t339;
				intOrPtr _t347;
				intOrPtr _t355;
				void* _t360;
				void* _t362;
				intOrPtr _t363;

				_t367 = __fp0;
				_t358 = __edi;
				_t360 = _t362;
				_t363 = _t362 + 0xffffffd4;
				_v8 = __ecx;
				_v32 = __edx;
				_v28 = __eax;
				_v9 = 1;
				_t272 =  *_v28 & 0x0000ffff;
				if((_t272 & 0x00000fff) >= 0x10f) {
					_t150 =  *_v32 & 0x0000ffff;
					if(_t150 != 0) {
						if(_t150 != 1) {
							if(E00430860(_t272,  &_v20) != 0) {
								_push( &_v14);
								_t273 =  *_v20;
								if( *((intOrPtr*)( *_v20 + 8))() == 0) {
									_t275 =  *_v32 & 0x0000ffff;
									if(( *_v32 & 0xfff) >= 0x10f) {
										if(E00430860(_t275,  &_v24) != 0) {
											_push( &_v12);
											_t276 =  *_v24;
											if( *((intOrPtr*)( *_v24 + 4))() == 0) {
												E00428BF0(0xb);
												goto L41;
											} else {
												if(( *_v28 & 0x0000ffff) == _v12) {
													_t143 = ( *((intOrPtr*)( *_v24 + 0x34))(_v8) & 0x0000007f) - 0x1c; // 0x48b0424
													_v9 =  *(0x4b93d2 + _v8 * 2 + _t143) & 0x000000ff;
													goto L41;
												} else {
													_push( &_v48);
													L00427244();
													_push(_t360);
													_push(0x42fdb0);
													_push( *[fs:eax]);
													 *[fs:eax] = _t363;
													_t289 = _v12 & 0x0000ffff;
													E004299A4( &_v48, _t276, _v12 & 0x0000ffff, _v28, __edi, __fp0);
													if((_v48 & 0x0000ffff) != _v12) {
														E00428AF8(_t289);
													}
													_t131 = ( *((intOrPtr*)( *_v24 + 0x34))(_v8) & 0x0000007f) - 0x1c; // 0x48b0424
													_v9 =  *(0x4b93d2 + _v8 * 2 + _t131) & 0x000000ff;
													_pop(_t328);
													 *[fs:eax] = _t328;
													_push(0x42fde5);
													return E00429278( &_v48);
												}
											}
										} else {
											E00428BF0(0xb);
											goto L41;
										}
									} else {
										_push( &_v48);
										L00427244();
										_push(_t360);
										_push(0x42fcf7);
										_push( *[fs:eax]);
										 *[fs:eax] = _t363;
										_t294 =  *_v32 & 0x0000ffff;
										E004299A4( &_v48, _t275,  *_v32 & 0x0000ffff, _v28, __edi, __fp0);
										if(( *_v32 & 0x0000ffff) != _v48) {
											E00428AF8(_t294);
										}
										_v9 = E0042F7D0( &_v48, _v8, _v32, _t358, _t360, _t367);
										_pop(_t331);
										 *[fs:eax] = _t331;
										_push(0x42fde5);
										return E00429278( &_v48);
									}
								} else {
									if(( *_v32 & 0x0000ffff) == _v14) {
										_t95 = ( *((intOrPtr*)( *_v20 + 0x34))(_v8) & 0x0000007f) - 0x1c; // 0x48b0424
										_v9 =  *(0x4b93d2 + _v8 * 2 + _t95) & 0x000000ff;
										goto L41;
									} else {
										_push( &_v48);
										L00427244();
										_push(_t360);
										_push(0x42fc52);
										_push( *[fs:eax]);
										 *[fs:eax] = _t363;
										_t299 = _v14 & 0x0000ffff;
										E004299A4( &_v48, _t273, _v14 & 0x0000ffff, _v32, __edi, __fp0);
										if((_v48 & 0x0000ffff) != _v14) {
											E00428AF8(_t299);
										}
										_t83 = ( *((intOrPtr*)( *_v20 + 0x34))(_v8) & 0x0000007f) - 0x1c; // 0x48b0424
										_v9 =  *(0x4b93d2 + _v8 * 2 + _t83) & 0x000000ff;
										_pop(_t339);
										 *[fs:eax] = _t339;
										_push(0x42fde5);
										return E00429278( &_v48);
									}
								}
							} else {
								E00428BF0(__ecx);
								goto L41;
							}
						} else {
							_v9 = E0042F550(_v8, 2);
							goto L41;
						}
					} else {
						_v9 = E0042F53C(0, 1);
						goto L41;
					}
				} else {
					if(_t272 != 0) {
						if(_t272 != 1) {
							if(E00430860( *_v32 & 0x0000ffff,  &_v24) != 0) {
								_push( &_v12);
								_t282 =  *_v24;
								if( *((intOrPtr*)( *_v24 + 4))() == 0) {
									_push( &_v48);
									L00427244();
									_push(_t360);
									_push(0x42fb63);
									_push( *[fs:eax]);
									 *[fs:eax] = _t363;
									_t306 =  *_v28 & 0x0000ffff;
									E004299A4( &_v48, _t282,  *_v28 & 0x0000ffff, _v32, __edi, __fp0);
									if((_v48 & 0xfff) !=  *_v28) {
										E00428AF8(_t306);
									}
									_v9 = E0042F7D0(_v28, _v8,  &_v48, _t358, _t360, _t367);
									_pop(_t347);
									 *[fs:eax] = _t347;
									_push(0x42fde5);
									return E00429278( &_v48);
								} else {
									if(( *_v28 & 0x0000ffff) == _v12) {
										_t44 = ( *((intOrPtr*)( *_v24 + 0x34))(_v8) & 0x0000007f) - 0x1c; // 0x48b0424
										_v9 =  *(0x4b93d2 + _v8 * 2 + _t44) & 0x000000ff;
										goto L41;
									} else {
										_push( &_v48);
										L00427244();
										_push(_t360);
										_push(0x42facc);
										_push( *[fs:eax]);
										 *[fs:eax] = _t363;
										_t311 = _v12 & 0x0000ffff;
										E004299A4( &_v48, _t282, _v12 & 0x0000ffff, _v28, __edi, __fp0);
										if((_v48 & 0xfff) != _v12) {
											E00428AF8(_t311);
										}
										_t32 = ( *((intOrPtr*)( *_v24 + 0x34))(_v8) & 0x0000007f) - 0x1c; // 0x48b0424
										_v9 =  *(0x4b93d2 + _v8 * 2 + _t32) & 0x000000ff;
										_pop(_t355);
										 *[fs:eax] = _t355;
										_push(0x42fde5);
										return E00429278( &_v48);
									}
								}
							} else {
								E00428BF0(__ecx);
								goto L41;
							}
						} else {
							_v9 = E0042F550(_v8, 0);
							goto L41;
						}
					} else {
						_v9 = E0042F53C(1, 0);
						L41:
						return _v9 & 0x000000ff;
					}
				}
			}

0x0042f9b8
0x0042f9b8
0x0042f9b9
0x0042f9bb
0x0042f9bf
0x0042f9c2
0x0042f9c5
0x0042f9c8
0x0042f9cf
0x0042f9dc
0x0042fb6d
0x0042fb73
0x0042fb8a
0x0042fbac
0x0042fbbb
0x0042fbc7
0x0042fbce
0x0042fc88
0x0042fc95
0x0042fd0a
0x0042fd19
0x0042fd25
0x0042fd2c
0x0042fde0
0x00000000
0x0042fd32
0x0042fd3c
0x0042fdd6
0x0042fddb
0x00000000
0x0042fd3e
0x0042fd41
0x0042fd42
0x0042fd49
0x0042fd4a
0x0042fd4f
0x0042fd52
0x0042fd55
0x0042fd5f
0x0042fd6c
0x0042fd6e
0x0042fd6e
0x0042fd92
0x0042fd97
0x0042fd9c
0x0042fd9f
0x0042fda2
0x0042fdaf
0x0042fdaf
0x0042fd3c
0x0042fd0c
0x0042fd0c
0x00000000
0x0042fd0c
0x0042fc97
0x0042fc9a
0x0042fc9b
0x0042fca2
0x0042fca3
0x0042fca8
0x0042fcab
0x0042fcb1
0x0042fcba
0x0042fcc9
0x0042fccb
0x0042fccb
0x0042fcde
0x0042fce3
0x0042fce6
0x0042fce9
0x0042fcf6
0x0042fcf6
0x0042fbd4
0x0042fbde
0x0042fc78
0x0042fc7d
0x00000000
0x0042fbe0
0x0042fbe3
0x0042fbe4
0x0042fbeb
0x0042fbec
0x0042fbf1
0x0042fbf4
0x0042fbf7
0x0042fc01
0x0042fc0e
0x0042fc10
0x0042fc10
0x0042fc34
0x0042fc39
0x0042fc3e
0x0042fc41
0x0042fc44
0x0042fc51
0x0042fc51
0x0042fbde
0x0042fbae
0x0042fbae
0x00000000
0x0042fbae
0x0042fb8c
0x0042fb98
0x00000000
0x0042fb98
0x0042fb75
0x0042fb7e
0x00000000
0x0042fb7e
0x0042f9e2
0x0042f9e5
0x0042f9fc
0x0042fa22
0x0042fa31
0x0042fa3d
0x0042fa44
0x0042fb02
0x0042fb03
0x0042fb0a
0x0042fb0b
0x0042fb10
0x0042fb13
0x0042fb19
0x0042fb22
0x0042fb35
0x0042fb37
0x0042fb37
0x0042fb4a
0x0042fb4f
0x0042fb52
0x0042fb55
0x0042fb62
0x0042fa4a
0x0042fa54
0x0042faf2
0x0042faf7
0x00000000
0x0042fa56
0x0042fa59
0x0042fa5a
0x0042fa61
0x0042fa62
0x0042fa67
0x0042fa6a
0x0042fa6d
0x0042fa77
0x0042fa88
0x0042fa8a
0x0042fa8a
0x0042faae
0x0042fab3
0x0042fab8
0x0042fabb
0x0042fabe
0x0042facb
0x0042facb
0x0042fa54
0x0042fa24
0x0042fa24
0x00000000
0x0042fa24
0x0042f9fe
0x0042fa0a
0x00000000
0x0042fa0a
0x0042f9e7
0x0042f9f0
0x0042fde5
0x0042fded
0x0042fded
0x0042f9e5

Memory Dump Source

Source File: 00000000.00000002.408873022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.408864577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409100576.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409115454.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409128043.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409135279.00000000004C6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YogaDNSSetup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6922fb93c990c72bf9a49bf3daa94017bfe3b7264ddd93f55e738123a9900a9
Instruction ID: 1b6310f250808118d38827de8a535e3b6e70e535f73b2508e71121fbf0c58563
Opcode Fuzzy Hash: c6922fb93c990c72bf9a49bf3daa94017bfe3b7264ddd93f55e738123a9900a9
Instruction Fuzzy Hash: 41D19D75E0011A9FCB00EFA9D4919FEB7B5EF48300BD080B6E801A7245D638AD4ADB69

Uniqueness

Uniqueness Score: -1.00%

Function 0041C790 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 77
threadCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E0041C790(void* __eax, void* __ebx, intOrPtr* __edx, void* __esi, intOrPtr _a4) {
				char _v8;
				short _v18;
				short _v22;
				struct _SYSTEMTIME _v24;
				short _v536;
				short* _t32;
				intOrPtr* _t47;
				intOrPtr _t56;
				void* _t61;
				intOrPtr _t63;
				void* _t67;

				_v8 = 0;
				_t47 = __edx;
				_t61 = __eax;
				_push(_t67);
				_push(0x41c873);
				_push( *[fs:eax]);
				 *[fs:eax] = _t67 + 0xfffffdec;
				E00407A20(__edx);
				_v24 =  *(_a4 - 2) & 0x0000ffff;
				_v22 =  *(_a4 - 4) & 0x0000ffff;
				_v18 =  *(_a4 - 6) & 0x0000ffff;
				if(_t61 > 2) {
					E00407E48( &_v8, L"yyyy");
				} else {
					E00407E48( &_v8, 0x41c88c);
				}
				_t32 = E004084EC(_v8);
				if(GetDateFormatW(GetThreadLocale(), 4,  &_v24, _t32,  &_v536, 0x200) != 0) {
					E0040858C(_t47, 0x100,  &_v536);
					if(_t61 == 1 &&  *((short*)( *_t47)) == 0x30) {
						_t63 =  *_t47;
						if(_t63 != 0) {
							_t63 =  *((intOrPtr*)(_t63 - 4));
						}
						E004088AC( *_t47, _t63 - 1, 2, _t47);
					}
				}
				_pop(_t56);
				 *[fs:eax] = _t56;
				_push(0x41c87a);
				return E00407A20( &_v8);
			}

0x0041c79d
0x0041c7a0
0x0041c7a2
0x0041c7a6
0x0041c7a7
0x0041c7ac
0x0041c7af
0x0041c7b4
0x0041c7c0
0x0041c7cb
0x0041c7d6
0x0041c7dd
0x0041c7f6
0x0041c7df
0x0041c7e7
0x0041c7e7
0x0041c80a
0x0041c823
0x0041c832
0x0041c838
0x0041c842
0x0041c846
0x0041c84b
0x0041c84b
0x0041c858
0x0041c858
0x0041c838
0x0041c85f
0x0041c862
0x0041c865
0x0041c872

APIs

GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000200,00000000,0041C873), ref: 0041C816
GetDateFormatW.KERNEL32(00000000,00000004,?,00000000,?,00000200,00000000,0041C873), ref: 0041C81C

Strings

yyyy, xrefs: 0041C7F1
, xrefs: 0041C7E2

Memory Dump Source

Source File: 00000000.00000002.408873022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.408864577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409100576.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409115454.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409128043.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409135279.00000000004C6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: DateFormatLocaleThread
String ID: $yyyy
API String ID: 3303714858-404527807
Opcode ID: 9b84cafd13c5b3a76178dd7a5deb0e6d63fe676c73d736d950a9ec0585647aa0
Instruction ID: d4c72dfe3e93bc103dd676e1b73ac12d517b544291048ec360f079cc1ca068dc
Opcode Fuzzy Hash: 9b84cafd13c5b3a76178dd7a5deb0e6d63fe676c73d736d950a9ec0585647aa0
Instruction Fuzzy Hash: 9A215335A442189BDB11EF95CDC1AAEB3B8EF08701F5144BBFC45E7281D7789E4087AA

Uniqueness

Uniqueness Score: -1.00%

Function 0041EEFC Relevance: 6.1, APIs: 4, Instructions: 113
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E0041EEFC(intOrPtr* __eax, void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v534;
				short _v1056;
				short _v1568;
				struct _MEMORY_BASIC_INFORMATION _v1596;
				char _v1600;
				intOrPtr _v1604;
				char _v1608;
				intOrPtr _v1612;
				char _v1616;
				intOrPtr _v1620;
				char _v1624;
				char* _v1628;
				char _v1632;
				char _v1636;
				char _v1640;
				intOrPtr _t55;
				signed int _t76;
				void* _t82;
				intOrPtr _t83;
				intOrPtr _t95;
				intOrPtr _t98;
				intOrPtr _t100;
				intOrPtr* _t102;
				void* _t105;

				_v1640 = 0;
				_v8 = __ecx;
				_t82 = __edx;
				_t102 = __eax;
				_push(_t105);
				_push(0x41f0a8);
				_push( *[fs:eax]);
				 *[fs:eax] = _t105 + 0xfffff99c;
				VirtualQuery(__edx,  &_v1596, 0x1c);
				if(_v1596.State != 0x1000 || GetModuleFileNameW(_v1596.AllocationBase,  &_v1056, 0x105) == 0) {
					GetModuleFileNameW( *0x4be634,  &_v1056, 0x105);
					_v12 = E0041EEF0(_t82);
				} else {
					_v12 = _t82 - _v1596.AllocationBase;
				}
				E0041A57C( &_v534, 0x104, E00420608() + 2);
				_t83 = 0x41f0bc;
				_t100 = 0x41f0bc;
				_t95 =  *0x414db8; // 0x414e10
				if(E00405F30(_t102, _t95) != 0) {
					_t83 = E004084EC( *((intOrPtr*)(_t102 + 4)));
					_t76 = E00407F04(_t83);
					if(_t76 != 0 &&  *((short*)(_t83 + _t76 * 2 - 2)) != 0x2e) {
						_t100 = 0x41f0c0;
					}
				}
				_t55 =  *0x4ba774; // 0x40e708
				_t18 = _t55 + 4; // 0xffec
				LoadStringW(E00409FF0( *0x4be634),  *_t18,  &_v1568, 0x100);
				E00405BE8( *_t102,  &_v1640);
				_v1636 = _v1640;
				_v1632 = 0x11;
				_v1628 =  &_v534;
				_v1624 = 0xa;
				_v1620 = _v12;
				_v1616 = 5;
				_v1612 = _t83;
				_v1608 = 0xa;
				_v1604 = _t100;
				_v1600 = 0xa;
				E0041A814(4,  &_v1636);
				E00407F04(_v8);
				_pop(_t98);
				 *[fs:eax] = _t98;
				_push(0x41f0af);
				return E00407A20( &_v1640);
			}

0x0041ef0a
0x0041ef10
0x0041ef13
0x0041ef15
0x0041ef19
0x0041ef1a
0x0041ef1f
0x0041ef22
0x0041ef2f
0x0041ef3e
0x0041ef6e
0x0041ef7a
0x0041ef7f
0x0041ef85
0x0041ef85
0x0041efa7
0x0041efac
0x0041efb1
0x0041efb8
0x0041efc5
0x0041efcf
0x0041efd3
0x0041efda
0x0041efe4
0x0041efe4
0x0041efda
0x0041eff5
0x0041effa
0x0041f009
0x0041f016
0x0041f021
0x0041f027
0x0041f034
0x0041f03a
0x0041f044
0x0041f04a
0x0041f051
0x0041f057
0x0041f05e
0x0041f064
0x0041f080
0x0041f088
0x0041f091
0x0041f094
0x0041f097
0x0041f0a7

APIs

VirtualQuery.KERNEL32(?,?,0000001C,00000000,0041F0A8), ref: 0041EF2F
GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 0041EF53
GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 0041EF6E
LoadStringW.USER32(00000000,0000FFEC,?,00000100), ref: 0041F009

Memory Dump Source

Source File: 00000000.00000002.408873022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.408864577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409100576.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409115454.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409128043.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409135279.00000000004C6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: FileModuleName$LoadQueryStringVirtual
String ID:
API String ID: 3990497365-0
Opcode ID: b8be0fea34dc80bb7553a8da0885c656d5cafed23f6e23429f91232411ad397e
Instruction ID: 1578eb45e464442e6080653f6025888c356fcaddc808aab3f6789ba0ce71ce89
Opcode Fuzzy Hash: b8be0fea34dc80bb7553a8da0885c656d5cafed23f6e23429f91232411ad397e
Instruction Fuzzy Hash: 3E412374A002589FDB20DF59CC81BCAB7F9AB58304F4044FAE508E7242D7799E95CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0040A6C8 Relevance: 6.1, APIs: 4, Instructions: 95
threadCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0040A6C8(signed short __eax, void* __edx) {
				char _v8;
				char _v12;
				intOrPtr _v16;
				signed int _v20;
				short _v22;
				short _v24;
				char _v26;
				char _v32;
				void* __ebp;
				void* _t39;
				void* _t55;
				void* _t59;
				short* _t62;
				signed short _t66;
				void* _t67;
				void* _t68;
				signed short _t79;
				void* _t81;

				_t81 = __edx;
				_t66 = __eax;
				_v16 = 0;
				if(__eax !=  *0x4bdc08()) {
					_v16 = E0040A684( &_v8);
					_t79 = _t66;
					_v20 = 3;
					_t62 =  &_v26;
					do {
						 *_t62 =  *(0xf + "0123456789ABCDEF") & 0x000000ff;
						_t79 = (_t79 & 0x0000ffff) >> 4;
						_v20 = _v20 - 1;
						_t62 = _t62 - 2;
					} while (_v20 != 0xffffffff);
					_v24 = 0;
					_v22 = 0;
					 *0x4bdc04(4,  &_v32,  &_v20);
				}
				_t39 = E0040A684( &_v12);
				_t67 = _t39;
				if(_t67 != 0) {
					_t55 = _v12 - 2;
					if(_t55 >= 0) {
						_t59 = _t55 + 1;
						_v20 = 0;
						do {
							if( *((short*)(_t67 + _v20 * 2)) == 0) {
								 *((short*)(_t67 + _v20 * 2)) = 0x2c;
							}
							_v20 = _v20 + 1;
							_t59 = _t59 - 1;
						} while (_t59 != 0);
					}
					E00408550(_t81, _t67);
					_t39 = E0040540C(_t67);
				}
				if(_v16 != 0) {
					 *0x4bdc04(0, 0,  &_v20);
					_t68 = E0040A684( &_v12);
					if(_v8 != _v12 || E0040A660(_v16, _v12, _t68) != 0) {
						 *0x4bdc04(8, _v16,  &_v20);
					}
					E0040540C(_t68);
					return E0040540C(_v16);
				}
				return _t39;
			}

0x0040a6d0
0x0040a6d2
0x0040a6d6
0x0040a6e2
0x0040a6ec
0x0040a6ef
0x0040a6f1
0x0040a6f8
0x0040a6fb
0x0040a70c
0x0040a712
0x0040a715
0x0040a718
0x0040a71b
0x0040a721
0x0040a727
0x0040a737
0x0040a737
0x0040a740
0x0040a745
0x0040a749
0x0040a74e
0x0040a753
0x0040a755
0x0040a756
0x0040a75d
0x0040a765
0x0040a76a
0x0040a76a
0x0040a770
0x0040a773
0x0040a773
0x0040a75d
0x0040a77a
0x0040a781
0x0040a781
0x0040a78a
0x0040a794
0x0040a7a2
0x0040a7aa
0x0040a7c7
0x0040a7c7
0x0040a7cf
0x00000000
0x0040a7d7
0x0040a7e1

APIs

GetThreadUILanguage.KERNEL32(?,00000000), ref: 0040A6D9
SetThreadPreferredUILanguages.KERNEL32(00000004,?,?), ref: 0040A737
SetThreadPreferredUILanguages.KERNEL32(00000000,00000000,?), ref: 0040A794
SetThreadPreferredUILanguages.KERNEL32(00000008,?,?), ref: 0040A7C7

Part of subcall function 0040A684: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,00000000,?,?,0040A745), ref: 0040A69B
Part of subcall function 0040A684: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,?,0040A745), ref: 0040A6B8

Memory Dump Source

Source File: 00000000.00000002.408873022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.408864577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409100576.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409115454.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409128043.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409135279.00000000004C6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: Thread$LanguagesPreferred$Language
String ID:
API String ID: 2255706666-0
Opcode ID: 4c514f641868e752fd40307e4922e2f5a84495159d338bc2b006041d37f1dfb0
Instruction ID: 64ac70e7ec2a8712ea9b0e83aabe60772fb1db60419ab041f5eb1837937ee239
Opcode Fuzzy Hash: 4c514f641868e752fd40307e4922e2f5a84495159d338bc2b006041d37f1dfb0
Instruction Fuzzy Hash: 97317070E0021A9BDB10DFA9C884AAFB7B8EF04304F00867AE555E7291EB789E05CB55

Uniqueness

Uniqueness Score: -1.00%

Function 00420BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 16
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00420BD8() {
				void* __ebx;
				struct HINSTANCE__* _t1;
				void* _t4;

				_t1 = GetModuleHandleW(L"kernel32.dll");
				_t3 = _t1;
				if(_t1 != 0) {
					_t1 = E0040E1A8(_t3, _t4, _t3, L"GetDiskFreeSpaceExW");
					 *0x4b7e30 = _t1;
				}
				if( *0x4b7e30 == 0) {
					 *0x4b7e30 = E0041A4DC;
					return E0041A4DC;
				}
				return _t1;
			}

0x00420bde
0x00420be3
0x00420be7
0x00420bef
0x00420bf4
0x00420bf4
0x00420c00
0x00420c07
0x00000000
0x00420c07
0x00420c0d

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,00420CB4,00000000,00420CCC,?,?,00420C69), ref: 00420BDE

Part of subcall function 0040E1A8: GetProcAddress.KERNEL32(?,00423116), ref: 0040E1D2

Strings

GetDiskFreeSpaceExW, xrefs: 00420BE9
kernel32.dll, xrefs: 00420BD9

Memory Dump Source

Source File: 00000000.00000002.408873022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.408864577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409100576.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409115454.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409128043.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.409135279.00000000004C6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetDiskFreeSpaceExW$kernel32.dll
API String ID: 1646373207-1127948838
Opcode ID: f76785e0005e833dd4a9f921d8d2e36157eed1af70da7a881872f52b203e86d0
Instruction ID: d69f2d486575a746b5ffe9d6a82661523d0842203aaa5c8b8dd0cb43f1f92830
Opcode Fuzzy Hash: f76785e0005e833dd4a9f921d8d2e36157eed1af70da7a881872f52b203e86d0
Instruction Fuzzy Hash: 31D05EB03143165FE7056BB2ACC561636C6AB86304B900B7BA5046A243CBFDDC50434C

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: YogaDNSSetup.tmpPID: 6828, Parent PID: 6768COMMON

Execution Graph

Execution Coverage:	9.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	1.7%
Total number of Nodes:	1617
Total number of Limit Nodes:	94

Executed Functions

Function 005C7CE0 Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 181
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 43%

			E005C7CE0(long __eax) {
				signed char _v5;
				void* _v12;
				char _v16;
				void* _v20;
				long _v24;
				void* _v28;
				struct _SID_IDENTIFIER_AUTHORITY* _v32;
				void* __ebx;
				void* __esi;
				void* __ebp;
				void* _t89;
				long _t97;
				signed int _t100;
				intOrPtr _t105;
				intOrPtr _t106;
				void* _t107;
				void* _t110;
				void* _t111;
				void* _t113;
				void* _t115;
				intOrPtr _t116;

				_t113 = _t115;
				_t116 = _t115 + 0xffffffe4;
				_push(_t107);
				_t97 = __eax;
				if(E00429D18() == 2) {
					_v5 = 0;
					_v32 = 0x6ccce0;
					if(AllocateAndInitializeSid(_v32, 2, 0x20, _t97, 0, 0, 0, 0, 0, 0,  &_v12) == 0) {
						goto L26;
					} else {
						_push(_t113);
						_push(0x5c7ecb);
						_push( *[fs:eax]);
						 *[fs:eax] = _t116;
						_t99 = 0;
						if((GetVersion() & 0x000000ff) >= 5) {
							_t99 = E00414020(0, _t107, GetModuleHandleW(L"advapi32.dll"), L"CheckTokenMembership");
						}
						if(_t99 == 0) {
							_v28 = 0;
							if(OpenThreadToken(GetCurrentThread(), 8, 0xffffffff,  &_v20) != 0) {
								L13:
								_push(_t113);
								_push(0x5c7ead);
								_push( *[fs:eax]);
								 *[fs:eax] = _t116;
								_v24 = 0;
								if(GetTokenInformation(_v20, 2, 0, 0,  &_v24) != 0 || GetLastError() == 0x7a) {
									_v28 = E00406F0C(_v24);
									if(GetTokenInformation(_v20, 2, _v28, _v24,  &_v24) != 0) {
										_t110 =  *_v28 - 1;
										if(_t110 >= 0) {
											_t111 = _t110 + 1;
											_t100 = 0;
											while(EqualSid(_v12,  *(_v28 + 4 + _t100 * 8)) == 0 || ( *(_v28 + 8 + _t100 * 8) & 0x00000014) != 4) {
												_t100 = _t100 + 1;
												_t111 = _t111 - 1;
												if(_t111 != 0) {
													continue;
												}
												goto L24;
											}
											_v5 = 1;
										}
										L24:
										_pop(_t105);
										 *[fs:eax] = _t105;
										_push(E005C7EB4);
										E00406F28(_v28);
										return CloseHandle(_v20);
									} else {
										E004099B8();
										E004099B8();
										goto L26;
									}
								} else {
									E004099B8();
									E004099B8();
									goto L26;
								}
							} else {
								if(GetLastError() == 0x3f0) {
									if(OpenProcessToken(GetCurrentProcess(), 8,  &_v20) != 0) {
										goto L13;
									} else {
										E004099B8();
										goto L26;
									}
								} else {
									E004099B8();
									goto L26;
								}
							}
						} else {
							_t89 =  *_t99(0, _v12,  &_v16); // executed
							if(_t89 != 0) {
								asm("sbb eax, eax");
								_v5 = _t89 + 1;
							}
							_pop(_t106);
							 *[fs:eax] = _t106;
							_push(E005C7ED2);
							return FreeSid(_v12);
						}
					}
				} else {
					_v5 = 1;
					L26:
					return _v5 & 0x000000ff;
				}
			}

0x005c7ce1
0x005c7ce3
0x005c7ce7
0x005c7ce8
0x005c7cf2
0x005c7cfd
0x005c7d06
0x005c7d29
0x00000000
0x005c7d2f
0x005c7d31
0x005c7d32
0x005c7d37
0x005c7d3a
0x005c7d3d
0x005c7d4d
0x005c7d64
0x005c7d64
0x005c7d68
0x005c7d8f
0x005c7da7
0x005c7dde
0x005c7de0
0x005c7de1
0x005c7de6
0x005c7de9
0x005c7dee
0x005c7e06
0x005c7e29
0x005c7e45
0x005c7e58
0x005c7e5b
0x005c7e5d
0x005c7e5e
0x005c7e60
0x005c7e8a
0x005c7e8b
0x005c7e8c
0x00000000
0x00000000
0x00000000
0x005c7e8c
0x005c7e84
0x005c7e84
0x005c7e8e
0x005c7e90
0x005c7e93
0x005c7e96
0x005c7e9e
0x005c7eac
0x005c7e47
0x005c7e47
0x005c7e4c
0x00000000
0x005c7e4c
0x005c7e12
0x005c7e12
0x005c7e17
0x00000000
0x005c7e17
0x005c7da9
0x005c7db3
0x005c7dd2
0x00000000
0x005c7dd4
0x005c7dd4
0x00000000
0x005c7dd4
0x005c7db5
0x005c7db5
0x00000000
0x005c7db5
0x005c7db3
0x005c7d6a
0x005c7d74
0x005c7d78
0x005c7d82
0x005c7d85
0x005c7d85
0x005c7eb6
0x005c7eb9
0x005c7ebc
0x005c7eca
0x005c7eca
0x005c7d68
0x005c7cf4
0x005c7cf4
0x005c7ed2
0x005c7edb
0x005c7edb

APIs

AllocateAndInitializeSid.ADVAPI32(00000005,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005C7D22
GetVersion.KERNEL32(00000000,005C7ECB,?,00000005,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005C7D3F
GetModuleHandleW.KERNEL32(advapi32.dll,CheckTokenMembership,00000000,005C7ECB,?,00000005,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005C7D59
CheckTokenMembership.KERNELBASE(00000000,00000000,?,00000000,005C7ECB,?,00000005,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005C7D74
FreeSid.ADVAPI32(00000000,005C7ED2,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005C7EC5

Strings

advapi32.dll, xrefs: 005C7D54
CheckTokenMembership, xrefs: 005C7D4F

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: AllocateCheckFreeHandleInitializeMembershipModuleTokenVersion
String ID: CheckTokenMembership$advapi32.dll
API String ID: 2691416632-1888249752
Opcode ID: 1e224452f98f28684b28cd542a9aef5b7292b81c784e0a64638696cbd7ae50c3
Instruction ID: 9e47304f2c2519385998e5d426bc562542af73c677c294aaacd6cf1c30b33c32
Opcode Fuzzy Hash: 1e224452f98f28684b28cd542a9aef5b7292b81c784e0a64638696cbd7ae50c3
Instruction Fuzzy Hash: A2514472A0830D6EDB11EAF98D42FBE7BACBF1C705F1044AEF501E6681D6789D408B65

Uniqueness

Uniqueness Score: -1.00%

Function 0040E7F0 Relevance: 3.1, APIs: 2, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E0040E7F0(char __eax, void* __ebx, intOrPtr* __edx, void* __eflags) {
				char _v8;
				short _v12;
				void* _v16;
				char _v20;
				char _v24;
				void* _t29;
				void* _t40;
				intOrPtr* _t44;
				intOrPtr _t55;
				void* _t61;

				_push(__ebx);
				_v24 = 0;
				_v20 = 0;
				_t44 = __edx;
				_v8 = __eax;
				E0040A2AC(_v8);
				_push(_t61);
				_push(0x40e8b0);
				_push( *[fs:eax]);
				 *[fs:eax] = _t61 + 0xffffffec;
				_t21 =  &_v16;
				L0040524C();
				GetLocaleInfoW( &_v16 & 0x0000ffff, 3, _t21, 4);
				E0040B318( &_v20, 4,  &_v16);
				E0040B4C8(_t44, _v20, _v8);
				_t29 = E0040E6A0( *_t44, _t44); // executed
				if(_t29 == 0) {
					_v12 = 0;
					E0040B318( &_v24, 4,  &_v16);
					E0040B4C8(_t44, _v24, _v8);
					_t40 = E0040E6A0( *_t44, _t44); // executed
					if(_t40 == 0) {
						E0040A1C8(_t44);
					}
				}
				_pop(_t55);
				 *[fs:eax] = _t55;
				_push(E0040E8B7);
				E0040A228( &_v24, 2);
				return E0040A1C8( &_v8);
			}

0x0040e7f6
0x0040e7f9
0x0040e7fc
0x0040e7ff
0x0040e801
0x0040e807
0x0040e80e
0x0040e80f
0x0040e814
0x0040e817
0x0040e81c
0x0040e822
0x0040e82b
0x0040e83b
0x0040e848
0x0040e84f
0x0040e856
0x0040e858
0x0040e869
0x0040e876
0x0040e87d
0x0040e884
0x0040e888
0x0040e888
0x0040e884
0x0040e88f
0x0040e892
0x0040e895
0x0040e8a2
0x0040e8af

APIs

GetUserDefaultUILanguage.KERNEL32(00000003,?,00000004,00000000,0040E8B0,?,?), ref: 0040E822
GetLocaleInfoW.KERNEL32(?,00000003,?,00000004,00000000,0040E8B0,?,?), ref: 0040E82B

Part of subcall function 0040E6A0: FindFirstFileW.KERNEL32(00000000,?,00000000,0040E6FE,?,?), ref: 0040E6D3
Part of subcall function 0040E6A0: FindClose.KERNEL32(00000000,00000000,?,00000000,0040E6FE,?,?), ref: 0040E6E3

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: Find$CloseDefaultFileFirstInfoLanguageLocaleUser
String ID:
API String ID: 3216391948-0
Opcode ID: 4f4e845a1bd2874fd9ef47becd123c76b58742bb5706f28c9b712a7f9af8110b
Instruction ID: 1e50cd0e94847efb8cb05e6df71b151ee34378a03d53e12baea26e8823c5d93b
Opcode Fuzzy Hash: 4f4e845a1bd2874fd9ef47becd123c76b58742bb5706f28c9b712a7f9af8110b
Instruction Fuzzy Hash: 71114270A002099BDB04EF96D982AAEB3B9EF45304F90487EF904B73C1D7395E148B6D

Uniqueness

Uniqueness Score: -1.00%

Function 0062CFB8 Relevance: 3.1, APIs: 2, Instructions: 52
comCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E0062CFB8(void* __ebx) {
				void* _v8;
				intOrPtr _t20;
				intOrPtr _t21;
				intOrPtr* _t22;
				intOrPtr* _t25;
				intOrPtr _t34;
				intOrPtr _t38;

				_push(0);
				_push(_t38);
				_push(0x62d04e);
				_push( *[fs:eax]);
				 *[fs:eax] = _t38;
				if( *0x6d63b4 != 0) {
					L6:
					_pop(_t34);
					 *[fs:eax] = _t34;
					_push(E0062D055);
					return E0040EC28( &_v8);
				}
				if(GetVersion() >= 0x601) {
					_push(E0040EC28( &_v8));
					_t20 =  *0x6ce1cc; // 0x6cd0d4
					_push(_t20);
					_push(1);
					_push(0);
					_t21 =  *0x6cdad4; // 0x6cd0c4
					_push(_t21); // executed
					L0043C1EC(); // executed
					if(_t21 == 0) {
						_t22 = _v8;
						_push(_t22);
						if( *((intOrPtr*)( *_t22 + 0xc))() == 0) {
							_t25 = _v8;
							 *((intOrPtr*)( *_t25 + 4))(_t25);
							E0040EC40(0x6d63b8, _v8);
						}
					}
				}
				 *0x6d63b4 = 1;
				goto L6;
			}

0x0062cfbb
0x0062cfc0
0x0062cfc1
0x0062cfc6
0x0062cfc9
0x0062cfd3
0x0062d02e
0x0062d03a
0x0062d03d
0x0062d040
0x0062d04d
0x0062d04d
0x0062cfe0
0x0062cfea
0x0062cfeb
0x0062cff0
0x0062cff1
0x0062cff3
0x0062cff5
0x0062cffa
0x0062cffb
0x0062d002
0x0062d004
0x0062d007
0x0062d00f
0x0062d011
0x0062d017
0x0062d022
0x0062d022
0x0062d00f
0x0062d002
0x0062d027
0x00000000

APIs

GetVersion.KERNEL32(00000000,0062D04E,?,00000000,00000000,?,0062D064,?,0068E013), ref: 0062CFD5
CoCreateInstance.OLE32(006CD0C4,00000000,00000001,006CD0D4,00000000,00000000,0062D04E,?,00000000,00000000,?,0062D064,?,0068E013), ref: 0062CFFB

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: CreateInstanceVersion
String ID:
API String ID: 1462612201-0
Opcode ID: cbb049565a1867f24a50483da30d8e7f142d0e73d3a7e9700637a94f81e4e663
Instruction ID: 9475dfad4fa877b1df6a840545b6a6068a8d92e7f1f871649489f85859f50de3
Opcode Fuzzy Hash: cbb049565a1867f24a50483da30d8e7f142d0e73d3a7e9700637a94f81e4e663
Instruction Fuzzy Hash: F511D231648A04AFEB10EF69ED4AF5A77EEEB45308F4214BAF400D7AA1C775AD10CB15

Uniqueness

Uniqueness Score: -1.00%

Function 0060C2B0 Relevance: 3.0, APIs: 2, Instructions: 45
fileCOMMON

Download Yara Rule

C-Code - Quality: 60%

			E0060C2B0(void* __eax, struct _WIN32_FIND_DATAW* __ecx, void* __edx, void* __eflags) {
				void* _v8;
				char _v16;
				long _v20;
				void* _t13;
				intOrPtr _t27;
				void* _t35;
				void* _t37;
				intOrPtr _t38;

				_t35 = _t37;
				_t38 = _t37 + 0xfffffff0;
				if(E0060BF74(__eax,  &_v16) != 0) {
					_push(_t35);
					_push(0x60c313);
					_push( *[fs:eax]);
					 *[fs:eax] = _t38;
					_t13 = FindFirstFileW(E0040B278(__edx), __ecx); // executed
					_v8 = _t13;
					_v20 = GetLastError();
					_pop(_t27);
					 *[fs:eax] = _t27;
					_push(E0060C31A);
					return E0060BFB0( &_v16);
				} else {
					_v8 = 0xffffffff;
					return _v8;
				}
			}

0x0060c2b1
0x0060c2b3
0x0060c2cb
0x0060c2d8
0x0060c2d9
0x0060c2de
0x0060c2e1
0x0060c2ed
0x0060c2f2
0x0060c2fa
0x0060c2ff
0x0060c302
0x0060c305
0x0060c312
0x0060c2cd
0x0060c2cd
0x0060c32c
0x0060c32c

APIs

FindFirstFileW.KERNEL32(00000000,?,00000000,0060C313,?,?,?,00000000), ref: 0060C2ED
GetLastError.KERNEL32(00000000,?,00000000,0060C313,?,?,?,00000000), ref: 0060C2F5

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: ErrorFileFindFirstLast
String ID:
API String ID: 873889042-0
Opcode ID: 48cb86c36632e8c72cb41299c80d55c8f2305584a3cc239000e223bcc48676ca
Instruction ID: 0e0656a6fbe86c5836fc78b0efda7e26b232c5910eabf30e6ebd6b813bae866c
Opcode Fuzzy Hash: 48cb86c36632e8c72cb41299c80d55c8f2305584a3cc239000e223bcc48676ca
Instruction Fuzzy Hash: 1BF0F931A84208ABCB14DFBA9C0189FF7ADEB4533075147BAF814D32D1DB744E004598

Uniqueness

Uniqueness Score: -1.00%

Function 0040E6A0 Relevance: 3.0, APIs: 2, Instructions: 33
fileCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E0040E6A0(char __eax, signed int __ebx) {
				char _v8;
				struct _WIN32_FIND_DATAW _v600;
				void* _t15;
				intOrPtr _t24;
				void* _t27;

				_push(__ebx);
				_v8 = __eax;
				E0040A2AC(_v8);
				_push(_t27);
				_push(0x40e6fe);
				_push( *[fs:eax]);
				 *[fs:eax] = _t27 + 0xfffffdac;
				_t15 = FindFirstFileW(E0040B278(_v8),  &_v600); // executed
				if((__ebx & 0xffffff00 | _t15 != 0xffffffff) != 0) {
					FindClose(_t15);
				}
				_pop(_t24);
				 *[fs:eax] = _t24;
				_push(E0040E705);
				return E0040A1C8( &_v8);
			}

0x0040e6a9
0x0040e6aa
0x0040e6b0
0x0040e6b7
0x0040e6b8
0x0040e6bd
0x0040e6c0
0x0040e6d3
0x0040e6e0
0x0040e6e3
0x0040e6e3
0x0040e6ea
0x0040e6ed
0x0040e6f0
0x0040e6fd

APIs

FindFirstFileW.KERNEL32(00000000,?,00000000,0040E6FE,?,?), ref: 0040E6D3
FindClose.KERNEL32(00000000,00000000,?,00000000,0040E6FE,?,?), ref: 0040E6E3

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 45566dd6d5ea1f2d432aa336e5a60c1e3a8d7bb9a7f17ca8116a3bd58dd3b41d
Instruction ID: dec86fcb97929b74413189edb203bd87f329489ef31ab21fd3caa719f1a03e71
Opcode Fuzzy Hash: 45566dd6d5ea1f2d432aa336e5a60c1e3a8d7bb9a7f17ca8116a3bd58dd3b41d
Instruction Fuzzy Hash: 95F0B430540608AFCB10EBB6DC4295EB3ACEB4431479009B6F400F32D1EB395E10995C

Uniqueness

Uniqueness Score: -1.00%

Function 0040E2C4 Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 173
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 78%

			E0040E2C4(char __eax, void* __ebx, void* __ecx, void* __edx) {
				char _v8;
				char* _v12;
				void* _v16;
				int _v20;
				short _v542;
				long _t51;
				long _t85;
				long _t87;
				long _t89;
				long _t91;
				long _t93;
				void* _t97;
				intOrPtr _t106;
				intOrPtr _t108;
				void* _t112;
				void* _t113;
				intOrPtr _t114;

				_t112 = _t113;
				_t114 = _t113 + 0xfffffde4;
				_t97 = __edx;
				_v8 = __eax;
				E0040A2AC(_v8);
				_push(_t112);
				_push(0x40e4e9);
				_push( *[fs:eax]);
				 *[fs:eax] = _t114;
				if(_v8 != 0) {
					E0040DAF8( &_v542, E0040B278(_v8), 0x105);
				} else {
					GetModuleFileNameW(0,  &_v542, 0x105);
				}
				if(_v542 == 0) {
					L18:
					_pop(_t106);
					 *[fs:eax] = _t106;
					_push(E0040E4F0);
					return E0040A1C8( &_v8);
				} else {
					_v12 = 0;
					_t51 = RegOpenKeyExW(0x80000001, L"Software\\Embarcadero\\Locales", 0, 0xf0019,  &_v16); // executed
					if(_t51 == 0) {
						L10:
						_push(_t112);
						_push(0x40e4cc);
						_push( *[fs:eax]);
						 *[fs:eax] = _t114;
						E0040E0D4( &_v542, 0x105);
						if(RegQueryValueExW(_v16,  &_v542, 0, 0, 0,  &_v20) != 0) {
							if(RegQueryValueExW(_v16, E0040E5DC, 0, 0, 0,  &_v20) == 0) {
								_v12 = E00406F0C(_v20);
								RegQueryValueExW(_v16, E0040E5DC, 0, 0, _v12,  &_v20);
								E0040B2DC(_t97, _v12);
							}
						} else {
							_v12 = E00406F0C(_v20);
							RegQueryValueExW(_v16,  &_v542, 0, 0, _v12,  &_v20);
							E0040B2DC(_t97, _v12);
						}
						_pop(_t108);
						 *[fs:eax] = _t108;
						_push(E0040E4D3);
						if(_v12 != 0) {
							E00406F28(_v12);
						}
						return RegCloseKey(_v16);
					} else {
						_t85 = RegOpenKeyExW(0x80000002, L"Software\\Embarcadero\\Locales", 0, 0xf0019,  &_v16); // executed
						if(_t85 == 0) {
							goto L10;
						} else {
							_t87 = RegOpenKeyExW(0x80000001, L"Software\\CodeGear\\Locales", 0, 0xf0019,  &_v16); // executed
							if(_t87 == 0) {
								goto L10;
							} else {
								_t89 = RegOpenKeyExW(0x80000002, L"Software\\CodeGear\\Locales", 0, 0xf0019,  &_v16); // executed
								if(_t89 == 0) {
									goto L10;
								} else {
									_t91 = RegOpenKeyExW(0x80000001, L"Software\\Borland\\Locales", 0, 0xf0019,  &_v16); // executed
									if(_t91 == 0) {
										goto L10;
									} else {
										_t93 = RegOpenKeyExW(0x80000001, L"Software\\Borland\\Delphi\\Locales", 0, 0xf0019,  &_v16); // executed
										if(_t93 != 0) {
											goto L18;
										} else {
											goto L10;
										}
									}
								}
							}
						}
					}
				}
			}

0x0040e2c5
0x0040e2c7
0x0040e2ce
0x0040e2d0
0x0040e2d6
0x0040e2dd
0x0040e2de
0x0040e2e3
0x0040e2e6
0x0040e2ed
0x0040e319
0x0040e2ef
0x0040e2fd
0x0040e2fd
0x0040e326
0x0040e4d3
0x0040e4d5
0x0040e4d8
0x0040e4db
0x0040e4e8
0x0040e32c
0x0040e32e
0x0040e346
0x0040e34d
0x0040e3ed
0x0040e3ef
0x0040e3f0
0x0040e3f5
0x0040e3f8
0x0040e406
0x0040e427
0x0040e476
0x0040e480
0x0040e498
0x0040e4a2
0x0040e4a2
0x0040e429
0x0040e431
0x0040e44b
0x0040e455
0x0040e455
0x0040e4a9
0x0040e4ac
0x0040e4af
0x0040e4b8
0x0040e4bd
0x0040e4bd
0x0040e4cb
0x0040e353
0x0040e368
0x0040e36f
0x00000000
0x0040e371
0x0040e386
0x0040e38d
0x00000000
0x0040e38f
0x0040e3a4
0x0040e3ab
0x00000000
0x0040e3ad
0x0040e3c2
0x0040e3c9
0x00000000
0x0040e3cb
0x0040e3e0
0x0040e3e7
0x00000000
0x00000000
0x00000000
0x00000000
0x0040e3e7
0x0040e3c9
0x0040e3ab
0x0040e38d
0x0040e36f
0x0040e34d

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040E4E9,?,?), ref: 0040E2FD
RegOpenKeyExW.ADVAPI32(80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040E4E9,?,?), ref: 0040E346
RegOpenKeyExW.ADVAPI32(80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040E4E9,?,?), ref: 0040E368
RegOpenKeyExW.ADVAPI32(80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000), ref: 0040E386
RegOpenKeyExW.ADVAPI32(80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001), ref: 0040E3A4
RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002), ref: 0040E3C2
RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001), ref: 0040E3E0
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000,0040E4CC,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040E4E9), ref: 0040E420
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,?,00000000,00000000,00000000,?,00000000,0040E4CC,?,80000001), ref: 0040E44B
RegCloseKey.ADVAPI32(?,0040E4D3,00000000,00000000,?,?,?,00000000,00000000,00000000,?,00000000,0040E4CC,?,80000001,Software\Embarcadero\Locales), ref: 0040E4C6

Strings

Software\Embarcadero\Locales, xrefs: 0040E33C, 0040E35E
Software\Borland\Delphi\Locales, xrefs: 0040E3D6
Software\Borland\Locales, xrefs: 0040E3B8
Software\CodeGear\Locales, xrefs: 0040E37C, 0040E39A

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: Open$QueryValue$CloseFileModuleName
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales$Software\CodeGear\Locales$Software\Embarcadero\Locales
API String ID: 2701450724-3496071916
Opcode ID: 5aa5f0f4598f069c7b6180d6d0362751deb9bd023370fd1abe4087e628624bde
Instruction ID: 4455e1c2a3f30db0af6e145a4bce986524b579b5894be5bc8a3c80d05520e853
Opcode Fuzzy Hash: 5aa5f0f4598f069c7b6180d6d0362751deb9bd023370fd1abe4087e628624bde
Instruction Fuzzy Hash: 5C51F775A40608BEEB10DAA6CC42FAF77BCDB08704F5044BBBA14F61C2D6789A50DB5D

Uniqueness

Uniqueness Score: -1.00%

Function 006AC23C Relevance: 26.5, APIs: 6, Strings: 9, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 65%

			E006AC23C(void* __ebx, void* __edx, void* __esi) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				char _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				char _v56;
				char _v60;
				void* _t54;
				intOrPtr _t65;
				intOrPtr _t73;
				unsigned int _t77;
				void* _t80;
				char _t82;
				char _t84;
				intOrPtr _t89;
				intOrPtr _t94;
				intOrPtr _t99;
				intOrPtr _t112;
				intOrPtr _t118;
				void* _t129;
				intOrPtr _t158;
				intOrPtr _t163;
				intOrPtr _t165;
				intOrPtr _t167;
				intOrPtr _t174;
				intOrPtr _t182;
				intOrPtr _t183;

				_t128 = __ebx;
				_t182 = _t183;
				_t129 = 7;
				do {
					_push(0);
					_push(0);
					_t129 = _t129 - 1;
					_t184 = _t129;
				} while (_t129 != 0);
				_push(_t182);
				_push(0x6ac586);
				_push( *[fs:eax]);
				 *[fs:eax] = _t183;
				E005C7430( &_v12);
				E0040A5A8(0x6d6534, _v12);
				E005C745C( &_v16);
				E0040A5A8(0x6d6538, _v16);
				E005C7488( &_v20, __esi, _t182, _t184);
				E0040A5A8(0x6d653c, _v20);
				E005C7530( *0x6d67dd & 0x000000ff, __ebx,  &_v24, __esi);
				E0040A5A8(0x6d6540, _v24);
				_t54 = E00429D18();
				_t185 = _t54 - 2;
				if(_t54 != 2) {
					E0040A1C8(0x6d6544);
				} else {
					E005C6D5C(L"SystemDrive", _t129,  &_v28, _t185);
					E0040A5A8(0x6d6544, _v28);
				}
				if( *0x6d6544 == 0) {
					_t118 =  *0x6d6534; // 0x0
					E005C53A0(_t118,  &_v32);
					E0040A5A8(0x6d6544, _v32);
					_t187 =  *0x6d6544;
					if( *0x6d6544 == 0) {
						E0040A5A8(0x6d6544, 0x6ac5c4);
					}
				}
				E006AC0D0(1, L"ProgramFilesDir", _t187); // executed
				E0040A5A8(0x6d6548, _v36);
				_t188 =  *0x6d6548;
				if( *0x6d6548 == 0) {
					_t174 =  *0x6d6544; // 0x0
					E0040B4C8(0x6d6548, L"\\Program Files", _t174);
				}
				E006AC0D0(1, L"CommonFilesDir", _t188); // executed
				E0040A5A8(0x6d654c, _v40);
				if( *0x6d654c == 0) {
					_t112 =  *0x6d6548; // 0x0
					E005C4EA4(_t112,  &_v44);
					E0040B4C8(0x6d654c, L"Common Files", _v44);
				}
				_t190 =  *0x6d67dd;
				if( *0x6d67dd != 0) {
					E006AC0D0(2, L"ProgramFilesDir", _t190); // executed
					E0040A5A8(0x6d6550, _v48);
					_t191 =  *0x6d6550;
					if( *0x6d6550 == 0) {
						E0060CD28(L"Failed to get path of 64-bit Program Files directory", _t128);
					}
					E006AC0D0(2, L"CommonFilesDir", _t191); // executed
					E0040A5A8(0x6d6554, _v52);
					if( *0x6d6554 == 0) {
						E0060CD28(L"Failed to get path of 64-bit Common Files directory", _t128);
					}
				}
				if( *0x6d68ac == 0) {
					L25:
					__eflags =  *0x6d67dc;
					if( *0x6d67dc == 0) {
						_t65 =  *0x6d6534; // 0x0
						E005C4EA4(_t65,  &_v60);
						E0040B4C8(0x6d6564, L"COMMAND.COM", _v60); // executed
					} else {
						_t73 =  *0x6d6538; // 0x0
						E005C4EA4(_t73,  &_v56);
						E0040B4C8(0x6d6564, L"cmd.exe", _v56);
					}
					E006AC180(); // executed
					__eflags = 0;
					_pop(_t158);
					 *[fs:eax] = _t158;
					_push(E006AC58D);
					return E0040A228( &_v60, 0xd);
				} else {
					_t77 =  *0x6d67f0; // 0xa0042ee
					if(_t77 >> 0x10 < 0x600) {
						goto L25;
					} else {
						_t80 =  *0x6d68ac(0x6cd7f4, 0x8000, 0,  &_v8); // executed
						if(_t80 != 0) {
							_t82 =  *0x6d68ac(0x6cd804, 0x8000, 0,  &_v8); // executed
							__eflags = _t82;
							if(_t82 != 0) {
								_t84 =  *0x6d68ac(0x6cd814, 0x8000, 0,  &_v8); // executed
								__eflags = _t84;
								if(_t84 != 0) {
									goto L25;
								} else {
									_push(_t182);
									_push(0x6ac516);
									_push( *[fs:eax]);
									 *[fs:eax] = _t183;
									E0040C8BC();
									__eflags = 0;
									_pop(_t163);
									 *[fs:eax] = _t163;
									_push(E006AC51D);
									_t89 = _v8;
									_push(_t89);
									L0043C214();
									return _t89;
								}
							} else {
								_push(_t182);
								_push(0x6ac4c3);
								_push( *[fs:eax]);
								 *[fs:eax] = _t183;
								E0040C8BC();
								__eflags = 0;
								_pop(_t165);
								 *[fs:eax] = _t165;
								_push(E006AC4CA);
								_t94 = _v8;
								_push(_t94);
								L0043C214();
								return _t94;
							}
						} else {
							_push(_t182);
							_push(0x6ac470);
							_push( *[fs:eax]);
							 *[fs:eax] = _t183;
							E0040C8BC();
							_pop(_t167);
							 *[fs:eax] = _t167;
							_push(E006AC477);
							_t99 = _v8;
							_push(_t99);
							L0043C214();
							return _t99;
						}
					}
				}
			}

0x006ac23c
0x006ac23d
0x006ac23f
0x006ac244
0x006ac244
0x006ac246
0x006ac248
0x006ac248
0x006ac248
0x006ac24d
0x006ac24e
0x006ac253
0x006ac256
0x006ac25c
0x006ac269
0x006ac271
0x006ac27e
0x006ac286
0x006ac293
0x006ac2a2
0x006ac2af
0x006ac2b4
0x006ac2b9
0x006ac2bc
0x006ac2df
0x006ac2be
0x006ac2c6
0x006ac2d3
0x006ac2d3
0x006ac2eb
0x006ac2f0
0x006ac2f5
0x006ac302
0x006ac307
0x006ac30e
0x006ac31a
0x006ac31a
0x006ac30e
0x006ac329
0x006ac336
0x006ac33b
0x006ac342
0x006ac34e
0x006ac354
0x006ac354
0x006ac363
0x006ac370
0x006ac37c
0x006ac381
0x006ac386
0x006ac398
0x006ac398
0x006ac39d
0x006ac3a4
0x006ac3b0
0x006ac3bd
0x006ac3c2
0x006ac3c9
0x006ac3d0
0x006ac3d0
0x006ac3df
0x006ac3ec
0x006ac3f8
0x006ac3ff
0x006ac3ff
0x006ac3f8
0x006ac40b
0x006ac51d
0x006ac51d
0x006ac524
0x006ac54a
0x006ac54f
0x006ac561
0x006ac526
0x006ac529
0x006ac52e
0x006ac540
0x006ac540
0x006ac566
0x006ac56b
0x006ac56d
0x006ac570
0x006ac573
0x006ac585
0x006ac411
0x006ac411
0x006ac41e
0x00000000
0x006ac424
0x006ac434
0x006ac43c
0x006ac487
0x006ac48d
0x006ac48f
0x006ac4da
0x006ac4e0
0x006ac4e2
0x00000000
0x006ac4e4
0x006ac4e6
0x006ac4e7
0x006ac4ec
0x006ac4ef
0x006ac4fa
0x006ac4ff
0x006ac501
0x006ac504
0x006ac507
0x006ac50c
0x006ac50f
0x006ac510
0x006ac515
0x006ac515
0x006ac491
0x006ac493
0x006ac494
0x006ac499
0x006ac49c
0x006ac4a7
0x006ac4ac
0x006ac4ae
0x006ac4b1
0x006ac4b4
0x006ac4b9
0x006ac4bc
0x006ac4bd
0x006ac4c2
0x006ac4c2
0x006ac43e
0x006ac440
0x006ac441
0x006ac446
0x006ac449
0x006ac454
0x006ac45b
0x006ac45e
0x006ac461
0x006ac466
0x006ac469
0x006ac46a
0x006ac46f
0x006ac46f
0x006ac43c
0x006ac41e

APIs

SHGetKnownFolderPath.SHELL32(006CD7F4,00008000,00000000,?,00000000,006AC586,?,00000000,00000000,?,006B7B68,00000006,?,00000000,006B813A), ref: 006AC434
CoTaskMemFree.OLE32(?,006AC477,?,00000000,00000000,?,006B7B68,00000006,?,00000000,006B813A,?,00000000,006B81F9), ref: 006AC46A
SHGetKnownFolderPath.SHELL32(006CD804,00008000,00000000,?,?,00000000,00000000,?,006B7B68,00000006,?,00000000,006B813A,?,00000000,006B81F9), ref: 006AC487
CoTaskMemFree.OLE32(?,006AC4CA,?,00000000,00000000,?,006B7B68,00000006,?,00000000,006B813A,?,00000000,006B81F9), ref: 006AC4BD

Strings

COMMAND.COM, xrefs: 006AC55C
SystemDrive, xrefs: 006AC2C1
Failed to get path of 64-bit Common Files directory, xrefs: 006AC3FA
ProgramFilesDir, xrefs: 006AC322, 006AC3A9
CommonFilesDir, xrefs: 006AC35C, 006AC3D8
Common Files, xrefs: 006AC393
cmd.exe, xrefs: 006AC53B
Failed to get path of 64-bit Program Files directory, xrefs: 006AC3CB
\Program Files, xrefs: 006AC349

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: FolderFreeKnownPathTask
String ID: COMMAND.COM$Common Files$CommonFilesDir$Failed to get path of 64-bit Common Files directory$Failed to get path of 64-bit Program Files directory$ProgramFilesDir$SystemDrive$\Program Files$cmd.exe
API String ID: 969438705-544719455
Opcode ID: 7984a636196e105601b5bae3f4cd8b715fa2ccf315e8b131d7c1a39997f32fcf
Instruction ID: b9958020655176fa4da1f40778f72373ecd7cbade583b9d7093994fb637c8e1d
Opcode Fuzzy Hash: 7984a636196e105601b5bae3f4cd8b715fa2ccf315e8b131d7c1a39997f32fcf
Instruction Fuzzy Hash: A281D530E012049FDB10FFA4E852BAD7BA7EB8A714F50447AF400A7395C678AD51CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00410BF4 Relevance: 19.5, APIs: 9, Strings: 2, Instructions: 258
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 67%

			E00410BF4(void* __eflags, intOrPtr _a4, intOrPtr* _a8) {
				long _v8;
				signed int _v12;
				long _v16;
				void* _v20;
				long _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				struct HINSTANCE__** _v48;
				CHAR* _v52;
				void _v56;
				long _v60;
				_Unknown_base(*)()* _v64;
				struct HINSTANCE__* _v68;
				CHAR* _v72;
				signed int _v76;
				CHAR* _v80;
				intOrPtr* _v84;
				void* _v88;
				void _v92;
				signed int _t104;
				signed int _t106;
				signed int _t108;
				long _t113;
				intOrPtr* _t119;
				void* _t124;
				void _t126;
				long _t128;
				struct HINSTANCE__* _t133;
				struct HINSTANCE__* _t142;
				long _t166;
				signed int* _t190;
				_Unknown_base(*)()* _t191;
				void* _t194;
				intOrPtr _t196;

				_push(_a4);
				memcpy( &_v56, 0x6c5c50, 8 << 2);
				_pop(_t194);
				_v56 =  *0x6c5c50;
				_v52 = E004110A4( *0x006C5C54);
				_v48 = E004110B4( *0x006C5C58);
				_v44 = E004110C4( *0x006C5C5C);
				_v40 = E004110D4( *0x006C5C60);
				_v36 = E004110D4( *0x006C5C64);
				_v32 = E004110D4( *0x006C5C68);
				_v28 =  *0x006C5C6C;
				memcpy( &_v92, 0x6c5c70, 9 << 2);
				_t196 = _t194;
				_v88 = 0x6c5c70;
				_v84 = _a8;
				_v80 = _v52;
				if((_v56 & 0x00000001) == 0) {
					_t166 =  *0x6c5c94; // 0x0
					_v8 = _t166;
					_v8 =  &_v92;
					RaiseException(0xc06d0057, 0, 1,  &_v8);
					return 0;
				}
				_t104 = _a8 - _v44;
				_t142 =  *_v48;
				if(_t104 < 0) {
					_t104 = _t104 + 3;
				}
				_v12 = _t104 >> 2;
				_t106 = _v12;
				_t190 = (_t106 << 2) + _v40;
				_t108 = (_t106 & 0xffffff00 | (_t190[0] & 0x00000080) == 0x00000000) & 0x00000001;
				_v76 = _t108;
				if(_t108 == 0) {
					_v72 =  *_t190 & 0x0000ffff;
				} else {
					_v72 = E004110E4( *_t190) + 2;
				}
				_t191 = 0;
				if( *0x6d2644 == 0) {
					L10:
					if(_t142 != 0) {
						L25:
						_v68 = _t142;
						if( *0x6d2644 != 0) {
							_t191 =  *0x6d2644(2,  &_v92);
						}
						if(_t191 != 0) {
							L36:
							if(_t191 == 0) {
								_v60 = GetLastError();
								if( *0x6d2648 != 0) {
									_t191 =  *0x6d2648(4,  &_v92);
								}
								if(_t191 == 0) {
									_t113 =  *0x6c5c9c; // 0x0
									_v24 = _t113;
									_v24 =  &_v92;
									RaiseException(0xc06d007f, 0, 1,  &_v24);
									_t191 = _v64;
								}
							}
							goto L41;
						} else {
							if( *((intOrPtr*)(_t196 + 0x14)) == 0 ||  *((intOrPtr*)(_t196 + 0x1c)) == 0) {
								L35:
								_t191 = GetProcAddress(_t142, _v72);
								goto L36;
							} else {
								_t119 =  *((intOrPtr*)(_t142 + 0x3c)) + _t142;
								if( *_t119 != 0x4550 ||  *((intOrPtr*)(_t119 + 8)) != _v28 || (( *(_t119 + 0x34) & 0xffffff00 |  *(_t119 + 0x34) == _t142) & 0x00000001) == 0) {
									goto L35;
								} else {
									_t191 =  *((intOrPtr*)(_v36 + _v12 * 4));
									if(_t191 == 0) {
										goto L35;
									}
									L41:
									 *_a8 = _t191;
									goto L42;
								}
							}
						}
					}
					if( *0x6d2644 != 0) {
						_t142 =  *0x6d2644(1,  &_v92);
					}
					if(_t142 == 0) {
						_t133 = LoadLibraryA(_v80); // executed
						_t142 = _t133;
					}
					if(_t142 != 0) {
						L20:
						if(_t142 == E0041057C(_v48, _t142)) {
							FreeLibrary(_t142);
						} else {
							if( *((intOrPtr*)(_t196 + 0x18)) != 0) {
								_t124 = LocalAlloc(0x40, 8);
								_v20 = _t124;
								if(_t124 != 0) {
									 *((intOrPtr*)(_v20 + 4)) = _t196;
									_t126 =  *0x6c5c4c; // 0x0
									 *_v20 = _t126;
									 *0x6c5c4c = _v20;
								}
							}
						}
						goto L25;
					} else {
						_v60 = GetLastError();
						if( *0x6d2648 != 0) {
							_t142 =  *0x6d2648(3,  &_v92);
						}
						if(_t142 != 0) {
							goto L20;
						} else {
							_t128 =  *0x6c5c98; // 0x0
							_v16 = _t128;
							_v16 =  &_v92;
							RaiseException(0xc06d007e, 0, 1,  &_v16);
							return _v64;
						}
					}
				} else {
					_t191 =  *0x6d2644(0,  &_v92);
					if(_t191 == 0) {
						goto L10;
					} else {
						L42:
						if( *0x6d2644 != 0) {
							_v60 = 0;
							_v68 = _t142;
							_v64 = _t191;
							 *0x6d2644(5,  &_v92);
						}
						return _t191;
					}
				}
			}

0x00410c08
0x00410c0e
0x00410c10
0x00410c13
0x00410c20
0x00410c2d
0x00410c3a
0x00410c47
0x00410c54
0x00410c61
0x00410c6a
0x00410c78
0x00410c7a
0x00410c7b
0x00410c81
0x00410c87
0x00410c8e
0x00410c90
0x00410c96
0x00410c9c
0x00410cac
0x00000000
0x00410cb1
0x00410cbe
0x00410cc3
0x00410cc5
0x00410cc7
0x00410cc7
0x00410ccd
0x00410cd0
0x00410cd8
0x00410ce2
0x00410ce5
0x00410cea
0x00410d05
0x00410cec
0x00410cf8
0x00410cf8
0x00410d08
0x00410d11
0x00410d2a
0x00410d2c
0x00410dee
0x00410dee
0x00410df8
0x00410e06
0x00410e06
0x00410e0a
0x00410e57
0x00410e59
0x00410e60
0x00410e6a
0x00410e78
0x00410e78
0x00410e7c
0x00410e7e
0x00410e83
0x00410e89
0x00410e99
0x00410e9e
0x00410e9e
0x00410e7c
0x00000000
0x00410e0c
0x00410e10
0x00410e4b
0x00410e55
0x00000000
0x00410e18
0x00410e1b
0x00410e23
0x00000000
0x00410e3c
0x00410e42
0x00410e47
0x00000000
0x00000000
0x00410ea1
0x00410ea4
0x00000000
0x00410ea4
0x00410e23
0x00410e10
0x00410e0a
0x00410d39
0x00410d47
0x00410d47
0x00410d4b
0x00410d51
0x00410d56
0x00410d56
0x00410d5a
0x00410da7
0x00410db3
0x00410de9
0x00410db5
0x00410db9
0x00410dbf
0x00410dc4
0x00410dc9
0x00410dd0
0x00410dd6
0x00410ddb
0x00410de0
0x00410de0
0x00410dc9
0x00410db9
0x00000000
0x00410d5c
0x00410d61
0x00410d6b
0x00410d79
0x00410d79
0x00410d7d
0x00000000
0x00410d7f
0x00410d7f
0x00410d84
0x00410d8a
0x00410d9a
0x00000000
0x00410d9f
0x00410d7d
0x00410d13
0x00410d1f
0x00410d23
0x00000000
0x00410d25
0x00410ea6
0x00410ead
0x00410eb1
0x00410eb4
0x00410eb7
0x00410ec0
0x00410ec0
0x00000000
0x00410ec6
0x00410d23

APIs

RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00410CAC

Strings

p\l, xrefs: 00410C6E
P\l, xrefs: 00410C09

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: ExceptionRaise
String ID: P\l$p\l
API String ID: 3997070919-2963016475
Opcode ID: aa0e87082271f6f024034dc3e0c9ed7691aad24ca827c03d937f00bb865530d3
Instruction ID: dea4787ea8a346106a271a8220094215500c3d30852de538169348a6bce77c0f
Opcode Fuzzy Hash: aa0e87082271f6f024034dc3e0c9ed7691aad24ca827c03d937f00bb865530d3
Instruction Fuzzy Hash: EDA18D75A003099FDB24CFA9D881BEEBBB6EB58310F14452AE505A7390DBB4E9C1CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00405D88 Relevance: 12.2, APIs: 8, Instructions: 221
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 91%

			E00405D88(void* __eax, signed int __edi, void* __ebp) {
				struct _MEMORY_BASIC_INFORMATION _v44;
				void* _v48;
				signed int __ebx;
				void* _t58;
				signed int _t61;
				int _t65;
				signed int _t67;
				void _t70;
				int _t71;
				signed int _t78;
				void* _t79;
				signed int _t81;
				intOrPtr _t82;
				signed int _t87;
				signed int _t88;
				signed int _t89;
				signed int _t92;
				void* _t96;
				signed int _t99;
				void* _t103;
				intOrPtr _t104;
				void* _t106;
				void* _t108;
				signed int _t113;
				void* _t115;
				void* _t116;

				_t56 = __eax;
				_t89 =  *(__eax - 4);
				_t78 =  *0x6cf05d; // 0x0
				if((_t89 & 0x00000007) != 0) {
					__eflags = _t89 & 0x00000005;
					if((_t89 & 0x00000005) != 0) {
						_pop(_t78);
						__eflags = _t89 & 0x00000003;
						if((_t89 & 0x00000003) == 0) {
							_push(_t78);
							_push(__edi);
							_t116 = _t115 + 0xffffffdc;
							_t103 = __eax - 0x10;
							E00405764();
							_t58 = _t103;
							 *_t116 =  *_t58;
							_v48 =  *((intOrPtr*)(_t58 + 4));
							_t92 =  *(_t58 + 0xc);
							if((_t92 & 0x00000008) != 0) {
								_t79 = _t103;
								_t113 = _t92 & 0xfffffff0;
								_t99 = 0;
								__eflags = 0;
								while(1) {
									VirtualQuery(_t79,  &_v44, 0x1c);
									_t61 = VirtualFree(_t79, 0, 0x8000); // executed
									__eflags = _t61;
									if(_t61 == 0) {
										_t99 = _t99 | 0xffffffff;
										goto L10;
									}
									_t104 = _v44.RegionSize;
									__eflags = _t113 - _t104;
									if(_t113 > _t104) {
										_t113 = _t113 - _t104;
										_t79 = _t79 + _t104;
										continue;
									}
									goto L10;
								}
							} else {
								_t65 = VirtualFree(_t103, 0, 0x8000); // executed
								if(_t65 == 0) {
									_t99 = __edi | 0xffffffff;
								} else {
									_t99 = 0;
								}
							}
							L10:
							if(_t99 == 0) {
								 *_v48 =  *_t116;
								 *( *_t116 + 4) = _v48;
							}
							 *0x6d1b7c = 0;
							return _t99;
						} else {
							return 0xffffffff;
						}
					} else {
						goto L31;
					}
				} else {
					__eflags = __bl;
					__ebx =  *__edx;
					if(__eflags != 0) {
						while(1) {
							__eax = 0x100;
							asm("lock cmpxchg [ebx], ah");
							if(__eflags == 0) {
								goto L14;
							}
							asm("pause");
							__eflags =  *0x6cf98d;
							if(__eflags != 0) {
								continue;
							} else {
								Sleep(0);
								__edx = __edx;
								__ecx = __ecx;
								__eax = 0x100;
								asm("lock cmpxchg [ebx], ah");
								if(__eflags != 0) {
									Sleep(0xa);
									__edx = __edx;
									__ecx = __ecx;
									continue;
								}
							}
							goto L14;
						}
					}
					L14:
					_t14 = __edx + 0x14;
					 *_t14 =  *(__edx + 0x14) - 1;
					__eflags =  *_t14;
					__eax =  *(__edx + 0x10);
					if( *_t14 == 0) {
						__eflags = __eax;
						if(__eax == 0) {
							L20:
							 *(__ebx + 0x14) = __eax;
						} else {
							__eax =  *(__edx + 0xc);
							__ecx =  *(__edx + 8);
							 *(__eax + 8) = __ecx;
							 *(__ecx + 0xc) = __eax;
							__eax = 0;
							__eflags =  *((intOrPtr*)(__ebx + 0x18)) - __edx;
							if( *((intOrPtr*)(__ebx + 0x18)) == __edx) {
								goto L20;
							}
						}
						 *__ebx = __al;
						__eax = __edx;
						__edx =  *(__edx - 4);
						__bl =  *0x6cf05d; // 0x0
						L31:
						__eflags = _t78;
						_t81 = _t89 & 0xfffffff0;
						_push(_t101);
						_t106 = _t56;
						if(__eflags != 0) {
							while(1) {
								_t67 = 0x100;
								asm("lock cmpxchg [0x6cfaec], ah");
								if(__eflags == 0) {
									goto L32;
								}
								asm("pause");
								__eflags =  *0x6cf98d;
								if(__eflags != 0) {
									continue;
								} else {
									Sleep(0);
									_t67 = 0x100;
									asm("lock cmpxchg [0x6cfaec], ah");
									if(__eflags != 0) {
										Sleep(0xa);
										continue;
									}
								}
								goto L32;
							}
						}
						L32:
						__eflags = (_t106 - 4)[_t81] & 0x00000001;
						_t87 = (_t106 - 4)[_t81];
						if(((_t106 - 4)[_t81] & 0x00000001) != 0) {
							_t67 = _t81 + _t106;
							_t88 = _t87 & 0xfffffff0;
							_t81 = _t81 + _t88;
							__eflags = _t88 - 0xb30;
							if(_t88 >= 0xb30) {
								_t67 = E004055DC(_t67);
							}
						} else {
							_t88 = _t87 | 0x00000008;
							__eflags = _t88;
							(_t106 - 4)[_t81] = _t88;
						}
						__eflags =  *(_t106 - 4) & 0x00000008;
						if(( *(_t106 - 4) & 0x00000008) != 0) {
							_t88 =  *(_t106 - 8);
							_t106 = _t106 - _t88;
							_t81 = _t81 + _t88;
							__eflags = _t88 - 0xb30;
							if(_t88 >= 0xb30) {
								_t67 = E004055DC(_t106);
							}
						}
						__eflags = _t81 - 0x13ffe0;
						if(_t81 == 0x13ffe0) {
							__eflags =  *0x6cfaf4 - 0x13ffe0;
							if( *0x6cfaf4 != 0x13ffe0) {
								_t82 = _t106 + 0x13ffe0;
								E0040567C(_t67);
								 *((intOrPtr*)(_t82 - 4)) = 2;
								 *0x6cfaf4 = 0x13ffe0;
								 *0x6cfaf0 = _t82;
								 *0x6cfaec = 0;
								__eflags = 0;
								return 0;
							} else {
								_t108 = _t106 - 0x10;
								_t70 =  *_t108;
								_t96 =  *(_t108 + 4);
								 *(_t70 + 4) = _t96;
								 *_t96 = _t70;
								 *0x6cfaec = 0;
								_t71 = VirtualFree(_t108, 0, 0x8000);
								__eflags = _t71 - 1;
								asm("sbb eax, eax");
								return _t71;
							}
						} else {
							 *(_t106 - 4) = _t81 + 3;
							 *(_t106 - 8 + _t81) = _t81;
							E0040561C(_t106, _t88, _t81);
							 *0x6cfaec = 0;
							__eflags = 0;
							return 0;
						}
					} else {
						__eflags = __eax;
						 *(__edx + 0x10) = __ecx;
						 *(__ecx - 4) = __eax;
						if(__eflags == 0) {
							__ecx =  *(__ebx + 8);
							 *(__edx + 0xc) = __ebx;
							 *(__edx + 8) = __ecx;
							 *(__ecx + 0xc) = __edx;
							 *(__ebx + 8) = __edx;
							 *__ebx = 0;
							__eax = 0;
							__eflags = 0;
							_pop(__ebx);
							return 0;
						} else {
							__eax = 0;
							__eflags = 0;
							 *__ebx = __al;
							_pop(__ebx);
							return 0;
						}
					}
				}
			}

0x00405d88
0x00405d88
0x00405d91
0x00405d97
0x00405e80
0x00405e83
0x00405f70
0x00405f71
0x00405f74
0x00405814
0x00405816
0x00405818
0x0040581d
0x00405820
0x00405825
0x00405829
0x0040582f
0x00405833
0x00405839
0x00405855
0x00405859
0x0040585c
0x0040585c
0x0040585e
0x00405866
0x00405873
0x00405878
0x0040587a
0x0040587c
0x0040587f
0x0040587f
0x00405881
0x00405885
0x00405887
0x00405889
0x0040588b
0x00000000
0x0040588b
0x00000000
0x00405887
0x0040583b
0x00405843
0x0040584a
0x00405850
0x0040584c
0x0040584c
0x0040584c
0x0040584a
0x0040588f
0x00405891
0x0040589a
0x004058a3
0x004058a3
0x004058a6
0x004058b6
0x00405f7a
0x00405f7f
0x00405f7f
0x00000000
0x00000000
0x00000000
0x00405d9d
0x00405d9d
0x00405d9f
0x00405da1
0x00405e04
0x00405e04
0x00405e09
0x00405e0d
0x00000000
0x00000000
0x00405e0f
0x00405e11
0x00405e18
0x00000000
0x00405e1a
0x00405e1e
0x00405e23
0x00405e24
0x00405e25
0x00405e2a
0x00405e2e
0x00405e38
0x00405e3d
0x00405e3e
0x00000000
0x00405e3e
0x00405e2e
0x00000000
0x00405e18
0x00405e04
0x00405da3
0x00405da3
0x00405da3
0x00405da3
0x00405da7
0x00405daa
0x00405dd8
0x00405dda
0x00405def
0x00405def
0x00405ddc
0x00405ddc
0x00405ddf
0x00405de2
0x00405de5
0x00405de8
0x00405dea
0x00405ded
0x00000000
0x00000000
0x00405ded
0x00405df2
0x00405df4
0x00405df6
0x00405df9
0x00405e89
0x00405e8c
0x00405e8e
0x00405e90
0x00405e91
0x00405e93
0x00405e44
0x00405e44
0x00405e49
0x00405e51
0x00000000
0x00000000
0x00405e53
0x00405e55
0x00405e5c
0x00000000
0x00405e5e
0x00405e60
0x00405e65
0x00405e6a
0x00405e72
0x00405e76
0x00000000
0x00405e76
0x00405e72
0x00000000
0x00405e5c
0x00405e44
0x00405e95
0x00405e95
0x00405e9d
0x00405ea1
0x00405ed8
0x00405edb
0x00405ede
0x00405ee0
0x00405ee6
0x00405ee8
0x00405ee8
0x00405ea3
0x00405ea3
0x00405ea3
0x00405ea6
0x00405ea6
0x00405eaa
0x00405eae
0x00405ef0
0x00405ef3
0x00405ef5
0x00405ef7
0x00405efd
0x00405f01
0x00405f01
0x00405efd
0x00405eb0
0x00405eb6
0x00405f08
0x00405f12
0x00405f40
0x00405f46
0x00405f4b
0x00405f52
0x00405f5c
0x00405f62
0x00405f69
0x00405f6d
0x00405f14
0x00405f14
0x00405f17
0x00405f19
0x00405f1c
0x00405f1f
0x00405f21
0x00405f30
0x00405f35
0x00405f38
0x00405f3c
0x00405f3c
0x00405eb8
0x00405ebb
0x00405ebe
0x00405ec6
0x00405ecb
0x00405ed2
0x00405ed6
0x00405ed6
0x00405dac
0x00405dac
0x00405dae
0x00405db4
0x00405db7
0x00405dc0
0x00405dc3
0x00405dc6
0x00405dc9
0x00405dcc
0x00405dcf
0x00405dd2
0x00405dd2
0x00405dd4
0x00405dd5
0x00405db9
0x00405db9
0x00405db9
0x00405dbb
0x00405dbd
0x00405dbe
0x00405dbe
0x00405db7
0x00405daa

APIs

Sleep.KERNEL32(00000000,?,?,00000000,0040F300,0040F366,?,00000000,?,?,0040F689,00000000,?,00000000,0040FB8A,00000000), ref: 00405E1E
Sleep.KERNEL32(0000000A,00000000,?,?,00000000,0040F300,0040F366,?,00000000,?,?,0040F689,00000000,?,00000000,0040FB8A), ref: 00405E38

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: d1f42db9d12138cdecdca87d68e48a81541cc59cd0f269c0ee0c41ffaf02f020
Instruction ID: 71ad01a6e0dc675f4130d8d0918bf11407b14d9ec69c5e02b41b8aae26145368
Opcode Fuzzy Hash: d1f42db9d12138cdecdca87d68e48a81541cc59cd0f269c0ee0c41ffaf02f020
Instruction Fuzzy Hash: 2871C031604A008FD715DB69C989B27BBD5EF85314F18C17FE888AB3D2D6B88941CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00405F80 Relevance: 10.9, APIs: 7, Instructions: 406
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 88%

			E00405F80(signed int __eax, intOrPtr __edx, void* __edi) {
				signed int __ebx;
				void* __esi;
				signed int _t69;
				signed int _t78;
				signed int _t93;
				long _t94;
				void* _t96;
				void* _t98;
				void* _t100;
				signed int _t102;
				signed int _t109;
				signed int _t115;
				signed int _t123;
				signed int _t129;
				void* _t131;
				signed int _t140;
				unsigned int _t148;
				signed int _t150;
				long _t152;
				signed int _t156;
				intOrPtr _t161;
				signed int _t166;
				signed int _t170;
				unsigned int _t171;
				intOrPtr _t174;
				intOrPtr _t192;
				signed int _t195;
				signed int _t196;
				signed int _t197;
				void* _t205;
				unsigned int _t207;
				intOrPtr _t213;
				void* _t225;
				intOrPtr _t227;
				void* _t228;
				signed int _t230;
				void* _t232;
				signed int _t233;
				signed int _t234;
				signed int _t238;
				signed int _t241;
				void* _t243;
				intOrPtr* _t244;

				_t176 = __edx;
				_t66 = __eax;
				_t166 =  *(__eax - 4);
				_t217 = __eax;
				if((_t166 & 0x00000007) != 0) {
					__eflags = _t166 & 0x00000005;
					if((_t166 & 0x00000005) != 0) {
						_pop(_t217);
						_pop(_t145);
						__eflags = _t166 & 0x00000003;
						if((_t166 & 0x00000003) == 0) {
							_push(_t145);
							_push(__eax);
							_push(__edi);
							_push(_t225);
							_t244 = _t243 + 0xffffffe0;
							_t218 = __edx;
							_t202 = __eax;
							_t69 =  *(__eax - 4);
							_t148 = (0xfffffff0 & _t69) - 0x14;
							if(0xfffffff0 >= __edx) {
								__eflags = __edx - _t148 >> 1;
								if(__edx < _t148 >> 1) {
									_t150 = E00405A04(__edx);
									__eflags = _t150;
									if(_t150 != 0) {
										__eflags = _t218 - 0x40a2c;
										if(_t218 > 0x40a2c) {
											_t78 = _t202 - 0x10;
											__eflags = _t78;
											 *((intOrPtr*)(_t78 + 8)) = _t218;
										}
										E004055C0(_t202, _t218, _t150);
										E00405D88(_t202, _t202, _t225);
									}
								} else {
									_t150 = __eax;
									 *((intOrPtr*)(__eax - 0x10 + 8)) = __edx;
								}
							} else {
								if(0xfffffff0 <= __edx) {
									_t227 = __edx;
								} else {
									_t227 = 0xbadb9d;
								}
								 *_t244 = _t202 - 0x10 + (_t69 & 0xfffffff0);
								VirtualQuery( *(_t244 + 8), _t244 + 8, 0x1c);
								if( *((intOrPtr*)(_t244 + 0x14)) != 0x10000) {
									L12:
									_t150 = E00405A04(_t227);
									__eflags = _t150;
									if(_t150 != 0) {
										__eflags = _t227 - 0x40a2c;
										if(_t227 > 0x40a2c) {
											_t93 = _t150 - 0x10;
											__eflags = _t93;
											 *((intOrPtr*)(_t93 + 8)) = _t218;
										}
										E00405590(_t202,  *((intOrPtr*)(_t202 - 0x10 + 8)), _t150);
										E00405D88(_t202, _t202, _t227);
									}
								} else {
									 *(_t244 + 0x10) =  *(_t244 + 0x10) & 0xffff0000;
									_t94 =  *(_t244 + 0x10);
									if(_t218 - _t148 >= _t94) {
										goto L12;
									} else {
										_t152 = _t227 - _t148 + 0x00010000 - 0x00000001 & 0xffff0000;
										if(_t94 < _t152) {
											_t152 = _t94;
										}
										_t96 = VirtualAlloc( *(_t244 + 0xc), _t152, 0x2000, 4); // executed
										if(_t96 == 0) {
											goto L12;
										} else {
											_t98 = VirtualAlloc( *(_t244 + 0xc), _t152, 0x1000, 4); // executed
											if(_t98 == 0) {
												goto L12;
											} else {
												_t100 = _t202 - 0x10;
												 *((intOrPtr*)(_t100 + 8)) = _t218;
												 *(_t100 + 0xc) = _t152 +  *(_t100 + 0xc) | 0x00000008;
												_t150 = _t202;
											}
										}
									}
								}
							}
							return _t150;
						} else {
							__eflags = 0;
							return 0;
						}
					} else {
						_t170 = _t166 & 0xfffffff0;
						_push(__edi);
						_t205 = _t170 + __eax;
						_t171 = _t170 - 4;
						_t156 = _t166 & 0x0000000f;
						__eflags = __edx - _t171;
						_push(_t225);
						if(__edx > _t171) {
							_t102 =  *(_t205 - 4);
							__eflags = _t102 & 0x00000001;
							if((_t102 & 0x00000001) == 0) {
								L75:
								asm("adc edi, 0xffffffff");
								_t228 = ((_t171 >> 0x00000002) + _t171 - _t176 & 0) + _t176;
								_t207 = _t171;
								_t109 = E00405A04(((_t171 >> 0x00000002) + _t171 - _t176 & 0) + _t176);
								_t192 = _t176;
								__eflags = _t109;
								if(_t109 == 0) {
									goto L73;
								} else {
									__eflags = _t228 - 0x40a2c;
									if(_t228 > 0x40a2c) {
										 *((intOrPtr*)(_t109 - 8)) = _t192;
									}
									_t230 = _t109;
									E00405590(_t217, _t207, _t109);
									E00405D88(_t217, _t207, _t230);
									return _t230;
								}
							} else {
								_t115 = _t102 & 0xfffffff0;
								_t232 = _t171 + _t115;
								__eflags = __edx - _t232;
								if(__edx > _t232) {
									goto L75;
								} else {
									__eflags =  *0x6cf05d;
									if(__eflags == 0) {
										L66:
										__eflags = _t115 - 0xb30;
										if(_t115 >= 0xb30) {
											E004055DC(_t205);
											_t176 = _t176;
											_t171 = _t171;
										}
										asm("adc edi, 0xffffffff");
										_t123 = (_t176 + ((_t171 >> 0x00000002) + _t171 - _t176 & 0) + 0x000000d3 & 0xffffff00) + 0x30;
										_t195 = _t232 + 4 - _t123;
										__eflags = _t195;
										if(_t195 > 0) {
											 *(_t217 + _t232 - 4) = _t195;
											 *((intOrPtr*)(_t217 - 4 + _t123)) = _t195 + 3;
											_t233 = _t123;
											__eflags = _t195 - 0xb30;
											if(_t195 >= 0xb30) {
												__eflags = _t123 + _t217;
												E0040561C(_t123 + _t217, _t171, _t195);
											}
										} else {
											 *(_t217 + _t232) =  *(_t217 + _t232) & 0xfffffff7;
											_t233 = _t232 + 4;
										}
										_t234 = _t233 | _t156;
										__eflags = _t234;
										 *(_t217 - 4) = _t234;
										 *0x6cfaec = 0;
										_t109 = _t217;
										L73:
										return _t109;
									} else {
										while(1) {
											asm("lock cmpxchg [0x6cfaec], ah");
											if(__eflags == 0) {
												break;
											}
											asm("pause");
											__eflags =  *0x6cf98d;
											if(__eflags != 0) {
												continue;
											} else {
												Sleep(0);
												_t176 = _t176;
												_t171 = _t171;
												asm("lock cmpxchg [0x6cfaec], ah");
												if(__eflags != 0) {
													Sleep(0xa);
													_t176 = _t176;
													_t171 = _t171;
													continue;
												}
											}
											break;
										}
										_t156 = 0x0000000f &  *(_t217 - 4);
										_t129 =  *(_t205 - 4);
										__eflags = _t129 & 0x00000001;
										if((_t129 & 0x00000001) == 0) {
											L74:
											 *0x6cfaec = 0;
											goto L75;
										} else {
											_t115 = _t129 & 0xfffffff0;
											_t232 = _t171 + _t115;
											__eflags = _t176 - _t232;
											if(_t176 > _t232) {
												goto L74;
											} else {
												goto L66;
											}
										}
									}
								}
							}
						} else {
							__eflags = __edx + __edx - _t171;
							if(__edx + __edx < _t171) {
								__eflags = __edx - 0xb2c;
								if(__edx >= 0xb2c) {
									L41:
									_t32 = _t176 + 0xd3; // 0xbff
									_t238 = (_t32 & 0xffffff00) + 0x30;
									_t174 = _t171 + 4 - _t238;
									__eflags =  *0x6cf05d;
									if(__eflags != 0) {
										while(1) {
											asm("lock cmpxchg [0x6cfaec], ah");
											if(__eflags == 0) {
												break;
											}
											asm("pause");
											__eflags =  *0x6cf98d;
											if(__eflags != 0) {
												continue;
											} else {
												Sleep(0);
												_t174 = _t174;
												asm("lock cmpxchg [0x6cfaec], ah");
												if(__eflags != 0) {
													Sleep(0xa);
													_t174 = _t174;
													continue;
												}
											}
											break;
										}
										_t156 = 0x0000000f &  *(_t217 - 4);
										__eflags = 0xf;
									}
									 *(_t217 - 4) = _t156 | _t238;
									_t161 = _t174;
									_t196 =  *(_t205 - 4);
									__eflags = _t196 & 0x00000001;
									if((_t196 & 0x00000001) != 0) {
										_t131 = _t205;
										_t197 = _t196 & 0xfffffff0;
										_t161 = _t161 + _t197;
										_t205 = _t205 + _t197;
										__eflags = _t197 - 0xb30;
										if(_t197 >= 0xb30) {
											E004055DC(_t131);
										}
									} else {
										 *(_t205 - 4) = _t196 | 0x00000008;
									}
									 *((intOrPtr*)(_t205 - 8)) = _t161;
									 *((intOrPtr*)(_t217 + _t238 - 4)) = _t161 + 3;
									__eflags = _t161 - 0xb30;
									if(_t161 >= 0xb30) {
										E0040561C(_t217 + _t238, _t174, _t161);
									}
									 *0x6cfaec = 0;
									return _t217;
								} else {
									__eflags = __edx - 0x2cc;
									if(__edx < 0x2cc) {
										_t213 = __edx;
										_t140 = E00405A04(__edx);
										__eflags = _t140;
										if(_t140 != 0) {
											_t241 = _t140;
											E004055C0(_t217, _t213, _t140);
											E00405D88(_t217, _t213, _t241);
											_t140 = _t241;
										}
										return _t140;
									} else {
										_t176 = 0xb2c;
										__eflags = _t171 - 0xb2c;
										if(_t171 <= 0xb2c) {
											goto L37;
										} else {
											goto L41;
										}
									}
								}
							} else {
								L37:
								return _t66;
							}
						}
					}
				} else {
					__ebx =  *__ecx;
					__ecx =  *(__ebx + 2) & 0x0000ffff;
					__ecx = ( *(__ebx + 2) & 0x0000ffff) - 4;
					__eflags = __ecx - __edx;
					if(__ecx < __edx) {
						__ecx = __ecx + __ecx + 0x20;
						_push(__edi);
						__edi = __edx;
						__eax = 0;
						__ecx = __ecx - __edx;
						asm("adc eax, 0xffffffff");
						__eax = 0 & __ecx;
						__eax = (0 & __ecx) + __edx;
						__eax = E00405A04((0 & __ecx) + __edx);
						__eflags = __eax;
						if(__eax != 0) {
							__eflags = __edi - 0x40a2c;
							if(__edi > 0x40a2c) {
								 *(__eax - 8) = __edi;
							}
							 *(__ebx + 2) & 0x0000ffff = ( *(__ebx + 2) & 0x0000ffff) - 4;
							__eflags = ( *(__ebx + 2) & 0x0000ffff) - 4;
							__edx = __eax;
							__edi = __eax;
							 *((intOrPtr*)(__ebx + 0x1c))() = E00405D88(__esi, __edi, __ebp);
							__eax = __edi;
						}
						_pop(__edi);
						_pop(__esi);
						_pop(__ebx);
						return __eax;
					} else {
						__ebx = 0x40 + __edx * 4;
						__eflags = 0x40 + __edx * 4 - __ecx;
						if(0x40 + __edx * 4 < __ecx) {
							__ebx = __edx;
							__eax = __edx;
							__eax = E00405A04(__edx);
							__eflags = __eax;
							if(__eax != 0) {
								__ecx = __ebx;
								__edx = __eax;
								__ebx = __eax;
								__esi = E00405D88(__esi, __edi, __ebp);
								__eax = __ebx;
							}
							_pop(__esi);
							_pop(__ebx);
							return __eax;
						} else {
							_pop(__esi);
							_pop(__ebx);
							return __eax;
						}
					}
				}
			}

0x00405f80
0x00405f80
0x00405f80
0x00405f88
0x00405f8a
0x00406018
0x0040601b
0x00406288
0x00406289
0x0040628a
0x0040628d
0x004058b8
0x004058b9
0x004058ba
0x004058bb
0x004058bc
0x004058bf
0x004058c1
0x004058c8
0x004058d1
0x004058d6
0x004059bd
0x004059bf
0x004059d2
0x004059d4
0x004059d6
0x004059d8
0x004059de
0x004059e2
0x004059e2
0x004059e5
0x004059e5
0x004059ee
0x004059f5
0x004059f5
0x004059c1
0x004059c1
0x004059c6
0x004059c6
0x004058dc
0x004058e5
0x004058eb
0x004058e7
0x004058e7
0x004058e7
0x004058f7
0x00405906
0x00405913
0x00405983
0x0040598a
0x0040598c
0x0040598e
0x00405990
0x00405996
0x0040599a
0x0040599a
0x0040599d
0x0040599d
0x004059ad
0x004059b4
0x004059b4
0x00405915
0x00405915
0x00405921
0x00405927
0x00000000
0x00405929
0x0040593a
0x0040593e
0x00405940
0x00405940
0x0040594f
0x00405956
0x00000000
0x00405958
0x00405965
0x0040596c
0x00000000
0x0040596e
0x00405970
0x00405973
0x0040597c
0x0040597f
0x0040597f
0x0040596c
0x00405956
0x00405927
0x00405913
0x00405a03
0x00406293
0x00406293
0x00406295
0x00406295
0x00406021
0x00406023
0x00406026
0x00406027
0x0040602a
0x0040602d
0x00406030
0x00406032
0x00406033
0x00406148
0x0040614b
0x0040614d
0x00406240
0x0040624b
0x00406252
0x00406254
0x00406257
0x0040625c
0x0040625d
0x0040625f
0x00000000
0x00406261
0x00406261
0x00406267
0x00406269
0x00406269
0x0040626c
0x00406274
0x0040627b
0x00406286
0x00406286
0x00406153
0x00406153
0x00406156
0x00406159
0x0040615b
0x00000000
0x00406161
0x00406161
0x00406168
0x004061c5
0x004061c5
0x004061ca
0x004061d0
0x004061d5
0x004061d6
0x004061d6
0x004061e2
0x004061f3
0x004061f9
0x004061f9
0x004061fb
0x00406208
0x0040620f
0x00406213
0x00406215
0x0040621b
0x0040621d
0x0040621f
0x0040621f
0x004061fd
0x004061fd
0x00406201
0x00406201
0x00406224
0x00406224
0x00406226
0x00406229
0x00406230
0x00406232
0x00406236
0x0040616a
0x0040616a
0x0040616f
0x00406177
0x00000000
0x00000000
0x00406179
0x0040617b
0x00406182
0x00000000
0x00406184
0x00406188
0x0040618d
0x0040618e
0x00406194
0x0040619c
0x004061a2
0x004061a7
0x004061a8
0x00000000
0x004061a8
0x0040619c
0x00000000
0x00406182
0x004061b1
0x004061b4
0x004061b7
0x004061b9
0x00406239
0x00406239
0x00000000
0x004061bb
0x004061bb
0x004061be
0x004061c1
0x004061c3
0x00000000
0x00000000
0x00000000
0x00000000
0x004061c3
0x004061b9
0x00406168
0x0040615b
0x00406039
0x0040603c
0x0040603e
0x00406048
0x0040604e
0x00406065
0x00406065
0x00406071
0x00406077
0x00406079
0x00406080
0x00406082
0x00406087
0x0040608f
0x00000000
0x00000000
0x00406091
0x00406093
0x0040609a
0x00000000
0x0040609c
0x0040609f
0x004060a4
0x004060aa
0x004060b2
0x004060b7
0x004060bc
0x00000000
0x004060bc
0x004060b2
0x00000000
0x0040609a
0x004060c5
0x004060c5
0x004060c5
0x004060ca
0x004060cd
0x004060cf
0x004060d2
0x004060d5
0x004060e0
0x004060e2
0x004060e5
0x004060e7
0x004060e9
0x004060ef
0x004060f1
0x004060f1
0x004060d7
0x004060da
0x004060da
0x004060f6
0x004060fc
0x00406100
0x00406106
0x0040610d
0x0040610d
0x00406112
0x0040611f
0x00406050
0x00406050
0x00406056
0x00406120
0x00406124
0x00406129
0x0040612b
0x0040612d
0x00406135
0x0040613c
0x00406141
0x00406141
0x00406147
0x0040605c
0x0040605c
0x00406061
0x00406063
0x00000000
0x00000000
0x00000000
0x00000000
0x00406063
0x00406056
0x00406040
0x00406040
0x00406044
0x00406044
0x0040603e
0x00406033
0x00405f90
0x00405f90
0x00405f92
0x00405f96
0x00405f99
0x00405f9b
0x00405fd4
0x00405fd8
0x00405fd9
0x00405fdb
0x00405fdd
0x00405fdf
0x00405fe2
0x00405fe4
0x00405fe6
0x00405feb
0x00405fed
0x00405fef
0x00405ff5
0x00405ff7
0x00405ff7
0x00405ffe
0x00405ffe
0x00406001
0x00406003
0x0040600c
0x00406011
0x00406011
0x00406013
0x00406014
0x00406015
0x00406016
0x00405f9d
0x00405f9d
0x00405fa4
0x00405fa6
0x00405fac
0x00405fae
0x00405fb0
0x00405fb5
0x00405fb7
0x00405fb9
0x00405fbb
0x00405fbd
0x00405fc8
0x00405fcd
0x00405fcd
0x00405fcf
0x00405fd0
0x00405fd1
0x00405fa8
0x00405fa8
0x00405fa9
0x00405faa
0x00405faa
0x00405fa6
0x00405f9b

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 833c993916d0d18284627c8ebcb851e0d3f6b00a19ef6d1fc725f28c20042ba8
Instruction ID: 5d66737b0d4da92f98c0db807105cf356bd4b4b1c4874a50b8b8aa415a59ee3b
Opcode Fuzzy Hash: 833c993916d0d18284627c8ebcb851e0d3f6b00a19ef6d1fc725f28c20042ba8
Instruction Fuzzy Hash: D1C134A2710A004BD714AB7D9C8476FB286DBC5324F19823FE645EB3D6DA7CCC558B88

Uniqueness

Uniqueness Score: -1.00%

Function 0060F06C Relevance: 10.7, APIs: 2, Strings: 5, Instructions: 157
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 53%

			E0060F06C(signed char __eax, void* __ebx, char __ecx, void* __edx, void* __edi, void* __esi, void* __fp0, intOrPtr* _a4, void* _a8, signed short _a12, signed char _a16, char _a20) {
				char _v8;
				signed char _v9;
				short _v32;
				intOrPtr _v36;
				char _v80;
				void* _v92;
				char _v96;
				char _v100;
				char _v104;
				char _v108;
				char _v112;
				char _v116;
				char _v120;
				intOrPtr _t63;
				intOrPtr _t64;
				void* _t75;
				intOrPtr _t107;
				char _t114;
				intOrPtr _t132;
				void* _t142;
				intOrPtr* _t144;
				void* _t147;

				_t116 = __ecx;
				_v116 = 0;
				_v120 = 0;
				_v108 = 0;
				_v112 = 0;
				_v104 = 0;
				_v100 = 0;
				_v8 = 0;
				_t114 = __ecx;
				_t142 = __edx;
				_v9 = __eax;
				_t144 = _a4;
				E0040A2AC(_a20);
				_push(_t147);
				_push(0x60f26e);
				_push( *[fs:eax]);
				 *[fs:eax] = _t147 + 0xffffff8c;
				E0040B660(_t142, 0x60f28c);
				if(0 != 0) {
					_push(0x60f29c);
					_push(_t142);
					_push(0x60f29c);
					E0040B550( &_v8, _t114, 3, _t142, _t144);
					__eflags = _t114;
					if(_t114 != 0) {
						_push(_v8);
						_push(0x60f2ac);
						_push(_t114);
						E0040B550( &_v8, _t114, 3, _t142, _t144);
					}
					E005C53D0(_t142,  &_v100);
					_t63 = E00422368(_v100, _t116, L".bat");
					__eflags = _t63;
					if(_t63 == 0) {
						L6:
						_t64 = E005C77E8();
						__eflags = _t64;
						if(_t64 == 0) {
							_push(0x60f29c);
							E005C7430( &_v120);
							E005C4EA4(_v120,  &_v116);
							_push(_v116);
							_push(L"COMMAND.COM\" /C ");
							_push(_v8);
							E0040B550( &_v8, _t114, 4, _t142, _t144);
						} else {
							_push(0x60f29c);
							E005C745C( &_v112);
							E005C4EA4(_v112,  &_v108);
							_push(_v108);
							_push(L"cmd.exe\" /C \"");
							_push(_v8);
							_push(0x60f29c);
							E0040B550( &_v8, _t114, 5, _t142, _t144);
						}
						goto L9;
					} else {
						E005C53D0(_t142,  &_v104);
						_t107 = E00422368(_v104, _t116, L".cmd");
						__eflags = _t107;
						if(_t107 != 0) {
							L9:
							__eflags = _a20;
							if(_a20 == 0) {
								E005C5378(_t142, _t116,  &_a20);
							}
							goto L11;
						}
						goto L6;
					}
				} else {
					E0040A5F0( &_v8, _t114);
					L11:
					E00407760( &_v80, 0x44);
					_v80 = 0x44;
					_v36 = 1;
					_v32 = _a12 & 0x0000ffff;
					_t150 = _a20;
					if(_a20 == 0) {
						E005C745C( &_a20);
					}
					_t75 = E0040B278(_a20);
					E0060C038(_v9 & 0x000000ff, E0040B278(_v8), 0, _t150,  &_v96,  &_v80, _t75, 0, 0x4000000, 0, 0, 0); // executed
					asm("sbb ebx, ebx");
					_t115 = _t114 + 1;
					if(_t114 + 1 != 0) {
						CloseHandle(_v92);
						E0060EFD8(_v96, _t115, _a16 & 0x000000ff, _t142, _t144, _t144); // executed
					} else {
						 *_t144 = GetLastError();
					}
					_pop(_t132);
					 *[fs:eax] = _t132;
					_push(E0060F275);
					E0040A228( &_v120, 6);
					E0040A1C8( &_v8);
					return E0040A1C8( &_a20);
				}
			}

0x0060f06c
0x0060f077
0x0060f07a
0x0060f07d
0x0060f080
0x0060f083
0x0060f086
0x0060f089
0x0060f08c
0x0060f08e
0x0060f090
0x0060f093
0x0060f099
0x0060f0a0
0x0060f0a1
0x0060f0a6
0x0060f0a9
0x0060f0b3
0x0060f0b8
0x0060f0c9
0x0060f0ce
0x0060f0cf
0x0060f0dc
0x0060f0e1
0x0060f0e3
0x0060f0e5
0x0060f0e8
0x0060f0ed
0x0060f0f6
0x0060f0f6
0x0060f100
0x0060f10d
0x0060f112
0x0060f114
0x0060f131
0x0060f131
0x0060f136
0x0060f138
0x0060f171
0x0060f179
0x0060f184
0x0060f189
0x0060f18c
0x0060f191
0x0060f19c
0x0060f13a
0x0060f13a
0x0060f142
0x0060f14d
0x0060f152
0x0060f155
0x0060f15a
0x0060f15d
0x0060f16a
0x0060f16a
0x00000000
0x0060f116
0x0060f11b
0x0060f128
0x0060f12d
0x0060f12f
0x0060f1a1
0x0060f1a1
0x0060f1a5
0x0060f1ac
0x0060f1ac
0x00000000
0x0060f1a5
0x00000000
0x0060f12f
0x0060f0ba
0x0060f0bf
0x0060f1b1
0x0060f1bb
0x0060f1c0
0x0060f1c7
0x0060f1d2
0x0060f1d6
0x0060f1da
0x0060f1df
0x0060f1df
0x0060f1f4
0x0060f212
0x0060f21a
0x0060f21c
0x0060f21f
0x0060f22e
0x0060f23e
0x0060f221
0x0060f226
0x0060f226
0x0060f245
0x0060f248
0x0060f24b
0x0060f258
0x0060f260
0x0060f26d
0x0060f26d

APIs

GetLastError.KERNEL32(?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,?,COMMAND.COM" /C ,?,0060F29C,0060F29C,?,0060F29C,00000000), ref: 0060F221
CloseHandle.KERNEL32(006B7E1B,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,?,COMMAND.COM" /C ,?,0060F29C,0060F29C,?,0060F29C), ref: 0060F22E

Part of subcall function 0060EFD8: WaitForInputIdle.USER32 ref: 0060F004
Part of subcall function 0060EFD8: MsgWaitForMultipleObjects.USER32 ref: 0060F026
Part of subcall function 0060EFD8: GetExitCodeProcess.KERNEL32 ref: 0060F037
Part of subcall function 0060EFD8: CloseHandle.KERNEL32(00000001,0060F064,0060F05D,?,?,?,00000001,?,?,0060F406,?,00000000,0060F41C,?,?,?), ref: 0060F057

Strings

.bat, xrefs: 0060F108
.cmd, xrefs: 0060F123
COMMAND.COM" /C , xrefs: 0060F18C
D, xrefs: 0060F1C0
cmd.exe" /C ", xrefs: 0060F155

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: CloseHandleWait$CodeErrorExitIdleInputLastMultipleObjectsProcess
String ID: .bat$.cmd$COMMAND.COM" /C $D$cmd.exe" /C "
API String ID: 854858120-615399546
Opcode ID: 6066c1e172dc0d99cc31431a10fc3eed621d142c344beddd96f3c6e48ba0f8e2
Instruction ID: 0730013a778409a59d543d7128fc9cae65caf948aa4e6a3f37707057903c9a02
Opcode Fuzzy Hash: 6066c1e172dc0d99cc31431a10fc3eed621d142c344beddd96f3c6e48ba0f8e2
Instruction Fuzzy Hash: 69512134A8030DABDB14EFE5C892ADEBBBAFF44304F60447AB404A76C1D7749E059B95

Uniqueness

Uniqueness Score: -1.00%

Function 005B85F0 Relevance: 10.6, APIs: 7, Instructions: 105
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 90%

			E005B85F0(void* __eax, void* __ecx, struct tagMSG* __edx) {
				char _v19;
				int _t10;
				char _t12;
				int _t13;
				void* _t14;
				int _t30;
				int _t32;
				MSG* _t43;
				void* _t44;
				char* _t46;

				_t43 = __edx;
				_t44 = __eax;
				_t32 = 0;
				_t10 = PeekMessageW(__edx, 0, 0, 0, 0); // executed
				if(_t10 != 0) {
					_v19 = _t12;
					if(_v19 == 0) {
						_t13 = PeekMessageA(_t43, 0, 0, 0, 1);
						asm("sbb eax, eax");
						_t14 = _t13 + 1;
					} else {
						_t30 = PeekMessageW(_t43, 0, 0, 0, 1); // executed
						asm("sbb eax, eax");
						_t14 = _t30 + 1;
					}
					if(_t14 != 0) {
						_t32 = 1;
						if(_t43->message == 0x12) {
							 *((char*)(_t44 + 0xbc)) = 1;
						} else {
							 *_t46 = 0;
							if( *((short*)(_t44 + 0x122)) != 0) {
								 *((intOrPtr*)(_t44 + 0x120))();
							}
							if(E005BA368(_t44, _t43) == 0 && E005B8488(_t44, _t43) == 0 &&  *_t46 == 0 && E005B8340(_t44, _t43) == 0 && E005B8390(_t44, _t43) == 0 && E005B82F8(_t44, _t43) == 0) {
								TranslateMessage(_t43);
								if(_v19 == 0) {
									DispatchMessageA(_t43);
								} else {
									DispatchMessageW(_t43); // executed
								}
							}
						}
					}
				}
				return _t32;
			}

0x005b85f5
0x005b85f7
0x005b85f9
0x005b8604
0x005b860b
0x005b8627
0x005b8630
0x005b8651
0x005b8659
0x005b865b
0x005b8632
0x005b863b
0x005b8643
0x005b8645
0x005b8645
0x005b865e
0x005b8664
0x005b866a
0x005b86f2
0x005b8670
0x005b8670
0x005b867c
0x005b8688
0x005b8688
0x005b8699
0x005b86d6
0x005b86e0
0x005b86eb
0x005b86e2
0x005b86e3
0x005b86e3
0x005b86e0
0x005b8699
0x005b866a
0x005b865e
0x005b8700

APIs

PeekMessageW.USER32 ref: 005B8604
IsWindowUnicode.USER32 ref: 005B8618
PeekMessageW.USER32 ref: 005B863B
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 005B8651
TranslateMessage.USER32 ref: 005B86D6
DispatchMessageW.USER32 ref: 005B86E3
DispatchMessageA.USER32 ref: 005B86EB

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: Message$Peek$Dispatch$TranslateUnicodeWindow
String ID:
API String ID: 2190272339-0
Opcode ID: 2f195b20c59e7edbc16b7d2fd048cba63cfdff170111f45a03f5aac70044babc
Instruction ID: 67b3953643da56f9c200822127d0531685f000c00b35d7cfb42a732a483186e2
Opcode Fuzzy Hash: 2f195b20c59e7edbc16b7d2fd048cba63cfdff170111f45a03f5aac70044babc
Instruction Fuzzy Hash: 4921D83034478065EA312D2A1C15BFE9FDD6FF1B49F14545EF58197282CEA9F846C21E

Uniqueness

Uniqueness Score: -1.00%

Function 006AC8CC Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 102
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 77%

			E006AC8CC(long __ebx, void* __edx, void* __edi, void* __esi) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				intOrPtr _v40;
				char _v44;
				char _v48;
				char _v52;
				char _v56;
				char* _t40;
				intOrPtr _t41;
				int _t47;
				intOrPtr _t77;
				void* _t80;
				intOrPtr _t81;
				intOrPtr _t94;
				intOrPtr _t107;
				intOrPtr _t108;

				_t105 = __esi;
				_t104 = __edi;
				_t79 = __ebx;
				_t107 = _t108;
				_t80 = 6;
				do {
					_push(0);
					_push(0);
					_t80 = _t80 - 1;
				} while (_t80 != 0);
				_push(_t80);
				_push(__ebx);
				_push(_t107);
				_push(0x6aca22);
				_push( *[fs:eax]);
				 *[fs:eax] = _t108;
				E0060D530( &_v20, __ebx, __edx, __edi, __esi); // executed
				E0040A5A8(0x6d6530, _v20);
				_t81 =  *0x6d6530; // 0x0
				E0040B4C8( &_v24, _t81, L"Created temporary directory: ");
				E00616130(_v24, _t79, __edi, __esi);
				_t40 =  *0x6cdfdc; // 0x6d62e4
				if( *_t40 != 0) {
					_t77 =  *0x6d6530; // 0x0
					E0061583C(_t77);
				}
				_t41 =  *0x6d6530; // 0x0
				E005C4EA4(_t41,  &_v28);
				E0040B4C8( &_v8, L"_isetup", _v28);
				_t47 = CreateDirectoryW(E0040B278(_v8), 0); // executed
				if(_t47 == 0) {
					_t79 = GetLastError();
					E005CD508(0x3d,  &_v48, _v8);
					_v44 = _v48;
					E0042302C( &_v52, _t61, 0);
					_v40 = _v52;
					E005C857C(_t79,  &_v56);
					_v36 = _v56;
					E005CD4D8(0x81, 2,  &_v44,  &_v32);
					E00429008(_v32, 1);
					E004098C4();
				}
				E0062554C( &_v12);
				_t113 = _v12;
				if(_v12 != 0) {
					E0040B4C8( &_v16, L"\\_setup64.tmp", _v8);
					E006AC874(_v12, _t79, _v16, _t104, _t105, _t113); // executed
					E006255A4(_v16);
				}
				_pop(_t94);
				 *[fs:eax] = _t94;
				_push(E006ACA29);
				E0040A228( &_v56, 3);
				return E0040A228( &_v32, 7);
			}

0x006ac8cc
0x006ac8cc
0x006ac8cc
0x006ac8cd
0x006ac8cf
0x006ac8d4
0x006ac8d4
0x006ac8d6
0x006ac8d8
0x006ac8d8
0x006ac8db
0x006ac8dc
0x006ac8df
0x006ac8e0
0x006ac8e5
0x006ac8e8
0x006ac8ee
0x006ac8fb
0x006ac903
0x006ac90e
0x006ac916
0x006ac91b
0x006ac923
0x006ac925
0x006ac92a
0x006ac92a
0x006ac932
0x006ac937
0x006ac947
0x006ac957
0x006ac95e
0x006ac965
0x006ac975
0x006ac97d
0x006ac989
0x006ac991
0x006ac999
0x006ac9a1
0x006ac9b0
0x006ac9bf
0x006ac9c4
0x006ac9c4
0x006ac9cc
0x006ac9d1
0x006ac9d5
0x006ac9e2
0x006ac9ed
0x006ac9f5
0x006ac9f5
0x006ac9fc
0x006ac9ff
0x006aca02
0x006aca0f
0x006aca21

APIs

CreateDirectoryW.KERNEL32(00000000,00000000,00000000,006ACA22,?,?,00000005,00000000,00000000,?,006B92B5,00000000,006B946A,?,00000000,006B94CE), ref: 006AC957
GetLastError.KERNEL32(00000000,00000000,00000000,006ACA22,?,?,00000005,00000000,00000000,?,006B92B5,00000000,006B946A,?,00000000,006B94CE), ref: 006AC960

Strings

Created temporary directory: , xrefs: 006AC909
\_setup64.tmp, xrefs: 006AC9DA
_isetup, xrefs: 006AC942
bm, xrefs: 006AC91B

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID: Created temporary directory: $\_setup64.tmp$_isetup$bm
API String ID: 1375471231-4222912607
Opcode ID: f7a217e2c30815a74382ced212125fa0efd95f934c7959fdcee1df4dfdec5075
Instruction ID: fab29f73b12df9647497e51388a78cad5e0a4b86d3a417c00642db4583a337af
Opcode Fuzzy Hash: f7a217e2c30815a74382ced212125fa0efd95f934c7959fdcee1df4dfdec5075
Instruction Fuzzy Hash: 00412E34A102099BDB01FBA4D891AEEB7B6FF89704F50417AF501B7391DA34AE458B64

Uniqueness

Uniqueness Score: -1.00%

Function 005C92C8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 69%

			E005C92C8(void* __ebx, void* __edx, void* __edi, void* __esi) {
				char _v8;
				void* _t10;
				intOrPtr _t17;
				intOrPtr _t24;
				intOrPtr* _t27;
				struct HWND__* _t33;
				void* _t42;
				intOrPtr _t44;
				void* _t49;
				intOrPtr _t51;
				struct HWND__* _t52;
				intOrPtr _t54;
				intOrPtr _t55;

				_t50 = __esi;
				_t42 = __edx;
				_t54 = _t55;
				_push(0);
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				if(__edx != 0) {
					_t55 = _t55 + 0xfffffff0;
					_t10 = E00408A40(_t10, _t54);
				}
				_t49 = _t10;
				_push(_t54);
				_push(0x5c93da);
				_push( *[fs:eax]);
				 *[fs:eax] = _t55;
				E00408414(0);
				 *((intOrPtr*)(_t49 + 0xc)) = GetActiveWindow();
				 *((intOrPtr*)(_t49 + 0x10)) = GetFocus();
				_t17 = E005ABB4C(0, _t42, _t49, _t50); // executed
				 *((intOrPtr*)(_t49 + 0x14)) = _t17;
				if( *0x6d5822 == 0) {
					 *0x6d5822 = RegisterClassW(0x6ccd0c);
				}
				if( *0x6d5822 != 0) {
					_t24 = E00414DA0(0, L"TWindowDisabler-Window", 0,  *0x6d2634, 0, 0, 0, 0, 0, 0, 0x88000000); // executed
					_t51 = _t24;
					 *((intOrPtr*)(_t49 + 8)) = _t51;
					if(_t51 != 0) {
						_t5 = _t49 + 8; // 0x4134a000
						_t27 =  *0x6cdec4; // 0x6d579c
						E005B8044( *_t27,  &_v8);
						E0040B278(_v8);
						_t33 = E00414DA0(0, L"TWindowDisabler-Window", 0,  *0x6d2634, 0,  *_t5, 0, 0, 0, 0, 0x80000000); // executed
						_t52 = _t33;
						 *(_t49 + 4) = _t52;
						if(_t52 != 0) {
							ShowWindow(_t52, 8); // executed
						}
					}
				}
				SetFocus(0);
				_pop(_t44);
				 *[fs:eax] = _t44;
				_push(E005C93E1);
				return E0040A1C8( &_v8);
			}

0x005c92c8
0x005c92c8
0x005c92c9
0x005c92cb
0x005c92cd
0x005c92ce
0x005c92cf
0x005c92d2
0x005c92d4
0x005c92d7
0x005c92d7
0x005c92de
0x005c92e2
0x005c92e3
0x005c92e8
0x005c92eb
0x005c92f2
0x005c92fc
0x005c9304
0x005c9309
0x005c930e
0x005c9319
0x005c9325
0x005c9325
0x005c9333
0x005c935e
0x005c9363
0x005c9365
0x005c936a
0x005c9379
0x005c938a
0x005c9391
0x005c9399
0x005c93a7
0x005c93ac
0x005c93ae
0x005c93b3
0x005c93b8
0x005c93b8
0x005c93b3
0x005c936a
0x005c93bf
0x005c93c6
0x005c93c9
0x005c93cc
0x005c93d9

APIs

GetActiveWindow.USER32 ref: 005C92F7
GetFocus.USER32(00000000,005C93DA,?,?,?,00000001,00000000,?,00624EAB,006D579C,?,006B93C5,?,?,00000000,006B9450), ref: 005C92FF
RegisterClassW.USER32 ref: 005C9320
ShowWindow.USER32(00000000,00000008,00000000,?,00000000,4134A000,00000000,00000000,00000000,00000000,80000000,00000000,?,00000000,00000000,00000000), ref: 005C93B8
SetFocus.USER32(00000000,00000000,005C93DA,?,?,?,00000001,00000000,?,00624EAB,006D579C,?,006B93C5,?,?,00000000), ref: 005C93BF

Strings

TWindowDisabler-Window, xrefs: 005C9357, 005C93A0

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: FocusWindow$ActiveClassRegisterShow
String ID: TWindowDisabler-Window
API String ID: 495420250-1824977358
Opcode ID: f6024229119579bb9558f94a5f3e2433b374e9a692c523404650e8e6a3f60a8b
Instruction ID: 15dfa4f4c92537cee7ed1e4bf608ea9bac44f034fc845b592ccaf34af6f1c1de
Opcode Fuzzy Hash: f6024229119579bb9558f94a5f3e2433b374e9a692c523404650e8e6a3f60a8b
Instruction Fuzzy Hash: 1321E570A41700AFD710EBA59C56F5ABBA5FB85B00F51452DF900EB6D1EB78AC40C7D8

Uniqueness

Uniqueness Score: -1.00%

Function 006C4660 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 70
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 65%

			_entry_() {
				intOrPtr* _t12;
				signed int _t15;
				intOrPtr _t21;
				intOrPtr* _t22;
				intOrPtr* _t28;
				intOrPtr* _t31;
				intOrPtr* _t35;
				intOrPtr _t36;
				void* _t61;
				void* _t62;
				intOrPtr* _t73;
				intOrPtr* _t76;
				intOrPtr _t77;
				intOrPtr _t79;
				intOrPtr _t81;
				intOrPtr _t82;
				intOrPtr _t83;
				void* _t84;
				void* _t86;
				intOrPtr* _t88;
				intOrPtr _t89;
				void* _t90;
				intOrPtr _t92;
				void* _t93;

				E00410BA8(0x6b9a98);
				_t12 =  *0x6cdec4; // 0x6d579c
				_t15 = GetWindowLongW( *( *_t12 + 0x188), 0xffffffec);
				_t73 =  *0x6cdec4; // 0x6d579c
				SetWindowLongW( *( *_t73 + 0x188), 0xffffffec, _t15 & 0xffffff7f); // executed
				_push(_t88);
				_push(0x6c46f1);
				_push( *[fs:eax]);
				 *[fs:eax] = _t89;
				SetErrorMode(1); // executed
				E006B9800(_t90);
				_t21 =  *0x6b96c0; // 0x6b9718
				_t22 =  *0x6cdec4; // 0x6d579c
				E005B8740( *_t22, E006B9758, _t21);
				_t76 =  *0x6cdd3c; // 0x6d57d8
				 *_t76 = 0x6b4380;
				E006B9870(_t62, _t84, _t86, _t90, _t93);
				_pop(_t77);
				 *[fs:eax] = _t77;
				_t28 =  *0x6cdec4; // 0x6d579c
				E005B8250( *_t28, L"Setup", _t90);
				_t31 =  *0x6cdec4; // 0x6d579c
				ShowWindow( *( *_t31 + 0x188), 5);
				_t35 =  *0x6cdec4; // 0x6d579c
				_t36 =  *_t35;
				_t79 =  *0x6a6ef4; // 0x6a6f4c
				 *((intOrPtr*)(_t36 + 0x10c)) = _t79;
				 *((intOrPtr*)(_t36 + 0x108)) = 0x6b3994;
				_push(_t88);
				_push(0x6c479a);
				_push( *[fs:eax]);
				 *[fs:eax] = _t89;
				E005B881C(); // executed
				L006B09B0(_t62, _t84, _t86, _t93);
				L005B8834( *((intOrPtr*)( *0x6cdec4)), _t62,  *0x6cdab4,  *0x6a6ef4, _t84, _t86);
				L006B3B64(_t90, _t93);
				_pop(_t81);
				 *[fs:eax] = _t81;
				_push(_t88);
				_push(0x6c481d);
				_push( *[fs:eax]);
				 *[fs:eax] = _t89;
				L005B8990( *((intOrPtr*)( *0x6cdec4)), _t62, _t84, _t86);
				_pop(_t82);
				 *[fs:eax] = _t82;
				_push(_t88);
				_push(0x6c4854);
				_push( *[fs:eax]);
				 *[fs:eax] = _t89;
				L006B2AB0( *0x6cdcd4 & 0xffffff00 |  *( *0x6cdcd4) == 0x00000000, _t62, _t84, _t86,  *( *0x6cdcd4));
				_pop(_t83);
				 *[fs:eax] = _t83;
				_t61 = E0040A028( *( *0x6cdcd4));
				E00409EF8();
				 *((intOrPtr*)(_t61 - 0xfffdfc)) =  *((intOrPtr*)(_t61 - 0xfffdfc)) + _t83;
				asm("invalid");
				 *0x53000000 =  *0x53000000 + 1;
				 *_t88 =  *_t88 + _t61;
				_t92 =  *_t88;
				if (_t92 == 0) goto L5;
				if (_t92 != 0) goto L6;
				if (_t92 < 0) goto 0x6c488e;
			}

0x006c466e
0x006c4673
0x006c4683
0x006c4688
0x006c469f
0x006c46a6
0x006c46a7
0x006c46ac
0x006c46af
0x006c46b4
0x006c46b9
0x006c46be
0x006c46c9
0x006c46d0
0x006c46da
0x006c46e0
0x006c46e2
0x006c46e9
0x006c46ec
0x006c470a
0x006c4716
0x006c471d
0x006c472b
0x006c4730
0x006c4735
0x006c4737
0x006c473d
0x006c4743
0x006c474f
0x006c4750
0x006c4755
0x006c4758
0x006c4762
0x006c4767
0x006c477f
0x006c478b
0x006c4792
0x006c4795
0x006c47fb
0x006c47fc
0x006c4801
0x006c4804
0x006c480e
0x006c4815
0x006c4818
0x006c482e
0x006c482f
0x006c4834
0x006c4837
0x006c4845
0x006c484c
0x006c484f
0x006c486a
0x006c4872
0x006c4877
0x006c487d
0x006c487f
0x006c4885
0x006c4885
0x006c4888
0x006c488a
0x006c488c

APIs

Part of subcall function 00410BA8: GetModuleHandleW.KERNEL32(00000000,?,006C4673), ref: 00410BB4

GetWindowLongW.USER32(?,000000EC), ref: 006C4683
SetWindowLongW.USER32(?,000000EC,00000000), ref: 006C469F
SetErrorMode.KERNEL32(00000001,00000000,006C46F1), ref: 006C46B4

Part of subcall function 006B9800: GetModuleHandleW.KERNEL32(user32.dll,DisableProcessWindowsGhosting,006C46BE,00000001,00000000,006C46F1), ref: 006B980A

Part of subcall function 005B8740: SendMessageW.USER32(?,0000B020,00000000,?), ref: 005B8765

Part of subcall function 005B8250: SetWindowTextW.USER32(?,00000000), ref: 005B8281

ShowWindow.USER32(?,00000005,00000000,006C46F1), ref: 006C472B

Strings

Setup, xrefs: 006C4711
Loj, xrefs: 006C4737

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: Window$HandleLongModule$ErrorMessageModeSendShowText
String ID: Loj$Setup
API String ID: 1533765661-1180797960
Opcode ID: 3d0304c784d3bd607acd89935b1016d88a71efec8a9d6f2a7abca0b2f7454e11
Instruction ID: d4d45baa3e9a68820d1f8b3b63154724c7fffc608bd47f906fb52fcab16a7fb3
Opcode Fuzzy Hash: 3d0304c784d3bd607acd89935b1016d88a71efec8a9d6f2a7abca0b2f7454e11
Instruction Fuzzy Hash: BE216D782046009FD700EF29DC91DA67BFAEB9E71071145B8F9008B3A2CE74BC80CB64

Uniqueness

Uniqueness Score: -1.00%

Function 005CE26C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 57
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 51%

			E005CE26C(void* __eax, void* __ebx, long* __ecx, signed int* __edx, void* __edi, void* __esi, void* __eflags) {
				struct HDC__* _v8;
				struct tagSIZE _v16;
				struct tagTEXTMETRICW _v76;
				signed int _t26;
				signed int _t27;
				void* _t36;
				intOrPtr _t43;
				long* _t45;
				signed int* _t47;
				void* _t50;

				_t37 = __ecx;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t45 = __ecx;
				_t47 = __edx;
				_t36 = __eax;
				_v8 = GetDC(0);
				_push(_t50);
				_push(0x5ce2f8);
				_push( *[fs:eax]);
				 *[fs:eax] = _t50 + 0xffffffb8;
				SelectObject(_v8, E004EE238(_t36, _t36, _t37, _t45, _t47));
				GetTextExtentPointW(_v8, L"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz", 0x34,  &_v16); // executed
				asm("cdq");
				_t26 = _v16.cx / 0x1a + 1;
				_t27 = _t26 >> 1;
				if(_t26 < 0) {
					asm("adc eax, 0x0");
				}
				 *_t47 = _t27;
				GetTextMetricsW(_v8,  &_v76);
				 *_t45 = _v76.tmHeight;
				_pop(_t43);
				 *[fs:eax] = _t43;
				_push(E005CE2FF);
				return ReleaseDC(0, _v8);
			}

0x005ce26c
0x005ce272
0x005ce273
0x005ce274
0x005ce275
0x005ce277
0x005ce279
0x005ce282
0x005ce287
0x005ce288
0x005ce28d
0x005ce290
0x005ce29f
0x005ce2b3
0x005ce2c0
0x005ce2c3
0x005ce2c4
0x005ce2c6
0x005ce2c8
0x005ce2c8
0x005ce2cb
0x005ce2d5
0x005ce2dd
0x005ce2e1
0x005ce2e4
0x005ce2e7
0x005ce2f7

APIs

GetDC.USER32(00000000), ref: 005CE27D

Part of subcall function 004EE238: EnterCriticalSection.KERNEL32(?,00000000,004EE4A7,?,?), ref: 004EE280

SelectObject.GDI32(00000001,00000000), ref: 005CE29F
GetTextExtentPointW.GDI32(00000001,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz,00000034,?), ref: 005CE2B3
GetTextMetricsW.GDI32(00000001,?,00000000,005CE2F8,?,00000000,?,0068D5D0,00000001), ref: 005CE2D5
ReleaseDC.USER32 ref: 005CE2F2

Strings

ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz, xrefs: 005CE2AA

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: Text$CriticalEnterExtentMetricsObjectPointReleaseSectionSelect
String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
API String ID: 1334710084-222967699
Opcode ID: 325bd83ac94b98e0ccaeb91b867b8168358bc3f43770baf6a1d651e33ba30b3f
Instruction ID: 68d2e7468c57547273e36bf030651d7f5f3d68c5ac32077f2b8cb66f1dd3ef54
Opcode Fuzzy Hash: 325bd83ac94b98e0ccaeb91b867b8168358bc3f43770baf6a1d651e33ba30b3f
Instruction Fuzzy Hash: 8E01847AA14204BFE704DEE9CC42F9EB7ECEB49704F510469F604E7280D678AD008724

Uniqueness

Uniqueness Score: -1.00%

Function 00405A04 Relevance: 9.0, APIs: 7, Instructions: 298
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 68%

			E00405A04(signed int __eax) {
				signed int __ebx;
				signed int __edi;
				signed int __esi;
				void* _t96;
				void** _t99;
				signed int _t104;
				signed int _t109;
				signed int _t110;
				intOrPtr* _t114;
				void* _t116;
				void* _t121;
				signed int _t125;
				signed int _t129;
				signed int _t131;
				signed int _t132;
				signed int _t133;
				signed int _t134;
				signed int _t135;
				unsigned int _t141;
				signed int _t142;
				void* _t144;
				void* _t147;
				intOrPtr _t148;
				signed int _t150;
				long _t156;
				intOrPtr _t159;
				signed int _t162;

				_t95 = __eax;
				_t129 =  *0x6cf05d; // 0x0
				if(__eax > 0xa2c) {
					__eflags = __eax - 0x40a2c;
					if(__eax > 0x40a2c) {
						_pop(_t120);
						__eflags = __eax;
						if(__eax >= 0) {
							_push(_t120);
							_t162 = __eax;
							_t2 = _t162 + 0x10010; // 0x10110
							_t156 = _t2 - 0x00000001 + 0x00000004 & 0xffff0000;
							_t96 = VirtualAlloc(0, _t156, 0x101000, 4); // executed
							_t121 = _t96;
							if(_t121 != 0) {
								_t147 = _t121;
								 *((intOrPtr*)(_t147 + 8)) = _t162;
								 *(_t147 + 0xc) = _t156 | 0x00000004;
								E00405764();
								_t99 =  *0x6d1b84; // 0x6d1b80
								 *_t147 = 0x6d1b80;
								 *0x6d1b84 = _t121;
								 *(_t147 + 4) = _t99;
								 *_t99 = _t121;
								 *0x6d1b7c = 0;
								_t121 = _t121 + 0x10;
							}
							return _t121;
						} else {
							__eflags = 0;
							return 0;
						}
					} else {
						_t67 = _t95 + 0xd3; // 0x1d3
						_t125 = (_t67 & 0xffffff00) + 0x30;
						__eflags = _t129;
						if(__eflags != 0) {
							while(1) {
								asm("lock cmpxchg [0x6cfaec], ah");
								if(__eflags == 0) {
									goto L42;
								}
								asm("pause");
								__eflags =  *0x6cf98d;
								if(__eflags != 0) {
									continue;
								} else {
									Sleep(0);
									asm("lock cmpxchg [0x6cfaec], ah");
									if(__eflags != 0) {
										Sleep(0xa);
										continue;
									}
								}
								goto L42;
							}
						}
						L42:
						_t68 = _t125 - 0xb30; // -2445
						_t141 = _t68;
						_t142 = _t141 >> 0xd;
						_t131 = _t141 >> 8;
						_t104 = 0xffffffff << _t131 &  *(0x6cfafc + _t142 * 4);
						__eflags = 0xffffffff;
						if(0xffffffff == 0) {
							_t132 = _t142;
							__eflags = 0xfffffffe << _t132 &  *0x6cfaf8;
							if((0xfffffffe << _t132 &  *0x6cfaf8) == 0) {
								_t133 =  *0x6cfaf4; // 0x0
								_t134 = _t133 - _t125;
								__eflags = _t134;
								if(_t134 < 0) {
									_t109 = E004056E8(_t125);
								} else {
									_t110 =  *0x6cfaf0; // 0x36ad610
									_t109 = _t110 - _t125;
									 *0x6cfaf0 = _t109;
									 *0x6cfaf4 = _t134;
									 *(_t109 - 4) = _t125 | 0x00000002;
								}
								 *0x6cfaec = 0;
								return _t109;
							} else {
								asm("bsf edx, eax");
								asm("bsf ecx, eax");
								_t135 = _t132 | _t142 << 0x00000005;
								goto L50;
							}
						} else {
							asm("bsf eax, eax");
							_t135 = _t131 & 0xffffffe0 | _t104;
							L50:
							_push(_t152);
							_push(_t145);
							_t148 = 0x6cfb7c + _t135 * 8;
							_t159 =  *((intOrPtr*)(_t148 + 4));
							_t114 =  *((intOrPtr*)(_t159 + 4));
							 *((intOrPtr*)(_t148 + 4)) = _t114;
							 *_t114 = _t148;
							__eflags = _t148 - _t114;
							if(_t148 == _t114) {
								asm("rol eax, cl");
								_t80 = 0x6cfafc + _t142 * 4;
								 *_t80 =  *(0x6cfafc + _t142 * 4) & 0xfffffffe;
								__eflags =  *_t80;
								if( *_t80 == 0) {
									asm("btr [0x6cfaf8], edx");
								}
							}
							_t150 = 0xfffffff0 &  *(_t159 - 4);
							_t144 = 0xfffffff0 - _t125;
							__eflags = 0xfffffff0;
							if(0xfffffff0 == 0) {
								_t89 =  &((_t159 - 4)[0xfffffffffffffffc]);
								 *_t89 =  *(_t159 - 4 + _t150) & 0x000000f7;
								__eflags =  *_t89;
							} else {
								_t116 = _t125 + _t159;
								 *((intOrPtr*)(_t116 - 4)) = 0xfffffffffffffff3;
								 *(0xfffffff0 + _t116 - 8) = 0xfffffff0;
								__eflags = 0xfffffff0 - 0xb30;
								if(0xfffffff0 >= 0xb30) {
									E0040561C(_t116, 0xfffffffffffffff3, _t144);
								}
							}
							_t93 = _t125 + 2; // 0x1a5
							 *(_t159 - 4) = _t93;
							 *0x6cfaec = 0;
							return _t159;
						}
					}
				} else {
					__eflags = __cl;
					_t6 = __edx + 0x6cf994; // 0xc8c8c8c8
					__eax =  *_t6 & 0x000000ff;
					__ebx = 0x6c5084 + ( *_t6 & 0x000000ff) * 8;
					if(__eflags != 0) {
						while(1) {
							__eax = 0x100;
							asm("lock cmpxchg [ebx], ah");
							if(__eflags == 0) {
								goto L5;
							}
							__ebx = __ebx + 0x20;
							__eflags = __ebx;
							__eax = 0x100;
							asm("lock cmpxchg [ebx], ah");
							if(__ebx != 0) {
								__ebx = __ebx + 0x20;
								__eflags = __ebx;
								__eax = 0x100;
								asm("lock cmpxchg [ebx], ah");
								if(__ebx != 0) {
									__ebx = __ebx - 0x40;
									asm("pause");
									__eflags =  *0x6cf98d;
									if(__eflags != 0) {
										continue;
									} else {
										Sleep(0);
										__eax = 0x100;
										asm("lock cmpxchg [ebx], ah");
										if(__eflags != 0) {
											Sleep(0xa);
											continue;
										}
									}
								}
							}
							goto L5;
						}
					}
					L5:
					__edx =  *(__ebx + 8);
					__eax =  *(__edx + 0x10);
					__ecx = 0xfffffff8;
					__eflags = __edx - __ebx;
					if(__edx == __ebx) {
						__edx =  *(__ebx + 0x18);
						__ecx =  *(__ebx + 2) & 0x0000ffff;
						__ecx = ( *(__ebx + 2) & 0x0000ffff) + __eax;
						__eflags = __eax -  *(__ebx + 0x14);
						if(__eax >  *(__ebx + 0x14)) {
							_push(__esi);
							_push(__edi);
							__eflags =  *0x6cf05d;
							if(__eflags != 0) {
								while(1) {
									__eax = 0x100;
									asm("lock cmpxchg [0x6cfaec], ah");
									if(__eflags == 0) {
										goto L22;
									}
									asm("pause");
									__eflags =  *0x6cf98d;
									if(__eflags != 0) {
										continue;
									} else {
										Sleep(0);
										__eax = 0x100;
										asm("lock cmpxchg [0x6cfaec], ah");
										if(__eflags != 0) {
											Sleep(0xa);
											continue;
										}
									}
									goto L22;
								}
							}
							L22:
							 *(__ebx + 1) =  *(__ebx + 1) &  *0x6cfaf8;
							__eflags =  *(__ebx + 1) &  *0x6cfaf8;
							if(( *(__ebx + 1) &  *0x6cfaf8) == 0) {
								__ecx =  *(__ebx + 4) & 0x0000ffff;
								__edi =  *0x6cfaf4; // 0x0
								__eflags = __edi - ( *(__ebx + 4) & 0x0000ffff);
								if(__edi < ( *(__ebx + 4) & 0x0000ffff)) {
									__eax =  *(__ebx + 6) & 0x0000ffff;
									__edi = __eax;
									__eax = E004056E8(__eax);
									__esi = __eax;
									__eflags = __eax;
									if(__eax != 0) {
										goto L35;
									} else {
										 *0x6cfaec = __al;
										 *__ebx = __al;
										_pop(__edi);
										_pop(__esi);
										_pop(__ebx);
										return __eax;
									}
								} else {
									__esi =  *0x6cfaf0; // 0x36ad610
									__ecx =  *(__ebx + 6) & 0x0000ffff;
									__edx = __ecx + 0xb30;
									__eflags = __edi - __ecx + 0xb30;
									if(__edi >= __ecx + 0xb30) {
										__edi = __ecx;
									}
									__esi = __esi - __edi;
									 *0x6cfaf4 =  *0x6cfaf4 - __edi;
									 *0x6cfaf0 = __esi;
									goto L35;
								}
							} else {
								asm("bsf eax, esi");
								__esi = __eax * 8;
								__ecx =  *(0x6cfafc + __eax * 4);
								asm("bsf ecx, ecx");
								__ecx =  *(0x6cfafc + __eax * 4) + __eax * 8 * 4;
								__edi = 0x6cfb7c + ( *(0x6cfafc + __eax * 4) + __eax * 8 * 4) * 8;
								__esi =  *(__edi + 4);
								__edx =  *(__esi + 4);
								 *(__edi + 4) = __edx;
								 *__edx = __edi;
								__eflags = __edi - __edx;
								if(__edi == __edx) {
									__edx = 0xfffffffe;
									asm("rol edx, cl");
									_t38 = 0x6cfafc + __eax * 4;
									 *_t38 =  *(0x6cfafc + __eax * 4) & 0xfffffffe;
									__eflags =  *_t38;
									if( *_t38 == 0) {
										asm("btr [0x6cfaf8], eax");
									}
								}
								__edi = 0xfffffff0;
								__edi = 0xfffffff0 &  *(__esi - 4);
								__eflags = 0xfffffff0 - 0x10a60;
								if(0xfffffff0 < 0x10a60) {
									_t52 =  &((__esi - 4)[0xfffffffffffffffc]);
									 *_t52 = (__esi - 4)[0xfffffffffffffffc] & 0x000000f7;
									__eflags =  *_t52;
								} else {
									__edx = __edi;
									__edi =  *(__ebx + 6) & 0x0000ffff;
									__edx = __edx - __edi;
									__eax = __edi + __esi;
									__ecx = __edx + 3;
									 *(__eax - 4) = __ecx;
									 *(__edx + __eax - 8) = __edx;
									__eax = E0040561C(__eax, __ecx, __edx);
								}
								L35:
								_t56 = __edi + 6; // 0x6
								__ecx = _t56;
								 *(__esi - 4) = _t56;
								__eax = 0;
								 *0x6cfaec = __al;
								 *__esi = __ebx;
								 *((intOrPtr*)(__esi + 0x10)) = 0;
								 *((intOrPtr*)(__esi + 0x14)) = 1;
								 *(__ebx + 0x18) = __esi;
								_t61 = __esi + 0x20; // 0x36ad630
								__eax = _t61;
								__ecx =  *(__ebx + 2) & 0x0000ffff;
								__edx = __ecx + __eax;
								 *(__ebx + 0x10) = __ecx + __eax;
								__edi = __edi + __esi;
								__edi = __edi - __ecx;
								__eflags = __edi;
								 *(__ebx + 0x14) = __edi;
								 *__ebx = 0;
								 *(__eax - 4) = __esi;
								_pop(__edi);
								_pop(__esi);
								_pop(__ebx);
								return __eax;
							}
						} else {
							_t19 = __edx + 0x14;
							 *_t19 =  *(__edx + 0x14) + 1;
							__eflags =  *_t19;
							 *(__ebx + 0x10) = __ecx;
							 *__ebx = 0;
							 *(__eax - 4) = __edx;
							_pop(__ebx);
							return __eax;
						}
					} else {
						 *(__edx + 0x14) =  *(__edx + 0x14) + 1;
						__ecx = 0xfffffff8 &  *(__eax - 4);
						__eflags = 0xfffffff8;
						 *(__edx + 0x10) = 0xfffffff8 &  *(__eax - 4);
						 *(__eax - 4) = __edx;
						if(0xfffffff8 == 0) {
							__ecx =  *(__edx + 8);
							 *(__ecx + 0xc) = __ebx;
							 *(__ebx + 8) = __ecx;
							 *__ebx = 0;
							_pop(__ebx);
							return __eax;
						} else {
							 *__ebx = 0;
							_pop(__ebx);
							return __eax;
						}
					}
				}
			}

0x00405a04
0x00405a10
0x00405a16
0x00405c64
0x00405c69
0x00405d7c
0x00405d7d
0x00405d7f
0x004057b0
0x004057b4
0x004057b6
0x004057c0
0x004057d0
0x004057d5
0x004057d9
0x004057db
0x004057dd
0x004057e3
0x004057e6
0x004057eb
0x004057f0
0x004057f6
0x004057fc
0x004057ff
0x00405801
0x00405808
0x00405808
0x00405811
0x00405d85
0x00405d85
0x00405d87
0x00405d87
0x00405c6f
0x00405c6f
0x00405c7b
0x00405c7e
0x00405c80
0x00405c28
0x00405c2d
0x00405c35
0x00000000
0x00000000
0x00405c37
0x00405c39
0x00405c40
0x00000000
0x00405c42
0x00405c44
0x00405c4e
0x00405c56
0x00405c5a
0x00000000
0x00405c5a
0x00405c56
0x00000000
0x00405c40
0x00405c28
0x00405c82
0x00405c82
0x00405c82
0x00405c8a
0x00405c8d
0x00405c97
0x00405c97
0x00405c9e
0x00405cb1
0x00405cb5
0x00405cbb
0x00405cd4
0x00405cda
0x00405cda
0x00405cdc
0x00405cfa
0x00405cde
0x00405cde
0x00405ce3
0x00405ce5
0x00405cea
0x00405cf3
0x00405cf3
0x00405cff
0x00405d07
0x00405cbd
0x00405cbd
0x00405cc7
0x00405ccf
0x00000000
0x00405ccf
0x00405ca0
0x00405ca3
0x00405ca6
0x00405d08
0x00405d08
0x00405d09
0x00405d0a
0x00405d11
0x00405d14
0x00405d17
0x00405d1a
0x00405d1c
0x00405d1e
0x00405d25
0x00405d27
0x00405d27
0x00405d27
0x00405d2e
0x00405d30
0x00405d30
0x00405d2e
0x00405d3c
0x00405d41
0x00405d41
0x00405d43
0x00405d64
0x00405d64
0x00405d64
0x00405d45
0x00405d45
0x00405d4b
0x00405d4e
0x00405d52
0x00405d58
0x00405d5a
0x00405d5a
0x00405d58
0x00405d69
0x00405d6c
0x00405d6f
0x00405d7b
0x00405d7b
0x00405c9e
0x00405a1c
0x00405a1c
0x00405a1e
0x00405a1e
0x00405a25
0x00405a2c
0x00405a84
0x00405a84
0x00405a89
0x00405a8d
0x00000000
0x00000000
0x00405a8f
0x00405a8f
0x00405a92
0x00405a97
0x00405a9b
0x00405a9d
0x00405a9d
0x00405aa0
0x00405aa5
0x00405aa9
0x00405aab
0x00405aae
0x00405ab0
0x00405ab7
0x00000000
0x00405ab9
0x00405abb
0x00405ac0
0x00405ac5
0x00405ac9
0x00405ad1
0x00000000
0x00405ad1
0x00405ac9
0x00405ab7
0x00405aa9
0x00000000
0x00405a9b
0x00405a84
0x00405a2e
0x00405a2e
0x00405a31
0x00405a34
0x00405a39
0x00405a3b
0x00405a54
0x00405a57
0x00405a5b
0x00405a5d
0x00405a60
0x00405ad8
0x00405ad9
0x00405ada
0x00405ae1
0x00405ae3
0x00405ae3
0x00405ae8
0x00405af0
0x00000000
0x00000000
0x00405af2
0x00405af4
0x00405afb
0x00000000
0x00405afd
0x00405aff
0x00405b04
0x00405b09
0x00405b11
0x00405b15
0x00000000
0x00405b15
0x00405b11
0x00000000
0x00405afb
0x00405ae3
0x00405b1c
0x00405b20
0x00405b20
0x00405b26
0x00405b98
0x00405b9c
0x00405ba2
0x00405ba4
0x00405bcc
0x00405bd0
0x00405bd2
0x00405bd7
0x00405bd9
0x00405bdb
0x00000000
0x00405bdd
0x00405bdd
0x00405be2
0x00405be4
0x00405be5
0x00405be6
0x00405be7
0x00405be7
0x00405ba6
0x00405ba6
0x00405bac
0x00405bb0
0x00405bb6
0x00405bb8
0x00405bba
0x00405bba
0x00405bbc
0x00405bbe
0x00405bc4
0x00000000
0x00405bc4
0x00405b28
0x00405b28
0x00405b2b
0x00405b32
0x00405b39
0x00405b3c
0x00405b3f
0x00405b46
0x00405b49
0x00405b4c
0x00405b4f
0x00405b51
0x00405b53
0x00405b55
0x00405b5a
0x00405b5c
0x00405b5c
0x00405b5c
0x00405b63
0x00405b65
0x00405b65
0x00405b63
0x00405b6c
0x00405b71
0x00405b74
0x00405b7a
0x00405be8
0x00405be8
0x00405be8
0x00405b7c
0x00405b7c
0x00405b7e
0x00405b82
0x00405b84
0x00405b87
0x00405b8a
0x00405b8d
0x00405b91
0x00405b91
0x00405bed
0x00405bed
0x00405bed
0x00405bf0
0x00405bf3
0x00405bf5
0x00405bfa
0x00405bfc
0x00405bff
0x00405c06
0x00405c09
0x00405c09
0x00405c0c
0x00405c10
0x00405c13
0x00405c16
0x00405c18
0x00405c18
0x00405c1a
0x00405c1d
0x00405c20
0x00405c23
0x00405c24
0x00405c25
0x00405c26
0x00405c26
0x00405a62
0x00405a62
0x00405a62
0x00405a62
0x00405a66
0x00405a69
0x00405a6c
0x00405a6f
0x00405a70
0x00405a70
0x00405a3d
0x00405a3d
0x00405a41
0x00405a41
0x00405a44
0x00405a47
0x00405a4a
0x00405a74
0x00405a77
0x00405a7a
0x00405a7d
0x00405a80
0x00405a81
0x00405a4c
0x00405a4c
0x00405a4f
0x00405a50
0x00405a50
0x00405a4a
0x00405a3b

APIs

Sleep.KERNEL32(00000000,000000FF,004062A4,00000000,0040F3A7,00000000,0040F8B5,00000000,0040FB77,00000000,0040FBAD), ref: 00405ABB
Sleep.KERNEL32(0000000A,00000000,000000FF,004062A4,00000000,0040F3A7,00000000,0040F8B5,00000000,0040FB77,00000000,0040FBAD), ref: 00405AD1
Sleep.KERNEL32(00000000,00000000,?,000000FF,004062A4,00000000,0040F3A7,00000000,0040F8B5,00000000,0040FB77,00000000,0040FBAD), ref: 00405AFF
Sleep.KERNEL32(0000000A,00000000,00000000,?,000000FF,004062A4,00000000,0040F3A7,00000000,0040F8B5,00000000,0040FB77,00000000,0040FBAD), ref: 00405B15

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: d5c76b6411e5b1297fee21c622a9732816c4700a6e5391fd7fe9993b0e9394e2
Instruction ID: 7a051e160dd760b70f5de690832b1da94a718f6c47d0b95a7d4eebd5f387ad29
Opcode Fuzzy Hash: d5c76b6411e5b1297fee21c622a9732816c4700a6e5391fd7fe9993b0e9394e2
Instruction Fuzzy Hash: BCC1F272601B118BDB15CF69E884B27BBA2EB85310F18827FD4599F3D5C7B4A841CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00423A20 Relevance: 7.5, APIs: 5, Instructions: 41
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E00423A20(void* __eax) {
				signed char _t10;
				void* _t14;
				void* _t15;
				long _t16;
				void* _t17;
				WCHAR* _t18;

				_t17 = __eax;
				_t18 = E0040B278(__eax);
				DeleteFileW(_t18); // executed
				asm("sbb ebx, ebx");
				_t15 = _t14 + 1;
				if(_t15 == 0) {
					_t16 = GetLastError();
					_t10 = GetFileAttributesW(_t18); // executed
					if(_t10 == 0xffffffff || (_t10 & 0x00000004) == 0 || (_t10 & 0x00000010) == 0) {
						SetLastError(_t16);
					} else {
						RemoveDirectoryW(E0040B278(_t17));
						asm("sbb ebx, ebx");
						_t15 = _t15 + 1;
					}
				}
				return _t15;
			}

0x00423a24
0x00423a2d
0x00423a30
0x00423a38
0x00423a3a
0x00423a3d
0x00423a44
0x00423a47
0x00423a4f
0x00423a70
0x00423a5a
0x00423a62
0x00423a6a
0x00423a6c
0x00423a6c
0x00423a4f
0x00423a7b

APIs

DeleteFileW.KERNEL32(00000000,?,?,006D579C,?,006B9479,00000000,006B94CE,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex), ref: 00423A30
GetLastError.KERNEL32(00000000,?,?,006D579C,?,006B9479,00000000,006B94CE,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex), ref: 00423A3F
GetFileAttributesW.KERNEL32(00000000,00000000,?,?,006D579C,?,006B9479,00000000,006B94CE,?,?,00000005,?,00000000,00000000,00000000), ref: 00423A47
RemoveDirectoryW.KERNEL32(00000000,00000000,00000000,?,?,006D579C,?,006B9479,00000000,006B94CE,?,?,00000005,?,00000000,00000000), ref: 00423A62
SetLastError.KERNEL32(00000000,00000000,00000000,?,?,006D579C,?,006B9479,00000000,006B94CE,?,?,00000005,?,00000000,00000000), ref: 00423A70

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: ErrorFileLast$AttributesDeleteDirectoryRemove
String ID:
API String ID: 2814369299-0
Opcode ID: df722b0e1309f9a81f5fce9d005c1b6d287d6fd7d419b4baf17ebfa420ffd0ff
Instruction ID: b6ddb16581f5c3c7179c90d7d3f79c6d55466118c1baf1b24a27a0798ed1e7de
Opcode Fuzzy Hash: df722b0e1309f9a81f5fce9d005c1b6d287d6fd7d419b4baf17ebfa420ffd0ff
Instruction Fuzzy Hash: FAF0A7613803241999203DBE28C9ABF115CC9427AFB54077FF994D22D2D62D5F87415D

Uniqueness

Uniqueness Score: -1.00%

Function 00409EF8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 93
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E00409EF8() {
				void* _t20;
				void* _t23;
				intOrPtr _t31;
				intOrPtr* _t33;
				void* _t46;
				struct HINSTANCE__* _t49;
				void* _t56;

				if( *0x6c5004 != 0) {
					E00409DD8();
					E00409E60(_t46);
					 *0x6c5004 = 0;
				}
				if( *0x6d1bd0 != 0 && GetCurrentThreadId() ==  *0x6d1bf8) {
					E00409B30(0x6d1bcc);
					E00409E34(0x6d1bcc);
				}
				if( *0x006D1BC4 != 0 ||  *0x6cf058 == 0) {
					L8:
					if( *((char*)(0x6d1bc4)) == 2 &&  *0x6c5000 == 0) {
						 *0x006D1BA8 = 0;
					}
					if( *((char*)(0x6d1bc4)) != 0) {
						L14:
						E00409B58(); // executed
						if( *((char*)(0x6d1bc4)) <= 1 ||  *0x6c5000 != 0) {
							_t15 =  *0x006D1BAC;
							if( *0x006D1BAC != 0) {
								E0040EBB8(_t15);
								_t31 =  *((intOrPtr*)(0x6d1bac));
								_t8 = _t31 + 0x10; // 0x400000
								_t49 =  *_t8;
								_t9 = _t31 + 4; // 0x400000
								if(_t49 !=  *_t9 && _t49 != 0) {
									FreeLibrary(_t49);
								}
							}
						}
						E00409B30(0x6d1b9c);
						if( *((char*)(0x6d1bc4)) == 1) {
							 *0x006D1BC0();
						}
						if( *((char*)(0x6d1bc4)) != 0) {
							E00409E34(0x6d1b9c);
						}
						if( *0x6d1b9c == 0) {
							if( *0x6cf038 != 0) {
								 *0x6cf038();
							}
							ExitProcess( *0x6c5000); // executed
						}
						memcpy(0x6d1b9c,  *0x6d1b9c, 0xc << 2);
						_t56 = _t56 + 0xc;
						0x6c5000 = 0x6c5000;
						0x6d1b9c = 0x6d1b9c;
						goto L8;
					} else {
						_t20 = E00406FD0();
						_t44 = _t20;
						if(_t20 == 0) {
							goto L14;
						} else {
							goto L13;
						}
						do {
							L13:
							E00408444(_t44);
							_t23 = E00406FD0();
							_t44 = _t23;
						} while (_t23 != 0);
						goto L14;
					}
				} else {
					do {
						_t33 =  *0x6cf058; // 0x0
						 *0x6cf058 = 0;
						 *_t33();
					} while ( *0x6cf058 != 0);
					L8:
					while(1) {
					}
				}
			}

0x00409f0c
0x00409f0e
0x00409f13
0x00409f1a
0x00409f1a
0x00409f26
0x00409f3a
0x00409f44
0x00409f44
0x00409f4d
0x00409f71
0x00409f75
0x00409f7e
0x00409f7e
0x00409f85
0x00409fa4
0x00409fa4
0x00409fad
0x00409fb4
0x00409fb9
0x00409fbb
0x00409fc0
0x00409fc3
0x00409fc3
0x00409fc6
0x00409fc9
0x00409fd0
0x00409fd0
0x00409fc9
0x00409fb9
0x00409fd7
0x00409fe0
0x00409fe2
0x00409fe2
0x00409fe9
0x00409fed
0x00409fed
0x00409ff5
0x00409ffe
0x0040a000
0x0040a000
0x0040a009
0x0040a009
0x0040a01b
0x0040a01b
0x0040a01d
0x0040a01e
0x00000000
0x00409f87
0x00409f87
0x00409f8c
0x00409f90
0x00000000
0x00000000
0x00000000
0x00000000
0x00409f92
0x00409f92
0x00409f94
0x00409f99
0x00409f9e
0x00409fa0
0x00000000
0x00409f92
0x00409f58
0x00409f58
0x00409f58
0x00409f61
0x00409f66
0x00409f68
0x00000000
0x00409f71
0x00000000
0x00409f71

APIs

GetCurrentThreadId.KERNEL32 ref: 00409F28
FreeLibrary.KERNEL32(00400000,?,?,?,0040A032,0040701B,00407062,?,?,0040707B,?,?,?,?,004B58EA,00000000), ref: 00409FD0
ExitProcess.KERNEL32(00000000,?,?,?,0040A032,0040701B,00407062,?,?,0040707B,?,?,?,?,004B58EA,00000000), ref: 0040A009

Part of subcall function 00409E60: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00409F18,?,?,?,0040A032,0040701B,00407062,?,?,0040707B), ref: 00409E99
Part of subcall function 00409E60: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00409F18,?,?,?,0040A032,0040701B,00407062,?,?), ref: 00409E9F
Part of subcall function 00409E60: GetStdHandle.KERNEL32(000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00409F18,?,?,?), ref: 00409EBA
Part of subcall function 00409E60: WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00409F18,?,?), ref: 00409EC0

Strings

MZP, xrefs: 00409FCF

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: FileHandleWrite$CurrentExitFreeLibraryProcessThread
String ID: MZP
API String ID: 3490077880-2889622443
Opcode ID: 19759392ed06106502a1c1b2e6486d6f2820d04f59653749a07cc7070f676968
Instruction ID: e2cc099636b1ff89dc3d2fe7d8b391202ea9480b4d839bd65efd70e323d436a8
Opcode Fuzzy Hash: 19759392ed06106502a1c1b2e6486d6f2820d04f59653749a07cc7070f676968
Instruction Fuzzy Hash: 60316F20B006429AD720AB7A9484B2777E66B44328F14053FE449E62E3D7BCDCC4C75D

Uniqueness

Uniqueness Score: -1.00%

Function 00409EF0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 86
threadCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E00409EF0() {
				intOrPtr* _t14;
				void* _t23;
				void* _t26;
				intOrPtr _t34;
				intOrPtr* _t36;
				void* _t50;
				struct HINSTANCE__* _t53;
				void* _t62;

				 *((intOrPtr*)(_t14 +  *_t14)) =  *((intOrPtr*)(_t14 +  *_t14)) + _t14 +  *_t14;
				if( *0x6c5004 != 0) {
					E00409DD8();
					E00409E60(_t50);
					 *0x6c5004 = 0;
				}
				if( *0x6d1bd0 != 0 && GetCurrentThreadId() ==  *0x6d1bf8) {
					E00409B30(0x6d1bcc);
					E00409E34(0x6d1bcc);
				}
				if( *0x006D1BC4 != 0 ||  *0x6cf058 == 0) {
					L9:
					if( *((char*)(0x6d1bc4)) == 2 &&  *0x6c5000 == 0) {
						 *0x006D1BA8 = 0;
					}
					if( *((char*)(0x6d1bc4)) != 0) {
						L15:
						E00409B58(); // executed
						if( *((char*)(0x6d1bc4)) <= 1 ||  *0x6c5000 != 0) {
							_t18 =  *0x006D1BAC;
							if( *0x006D1BAC != 0) {
								E0040EBB8(_t18);
								_t34 =  *((intOrPtr*)(0x6d1bac));
								_t8 = _t34 + 0x10; // 0x400000
								_t53 =  *_t8;
								_t9 = _t34 + 4; // 0x400000
								if(_t53 !=  *_t9 && _t53 != 0) {
									FreeLibrary(_t53);
								}
							}
						}
						E00409B30(0x6d1b9c);
						if( *((char*)(0x6d1bc4)) == 1) {
							 *0x006D1BC0();
						}
						if( *((char*)(0x6d1bc4)) != 0) {
							E00409E34(0x6d1b9c);
						}
						if( *0x6d1b9c == 0) {
							if( *0x6cf038 != 0) {
								 *0x6cf038();
							}
							ExitProcess( *0x6c5000); // executed
						}
						memcpy(0x6d1b9c,  *0x6d1b9c, 0xc << 2);
						_t62 = _t62 + 0xc;
						0x6c5000 = 0x6c5000;
						0x6d1b9c = 0x6d1b9c;
						goto L9;
					} else {
						_t23 = E00406FD0();
						_t48 = _t23;
						if(_t23 == 0) {
							goto L15;
						} else {
							goto L14;
						}
						do {
							L14:
							E00408444(_t48);
							_t26 = E00406FD0();
							_t48 = _t26;
						} while (_t26 != 0);
						goto L15;
					}
				} else {
					do {
						_t36 =  *0x6cf058; // 0x0
						 *0x6cf058 = 0;
						 *_t36();
					} while ( *0x6cf058 != 0);
					L9:
					while(1) {
					}
				}
			}

0x00409ef2
0x00409f0c
0x00409f0e
0x00409f13
0x00409f1a
0x00409f1a
0x00409f26
0x00409f3a
0x00409f44
0x00409f44
0x00409f4d
0x00409f71
0x00409f75
0x00409f7e
0x00409f7e
0x00409f85
0x00409fa4
0x00409fa4
0x00409fad
0x00409fb4
0x00409fb9
0x00409fbb
0x00409fc0
0x00409fc3
0x00409fc3
0x00409fc6
0x00409fc9
0x00409fd0
0x00409fd0
0x00409fc9
0x00409fb9
0x00409fd7
0x00409fe0
0x00409fe2
0x00409fe2
0x00409fe9
0x00409fed
0x00409fed
0x00409ff5
0x00409ffe
0x0040a000
0x0040a000
0x0040a009
0x0040a009
0x0040a01b
0x0040a01b
0x0040a01d
0x0040a01e
0x00000000
0x00409f87
0x00409f87
0x00409f8c
0x00409f90
0x00000000
0x00000000
0x00000000
0x00000000
0x00409f92
0x00409f92
0x00409f94
0x00409f99
0x00409f9e
0x00409fa0
0x00000000
0x00409f92
0x00409f58
0x00409f58
0x00409f58
0x00409f61
0x00409f66
0x00409f68
0x00000000
0x00409f71
0x00000000
0x00409f71

APIs

GetCurrentThreadId.KERNEL32 ref: 00409F28
FreeLibrary.KERNEL32(00400000,?,?,?,0040A032,0040701B,00407062,?,?,0040707B,?,?,?,?,004B58EA,00000000), ref: 00409FD0
ExitProcess.KERNEL32(00000000,?,?,?,0040A032,0040701B,00407062,?,?,0040707B,?,?,?,?,004B58EA,00000000), ref: 0040A009

Part of subcall function 00409E60: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00409F18,?,?,?,0040A032,0040701B,00407062,?,?,0040707B), ref: 00409E99
Part of subcall function 00409E60: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00409F18,?,?,?,0040A032,0040701B,00407062,?,?), ref: 00409E9F
Part of subcall function 00409E60: GetStdHandle.KERNEL32(000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00409F18,?,?,?), ref: 00409EBA
Part of subcall function 00409E60: WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00409F18,?,?), ref: 00409EC0

Strings

MZP, xrefs: 00409FCF

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: FileHandleWrite$CurrentExitFreeLibraryProcessThread
String ID: MZP
API String ID: 3490077880-2889622443
Opcode ID: 86ca27ab4cbfe576b0a3ee541a0fe11273007b0e3819c982b8d9582f61fa1f39
Instruction ID: 07d30fd0877b4d42c88f7c1dd8669400ca79996a2773cdc214a63d44a36a60ff
Opcode Fuzzy Hash: 86ca27ab4cbfe576b0a3ee541a0fe11273007b0e3819c982b8d9582f61fa1f39
Instruction Fuzzy Hash: C4316E20A007828ADB21AB769494B2777E26F15318F14487FE049E62E3D7BCDCC4C71E

Uniqueness

Uniqueness Score: -1.00%

Function 0060C038 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60
processCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E0060C038(void* __eax, WCHAR* __ecx, WCHAR* __edx, void* __eflags, struct _PROCESS_INFORMATION* _a4, struct _STARTUPINFOW* _a8, char _a12, void* _a16, char _a20, int _a24, struct _SECURITY_ATTRIBUTES* _a28, struct _SECURITY_ATTRIBUTES* _a32) {
				int _v8;
				char _v16;
				long _v20;
				int _t27;
				intOrPtr _t42;
				void* _t50;
				void* _t52;
				intOrPtr _t53;

				_t50 = _t52;
				_t53 = _t52 + 0xfffffff0;
				if(E0060BF74(__eax,  &_v16) != 0) {
					_push(_t50);
					_push(0x60c0b2);
					_push( *[fs:eax]);
					 *[fs:eax] = _t53;
					_t5 =  &_a12; // 0x624d3e
					_t7 =  &_a20; // 0x624d58
					_t27 = CreateProcessW(__edx, __ecx, _a32, _a28, _a24,  *_t7, _a16,  *_t5, _a8, _a4); // executed
					_v8 = _t27;
					_v20 = GetLastError();
					_pop(_t42);
					 *[fs:eax] = _t42;
					_push(E0060C0B9);
					return E0060BFB0( &_v16);
				} else {
					_v8 = 0;
					return _v8;
				}
			}

0x0060c039
0x0060c03b
0x0060c053
0x0060c05e
0x0060c05f
0x0060c064
0x0060c067
0x0060c072
0x0060c07a
0x0060c08c
0x0060c091
0x0060c099
0x0060c09e
0x0060c0a1
0x0060c0a4
0x0060c0b1
0x0060c055
0x0060c057
0x0060c0cb
0x0060c0cb

APIs

CreateProcessW.KERNEL32 ref: 0060C08C
GetLastError.KERNEL32(00000000,00000000,006D579C,?,?,XMb,00000000,>Mb,?,?,00000000,0060C0B2,?,?,?,00000001), ref: 0060C094

Strings

>Mb, xrefs: 0060C072, 0060C075
XMb, xrefs: 0060C07A, 0060C07D

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: CreateErrorLastProcess
String ID: >Mb$XMb
API String ID: 2919029540-2660256435
Opcode ID: fc70ad85d2157d21ba367755dea5396487fa079e60854658823ca55dcf81e298
Instruction ID: 6fed8a1d79b3fe7fb7c31d778b9d5703ccb9eb2a1393ada51090ba1ca1dee2d9
Opcode Fuzzy Hash: fc70ad85d2157d21ba367755dea5396487fa079e60854658823ca55dcf81e298
Instruction Fuzzy Hash: DA113972640208AFCB54DFA9DC81DDFB7ECEB4D320B518666F908D3280D635AE108BA4

Uniqueness

Uniqueness Score: -1.00%

Function 004785F8 Relevance: 6.1, APIs: 4, Instructions: 59
registryCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E004785F8(intOrPtr _a4, short _a6, intOrPtr _a8) {
				struct _WNDCLASSW _v44;
				WCHAR* _t8;
				int _t10;
				void* _t11;
				struct HWND__* _t15;
				long _t17;
				WCHAR* _t20;
				struct HWND__* _t22;
				WCHAR* _t24;

				 *0x6c7aa8 =  *0x6d2634;
				_t8 =  *0x6c7abc; // 0x4785dc
				_t10 = GetClassInfoW( *0x6d2634, _t8,  &_v44);
				asm("sbb eax, eax");
				_t11 = _t10 + 1;
				if(_t11 == 0 || L00414778 != _v44.lpfnWndProc) {
					if(_t11 != 0) {
						_t20 =  *0x6c7abc; // 0x4785dc
						UnregisterClassW(_t20,  *0x6d2634);
					}
					RegisterClassW(0x6c7a98);
				}
				_t24 =  *0x6c7abc; // 0x4785dc
				_t15 = E00414DA0(0x80, _t24, 0,  *0x6d2634, 0, 0, 0, 0, 0, 0, 0x80000000); // executed
				_t22 = _t15;
				if(_a6 != 0) {
					_t17 = E0047845C(_a4, _a8); // executed
					SetWindowLongW(_t22, 0xfffffffc, _t17);
				}
				return _t22;
			}

0x00478604
0x0047860d
0x00478619
0x00478621
0x00478623
0x00478626
0x00478634
0x0047863c
0x00478642
0x00478642
0x0047864c
0x0047864c
0x0047866f
0x0047867a
0x0047867f
0x00478686
0x0047868e
0x00478697
0x00478697
0x004786a2

APIs

GetClassInfoW.USER32 ref: 00478619
UnregisterClassW.USER32 ref: 00478642
RegisterClassW.USER32 ref: 0047864C
SetWindowLongW.USER32(00000000,000000FC,00000000), ref: 00478697

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: Class$InfoLongRegisterUnregisterWindow
String ID:
API String ID: 4025006896-0
Opcode ID: c13718059519df6099dbd22287901c2cd341ee5024df696f59e832b4f8273898
Instruction ID: 194e1b82028893281538589df9a22bcce55ada3cdaffe31495447ecbac098301
Opcode Fuzzy Hash: c13718059519df6099dbd22287901c2cd341ee5024df696f59e832b4f8273898
Instruction Fuzzy Hash: D501C4716452057BCB10EB98EC85FDF739EE758314F10811AF508E7391CA39E9418BA8

Uniqueness

Uniqueness Score: -1.00%

Function 0060EFD8 Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

WaitForInputIdle.USER32 ref: 0060F004
MsgWaitForMultipleObjects.USER32 ref: 0060F026
GetExitCodeProcess.KERNEL32 ref: 0060F037
CloseHandle.KERNEL32(00000001,0060F064,0060F05D,?,?,?,00000001,?,?,0060F406,?,00000000,0060F41C,?,?,?), ref: 0060F057

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: Wait$CloseCodeExitHandleIdleInputMultipleObjectsProcess
String ID:
API String ID: 4071923889-0
Opcode ID: b2c0e9a815401a59890ae953dc8cc514a32d7d884ad163320893ed3959533c1a
Instruction ID: 3bf9388a4eab4805cc6f518967bcd8e0b9f61bd1b59095cebcc575be48bbaf87
Opcode Fuzzy Hash: b2c0e9a815401a59890ae953dc8cc514a32d7d884ad163320893ed3959533c1a
Instruction Fuzzy Hash: 24012D70A80308BEEB3497A58D16FEBBBADDF45760F510536F604C36C2D5759D40C664

Uniqueness

Uniqueness Score: -1.00%

Function 006ACABC Relevance: 6.0, APIs: 4, Instructions: 34
sleepCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E006ACABC(signed char __eax, void* __ecx, void* __edx, void* __eflags) {
				long _t7;
				void* _t9;
				void* _t14;
				void* _t15;
				signed char* _t16;

				_t17 = __eflags;
				_push(__ecx);
				_t14 = __ecx;
				_t15 = __edx;
				 *_t16 = __eax;
				while(1) {
					E0060C158( *_t16 & 0x000000ff, _t15, _t17); // executed
					asm("sbb ebx, ebx");
					_t9 = _t9 + 1;
					if(_t9 != 0 || GetLastError() == 2 || GetLastError() == 3) {
						break;
					}
					_t7 = GetTickCount();
					_t17 = _t7 - _t14 - 0x7d0;
					if(_t7 - _t14 < 0x7d0) {
						Sleep(0x32);
						continue;
					}
					break;
				}
				return _t9;
			}

0x006acabc
0x006acabf
0x006acac0
0x006acac2
0x006acac4
0x006acac7
0x006acacd
0x006acad5
0x006acad7
0x006acada
0x00000000
0x00000000
0x006acaf0
0x006acaf7
0x006acafc
0x006acb00
0x00000000
0x006acb00
0x00000000
0x006acafc
0x006acb0d

APIs

GetLastError.KERNEL32 ref: 006ACADC
GetLastError.KERNEL32 ref: 006ACAE6
GetTickCount.KERNEL32 ref: 006ACAF0
Sleep.KERNEL32(00000032), ref: 006ACB00

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: ErrorLast$CountSleepTick
String ID:
API String ID: 2227064392-0
Opcode ID: 66301a0a26332de94f541b13cc40e963d91ad8f3bd11375468a19028b1306bfa
Instruction ID: 650aecd8dda8324acb9ef1ef12543e615cdaddf0aa48ac4ca6bdf88ba774c7be
Opcode Fuzzy Hash: 66301a0a26332de94f541b13cc40e963d91ad8f3bd11375468a19028b1306bfa
Instruction Fuzzy Hash: 2AE02B7234838094D725356E58864BE8D5ACFC3376F280A3FF0C4D2182C4058D85C576

Uniqueness

Uniqueness Score: -1.00%

Function 006AE3C8 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 158
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E006AE3C8(long __eax, void* __ecx, void* __fp0) {
				void* __ebx;
				void* __ebp;
				long _t23;
				intOrPtr _t24;
				intOrPtr _t28;
				intOrPtr _t49;
				intOrPtr _t54;
				intOrPtr _t59;
				intOrPtr _t64;
				intOrPtr* _t69;
				struct HWND__* _t72;
				int _t73;
				intOrPtr _t74;
				void* _t77;
				void* _t79;
				void* _t93;
				void* _t94;
				void* _t95;
				intOrPtr _t98;
				void* _t100;
				intOrPtr _t104;
				intOrPtr _t106;
				intOrPtr _t107;
				intOrPtr _t108;
				intOrPtr _t113;
				intOrPtr _t116;
				intOrPtr _t118;
				intOrPtr _t120;
				long _t126;
				void* _t128;
				void* _t129;
				void* _t130;
				void* _t131;
				void* _t147;

				_t147 = __fp0;
				_t95 = __ecx;
				_t23 = __eax;
				_t126 = __eax;
				_t131 = _t126 -  *0x6cd738; // 0x0
				if(_t131 == 0) {
					L28:
					return _t23;
				}
				_t24 =  *0x6d66f8; // 0x0
				_t93 = E00464CD0(_t24, __eax);
				_t1 = _t93 + 0x18; // 0x18
				_t100 = E0040A77C(_t1);
				_t28 =  *((intOrPtr*)(_t93 + 0x18));
				if(_t28 != 0) {
					_t28 =  *((intOrPtr*)(_t28 - 4));
				}
				E005CD600(_t100, _t95, _t28);
				E005C77C4();
				E005C77C4();
				 *0x6cd738 = _t126;
				_t104 =  *0x5cac34; // 0x5cac38
				E0040BFAC(0x6d66b8, _t104);
				_t98 =  *0x5cac34; // 0x5cac38
				E0040C278(0x6d66b8, _t98, _t93, _t147);
				if( *0x6d66e0 == 0x411 &&  *0x6d67f0 < 0x5010000 && E005C7F8C(L"MS PGothic", _t93) != 0) {
					E0040A5A8(0x6d66c8, L"MS PGothic");
					 *0x6d66ec = 0xc;
				}
				if( *((intOrPtr*)(_t93 + 0x1c)) == 0) {
					_t106 =  *0x6d6601; // 0x0
					E0040A644(0x6d6744, _t106);
				} else {
					E0040A644(0x6d6744,  *((intOrPtr*)(_t93 + 0x1c)));
				}
				if( *((intOrPtr*)(_t93 + 0x20)) == 0) {
					_t107 =  *0x6d6605; // 0x0
					E0040A644(0x6d6748, _t107);
				} else {
					E0040A644(0x6d6748,  *((intOrPtr*)(_t93 + 0x20)));
				}
				_t139 =  *((intOrPtr*)(_t93 + 0x24));
				if( *((intOrPtr*)(_t93 + 0x24)) == 0) {
					_t108 =  *0x6d6609; // 0x0
					E0040A644(0x6d674c, _t108);
				} else {
					E0040A644(0x6d674c,  *((intOrPtr*)(_t93 + 0x24)));
				}
				E005C9044( *0x6d66f4 & 0x000000ff);
				_t49 =  *0x6cded8; // 0x6d5c28
				_t10 = _t49 + 0x1e8; // 0x0
				E005C8FB8(0, _t98, E0040B278( *_t10), _t139);
				_t54 =  *0x6cded8; // 0x6d5c28
				_t11 = _t54 + 0xb0; // 0x0
				E005C8FB8(1, _t98, E0040B278( *_t11), _t139);
				_t59 =  *0x6cded8; // 0x6d5c28
				_t12 = _t59 + 0x164; // 0x0
				E005C8FB8(2, _t98, E0040B278( *_t12), _t139);
				_t64 =  *0x6cded8; // 0x6d5c28
				_t13 = _t64 + 0x164; // 0x0
				E005C8FB8(3, _t98, E0040B278( *_t13), _t139);
				_t113 =  *0x6cded8; // 0x6d5c28
				_t14 = _t113 + 0x2f8; // 0x0
				_t69 =  *0x6cdec4; // 0x6d579c
				E005B8250( *_t69,  *_t14, _t139);
				_t23 =  *0x6d6704; // 0x0
				_t128 =  *((intOrPtr*)(_t23 + 8)) - 1;
				if(_t128 < 0) {
					L26:
					if( *0x6d64a4 == 0) {
						goto L28;
					}
					_t72 =  *0x6d64a8; // 0x7037a
					_t73 = SendNotifyMessageW(_t72, 0x496, 0x2711, _t126); // executed
					return _t73;
				} else {
					_t129 = _t128 + 1;
					_t130 = 0;
					do {
						_t74 =  *0x6d6704; // 0x0
						_t94 = E00464CD0(_t74, _t130);
						_t77 = ( *(_t94 + 0x25) & 0x000000ff) - 1;
						if(_t77 == 0) {
							_t17 = _t94 + 4; // 0x4
							_t116 =  *0x6cded8; // 0x6d5c28
							_t18 = _t116 + 0x1c8; // 0x0
							_t23 = E0040A5A8(_t17,  *_t18);
						} else {
							_t79 = _t77 - 1;
							if(_t79 == 0) {
								_t19 = _t94 + 4; // 0x4
								_t118 =  *0x6cded8; // 0x6d5c28
								_t20 = _t118 + 0x94; // 0x0
								_t23 = E0040A5A8(_t19,  *_t20);
							} else {
								_t23 = _t79 - 1;
								if(_t23 == 0) {
									_t21 = _t94 + 4; // 0x4
									_t120 =  *0x6cded8; // 0x6d5c28
									_t22 = _t120 + 0xb8; // 0x0
									_t23 = E0040A5A8(_t21,  *_t22);
								}
							}
						}
						_t130 = _t130 + 1;
						_t129 = _t129 - 1;
					} while (_t129 != 0);
					goto L26;
				}
			}

0x006ae3c8
0x006ae3c8
0x006ae3c8
0x006ae3cc
0x006ae3ce
0x006ae3d4
0x006ae621
0x006ae621
0x006ae621
0x006ae3dc
0x006ae3e6
0x006ae3e8
0x006ae3f0
0x006ae3f2
0x006ae3f7
0x006ae3fc
0x006ae3fc
0x006ae3ff
0x006ae413
0x006ae427
0x006ae42c
0x006ae437
0x006ae43d
0x006ae449
0x006ae44f
0x006ae45e
0x006ae484
0x006ae489
0x006ae489
0x006ae497
0x006ae4ad
0x006ae4b3
0x006ae499
0x006ae4a1
0x006ae4a1
0x006ae4bc
0x006ae4d2
0x006ae4d8
0x006ae4be
0x006ae4c6
0x006ae4c6
0x006ae4dd
0x006ae4e1
0x006ae4f7
0x006ae4fd
0x006ae4e3
0x006ae4eb
0x006ae4eb
0x006ae509
0x006ae50e
0x006ae513
0x006ae522
0x006ae527
0x006ae52c
0x006ae53b
0x006ae540
0x006ae545
0x006ae554
0x006ae559
0x006ae55e
0x006ae56d
0x006ae572
0x006ae578
0x006ae57e
0x006ae585
0x006ae58a
0x006ae592
0x006ae595
0x006ae5fe
0x006ae605
0x00000000
0x00000000
0x006ae612
0x006ae618
0x00000000
0x006ae597
0x006ae597
0x006ae598
0x006ae59a
0x006ae59c
0x006ae5a6
0x006ae5ac
0x006ae5ae
0x006ae5ba
0x006ae5bd
0x006ae5c3
0x006ae5c9
0x006ae5b0
0x006ae5b0
0x006ae5b2
0x006ae5d0
0x006ae5d3
0x006ae5d9
0x006ae5df
0x006ae5b4
0x006ae5b4
0x006ae5b6
0x006ae5e6
0x006ae5e9
0x006ae5ef
0x006ae5f5
0x006ae5f5
0x006ae5b6
0x006ae5b2
0x006ae5fa
0x006ae5fb
0x006ae5fb
0x00000000
0x006ae59a

APIs

SendNotifyMessageW.USER32(0007037A,00000496,00002711,-00000001), ref: 006AE618

Strings

MS PGothic, xrefs: 006AE46C, 006AE47F
(\m, xrefs: 006AE404, 006AE418, 006AE50E, 006AE527, 006AE540, 006AE559, 006AE572, 006AE5BD, 006AE5D3, 006AE5E9

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: MessageNotifySend
String ID: (\m$MS PGothic
API String ID: 3556456075-219475269
Opcode ID: 2500a480fbb503b296a3365eb03bbe38222c632a9ea8e700226d7071bd3521c7
Instruction ID: c4b29eded5dd607060819086577383edb80d612be209ecb45f272f1b38c29540
Opcode Fuzzy Hash: 2500a480fbb503b296a3365eb03bbe38222c632a9ea8e700226d7071bd3521c7
Instruction Fuzzy Hash: 295150347011448BC700FF69D88AE5A77E3EB9A308B54557AF4049F366CA7AEC42CF99

Uniqueness

Uniqueness Score: -1.00%

Function 0060D530 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 82
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E0060D530(void* __eax, long __ebx, void* __edx, void* __edi, void* __esi) {
				char _v8;
				char _v12;
				char* _v16;
				char _v20;
				intOrPtr _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				int _t30;
				intOrPtr _t63;
				void* _t71;
				void* _t73;
				intOrPtr _t75;
				intOrPtr _t76;

				_t71 = __edi;
				_t54 = __ebx;
				_t75 = _t76;
				_t55 = 4;
				do {
					_push(0);
					_push(0);
					_t55 = _t55 - 1;
				} while (_t55 != 0);
				_push(_t55);
				_push(__ebx);
				_t73 = __eax;
				_t78 = 0;
				_push(_t75);
				_push(0x60d629);
				_push( *[fs:eax]);
				 *[fs:eax] = _t76;
				while(1) {
					E005C75E4( &_v12, _t54, _t55, _t78); // executed
					_t55 = L".tmp";
					E0060D294(0, _t54, L".tmp", _v12, _t71, _t73,  &_v8); // executed
					_t30 = CreateDirectoryW(E0040B278(_v8), 0); // executed
					if(_t30 != 0) {
						break;
					}
					_t54 = GetLastError();
					_t78 = _t54 - 0xb7;
					if(_t54 != 0xb7) {
						E005CD508(0x3d,  &_v32, _v8);
						_v28 = _v32;
						E0042302C( &_v36, _t54, 0);
						_v24 = _v36;
						E005C857C(_t54,  &_v40);
						_v20 = _v40;
						E005CD4D8(0x81, 2,  &_v28,  &_v16);
						_t55 = _v16;
						E00429008(_v16, 1);
						E004098C4();
					}
				}
				E0040A5A8(_t73, _v8);
				__eflags = 0;
				_pop(_t63);
				 *[fs:eax] = _t63;
				_push(E0060D630);
				E0040A228( &_v40, 3);
				return E0040A228( &_v16, 3);
			}

0x0060d530
0x0060d530
0x0060d531
0x0060d533
0x0060d538
0x0060d538
0x0060d53a
0x0060d53c
0x0060d53c
0x0060d53f
0x0060d540
0x0060d542
0x0060d544
0x0060d546
0x0060d547
0x0060d54c
0x0060d54f
0x0060d552
0x0060d559
0x0060d561
0x0060d568
0x0060d578
0x0060d57f
0x00000000
0x00000000
0x0060d586
0x0060d588
0x0060d58e
0x0060d59e
0x0060d5a6
0x0060d5b2
0x0060d5ba
0x0060d5c2
0x0060d5ca
0x0060d5d9
0x0060d5de
0x0060d5e8
0x0060d5ed
0x0060d5ed
0x0060d58e
0x0060d5fc
0x0060d601
0x0060d603
0x0060d606
0x0060d609
0x0060d616
0x0060d628

APIs

CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,0060D629,?,006D579C,?,00000003,00000000,00000000,?,006AC8F3,00000000,006ACA22), ref: 0060D578
GetLastError.KERNEL32(00000000,00000000,?,00000000,0060D629,?,006D579C,?,00000003,00000000,00000000,?,006AC8F3,00000000,006ACA22), ref: 0060D581

Strings

.tmp, xrefs: 0060D561

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID: .tmp
API String ID: 1375471231-2986845003
Opcode ID: 7e252bd83ff95b71af820973b8230fb04739544441579268b50ffd476fc0b7f1
Instruction ID: 90e89e80a8d15c693f6baa1c53929b57ef88e13b94ce627ec608a80cc6a9e7e5
Opcode Fuzzy Hash: 7e252bd83ff95b71af820973b8230fb04739544441579268b50ffd476fc0b7f1
Instruction Fuzzy Hash: F4219975A502089FDB05EBE4CC51EEEB7B9EB88304F10457AF901F3381DA75AE058B64

Uniqueness

Uniqueness Score: -1.00%

Function 006ACB10 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E006ACB10(void* __ebx, void* __edx, void* __edi, void* __esi) {
				char _v8;
				char* _t12;
				long _t13;
				void* _t15;
				void* _t22;
				intOrPtr _t26;
				intOrPtr _t28;
				intOrPtr _t29;
				void* _t31;
				void* _t32;
				intOrPtr _t35;

				_t32 = __esi;
				_t31 = __edi;
				_t22 = __ebx;
				_push(0);
				_push(_t35);
				_push(0x6acba2);
				_push( *[fs:eax]);
				 *[fs:eax] = _t35;
				E006255B8(0);
				E006255A4(0);
				if( *0x6d6530 != 0) {
					_t12 =  *0x6cdfdc; // 0x6d62e4
					if( *_t12 != 0) {
						E0061583C(0);
					}
					_t13 = GetTickCount();
					_t29 =  *0x6d6530; // 0x0
					_t15 = E0060DCC8(0, _t22, 1, _t29, _t13, E006ACABC, 0, 0, 1, 1); // executed
					if(_t15 == 0) {
						_t26 =  *0x6d6530; // 0x0
						E0040B4C8( &_v8, _t26, L"Failed to remove temporary directory: ");
						E00616130(_v8, _t22, _t31, _t32);
					}
				}
				_pop(_t28);
				 *[fs:eax] = _t28;
				_push(E006ACBA9);
				return E0040A1C8( &_v8);
			}

0x006acb10
0x006acb10
0x006acb10
0x006acb13
0x006acb17
0x006acb18
0x006acb1d
0x006acb20
0x006acb25
0x006acb2c
0x006acb38
0x006acb3a
0x006acb42
0x006acb46
0x006acb46
0x006acb58
0x006acb60
0x006acb68
0x006acb6f
0x006acb74
0x006acb7f
0x006acb87
0x006acb87
0x006acb6f
0x006acb8e
0x006acb91
0x006acb94
0x006acba1

APIs

GetTickCount.KERNEL32 ref: 006ACB58

Strings

Failed to remove temporary directory: , xrefs: 006ACB7A
bm, xrefs: 006ACB3A

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: CountTick
String ID: Failed to remove temporary directory: $bm
API String ID: 536389180-2673898769
Opcode ID: bfd70c40cb1ad8d181033c251dcb3b43325d86ef4477ff23258a823bd8f54122
Instruction ID: 78e05ed3d0f448852bd59dbbb99a4cbd83d81d15065c7e17e95d6b7c04c680f0
Opcode Fuzzy Hash: bfd70c40cb1ad8d181033c251dcb3b43325d86ef4477ff23258a823bd8f54122
Instruction Fuzzy Hash: 9401D430610704AAD751FB75EC47F9A73979B46B10F51046AF500A72D2D7769C40CA28

Uniqueness

Uniqueness Score: -1.00%

Function 006AC180 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E006AC180() {
				void* _v8;
				void* __ecx;
				void* _t9;
				long _t15;
				void* _t16;

				if( *0x6d67dd == 0) {
					_t16 = 0;
				} else {
					_t16 = 2;
				}
				_t9 = E005C7A14(_t16,  *((intOrPtr*)(0x6cd7ec + ( *0x6d67dc & 0x000000ff) * 4)), 0x80000002,  &_v8, 1, 0); // executed
				if(_t9 == 0) {
					E005C793C();
					E005C793C();
					_t15 = RegCloseKey(_v8); // executed
					return _t15;
				}
				return _t9;
			}

0x006ac18c
0x006ac192
0x006ac18e
0x006ac18e
0x006ac18e
0x006ac1b1
0x006ac1b8
0x006ac1c7
0x006ac1d9
0x006ac1e2
0x00000000
0x006ac1e2
0x006ac1ea

APIs

RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,006AC56B,00000000,006AC586,?,00000000,00000000,?,006B7B68,00000006), ref: 006AC1E2

Strings

RegisteredOrganization, xrefs: 006AC1D1
RegisteredOwner, xrefs: 006AC1BF

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: Close
String ID: RegisteredOrganization$RegisteredOwner
API String ID: 3535843008-1113070880
Opcode ID: bd898d473dd1f21ff1d6f1f73f3955f0af61235c1559c7df92e3e59f0577a32c
Instruction ID: ca4fc0b31771868649da923643cba903dbb3fbd6f1f7080981924f9495942079
Opcode Fuzzy Hash: bd898d473dd1f21ff1d6f1f73f3955f0af61235c1559c7df92e3e59f0577a32c
Instruction Fuzzy Hash: E8F09030744108AFE700EAD4DC56BAA7B9FE787714F60106AF1008BB82C630AE00CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00414DA0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00414DA0(long __eax, WCHAR* __edx, void* _a4, struct HINSTANCE__* _a8, struct HMENU__* _a12, struct HWND__* _a16, int _a20, int _a24, int _a28, int _a32, long _a36) {
				WCHAR* _v8;
				void* _t13;
				struct HWND__* _t24;
				WCHAR* _t29;
				long _t32;

				_v8 = _t29;
				_t32 = __eax;
				_t13 = E00407404();
				_t24 = CreateWindowExW(_t32, __edx, _v8, _a36, _a32, _a28, _a24, _a20, _a16, _a12, _a8, _a4); // executed
				E004073F4(_t13);
				return _t24;
			}

0x00414da7
0x00414dac
0x00414dae
0x00414ddf
0x00414de8
0x00414df4

APIs

CreateWindowExW.USER32 ref: 00414DDF

Strings

TWindowDisabler-Window, xrefs: 00414DDD

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: CreateWindow
String ID: TWindowDisabler-Window
API String ID: 716092398-1824977358
Opcode ID: b8b775b51f73ca30bac71de3a5aa2dd226752c973776daaf732847dd1bb66243
Instruction ID: a9fb6cbc93b7d8fca137cee03195aa1e05eb631c50c99d8148995e53eb0ae486
Opcode Fuzzy Hash: b8b775b51f73ca30bac71de3a5aa2dd226752c973776daaf732847dd1bb66243
Instruction Fuzzy Hash: 7BF092B2604158BF9B80DE9DDC81EDB77ECEB4D2A4B05416AFA0CE3201D634ED118BA4

Uniqueness

Uniqueness Score: -1.00%

Function 006AC0D0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 39
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E006AC0D0(void* __eax, void* __edx, void* __eflags) {
				void* _v8;
				void* __ecx;
				void* _t7;
				void* _t17;
				void* _t24;

				_t24 = _t17;
				_t7 = E005C7A14(__eax, L"Software\\Microsoft\\Windows\\CurrentVersion", 0x80000002,  &_v8, 1, 0); // executed
				if(_t7 != 0) {
					return E0040A1C8(_t24);
				}
				if(E005C793C() == 0) {
					E0040A1C8(_t24);
				}
				return RegCloseKey(_v8);
			}

0x006ac0d7
0x006ac0f1
0x006ac0f8
0x00000000
0x006ac11e
0x006ac108
0x006ac10c
0x006ac10c
0x00000000

APIs

Part of subcall function 005C7A14: RegOpenKeyExW.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,005C80EE,?,00000000,?,005C808E,00000001,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,005C80EE), ref: 005C7A30

RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,006B813A,?,006AC32E,00000000,006AC586,?,00000000,00000000), ref: 006AC115

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 006AC0E7

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: CloseOpen
String ID: Software\Microsoft\Windows\CurrentVersion
API String ID: 47109696-1019749484
Opcode ID: d229eceb27129c019e3bbbd4ff4b76b51703ff84893012891c3f6baec18ca04a
Instruction ID: 9fe961e3a0f1dd2c49f778430c2599f74e8698f8579e7211867226b13b49c2b0
Opcode Fuzzy Hash: d229eceb27129c019e3bbbd4ff4b76b51703ff84893012891c3f6baec18ca04a
Instruction Fuzzy Hash: 8FF082317042186BEA04B69E6C52BAEA69D9B86764F60007EF608D7283D9A49E0107A9

Uniqueness

Uniqueness Score: -1.00%

Function 005C7A14 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 18
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E005C7A14(void* __eax, short* __ecx, void* __edx, void** _a4, int _a8, int _a12) {
				long _t7;
				short* _t8;
				void* _t9;
				int _t10;

				_t9 = __edx;
				_t8 = __ecx;
				_t10 = _a8;
				if(__eax == 2) {
					_t10 = _t10 | 0x00000100;
				}
				_t7 = RegOpenKeyExW(_t9, _t8, _a12, _t10, _a4); // executed
				return _t7;
			}

0x005c7a14
0x005c7a14
0x005c7a18
0x005c7a1d
0x005c7a1f
0x005c7a1f
0x005c7a30
0x005c7a37

APIs

RegOpenKeyExW.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,005C80EE,?,00000000,?,005C808E,00000001,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,005C80EE), ref: 005C7A30

Strings

Control Panel\Desktop\ResourceLocale, xrefs: 005C7A2E

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: Open
String ID: Control Panel\Desktop\ResourceLocale
API String ID: 71445658-1109908249
Opcode ID: 06a7132f66d0f60adfa239dc575e30208fbe0ee06a5a11f688fbfd3b74e0f472
Instruction ID: f7a531ddb9cdcc56bc9141aac83b8570c2bea4ceb2af7b348951fcc1ebd06380
Opcode Fuzzy Hash: 06a7132f66d0f60adfa239dc575e30208fbe0ee06a5a11f688fbfd3b74e0f472
Instruction Fuzzy Hash: C3D0C97291022C7B9B009ED9DC41EFB7B9DEB19360F40845AFD0897100C2B4EDA18BF4

Uniqueness

Uniqueness Score: -1.00%

Function 0060DCC8 Relevance: 3.2, APIs: 2, Instructions: 192
fileCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E0060DCC8(signed int __eax, void* __ebx, char __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, signed char _a12, signed int _a16, signed int _a20, char _a24) {
				char _v8;
				char _v12;
				char _v16;
				signed int _v17;
				intOrPtr _v24;
				char _v25;
				signed int _v26;
				void* _v32;
				struct _WIN32_FIND_DATAW _v624;
				char _v628;
				char _v632;
				char _v636;
				char _v640;
				signed char _t106;
				signed char _t108;
				void* _t114;
				int _t122;
				signed int _t127;
				signed char _t135;
				signed char _t139;
				void* _t155;
				signed int _t158;
				intOrPtr _t177;
				intOrPtr _t187;
				void* _t201;
				void* _t202;
				intOrPtr _t203;

				_t159 = __ecx;
				_t201 = _t202;
				_t203 = _t202 + 0xfffffd84;
				_push(__ebx);
				_v640 = 0;
				_v636 = 0;
				_v632 = 0;
				_v628 = 0;
				_v8 = 0;
				_v12 = 0;
				_v16 = 0;
				_v25 = __ecx;
				_v24 = __edx;
				_v17 = __eax;
				_push(_t201);
				_push(0x60df66);
				_push( *[fs:eax]);
				 *[fs:eax] = _t203;
				_v26 = 1;
				if(_a24 == 0) {
					L26:
					__eflags = _a16 & 0x000000ff ^ 0x00000001 | _v26;
					if((_a16 & 0x000000ff ^ 0x00000001 | _v26) != 0) {
						__eflags = _v25;
						if(_v25 != 0) {
							__eflags = _a12;
							if(__eflags == 0) {
								_t106 = E0060C664(_v17 & 0x000000ff, _v24, __eflags); // executed
								__eflags = _t106;
								if(_t106 == 0) {
									_v26 = 0;
								}
							} else {
								_t108 = _a12();
								__eflags = _t108;
								if(_t108 == 0) {
									_v26 = 0;
								}
							}
						}
					}
					__eflags = 0;
					_pop(_t177);
					 *[fs:eax] = _t177;
					_push(E0060DF6D);
					E0040A228( &_v640, 4);
					return E0040A228( &_v16, 3);
				} else {
					_t205 = _v25;
					if(_v25 == 0) {
						L3:
						_t207 = _v25;
						if(_v25 == 0) {
							E005C5428(_v24, _t159,  &_v8);
							E0040A5F0( &_v12, _v24);
						} else {
							E005C4EA4(_v24,  &_v8);
							E0040B4C8( &_v12, 0x60df84, _v8);
						}
						_t114 = E0060C2B0(_v17 & 0x000000ff,  &_v624, _v12, _t207); // executed
						_v32 = _t114;
						if(_v32 == 0xffffffff) {
							goto L26;
						} else {
							_push(_t201);
							_push(0x60def2);
							_push( *[fs:eax]);
							 *[fs:eax] = _t203;
							do {
								E0040B318( &_v16, 0x104,  &(_v624.cFileName));
								E0040B660(_v16, 0x60df94);
								if(0 != 0) {
									_t127 = E0040B660(_v16, 0x60dfa4);
									if(0 != 0) {
										_t158 = _v624.dwFileAttributes;
										if((_t158 & 0x00000001) != 0 && (_t127 & 0xffffff00 | (_t158 & 0x00000010) == 0x00000000 | _a20) != 0) {
											E0040B4C8( &_v628, _v16, _v8);
											E0060C6DC(_v17 & 0x000000ff, _t158 & 0xfffffffe, _v628, _t158 & 0xfffffffe);
										}
										if((_v624.dwFileAttributes & 0x00000010) != 0) {
											__eflags = _a20;
											if(_a20 != 0) {
												E0040B4C8( &_v640, _v16, _v8);
												_t135 = E0060DCC8(_v17 & 0x000000ff, _t158, 1, _v640, _a4, _a8, _a12, _a16 & 0x000000ff, 1, 1); // executed
												__eflags = _t135;
												if(_t135 == 0) {
													_v26 = 0;
												}
											}
										} else {
											if(_a8 == 0) {
												E0040B4C8( &_v636, _v16, _v8);
												_t139 = E0060C158(_v17 & 0x000000ff, _v636, __eflags);
												__eflags = _t139;
												if(_t139 == 0) {
													_v26 = 0;
												}
											} else {
												E0040B4C8( &_v632, _v16, _v8);
												if(_a8() == 0) {
													_v26 = 0;
												}
											}
										}
									}
								}
								if(_a16 == 0 || _v26 != 0) {
									goto L24;
								}
								break;
								L24:
								_t122 = FindNextFileW(_v32,  &_v624); // executed
							} while (_t122 != 0);
							_pop(_t187);
							 *[fs:eax] = _t187;
							_push(E0060DEF9);
							return FindClose(_v32);
						}
					} else {
						_t155 = E0060C474(_v17 & 0x000000ff, _v24, _t205); // executed
						if(_t155 == 0) {
							goto L26;
						} else {
							goto L3;
						}
					}
				}
			}

0x0060dcc8
0x0060dcc9
0x0060dccb
0x0060dcd1
0x0060dcd4
0x0060dcda
0x0060dce0
0x0060dce6
0x0060dcec
0x0060dcef
0x0060dcf2
0x0060dcf5
0x0060dcf8
0x0060dcfb
0x0060dd00
0x0060dd01
0x0060dd06
0x0060dd09
0x0060dd0c
0x0060dd14
0x0060def9
0x0060deff
0x0060df02
0x0060df04
0x0060df08
0x0060df0a
0x0060df0e
0x0060df2e
0x0060df33
0x0060df35
0x0060df37
0x0060df37
0x0060df10
0x0060df1a
0x0060df1d
0x0060df1f
0x0060df21
0x0060df21
0x0060df1f
0x0060df0e
0x0060df08
0x0060df3b
0x0060df3d
0x0060df40
0x0060df43
0x0060df53
0x0060df65
0x0060dd1a
0x0060dd1a
0x0060dd1e
0x0060dd34
0x0060dd34
0x0060dd38
0x0060dd5d
0x0060dd68
0x0060dd3a
0x0060dd40
0x0060dd50
0x0060dd50
0x0060dd7a
0x0060dd7f
0x0060dd86
0x00000000
0x0060dd8c
0x0060dd8e
0x0060dd8f
0x0060dd94
0x0060dd97
0x0060dd9a
0x0060dda8
0x0060ddb5
0x0060ddba
0x0060ddc8
0x0060ddcd
0x0060ddd3
0x0060dddc
0x0060ddf5
0x0060de09
0x0060de09
0x0060de15
0x0060de72
0x0060de76
0x0060de99
0x0060deaa
0x0060deaf
0x0060deb1
0x0060deb3
0x0060deb3
0x0060deb1
0x0060de17
0x0060de1b
0x0060de54
0x0060de63
0x0060de68
0x0060de6a
0x0060de6c
0x0060de6c
0x0060de1d
0x0060de29
0x0060de40
0x0060de42
0x0060de42
0x0060de40
0x0060de1b
0x0060de15
0x0060ddcd
0x0060debb
0x00000000
0x00000000
0x00000000
0x0060dec3
0x0060dece
0x0060ded3
0x0060dedd
0x0060dee0
0x0060dee3
0x0060def1
0x0060def1
0x0060dd20
0x0060dd27
0x0060dd2e
0x00000000
0x00000000
0x00000000
0x00000000
0x0060dd2e
0x0060dd1e

APIs

FindNextFileW.KERNEL32(000000FF,?,00000000,0060DEF2,?,00000000,0060DF66,?,?,?,006ACB6D,00000000,006ACABC,00000000,00000000,00000001), ref: 0060DECE
FindClose.KERNEL32(000000FF,0060DEF9,0060DEF2,?,00000000,0060DF66,?,?,?,006ACB6D,00000000,006ACABC,00000000,00000000,00000001,00000001), ref: 0060DEEC

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: Find$CloseFileNext
String ID:
API String ID: 2066263336-0
Opcode ID: 880083aeac85d17b4b12782f9dbfd0f3d1e1a26c21cef740d9e526a5c46f8d33
Instruction ID: 99f5a77a41558a3604df8ac4250e6fc047523390e4335a570d25b15aca54e13b
Opcode Fuzzy Hash: 880083aeac85d17b4b12782f9dbfd0f3d1e1a26c21cef740d9e526a5c46f8d33
Instruction Fuzzy Hash: CD81B0309442899EDF15DFA5C845BEFBBB6AF45304F1482AAE844673C1C7349F45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 005C77F4 Relevance: 3.1, APIs: 2, Instructions: 112
registryCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E005C77F4(void* __eax, void* __ebx, intOrPtr __ecx, short* __edx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8) {
				char _v8;
				short* _v12;
				intOrPtr _v16;
				int _v20;
				int _v24;
				long _t46;
				signed int _t58;
				char _t66;
				intOrPtr _t82;
				void* _t87;
				signed int _t93;
				void* _t96;

				_v8 = 0;
				_v16 = __ecx;
				_v12 = __edx;
				_t87 = __eax;
				_push(_t96);
				_push(0x5c792a);
				_push( *[fs:eax]);
				 *[fs:eax] = _t96 + 0xffffffec;
				while(1) {
					_v24 = 0;
					_t46 = RegQueryValueExW(_t87, _v12, 0,  &_v20, 0,  &_v24); // executed
					if(_t46 != 0 || _v20 != _a8 && _v20 != _a4) {
						break;
					}
					if(_v24 != 0) {
						__eflags = _v24 - 0x70000000;
						if(__eflags >= 0) {
							E00428FFC();
						}
						_t80 = _v24 + 1 >> 1;
						E0040A350( &_v8, _v24 + 1 >> 1, 0, __eflags);
						_t58 = RegQueryValueExW(_t87, _v12, 0,  &_v20, E0040A774( &_v8),  &_v24); // executed
						__eflags = _t58 - 0xea;
						if(_t58 == 0xea) {
							continue;
						} else {
							__eflags = _t58;
							if(_t58 != 0) {
								break;
							}
							__eflags = _v20 - _a8;
							if(_v20 == _a8) {
								L12:
								_t93 = _v24 >> 1;
								while(1) {
									__eflags = _t93;
									if(_t93 == 0) {
										break;
									}
									_t66 = _v8;
									__eflags =  *((short*)(_t66 + _t93 * 2 - 2));
									if( *((short*)(_t66 + _t93 * 2 - 2)) == 0) {
										_t93 = _t93 - 1;
										__eflags = _t93;
										continue;
									}
									break;
								}
								__eflags = _v20 - 7;
								if(_v20 == 7) {
									__eflags = _t93;
									if(_t93 != 0) {
										_t93 = _t93 + 1;
										__eflags = _t93;
									}
								}
								E0040B3F0( &_v8, _t80, _t93);
								__eflags = _v20 - 7;
								if(_v20 == 7) {
									__eflags = _t93;
									if(_t93 != 0) {
										(E0040A774( &_v8))[_t93 * 2 - 2] = 0;
									}
								}
								E0040A5A8(_v16, _v8);
								break;
							}
							__eflags = _v20 - _a4;
							if(_v20 != _a4) {
								break;
							}
							goto L12;
						}
					} else {
						E0040A1C8(_v16);
						break;
					}
				}
				_pop(_t82);
				 *[fs:eax] = _t82;
				_push(E005C7931);
				return E0040A1C8( &_v8);
			}

0x005c77ff
0x005c7802
0x005c7805
0x005c7808
0x005c780c
0x005c780d
0x005c7812
0x005c7815
0x005c781a
0x005c781c
0x005c7830
0x005c7837
0x00000000
0x00000000
0x005c7855
0x005c7866
0x005c786d
0x005c786f
0x005c786f
0x005c787d
0x005c7881
0x005c789e
0x005c78a3
0x005c78a8
0x00000000
0x005c78ae
0x005c78ae
0x005c78b0
0x00000000
0x00000000
0x005c78b5
0x005c78b8
0x005c78c2
0x005c78c5
0x005c78ca
0x005c78ca
0x005c78cc
0x00000000
0x00000000
0x005c78ce
0x005c78d1
0x005c78d7
0x005c78c9
0x005c78c9
0x00000000
0x005c78c9
0x00000000
0x005c78d7
0x005c78d9
0x005c78dd
0x005c78df
0x005c78e1
0x005c78e3
0x005c78e3
0x005c78e3
0x005c78e1
0x005c78e9
0x005c78ee
0x005c78f2
0x005c78f4
0x005c78f6
0x005c7900
0x005c7900
0x005c78f6
0x005c790d
0x00000000
0x005c7912
0x005c78bd
0x005c78c0
0x00000000
0x00000000
0x00000000
0x005c78c0
0x005c7857
0x005c785a
0x00000000
0x005c785f
0x005c7855
0x005c7916
0x005c7919
0x005c791c
0x005c7929

APIs

RegQueryValueExW.ADVAPI32(00000001,?,00000000,00000000,00000000,?,00000000,005C792A,?,006AE670,00000000), ref: 005C7830
RegQueryValueExW.ADVAPI32(00000001,?,00000000,00000000,00000000,70000000,00000001,?,00000000,00000000,00000000,?,00000000,005C792A,?,006AE670), ref: 005C789E

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 1452018cd2d063f893914e341d210c6f1ccf2aaace09e96268290d6c100d62ec
Instruction ID: 9b528eccc0d206dd4e001c403f359889162c2cb04d4ae21286424304afe4548d
Opcode Fuzzy Hash: 1452018cd2d063f893914e341d210c6f1ccf2aaace09e96268290d6c100d62ec
Instruction Fuzzy Hash: 0D414731A0421DAFDB10DBD5C985EAEBBB8FB08700F50486AE915B7690D734AE04CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 005D0A74 Relevance: 3.1, APIs: 2, Instructions: 107
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E005D0A74(intOrPtr* __eax, void* __eflags, void* __fp0) {
				intOrPtr* _v8;
				intOrPtr _v12;
				int _v16;
				int _v20;
				void* _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				int _t68;
				int _t72;
				intOrPtr _t88;
				void* _t89;
				intOrPtr _t94;
				void* _t102;
				intOrPtr _t103;
				intOrPtr _t111;
				void* _t113;
				int _t114;
				void* _t116;
				void* _t121;
				void* _t123;
				intOrPtr _t124;
				void* _t126;

				_t126 = __eflags;
				_t121 = _t123;
				_t124 = _t123 + 0xffffffe8;
				_push(_t89);
				_push(_t116);
				_push(_t113);
				_v8 = __eax;
				_t94 =  *0x6cdb9c; // 0x6d66b8
				_t2 = _t94 + 0x2c; // 0x8
				_t103 =  *0x6cdb9c; // 0x6d66b8
				_t3 = _t103 + 8; // 0x0
				E005CE198( *((intOrPtr*)(_v8 + 0x74)), _t89,  *_t2,  *_t3, _t113, _t116, __fp0, 8, 0); // executed
				E005CE26C( *((intOrPtr*)(_v8 + 0x74)), _t89, _v8 + 0x3d4, _v8 + 0x3d0, _t113, _t116, _t126); // executed
				if( *(_v8 + 0x3d0) != 6) {
					L2:
					_v12 = E005D10C4(0, 1, _t113);
					 *[fs:eax] = _t124;
					E005D0564(_v8, _v12);
					E005CE3FC(_v8, 6,  *(_v8 + 0x3d0), _t128, 0xd,  *(_v8 + 0x3d4));
					 *((intOrPtr*)( *_v8 + 0x70))( *[fs:eax], 0x5d0bae, _t121);
					_t114 = _v20;
					_t68 = MulDiv(_t114,  *(_v8 + 0x3d0), 6);
					_t72 = MulDiv(_v16,  *(_v8 + 0x3d4), 0xd);
					E005AE564(_v8);
					 *((intOrPtr*)( *_v8 + 0xc8))(E005AE584(_v8), _t72 +  *((intOrPtr*)(_v8 + 0x5c)) - _v16, _t68 +  *((intOrPtr*)(_v8 + 0x58)) - _t114);
					_pop(_t111);
					_pop(_t102);
					 *[fs:eax] = _t111;
					_push(E005D0BB5);
					return E005D05DC( *_v8, _t102, _v12, 0);
				} else {
					_t88 = _v8;
					_t128 =  *((intOrPtr*)(_t88 + 0x3d4)) - 0xd;
					if( *((intOrPtr*)(_t88 + 0x3d4)) == 0xd) {
						return _t88;
					} else {
						goto L2;
					}
				}
			}

0x005d0a74
0x005d0a75
0x005d0a77
0x005d0a7a
0x005d0a7b
0x005d0a7c
0x005d0a7d
0x005d0a84
0x005d0a8a
0x005d0a8d
0x005d0a93
0x005d0a9c
0x005d0ab9
0x005d0ac8
0x005d0ada
0x005d0ae8
0x005d0af6
0x005d0aff
0x005d0b21
0x005d0b2e
0x005d0b3d
0x005d0b41
0x005d0b58
0x005d0b82
0x005d0b8f
0x005d0b97
0x005d0b99
0x005d0b9a
0x005d0b9d
0x005d0bad
0x005d0aca
0x005d0aca
0x005d0acd
0x005d0ad4
0x005d0bbb
0x00000000
0x00000000
0x00000000
0x005d0ad4

APIs

Part of subcall function 005CE26C: GetDC.USER32(00000000), ref: 005CE27D
Part of subcall function 005CE26C: SelectObject.GDI32(00000001,00000000), ref: 005CE29F
Part of subcall function 005CE26C: GetTextExtentPointW.GDI32(00000001,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz,00000034,?), ref: 005CE2B3
Part of subcall function 005CE26C: GetTextMetricsW.GDI32(00000001,?,00000000,005CE2F8,?,00000000,?,0068D5D0,00000001), ref: 005CE2D5
Part of subcall function 005CE26C: ReleaseDC.USER32 ref: 005CE2F2

MulDiv.KERNEL32(006B66BF,00000006,00000006), ref: 005D0B41
MulDiv.KERNEL32(?,?,0000000D), ref: 005D0B58

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: Text$ExtentMetricsObjectPointReleaseSelect
String ID:
API String ID: 844173074-0
Opcode ID: 56f948a4803d8bda42e55077044f91e3e5fa0501c30f1b7e22e41dab0d924d4d
Instruction ID: 4b3286446c155bbe1f679e64263f80cdfde84c69ba5731eb2fff00bff0d4e1b0
Opcode Fuzzy Hash: 56f948a4803d8bda42e55077044f91e3e5fa0501c30f1b7e22e41dab0d924d4d
Instruction Fuzzy Hash: 8F41E735A00108EFDB00DBA8D986EADB7F9FB88704F1541A6F904EB361D771AE41DB50

Uniqueness

Uniqueness Score: -1.00%

Function 0040E8BC Relevance: 3.1, APIs: 2, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E0040E8BC(intOrPtr __eax, void* __ebx, signed int __ecx, signed int __edx, void* __edi, void* __esi) {
				intOrPtr _v8;
				signed int _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				signed int _t41;
				signed short _t43;
				signed short _t46;
				signed int _t60;
				intOrPtr _t68;
				void* _t79;
				signed int* _t81;
				intOrPtr _t84;

				_t79 = __edi;
				_t61 = __ecx;
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(__ebx);
				_push(__esi);
				_t81 = __ecx;
				_v12 = __edx;
				_v8 = __eax;
				E0040A2AC(_v8);
				E0040A2AC(_v12);
				_push(_t84);
				_push(0x40e9d3);
				_push( *[fs:eax]);
				 *[fs:eax] = _t84;
				E0040A1C8(__ecx);
				if(_v12 == 0) {
					L14:
					_pop(_t68);
					 *[fs:eax] = _t68;
					_push(E0040E9DA);
					return E0040A228( &_v28, 6);
				}
				E0040A5F0( &_v20, _v12);
				_t41 = _v12;
				if(_t41 != 0) {
					_t41 =  *(_t41 - 4);
				}
				_t60 = _t41;
				if(_t60 < 1) {
					L7:
					_t43 = E0040E5E0(_v8, _t60, _t61,  &_v16, _t81); // executed
					if(_v16 == 0) {
						L0040524C();
						E0040DF90(_t43, _t60,  &_v24, _t79, _t81);
						_t46 = E0040E70C(_v20, _t60, _t81, _v24, _t79, _t81); // executed
						__eflags =  *_t81;
						if( *_t81 == 0) {
							__eflags =  *0x6d1c10;
							if( *0x6d1c10 == 0) {
								L00405254();
								E0040DF90(_t46, _t60,  &_v28, _t79, _t81);
								E0040E70C(_v20, _t60, _t81, _v28, _t79, _t81);
							}
						}
						__eflags =  *_t81;
						if(__eflags == 0) {
							E0040E7F0(_v20, _t60, _t81, __eflags); // executed
						}
					} else {
						E0040E70C(_v20, _t60, _t81, _v16, _t79, _t81);
					}
					goto L14;
				}
				while( *((short*)(_v12 + _t60 * 2 - 2)) != 0x2e) {
					_t60 = _t60 - 1;
					__eflags = _t60;
					if(_t60 != 0) {
						continue;
					}
					goto L7;
				}
				_t61 = _t60;
				E0040B698(_v12, _t60, 1,  &_v20);
				goto L7;
			}

0x0040e8bc
0x0040e8bc
0x0040e8bf
0x0040e8c1
0x0040e8c3
0x0040e8c5
0x0040e8c7
0x0040e8c9
0x0040e8cb
0x0040e8cc
0x0040e8cd
0x0040e8cf
0x0040e8d2
0x0040e8d8
0x0040e8e0
0x0040e8e7
0x0040e8e8
0x0040e8ed
0x0040e8f0
0x0040e8f5
0x0040e8fe
0x0040e9b8
0x0040e9ba
0x0040e9bd
0x0040e9c0
0x0040e9d2
0x0040e9d2
0x0040e90a
0x0040e90f
0x0040e914
0x0040e919
0x0040e919
0x0040e91b
0x0040e920
0x0040e947
0x0040e94d
0x0040e956
0x0040e967
0x0040e96f
0x0040e97c
0x0040e981
0x0040e984
0x0040e986
0x0040e98d
0x0040e98f
0x0040e997
0x0040e9a4
0x0040e9a4
0x0040e98d
0x0040e9a9
0x0040e9ac
0x0040e9b3
0x0040e9b3
0x0040e958
0x0040e960
0x0040e960
0x00000000
0x0040e956
0x0040e922
0x0040e942
0x0040e943
0x0040e945
0x00000000
0x00000000
0x00000000
0x0040e945
0x0040e931
0x0040e93b
0x00000000

APIs

GetUserDefaultUILanguage.KERNEL32(00000000,0040E9D3,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0040EA5A,00000000,?,00000105), ref: 0040E967
GetSystemDefaultUILanguage.KERNEL32(00000000,0040E9D3,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0040EA5A,00000000,?,00000105), ref: 0040E98F

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: DefaultLanguage$SystemUser
String ID:
API String ID: 384301227-0
Opcode ID: 71c01383dce129321d42375a4320665508c6a8894fd0ab1ecb023abfc2bbde49
Instruction ID: f222509f0094d30d647024d0898a7a2300edb3e6cc60590d57b3240daf1099d8
Opcode Fuzzy Hash: 71c01383dce129321d42375a4320665508c6a8894fd0ab1ecb023abfc2bbde49
Instruction Fuzzy Hash: F1312170A002199FDB10EB9AC881BAEB7B5EF44308F50497BE400B73D1D7789D558B59

Uniqueness

Uniqueness Score: -1.00%

Function 00414020 Relevance: 3.1, APIs: 2, Instructions: 57
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E00414020(void* __ebx, void* __esi, struct HINSTANCE__* _a4, CHAR* _a8) {
				char _v8;
				_Unknown_base(*)()* _v12;
				_Unknown_base(*)()* _t22;
				CHAR* _t31;
				intOrPtr _t38;
				intOrPtr _t39;
				struct HINSTANCE__* _t41;
				void* _t43;
				void* _t44;
				intOrPtr _t45;

				_t43 = _t44;
				_t45 = _t44 + 0xfffffff8;
				_v8 = 0;
				_t31 = _a8;
				_t41 = _a4;
				_push(_t43);
				_push(0x4140be);
				_push( *[fs:eax]);
				 *[fs:eax] = _t45;
				if(_t31 >> 0x10 != 0) {
					_push(_t43);
					 *[fs:eax] = _t45;
					E0040A1EC( &_v8);
					E0040A944( &_v8, 0, _t31,  *[fs:eax]);
					_t22 = GetProcAddress(_t41, E0040AC70(_v8)); // executed
					_v12 = _t22;
					_t38 = 0x4140a1;
					 *[fs:eax] = _t38;
					_push(E004140A8);
					return E0040A1EC( &_v8);
				} else {
					_v12 = GetProcAddress(_t41, _t31);
					_pop(_t39);
					 *[fs:eax] = _t39;
					_push(E004140C5);
					return E0040A1EC( &_v8);
				}
			}

0x00414021
0x00414023
0x0041402a
0x0041402d
0x00414030
0x00414035
0x00414036
0x0041403b
0x0041403e
0x00414046
0x00414056
0x0041405f
0x00414065
0x00414074
0x00414083
0x00414088
0x0041408d
0x00414090
0x00414093
0x004140a0
0x00414048
0x0041404f
0x004140aa
0x004140ad
0x004140b0
0x004140bd
0x004140bd

APIs

GetProcAddress.KERNEL32(?,?), ref: 0041404A
GetProcAddress.KERNEL32(?,00000000), ref: 00414083

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: 87bbede48919e2c320656d28165f2dd41f3e4cb1cd8a5dac7222dfe60dbaf93b
Instruction ID: b41df1fa75d381eed13266955d9feb05bf3a80cdd3b44aa66b38c7297c5ee5d6
Opcode Fuzzy Hash: 87bbede48919e2c320656d28165f2dd41f3e4cb1cd8a5dac7222dfe60dbaf93b
Instruction Fuzzy Hash: 3C11C631604208AFD701DF22CC529AD7BECEB8E714BA2047AF904E3680DB385F549599

Uniqueness

Uniqueness Score: -1.00%

Function 0040E9E0 Relevance: 3.1, APIs: 2, Instructions: 55
libraryCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0040E9E0(void* __eax, void* __ebx, void* __edi, void* __esi, void* __eflags) {
				char _v8;
				short _v530;
				char _v536;
				char _v540;
				void* _t44;
				intOrPtr _t45;
				void* _t49;
				void* _t52;

				_v536 = 0;
				_v540 = 0;
				_v8 = 0;
				_t49 = __eax;
				_push(_t52);
				_push(0x40ea9a);
				_push( *[fs:eax]);
				 *[fs:eax] = _t52 + 0xfffffde8;
				GetModuleFileNameW(0,  &_v530, 0x105);
				E0040B2DC( &_v536, _t49);
				_push(_v536);
				E0040B318( &_v540, 0x105,  &_v530);
				_pop(_t44); // executed
				E0040E8BC(_v540, 0,  &_v8, _t44, __edi, _t49); // executed
				if(_v8 != 0) {
					LoadLibraryExW(E0040B278(_v8), 0, 2);
				}
				_pop(_t45);
				 *[fs:eax] = _t45;
				_push(E0040EAA1);
				E0040A228( &_v540, 2);
				return E0040A1C8( &_v8);
			}

0x0040e9ed
0x0040e9f3
0x0040e9f9
0x0040e9fc
0x0040ea00
0x0040ea01
0x0040ea06
0x0040ea09
0x0040ea1c
0x0040ea29
0x0040ea34
0x0040ea46
0x0040ea54
0x0040ea55
0x0040ea5e
0x0040ea6d
0x0040ea72
0x0040ea76
0x0040ea79
0x0040ea7c
0x0040ea8c
0x0040ea99

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040EA9A,?,?,00000000), ref: 0040EA1C
LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,0040EA9A,?,?,00000000), ref: 0040EA6D

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: FileLibraryLoadModuleName
String ID:
API String ID: 1159719554-0
Opcode ID: d8f8903bb8f55f7d45334c9080d72fcc7eb242fea3614e091d73e0bd29641f10
Instruction ID: bfcf378974dcce41ca09e2914a43810c414f47049a433e9fa093b73340916525
Opcode Fuzzy Hash: d8f8903bb8f55f7d45334c9080d72fcc7eb242fea3614e091d73e0bd29641f10
Instruction Fuzzy Hash: 46114270A4021CABDB10EB61DC86BDE73B8EB18304F5145FEA508B72D1DB785E848E99

Uniqueness

Uniqueness Score: -1.00%

Function 005ABB4C Relevance: 3.0, APIs: 2, Instructions: 50
threadCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E005ABB4C(intOrPtr __eax, void* __ebx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _t12;
				intOrPtr _t16;
				intOrPtr _t23;
				intOrPtr _t24;
				intOrPtr _t25;
				intOrPtr _t26;
				void* _t30;
				void* _t31;
				intOrPtr _t32;

				_t30 = _t31;
				_t32 = _t31 + 0xfffffff4;
				_t23 =  *0x6ccbac; // 0x0
				_v12 = _t23;
				_t24 =  *0x6ccbbc; // 0x0
				_v16 = _t24;
				 *0x6ccbac = __eax;
				 *0x6ccbbc = 0;
				_push(_t30);
				_push(0x5abbf9);
				_push( *[fs:eax]);
				 *[fs:eax] = _t32;
				 *0x6ccbb8 = 1;
				_push(_t30);
				_push( *[fs:eax]);
				 *[fs:eax] = _t32;
				EnumThreadWindows(GetCurrentThreadId(), 0x5abafc, 0);
				_t12 =  *0x6ccbbc; // 0x0
				_v8 = _t12;
				_pop(_t25);
				 *[fs:eax] = _t25;
				_t26 = 0x5abbbb;
				 *[fs:eax] = _t26;
				_push(E005ABC00);
				 *0x6ccbb8 = 0;
				 *0x6ccbbc = _v16;
				_t16 = _v12;
				 *0x6ccbac = _t16;
				return _t16;
			}

0x005abb4d
0x005abb4f
0x005abb55
0x005abb5b
0x005abb5e
0x005abb64
0x005abb67
0x005abb6e
0x005abb7a
0x005abb7b
0x005abb80
0x005abb83
0x005abb86
0x005abb8f
0x005abb95
0x005abb98
0x005abba4
0x005abba9
0x005abbae
0x005abbb3
0x005abbb6
0x005abbd6
0x005abbd9
0x005abbdc
0x005abbe1
0x005abbeb
0x005abbf0
0x005abbf3
0x005abbf8

APIs

GetCurrentThreadId.KERNEL32 ref: 005ABB9E
EnumThreadWindows.USER32(00000000,005ABAFC,00000000), ref: 005ABBA4

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: Thread$CurrentEnumWindows
String ID:
API String ID: 2396873506-0
Opcode ID: 50b1606a0afe4943f6b819d05498a248b249cba9426d36aa2a532158776b3fde
Instruction ID: ee6e8008b641080cd7585ababab2aba3c455f5a37fbde39c0718e37cfc8f8a06
Opcode Fuzzy Hash: 50b1606a0afe4943f6b819d05498a248b249cba9426d36aa2a532158776b3fde
Instruction Fuzzy Hash: C5112574A08744AFD711CF66DCA2D6ABFE9E74A720F1194AAE804D3791E7756C00CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0060C158 Relevance: 3.0, APIs: 2, Instructions: 42
fileCOMMON

Download Yara Rule

C-Code - Quality: 60%

			E0060C158(void* __eax, void* __edx, void* __eflags) {
				int _v8;
				char _v16;
				long _v20;
				int _t13;
				intOrPtr _t27;
				void* _t32;
				void* _t34;
				intOrPtr _t35;

				_t32 = _t34;
				_t35 = _t34 + 0xfffffff0;
				if(E0060BF74(__eax,  &_v16) != 0) {
					_push(_t32);
					_push(0x60c1b5);
					_push( *[fs:eax]);
					 *[fs:eax] = _t35;
					_t13 = DeleteFileW(E0040B278(__edx)); // executed
					_v8 = _t13;
					_v20 = GetLastError();
					_pop(_t27);
					 *[fs:eax] = _t27;
					_push(E0060C1BC);
					return E0060BFB0( &_v16);
				} else {
					_v8 = 0;
					return _v8;
				}
			}

0x0060c159
0x0060c15b
0x0060c170
0x0060c17b
0x0060c17c
0x0060c181
0x0060c184
0x0060c18f
0x0060c194
0x0060c19c
0x0060c1a1
0x0060c1a4
0x0060c1a7
0x0060c1b4
0x0060c172
0x0060c174
0x0060c1cd
0x0060c1cd

APIs

DeleteFileW.KERNEL32(00000000,00000000,0060C1B5,?,?,?), ref: 0060C18F
GetLastError.KERNEL32(00000000,00000000,0060C1B5,?,?,?), ref: 0060C197

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: DeleteErrorFileLast
String ID:
API String ID: 2018770650-0
Opcode ID: 3697c3af58fd59330cb1976570848beae36e068bde04d4d9265381b0fddbc49e
Instruction ID: 318e45fb2803f7fcaacad33ae20e8141f5d943eca3b4fb5a26b9ca9ca2c048f0
Opcode Fuzzy Hash: 3697c3af58fd59330cb1976570848beae36e068bde04d4d9265381b0fddbc49e
Instruction Fuzzy Hash: 9EF0C831A44308ABCB04DFB59C4149FB7E9DB0932075147FAF804D3382E7745E005994

Uniqueness

Uniqueness Score: -1.00%

Function 0060C664 Relevance: 3.0, APIs: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E0060C664(void* __eax, void* __edx, void* __eflags) {
				int _v8;
				char _v16;
				long _v20;
				int _t13;
				intOrPtr _t27;
				void* _t32;
				void* _t34;
				intOrPtr _t35;

				_t32 = _t34;
				_t35 = _t34 + 0xfffffff0;
				if(E0060BF74(__eax,  &_v16) != 0) {
					_push(_t32);
					_push(0x60c6c1);
					_push( *[fs:eax]);
					 *[fs:eax] = _t35;
					_t13 = RemoveDirectoryW(E0040B278(__edx)); // executed
					_v8 = _t13;
					_v20 = GetLastError();
					_pop(_t27);
					 *[fs:eax] = _t27;
					_push(E0060C6C8);
					return E0060BFB0( &_v16);
				} else {
					_v8 = 0;
					return _v8;
				}
			}

0x0060c665
0x0060c667
0x0060c67c
0x0060c687
0x0060c688
0x0060c68d
0x0060c690
0x0060c69b
0x0060c6a0
0x0060c6a8
0x0060c6ad
0x0060c6b0
0x0060c6b3
0x0060c6c0
0x0060c67e
0x0060c680
0x0060c6d9
0x0060c6d9

APIs

RemoveDirectoryW.KERNEL32(00000000,00000000,0060C6C1,?,?,00000000), ref: 0060C69B
GetLastError.KERNEL32(00000000,00000000,0060C6C1,?,?,00000000), ref: 0060C6A3

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: DirectoryErrorLastRemove
String ID:
API String ID: 377330604-0
Opcode ID: 53d77f0b7f1706873743be23e773c9934c7890b647961f754ec8971419ba3f02
Instruction ID: 4dcda24c2f25390586e6dcbd063c7cff493c698b67123ab594910c5e431ffc76
Opcode Fuzzy Hash: 53d77f0b7f1706873743be23e773c9934c7890b647961f754ec8971419ba3f02
Instruction Fuzzy Hash: 86F0C231A94208ABDB14DFB5AC418AFB3E9DB493207514BBAF804E3281EB755E105698

Uniqueness

Uniqueness Score: -1.00%

Function 0042B848 Relevance: 3.0, APIs: 2, Instructions: 33
libraryCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E0042B848(void* __eax, void* __ebx, int __edx) {
				struct HINSTANCE__* _v12;
				int _v16;
				int _t4;
				struct HINSTANCE__* _t9;
				void* _t12;
				intOrPtr _t16;
				void* _t18;
				void* _t19;
				intOrPtr _t20;

				_t18 = _t19;
				_t20 = _t19 + 0xfffffff4;
				_t12 = __eax;
				_t4 = SetErrorMode(__edx); // executed
				_v16 = _t4;
				_push(_t18);
				_push(0x42b8ba);
				_push( *[fs:eax]);
				 *[fs:eax] = _t20;
				asm("fnstcw word [ebp-0x2]");
				_push(_t18);
				_push(0x42b89c);
				_push( *[fs:eax]);
				 *[fs:eax] = _t20;
				_t9 = LoadLibraryW(E0040B278(_t12)); // executed
				_v12 = _t9;
				_pop(_t16);
				 *[fs:eax] = _t16;
				_push(E0042B8A3);
				asm("fclex");
				asm("fldcw word [ebp-0x2]");
				return 0;
			}

0x0042b849
0x0042b84b
0x0042b84f
0x0042b852
0x0042b857
0x0042b85c
0x0042b85d
0x0042b862
0x0042b865
0x0042b868
0x0042b86d
0x0042b86e
0x0042b873
0x0042b876
0x0042b881
0x0042b886
0x0042b88b
0x0042b88e
0x0042b891
0x0042b896
0x0042b898
0x0042b89b

APIs

SetErrorMode.KERNEL32(00008000,00000000), ref: 0042B852
LoadLibraryW.KERNEL32(00000000,00000000,0042B89C,?,00000000,0042B8BA,?,00008000,00000000), ref: 0042B881

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: ErrorLibraryLoadMode
String ID:
API String ID: 2987862817-0
Opcode ID: bafc7f7ad5ba0b93fd7dfaf8dc6f39cf540acb28857c75713e2fa6cc4fedd3c5
Instruction ID: 1e325d9ebe5d0822fb749a998e89c34c252ba1fb5941e6000e67edf6569427d0
Opcode Fuzzy Hash: bafc7f7ad5ba0b93fd7dfaf8dc6f39cf540acb28857c75713e2fa6cc4fedd3c5
Instruction Fuzzy Hash: D6F08270614704BEDB016FB69C5286FBBECEB4AB0079349B6F814A2691E67D581086A8

Uniqueness

Uniqueness Score: -1.00%

Function 005B8250 Relevance: 3.0, APIs: 2, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E005B8250(void* __eax, void* __edx, void* __eflags) {
				void* _t9;
				void* _t17;
				void* _t22;
				void* _t23;

				_t23 = __eflags;
				_t22 = __edx;
				_t17 = __eax;
				_t9 = E0040B660( *((intOrPtr*)(__eax + 0xa4)), __edx);
				if(_t23 == 0) {
					return _t9;
				}
				if( *((char*)(_t17 + 0xc4)) != 0) {
					if( *((char*)(_t17 + 0xeb)) == 0) {
						SetWindowTextW( *(_t17 + 0x188), E0040B278(__edx));
					} else {
						SetWindowTextW( *(_t17 + 0x188), 0);
					}
				}
				_t6 = _t17 + 0xa4; // 0xa4
				return E0040A5A8(_t6, _t22);
			}

0x005b8250
0x005b8253
0x005b8255
0x005b825f
0x005b8264
0x005b82ac
0x005b82ac
0x005b826d
0x005b8276
0x005b8297
0x005b8278
0x005b8281
0x005b8281
0x005b8276
0x005b829c
0x00000000

APIs

SetWindowTextW.USER32(?,00000000), ref: 005B8281
SetWindowTextW.USER32(?,00000000), ref: 005B8297

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: 33779a9760d10673c226e654349b0cc0fe433a542468b9758a9705a4e554b78e
Instruction ID: 06eb74493f32fc7ca45b3b7e2b46e6e7fae3055f649a2dcd14cf2a1bc93d960e
Opcode Fuzzy Hash: 33779a9760d10673c226e654349b0cc0fe433a542468b9758a9705a4e554b78e
Instruction Fuzzy Hash: 2AF0A7743015002ADB11AA6A8885BFA678CAF86715F0801BAFE049F387CF785D41C3BA

Uniqueness

Uniqueness Score: -1.00%

Function 006AC477 Relevance: 3.0, APIs: 2, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 35%

			E006AC477() {
				void* _t13;
				void* _t15;
				intOrPtr _t16;
				intOrPtr _t24;
				intOrPtr _t32;
				intOrPtr _t37;
				intOrPtr _t48;
				intOrPtr _t53;
				intOrPtr _t55;
				void* _t56;
				intOrPtr _t57;

				_t13 =  *0x6d68ac(0x6cd804, 0x8000, 0, _t56 - 4); // executed
				if(_t13 != 0) {
					_t15 =  *0x6d68ac(0x6cd814, 0x8000, 0, _t56 - 4); // executed
					if(_t15 != 0) {
						if( *0x6d67dc == 0) {
							_t16 =  *0x6d6534; // 0x0
							E005C4EA4(_t16, _t56 - 0x38);
							E0040B4C8(0x6d6564, L"COMMAND.COM",  *((intOrPtr*)(_t56 - 0x38))); // executed
						} else {
							_t24 =  *0x6d6538; // 0x0
							E005C4EA4(_t24, _t56 - 0x34);
							E0040B4C8(0x6d6564, L"cmd.exe",  *((intOrPtr*)(_t56 - 0x34)));
						}
						E006AC180(); // executed
						_pop(_t48);
						 *[fs:eax] = _t48;
						_push(E006AC58D);
						return E0040A228(_t56 - 0x38, 0xd);
					} else {
						_push(_t56);
						_push(0x6ac516);
						_push( *[fs:eax]);
						 *[fs:eax] = _t57;
						E0040C8BC();
						_pop(_t53);
						 *[fs:eax] = _t53;
						_push(E006AC51D);
						_t32 =  *((intOrPtr*)(_t56 - 4));
						_push(_t32);
						L0043C214();
						return _t32;
					}
				} else {
					_push(_t56);
					_push(0x6ac4c3);
					_push( *[fs:eax]);
					 *[fs:eax] = _t57;
					E0040C8BC();
					_pop(_t55);
					 *[fs:eax] = _t55;
					_push(E006AC4CA);
					_t37 =  *((intOrPtr*)(_t56 - 4));
					_push(_t37);
					L0043C214();
					return _t37;
				}
			}

0x006ac487
0x006ac48f
0x006ac4da
0x006ac4e2
0x006ac524
0x006ac54a
0x006ac54f
0x006ac561
0x006ac526
0x006ac529
0x006ac52e
0x006ac540
0x006ac540
0x006ac566
0x006ac56d
0x006ac570
0x006ac573
0x006ac585
0x006ac4e4
0x006ac4e6
0x006ac4e7
0x006ac4ec
0x006ac4ef
0x006ac4fa
0x006ac501
0x006ac504
0x006ac507
0x006ac50c
0x006ac50f
0x006ac510
0x006ac515
0x006ac515
0x006ac491
0x006ac493
0x006ac494
0x006ac499
0x006ac49c
0x006ac4a7
0x006ac4ae
0x006ac4b1
0x006ac4b4
0x006ac4b9
0x006ac4bc
0x006ac4bd
0x006ac4c2
0x006ac4c2

APIs

SHGetKnownFolderPath.SHELL32(006CD804,00008000,00000000,?,?,00000000,00000000,?,006B7B68,00000006,?,00000000,006B813A,?,00000000,006B81F9), ref: 006AC487
CoTaskMemFree.OLE32(?,006AC4CA,?,00000000,00000000,?,006B7B68,00000006,?,00000000,006B813A,?,00000000,006B81F9), ref: 006AC4BD
SHGetKnownFolderPath.SHELL32(006CD814,00008000,00000000,?,?,00000000,00000000,?,006B7B68,00000006,?,00000000,006B813A,?,00000000,006B81F9), ref: 006AC4DA
CoTaskMemFree.OLE32(?,006AC51D,?,00000000,00000000,?,006B7B68,00000006,?,00000000,006B813A,?,00000000,006B81F9), ref: 006AC510

Strings

COMMAND.COM, xrefs: 006AC55C
SystemDrive, xrefs: 006AC2C1
Failed to get path of 64-bit Common Files directory, xrefs: 006AC3FA
ProgramFilesDir, xrefs: 006AC322, 006AC3A9
CommonFilesDir, xrefs: 006AC35C, 006AC3D8
Common Files, xrefs: 006AC393
cmd.exe, xrefs: 006AC53B
Failed to get path of 64-bit Program Files directory, xrefs: 006AC3CB
\Program Files, xrefs: 006AC349

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: FolderFreeKnownPathTask
String ID: COMMAND.COM$Common Files$CommonFilesDir$Failed to get path of 64-bit Common Files directory$Failed to get path of 64-bit Program Files directory$ProgramFilesDir$SystemDrive$\Program Files$cmd.exe
API String ID: 969438705-544719455
Opcode ID: 8384953cfd88f85c37ee3bb36c9ff3900296b8c279f57d69efe11ea1f24b55c1
Instruction ID: 8490eda7aae5474be0b02337b94e319d82e09844d8c50d4b14fc66eb57101d9e
Opcode Fuzzy Hash: 8384953cfd88f85c37ee3bb36c9ff3900296b8c279f57d69efe11ea1f24b55c1
Instruction Fuzzy Hash: 32E09232744700AEE711ABA5DC62F3A77E9E74DB10B62447AF404E2690D634AD009A28

Uniqueness

Uniqueness Score: -1.00%

Function 006AC4CA Relevance: 3.0, APIs: 2, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 47%

			E006AC4CA() {
				void* _t10;
				intOrPtr _t11;
				intOrPtr _t19;
				intOrPtr _t27;
				intOrPtr _t36;
				intOrPtr _t41;
				void* _t42;
				intOrPtr _t43;

				_t10 =  *0x6d68ac(0x6cd814, 0x8000, 0, _t42 - 4); // executed
				if(_t10 != 0) {
					if( *0x6d67dc == 0) {
						_t11 =  *0x6d6534; // 0x0
						E005C4EA4(_t11, _t42 - 0x38);
						E0040B4C8(0x6d6564, L"COMMAND.COM",  *((intOrPtr*)(_t42 - 0x38))); // executed
					} else {
						_t19 =  *0x6d6538; // 0x0
						E005C4EA4(_t19, _t42 - 0x34);
						E0040B4C8(0x6d6564, L"cmd.exe",  *((intOrPtr*)(_t42 - 0x34)));
					}
					E006AC180(); // executed
					_pop(_t36);
					 *[fs:eax] = _t36;
					_push(E006AC58D);
					return E0040A228(_t42 - 0x38, 0xd);
				} else {
					_push(_t42);
					_push(0x6ac516);
					_push( *[fs:eax]);
					 *[fs:eax] = _t43;
					E0040C8BC();
					_pop(_t41);
					 *[fs:eax] = _t41;
					_push(E006AC51D);
					_t27 =  *((intOrPtr*)(_t42 - 4));
					_push(_t27);
					L0043C214();
					return _t27;
				}
			}

0x006ac4da
0x006ac4e2
0x006ac524
0x006ac54a
0x006ac54f
0x006ac561
0x006ac526
0x006ac529
0x006ac52e
0x006ac540
0x006ac540
0x006ac566
0x006ac56d
0x006ac570
0x006ac573
0x006ac585
0x006ac4e4
0x006ac4e6
0x006ac4e7
0x006ac4ec
0x006ac4ef
0x006ac4fa
0x006ac501
0x006ac504
0x006ac507
0x006ac50c
0x006ac50f
0x006ac510
0x006ac515
0x006ac515

APIs

SHGetKnownFolderPath.SHELL32(006CD814,00008000,00000000,?,?,00000000,00000000,?,006B7B68,00000006,?,00000000,006B813A,?,00000000,006B81F9), ref: 006AC4DA
CoTaskMemFree.OLE32(?,006AC51D,?,00000000,00000000,?,006B7B68,00000006,?,00000000,006B813A,?,00000000,006B81F9), ref: 006AC510

Strings

COMMAND.COM, xrefs: 006AC55C
SystemDrive, xrefs: 006AC2C1
Failed to get path of 64-bit Common Files directory, xrefs: 006AC3FA
ProgramFilesDir, xrefs: 006AC322, 006AC3A9
CommonFilesDir, xrefs: 006AC35C, 006AC3D8
Common Files, xrefs: 006AC393
cmd.exe, xrefs: 006AC53B
Failed to get path of 64-bit Program Files directory, xrefs: 006AC3CB
\Program Files, xrefs: 006AC349

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: FolderFreeKnownPathTask
String ID: COMMAND.COM$Common Files$CommonFilesDir$Failed to get path of 64-bit Common Files directory$Failed to get path of 64-bit Program Files directory$ProgramFilesDir$SystemDrive$\Program Files$cmd.exe
API String ID: 969438705-544719455
Opcode ID: 313031661c9f3d937668f184e05f07051bbe0573f7bc91d8efeaafa51bbcf367
Instruction ID: c6c261769d38d943bb646f4c75fbe89f1fed75b0b48c3df2323ffd2a5fb60eac
Opcode Fuzzy Hash: 313031661c9f3d937668f184e05f07051bbe0573f7bc91d8efeaafa51bbcf367
Instruction Fuzzy Hash: 7DE02230B00300AEEB12AFA8CC02F2A73A9EB09B40F62447AF400D6680D634ED108E38

Uniqueness

Uniqueness Score: -1.00%

Function 004786AC Relevance: 3.0, APIs: 2, Instructions: 16
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004786AC(struct HWND__* __eax) {
				int _t3;
				struct HWND__* _t7;

				_t7 = __eax;
				_t6 = GetWindowLongW(__eax, 0xfffffffc);
				_t3 = DestroyWindow(_t7); // executed
				if(_t2 != L00414778) {
					return E004784F4(_t6);
				}
				return _t3;
			}

0x004786ae
0x004786b8
0x004786bb
0x004786c6
0x00000000
0x004786ca
0x004786d1

APIs

GetWindowLongW.USER32(00000000,000000FC), ref: 004786B3
DestroyWindow.USER32(00000000,00000000,000000FC,?,?,0061559E,006B8C29), ref: 004786BB

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: Window$DestroyLong
String ID:
API String ID: 2871862000-0
Opcode ID: 21f9de746b4a3ac2ffe65a062f9f41cf70f012a852ffe98306038f1eec2ec08f
Instruction ID: 631b19700b559cadd17185a070b253bcc10ed0a910bd4b2a6cdfdfbedeaeb0c2
Opcode Fuzzy Hash: 21f9de746b4a3ac2ffe65a062f9f41cf70f012a852ffe98306038f1eec2ec08f
Instruction Fuzzy Hash: 14C012A12021302A161131796CC98EB00888C823A9329866FF824862D3DF8C0D8102ED

Uniqueness

Uniqueness Score: -1.00%

Function 00406DF0 Relevance: 2.6, APIs: 2, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406DF0() {
				intOrPtr _t13;
				intOrPtr* _t14;
				int _t18;
				intOrPtr* _t23;
				void* _t25;
				void* _t26;
				void* _t28;
				void* _t31;

				_t28 =  *0x006CFAE0;
				while(_t28 != 0x6cfadc) {
					_t2 = _t28 + 4; // 0x6cfadc
					VirtualFree(_t28, 0, 0x8000); // executed
					_t28 =  *_t2;
				}
				_t25 = 0x37;
				_t13 = 0x6c5084;
				do {
					 *((intOrPtr*)(_t13 + 0xc)) = _t13;
					 *((intOrPtr*)(_t13 + 8)) = _t13;
					 *((intOrPtr*)(_t13 + 0x10)) = 1;
					 *((intOrPtr*)(_t13 + 0x14)) = 0;
					_t13 = _t13 + 0x20;
					_t25 = _t25 - 1;
				} while (_t25 != 0);
				 *0x6cfadc = 0x6cfadc;
				 *0x006CFAE0 = 0x6cfadc;
				_t26 = 0x400;
				_t23 = 0x6cfb7c;
				do {
					_t14 = _t23;
					 *_t14 = _t14;
					_t8 = _t14 + 4; // 0x6cfb7c
					 *_t8 = _t14;
					_t23 = _t23 + 8;
					_t26 = _t26 - 1;
				} while (_t26 != 0);
				 *0x6cfaf8 = 0;
				E00407760(0x6cfafc, 0x80);
				_t18 = 0;
				 *0x6cfaf4 = 0;
				_t31 =  *0x006D1B84;
				while(_t31 != 0x6d1b80) {
					_t10 = _t31 + 4; // 0x6d1b80
					_t18 = VirtualFree(_t31, 0, 0x8000);
					_t31 =  *_t10;
				}
				 *0x6d1b80 = 0x6d1b80;
				 *0x006D1B84 = 0x6d1b80;
				return _t18;
			}

0x00406dfe
0x00406e15
0x00406e03
0x00406e0e
0x00406e13
0x00406e13
0x00406e19
0x00406e1e
0x00406e23
0x00406e25
0x00406e2a
0x00406e2d
0x00406e36
0x00406e39
0x00406e3c
0x00406e3c
0x00406e3f
0x00406e41
0x00406e44
0x00406e49
0x00406e4e
0x00406e4e
0x00406e50
0x00406e52
0x00406e52
0x00406e55
0x00406e58
0x00406e58
0x00406e5d
0x00406e6e
0x00406e73
0x00406e75
0x00406e7a
0x00406e91
0x00406e7f
0x00406e8a
0x00406e8f
0x00406e8f
0x00406e95
0x00406e97
0x00406e9e

APIs

VirtualFree.KERNEL32(006CFADC,00000000,00008000), ref: 00406E0E
VirtualFree.KERNEL32(006D1B80,00000000,00008000), ref: 00406E8A

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: ba0a6a8ba3a490a9d7cf8823c3f45091e9916bb0961cb6397077b966313e451f
Instruction ID: 8d3276661228be03e62c92a97986ee0a4f38eb12010ad15582d000b3628175ea
Opcode Fuzzy Hash: ba0a6a8ba3a490a9d7cf8823c3f45091e9916bb0961cb6397077b966313e451f
Instruction Fuzzy Hash: CA1194716007009FD7648F58D841B26BBE2EB84754F26807FE54EEF381D678AC018BD8

Uniqueness

Uniqueness Score: -1.00%

Function 00409B58 Relevance: 1.5, APIs: 1, Instructions: 38COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(00000000,00409BA6,?,006C5000,006D1B9C,?,?,00409FA9,?,?,?,0040A032,0040701B,00407062,?,?), ref: 00409B96

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: f8d181e33e77468429ffc4b921afeeebf03913a5087e96241a90740b508f10d8
Instruction ID: 984d59f3d031b3db7ed4f0d205521ad444ca36c97295ef9fd1821bff389e3508
Opcode Fuzzy Hash: f8d181e33e77468429ffc4b921afeeebf03913a5087e96241a90740b508f10d8
Instruction Fuzzy Hash: 3BF09031B05705AED3314F0AB880E53BBACFB4A770755047BD808A6792E3B9BC00C5A4

Uniqueness

Uniqueness Score: -1.00%

Function 004236FC Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,C0000000,00000004,00000000,00000004,00000080,00000000,?,?,00443D4C,00469961,00000000,00469A4C,?,?,00443D4C), ref: 00423745

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 6f16c655491f78fa5763c8526b08530e2a4023042208957ddd042cfe4711d361
Instruction ID: 502252b8251e75369e7d593655d0488969bd90bcda5cf89e16fadd6ec266699d
Opcode Fuzzy Hash: 6f16c655491f78fa5763c8526b08530e2a4023042208957ddd042cfe4711d361
Instruction Fuzzy Hash: AEE0DFE3B401243AF72069AE9C82F7B9159C781776F06023AFB60EB2D1C558EC0086E8

Uniqueness

Uniqueness Score: -1.00%

Function 005C857C Relevance: 1.5, APIs: 1, Instructions: 28
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E005C857C(long __eax, void* __edx) {
				short _v2052;
				signed int _t7;
				void* _t10;
				signed int _t16;
				void* _t17;

				_t10 = __edx;
				_t7 = FormatMessageW(0x3200, 0, __eax, 0,  &_v2052, 0x400, 0); // executed
				while(_t7 > 0) {
					_t16 =  *(_t17 + _t7 * 2 - 2) & 0x0000ffff;
					if(_t16 <= 0x20) {
						L1:
						_t7 = _t7 - 1;
						__eflags = _t7;
						continue;
					} else {
						_t20 = _t16 - 0x2e;
						if(_t16 == 0x2e) {
							goto L1;
						}
					}
					break;
				}
				return E0040A350(_t10, _t7, _t17, _t20);
			}

0x005c8583
0x005c859b
0x005c85a3
0x005c85a7
0x005c85b0
0x005c85a2
0x005c85a2
0x005c85a2
0x00000000
0x005c85b2
0x005c85b2
0x005c85b6
0x00000000
0x00000000
0x005c85b6
0x00000000
0x005c85b0
0x005c85c9

APIs

FormatMessageW.KERNEL32(00003200,00000000,00000000,00000000,?,00000400,00000000,00000000,005CBEAE,00000000,005CBEFF,?,005CC0E0), ref: 005C859B

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: 388da2a30acd779cb9b4506f5decf73e4625cccda17330470f141bc11173101f
Instruction ID: 09862238c43e822cbcf5df792bab944b0a9534785c307f7411e32f5bd31f51a0
Opcode Fuzzy Hash: 388da2a30acd779cb9b4506f5decf73e4625cccda17330470f141bc11173101f
Instruction Fuzzy Hash: 30E020707543113EF32421950C43FFA1589F7C0B04FE4443D76409D2D5DEF9D8554296

Uniqueness

Uniqueness Score: -1.00%

Function 005C6808 Relevance: 1.5, APIs: 1, Instructions: 27
COMMON

Download Yara Rule

C-Code - Quality: 31%

			E005C6808(void* __eax, void* __ebx, void* __ecx, void* __eflags) {
				char _v8;
				intOrPtr _t21;
				intOrPtr _t24;

				_push(0);
				_push(_t24);
				_push(0x5c684e);
				_push( *[fs:eax]);
				 *[fs:eax] = _t24;
				E005C567C(__eax, __ecx,  &_v8, __eflags);
				GetFileAttributesW(E0040B278(_v8)); // executed
				_pop(_t21);
				 *[fs:eax] = _t21;
				_push(E005C6855);
				return E0040A1C8( &_v8);
			}

0x005c680b
0x005c6812
0x005c6813
0x005c6818
0x005c681b
0x005c6823
0x005c6831
0x005c683a
0x005c683d
0x005c6840
0x005c684d

APIs

GetFileAttributesW.KERNEL32(00000000,00000000,005C684E,?,00000000,00000000,?,005C689E,00000000,0060C275,00000000,0060C296,?,00000000,00000000,006B912A), ref: 005C6831

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: b20873582e115f6403f0b7dec274c5602bc03a2b9c5d8d66d1ec80c96a2dfcd3
Instruction ID: 7ef4f7d410bb1350c6c34c2cfd3ab79e32246cebd9daa6780dadc2d4ee8c12dd
Opcode Fuzzy Hash: b20873582e115f6403f0b7dec274c5602bc03a2b9c5d8d66d1ec80c96a2dfcd3
Instruction Fuzzy Hash: 9AE09231344308AFE701EAF6CC52E5DB7EDE749704B924879F400D7682E678AE108458

Uniqueness

Uniqueness Score: -1.00%

Function 0040D754 Relevance: 1.5, APIs: 1, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040D754(void* __eax) {
				short _v532;
				void* __ebx;
				void* __esi;
				intOrPtr _t14;
				void* _t16;
				void* _t18;
				void* _t19;
				intOrPtr _t20;
				void* _t21;

				_t16 = __eax;
				_t22 =  *((intOrPtr*)(__eax + 0x10));
				if( *((intOrPtr*)(__eax + 0x10)) == 0) {
					GetModuleFileNameW( *(__eax + 4),  &_v532, 0x20a);
					_t14 = E0040E9E0(_t21, _t16, _t18, _t19, _t22); // executed
					_t20 = _t14;
					 *((intOrPtr*)(_t16 + 0x10)) = _t20;
					if(_t20 == 0) {
						 *((intOrPtr*)(_t16 + 0x10)) =  *((intOrPtr*)(_t16 + 4));
					}
				}
				return  *((intOrPtr*)(_t16 + 0x10));
			}

0x0040d75c
0x0040d75e
0x0040d762
0x0040d772
0x0040d77b
0x0040d780
0x0040d782
0x0040d787
0x0040d78c
0x0040d78c
0x0040d787
0x0040d79a

APIs

GetModuleFileNameW.KERNEL32(?,?,0000020A), ref: 0040D772

Part of subcall function 0040E9E0: GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040EA9A,?,?,00000000), ref: 0040EA1C
Part of subcall function 0040E9E0: LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,0040EA9A,?,?,00000000), ref: 0040EA6D

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: FileModuleName$LibraryLoad
String ID:
API String ID: 4113206344-0
Opcode ID: 0c4338d5c56e5e7d061b7f443bbaa86d882c427cb1541d3f25e0c99049ab022e
Instruction ID: e6e9750417710ce6057aade1326652b07051d0f0da16d230474427610a1a2044
Opcode Fuzzy Hash: 0c4338d5c56e5e7d061b7f443bbaa86d882c427cb1541d3f25e0c99049ab022e
Instruction Fuzzy Hash: 6EE0C9B1A013109BCB10DE98C8C5A577794AF08754F044AA6ED64DF386D375D9248BD5

Uniqueness

Uniqueness Score: -1.00%

Function 005118B8 Relevance: 1.5, APIs: 1, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E005118B8(intOrPtr* __eax, void* __edx) {
				void* _t15;
				intOrPtr _t16;
				intOrPtr* _t17;

				_t17 = __eax;
				_t1 = _t17 + 0x5c; // 0x27365
				_push( *_t1);
				_t15 =  *((intOrPtr*)( *__eax + 0xc8))();
				 *(__eax + 0x98) =  *(__eax + 0x98) | 0x00000004;
				if(( *(__eax + 0x1c) & 0x00000002) != 0) {
					_t10 = _t17 + 0x58; // 0x756c6156
					_t16 =  *_t10;
					 *((intOrPtr*)(__eax + 0x1b8)) = _t16;
					return _t16;
				}
				return _t15;
			}

0x005118ba
0x005118bd
0x005118c0
0x005118cb
0x005118d1
0x005118dc
0x005118de
0x005118de
0x005118e1
0x00000000
0x005118e1
0x005118e9

APIs

KiUserCallbackDispatcher.NTDLL(00027365,00000000,00000000,004C0068,006083EC,?,00000000,?,00000001,00000000,00000000,00000000,?,0068D5D0,00000001), ref: 005118CB

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 1ef83a670f5add13b9a374239f5fba316326babbb4ed16e1d195e7c525f61efe
Instruction ID: 9fcb5f38b0df23c263da8a60913ea9fccafb23266d8756c351c2c96681b23a4d
Opcode Fuzzy Hash: 1ef83a670f5add13b9a374239f5fba316326babbb4ed16e1d195e7c525f61efe
Instruction Fuzzy Hash: 70E09A712056405BEB84DE5CC4C5B957BE9AF49214F1440E5ED498B25BC7749C48CB54

Uniqueness

Uniqueness Score: -1.00%

Function 005C68A4 Relevance: 1.5, APIs: 1, Instructions: 18
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E005C68A4(void* __eax) {
				signed char _t7;

				_t7 = GetFileAttributesW(E0040B278(__eax)); // executed
				if(_t7 == 0xffffffff || (_t7 & 0x00000010) == 0 || (_t7 & 0x00000004) != 0) {
					return 0;
				} else {
					return 1;
				}
			}

0x005c68af
0x005c68b7
0x005c68c5
0x005c68c6
0x005c68c9
0x005c68c9

APIs

GetFileAttributesW.KERNEL32(00000000,?,0060C4A9,00000000,0060C4C2,?,?,00000000), ref: 005C68AF

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 2c2e483fa7f1336923ebad64303dd8ba648d4ecb4c9f1657c83a641d7b42aed9
Instruction ID: d55d13c6b4de8628cf529bab2b0a17402205638270c5277f1e7dff5d9331f337
Opcode Fuzzy Hash: 2c2e483fa7f1336923ebad64303dd8ba648d4ecb4c9f1657c83a641d7b42aed9
Instruction Fuzzy Hash: 75D012A034520019DE1455FE19F9F5907C45F85325B140B6EB965D51E2D3298F9B1059

Uniqueness

Uniqueness Score: -1.00%

Function 005C685C Relevance: 1.5, APIs: 1, Instructions: 16
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E005C685C(void* __eax) {
				signed char _t5;

				_t5 = GetFileAttributesW(E0040B278(__eax)); // executed
				if(_t5 == 0xffffffff || (_t5 & 0x00000010) != 0) {
					return 0;
				} else {
					return 1;
				}
			}

0x005c6867
0x005c686f
0x005c6878
0x005c6879
0x005c687c
0x005c687c

APIs

GetFileAttributesW.KERNEL32(00000000,00000000,005CD6D7,00000000), ref: 005C6867

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 339870d1e71ad855811f7abdfcd0412af3d786cf88be23b77bd5956e1918a324
Instruction ID: 78aee2f50b20cc69f9a983c300c852fe0a8819bfcc82724499c751dbdfa7c08b
Opcode Fuzzy Hash: 339870d1e71ad855811f7abdfcd0412af3d786cf88be23b77bd5956e1918a324
Instruction Fuzzy Hash: 86C08CA02412000A6E1065FE1CC9E5902E85E0533A3240B6EF438E22E3D629CAA3201A

Uniqueness

Uniqueness Score: -1.00%

Function 00424020 Relevance: 1.5, APIs: 1, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00424020(void* __eax) {
				int _t4;

				_t4 = SetCurrentDirectoryW(E0040B278(__eax)); // executed
				asm("sbb eax, eax");
				return _t4 + 1;
			}

0x0042402b
0x00424033
0x00424037

APIs

SetCurrentDirectoryW.KERNEL32(00000000,?,006B8A06,00000000,006B8C15,?,?,00000005,00000000,006B8C4E,?,?,00000000), ref: 0042402B

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: df8aed0e477c8dea0ce41bbd81e691bd114315e892edfb9c442192a2e0a47cf9
Instruction ID: daf6799c843f8394e9bb8cef5a1a486137c4a768e82a56cfe4f83ef7845b6ded
Opcode Fuzzy Hash: df8aed0e477c8dea0ce41bbd81e691bd114315e892edfb9c442192a2e0a47cf9
Instruction Fuzzy Hash: 9AB012A27903400ACE0075FF0CC9D1D00CCD95920F7200FBFB409D2143D57EC484001C

Uniqueness

Uniqueness Score: -1.00%

Function 0042B8A3 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E0042B8A3() {
				int _t4;
				intOrPtr _t7;
				void* _t8;

				_pop(_t7);
				 *[fs:eax] = _t7;
				_push(0x42b8c1);
				_t4 = SetErrorMode( *(_t8 - 0xc)); // executed
				return _t4;
			}

0x0042b8a5
0x0042b8a8
0x0042b8ab
0x0042b8b4
0x0042b8b9

APIs

SetErrorMode.KERNEL32(?,0042B8C1), ref: 0042B8B4

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: f668b7aac12c857ffb67314c22418dc82c6b08374c4fda6f72eaba5712bdb9bb
Instruction ID: 1e160e63f6e1d4a3e736ac7d2d169814141797cfe1ada65cb98a64290c0f9c9c
Opcode Fuzzy Hash: f668b7aac12c857ffb67314c22418dc82c6b08374c4fda6f72eaba5712bdb9bb
Instruction Fuzzy Hash: 9CB09B76F0C2005DA709B695745146C67D8EBC47103E148A7F404C2540D57C5444451C

Uniqueness

Uniqueness Score: -1.00%

Function 006ACE20 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E006ACE20() {
				struct HINSTANCE__* _t2;

				 *0x6d68a8 = 0;
				if( *0x6d68a4 != 0) {
					_t2 =  *0x6d68a4; // 0x0
					FreeLibrary(_t2); // executed
					 *0x6d68a4 = 0;
					return 0;
				}
				return 0;
			}

0x006ace22
0x006ace2e
0x006ace30
0x006ace36
0x006ace3d
0x00000000
0x006ace3d
0x006ace42

APIs

FreeLibrary.KERNEL32(00000000,006B8CD8,00000000,006B8CE7,?,?,?,?,?,006B97CB), ref: 006ACE36

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 650c2d9be93e6d5f462e5d12edbdf882febd7d7da0854463bef562122a1d1aae
Instruction ID: 0a261b708251fa214c00368c1c1d02b101a55c617d2dc256ba4673a2d64f6cb6
Opcode Fuzzy Hash: 650c2d9be93e6d5f462e5d12edbdf882febd7d7da0854463bef562122a1d1aae
Instruction Fuzzy Hash: 0DC002B0D131009ECF40DF7CDE45B4237E6A704305F081427F905C61A4D6344440EB24

Uniqueness

Uniqueness Score: -1.00%

Function 0047845C Relevance: 1.3, APIs: 1, Instructions: 52
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0047845C(intOrPtr _a4, intOrPtr _a8) {
				void* __ebx;
				void* _t14;
				void _t15;
				void* _t24;
				intOrPtr _t25;
				char* _t26;
				void* _t35;

				if( *0x6d4ff8 == 0) {
					_t14 = VirtualAlloc(0, 0x1000, 0x1000, 0x40); // executed
					_t35 = _t14;
					_t15 =  *0x6d4ff4; // 0x0
					 *_t35 = _t15;
					_t1 = _t35 + 4; // 0x4
					E0040714C(0x6c7a94, _t24, 2, _t1);
					_t2 = _t35 + 5; // 0x5
					 *((intOrPtr*)(_t35 + 6)) = E00478454(_t2, 0x478434);
					_t4 = _t35 + 0xa; // 0xa
					_t26 = _t4;
					do {
						 *_t26 = 0xe8;
						_t5 = _t35 + 4; // 0x4
						 *((intOrPtr*)(_t26 + 1)) = E00478454(_t26, _t5);
						 *((intOrPtr*)(_t26 + 5)) =  *0x6d4ff8;
						 *0x6d4ff8 = _t26;
						_t26 = _t26 + 0xd;
					} while (_t26 - _t35 < 0xffc);
					 *0x6d4ff4 = _t35;
				}
				_t25 =  *0x6d4ff8;
				 *0x6d4ff8 =  *((intOrPtr*)(_t25 + 5));
				 *((intOrPtr*)(_t25 + 5)) = _a4;
				 *((intOrPtr*)(_t25 + 9)) = _a8;
				return  *0x6d4ff8;
			}

0x0047846a
0x0047847a
0x0047847f
0x00478481
0x00478486
0x00478488
0x00478495
0x0047849f
0x004784a7
0x004784aa
0x004784aa
0x004784ad
0x004784ad
0x004784b0
0x004784ba
0x004784bf
0x004784c2
0x004784c4
0x004784cb
0x004784d2
0x004784d2
0x004784da
0x004784df
0x004784e4
0x004784ea
0x004784f1

APIs

VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,006D62F8,00000000,00000000,?,00478693,00000000,00000B06,00000000,?,00000000,00000000,00000000), ref: 0047847A

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 6c24b6a0fe5a989e3bb969723c1e56f7bd6d6c9795a823755d6c712a70d0a833
Instruction ID: 21ed9f25b44590dd6a88678dd2699128a8c8abd14296acda62ee9fdc78064473
Opcode Fuzzy Hash: 6c24b6a0fe5a989e3bb969723c1e56f7bd6d6c9795a823755d6c712a70d0a833
Instruction Fuzzy Hash: F6114C746813069BC710DF19C880B86B7E5EB98350F10C53AE96C9F385E7B4E904CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 004056E8 Relevance: 1.3, APIs: 1, Instructions: 41
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004056E8(signed int __eax) {
				void* _t4;
				intOrPtr _t7;
				signed int _t8;
				void** _t10;
				void* _t12;
				void* _t14;

				_t8 = __eax;
				E0040567C(__eax);
				_t4 = VirtualAlloc(0, 0x13fff0, 0x1000, 4); // executed
				if(_t4 == 0) {
					 *0x6cfaf4 = 0;
					return 0;
				} else {
					_t10 =  *0x6cfae0; // 0x6cfadc
					_t14 = _t4;
					 *_t14 = 0x6cfadc;
					 *0x6cfae0 = _t4;
					 *(_t14 + 4) = _t10;
					 *_t10 = _t4;
					_t12 = _t14 + 0x13fff0;
					 *((intOrPtr*)(_t12 - 4)) = 2;
					 *0x6cfaf4 = 0x13ffe0 - _t8;
					_t7 = _t12 - _t8;
					 *0x6cfaf0 = _t7;
					 *(_t7 - 4) = _t8 | 0x00000002;
					return _t7;
				}
			}

0x004056ea
0x004056ec
0x004056ff
0x00405706
0x00405758
0x00405761
0x00405708
0x00405708
0x0040570e
0x00405710
0x00405716
0x0040571b
0x0040571e
0x00405722
0x0040572d
0x0040573a
0x00405742
0x00405744
0x00405751
0x00405755
0x00405755

APIs

VirtualAlloc.KERNEL32(00000000,0013FFF0,00001000,00000004,?,000001A3,00405CFF,000000FF,004062A4,00000000,0040F3A7,00000000,0040F8B5,00000000,0040FB77,00000000), ref: 004056FF

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a522bf9bd685f9285ef17df139ca3c83d4d9edda6c804f015ead83d427766566
Instruction ID: 671f966e8e8ef53a1d331dc007cdee3d18c8d913abcb1f2bfacacf6af6d793b4
Opcode Fuzzy Hash: a522bf9bd685f9285ef17df139ca3c83d4d9edda6c804f015ead83d427766566
Instruction Fuzzy Hash: 9CF0AFF2B003018FD7549FB89D40B12BBD6E708354F20413EE90DEB794D7B088008B88

Uniqueness

Uniqueness Score: -1.00%

Function 00405812 Relevance: 1.3, APIs: 1, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E00405812(void* __eax) {
				struct _MEMORY_BASIC_INFORMATION _v44;
				void* _v48;
				void* _t13;
				int _t16;
				int _t20;
				void* _t22;
				signed int _t26;
				signed int _t29;
				signed int _t30;
				void* _t34;
				intOrPtr _t35;
				signed int _t39;
				void* _t41;
				void* _t42;

				_push(_t29);
				_t42 = _t41 + 0xffffffdc;
				_t34 = __eax - 0x10;
				E00405764();
				_t13 = _t34;
				 *_t42 =  *_t13;
				_v48 =  *((intOrPtr*)(_t13 + 4));
				_t26 =  *(_t13 + 0xc);
				if((_t26 & 0x00000008) != 0) {
					_t22 = _t34;
					_t39 = _t26 & 0xfffffff0;
					_t30 = 0;
					while(1) {
						VirtualQuery(_t22,  &_v44, 0x1c);
						_t16 = VirtualFree(_t22, 0, 0x8000); // executed
						if(_t16 == 0) {
							break;
						}
						_t35 = _v44.RegionSize;
						if(_t39 > _t35) {
							_t39 = _t39 - _t35;
							_t22 = _t22 + _t35;
							continue;
						}
						goto L10;
					}
					_t30 = _t30 | 0xffffffff;
				} else {
					_t20 = VirtualFree(_t34, 0, 0x8000); // executed
					if(_t20 == 0) {
						_t30 = _t29 | 0xffffffff;
					} else {
						_t30 = 0;
					}
				}
				L10:
				if(_t30 == 0) {
					 *_v48 =  *_t42;
					 *( *_t42 + 4) = _v48;
				}
				 *0x6d1b7c = 0;
				return _t30;
			}

0x00405816
0x00405818
0x0040581d
0x00405820
0x00405825
0x00405829
0x0040582f
0x00405833
0x00405839
0x00405855
0x00405859
0x0040585c
0x0040585e
0x00405866
0x00405873
0x0040587a
0x00000000
0x00000000
0x00405881
0x00405887
0x00405889
0x0040588b
0x00000000
0x0040588b
0x00000000
0x00405887
0x0040587c
0x0040583b
0x00405843
0x0040584a
0x00405850
0x0040584c
0x0040584c
0x0040584c
0x0040584a
0x0040588f
0x00405891
0x0040589a
0x004058a3
0x004058a3
0x004058a6
0x004058b6

APIs

VirtualFree.KERNEL32(?,00000000,00008000), ref: 00405843
VirtualQuery.KERNEL32(?,?,0000001C), ref: 00405866
VirtualFree.KERNEL32(?,00000000,00008000,?,?,0000001C), ref: 00405873

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: Virtual$Free$Query
String ID:
API String ID: 778034434-0
Opcode ID: 9cf1a0e01308b3a939f0f8b7cd504775b3f588773c4986be2e6cc2d25f9c1fa1
Instruction ID: 84a00d9712422ee72978a24a1d80a8d623c3a2aa13178c9074bfc96ea9226af9
Opcode Fuzzy Hash: 9cf1a0e01308b3a939f0f8b7cd504775b3f588773c4986be2e6cc2d25f9c1fa1
Instruction Fuzzy Hash: B8F08135704A009FD310EB2AC945B27B7E5EFC9750F19C17AE9889B3A0E635DC118B96

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00625754 Relevance: 40.4, APIs: 11, Strings: 12, Instructions: 187
pipeprocessfileCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E00625754(void* __eax, void* __ebx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
				char _v12;
				char _v16;
				void* _v20;
				void* _v24;
				long _v28;
				struct _STARTUPINFOW _v96;
				struct _PROCESS_INFORMATION _v112;
				char _v116;
				long _v120;
				char _v124;
				long _v128;
				char _v132;
				intOrPtr _v136;
				char _v140;
				intOrPtr _v144;
				char _v148;
				char _v152;
				char _v156;
				char _v160;
				char _v164;
				void* _v168;
				char _v172;
				char _v176;
				char _v180;
				char _v184;
				char* _t62;
				WCHAR* _t91;
				WCHAR* _t97;
				intOrPtr _t98;
				void* _t127;
				intOrPtr _t139;
				struct _FILETIME* _t141;
				void* _t145;
				void* _t146;
				intOrPtr _t147;

				_t145 = _t146;
				_t147 = _t146 + 0xffffff4c;
				_v156 = 0;
				_v160 = 0;
				_v16 = 0;
				_t127 = __eax;
				_t141 =  &_v12;
				_push(_t145);
				_push(0x625a4f);
				_push( *[fs:eax]);
				 *[fs:eax] = _t147;
				E00616130(L"Starting 64-bit helper process.", __eax, _t141, 0x6d636c);
				_t62 =  *0x6cda20; // 0x6d67dd
				if( *_t62 == 0) {
					E0060CD28(L"Cannot utilize 64-bit features on this version of Windows", _t127);
				}
				if( *0x6d6368 == 0) {
					E0060CD28(L"64-bit helper EXE wasn\'t extracted", _t127);
				}
				while(1) {
					 *0x6d636c =  *0x6d636c + 1;
					 *((intOrPtr*)(_t127 + 0x14)) = GetTickCount();
					if(QueryPerformanceCounter(_t141) == 0) {
						GetSystemTimeAsFileTime(_t141);
					}
					_v152 = GetCurrentProcessId();
					_v148 = 0;
					_v144 =  *0x6d636c;
					_v140 = 0;
					_v136 =  *((intOrPtr*)(_t127 + 0x14));
					_v132 = 0;
					_v128 = _t141->dwHighDateTime;
					_v124 = 0;
					_v120 = _t141->dwLowDateTime;
					_v116 = 0;
					E004244F8(L"\\\\.\\pipe\\InnoSetup64BitHelper-%.8x-%.8x-%.8x-%.8x%.8x", 4,  &_v152,  &_v16);
					_v20 = CreateNamedPipeW(E0040B278(_v16), 0x40080003, 6, 1, 0x2000, 0x2000, 0, 0);
					if(_v20 != 0xffffffff) {
						break;
					}
					if(GetLastError() != 0xe7) {
						E0060CE84(L"CreateNamedPipe");
					}
				}
				_push(_t145);
				_push(0x625a0b);
				_push( *[fs:eax]);
				 *[fs:eax] = _t147;
				_v24 = CreateFileW(E0040B278(_v16), 0xc0000000, 0, 0x6cd098, 3, 0, 0);
				if(_v24 == 0xffffffff) {
					E0060CE84(L"CreateFile");
				}
				_push(_t145);
				_push(0x6259fa);
				_push( *[fs:eax]);
				 *[fs:eax] = _t147;
				_v28 = 2;
				if(SetNamedPipeHandleState(_v24,  &_v28, 0, 0) == 0) {
					E0060CE84(L"SetNamedPipeHandleState");
				}
				E00407760( &_v96, 0x44);
				_v96.cb = 0x44;
				E005C745C( &_v156);
				_t91 = E0040B278(_v156);
				_v176 = 0x69;
				_v172 = 0;
				_v168 = _v24;
				_v164 = 0;
				E004244F8(L"helper %d 0x%x", 1,  &_v176,  &_v160);
				_t97 = E0040B278(_v160);
				_t98 =  *0x6d6368; // 0x0
				if(CreateProcessW(E0040B278(_t98), _t97, 0, 0, 0xffffffff, 0xc000000, 0, _t91,  &_v96,  &_v112) == 0) {
					E0060CE84(L"CreateProcess");
				}
				 *((char*)(_t127 + 4)) = 1;
				 *((char*)(_t127 + 5)) = 0;
				 *(_t127 + 8) = _v112.hProcess;
				 *((intOrPtr*)(_t127 + 0x10)) = _v112.dwProcessId;
				 *((intOrPtr*)(_t127 + 0xc)) = _v20;
				_v20 = 0;
				CloseHandle(_v112.hThread);
				_v184 =  *((intOrPtr*)(_t127 + 0x10));
				_v180 = 0;
				E006163B4(L"Helper process PID: %u", _t127, 0,  &_v184, _t141, 0x6d636c);
				_pop(_t139);
				 *[fs:eax] = _t139;
				_push(E00625A01);
				return CloseHandle(_v24);
			}

0x00625755
0x00625757
0x00625762
0x00625768
0x0062576e
0x00625771
0x00625778
0x0062577d
0x0062577e
0x00625783
0x00625786
0x0062578e
0x00625793
0x0062579b
0x006257a2
0x006257a2
0x006257ae
0x006257b5
0x006257b5
0x006257ba
0x006257ba
0x006257c1
0x006257cc
0x006257cf
0x006257cf
0x006257dd
0x006257e3
0x006257ec
0x006257f2
0x006257fc
0x00625802
0x00625809
0x0062580c
0x00625812
0x00625815
0x00625829
0x00625853
0x0062585a
0x00000000
0x00000000
0x00625866
0x00625871
0x00625871
0x00625866
0x0062587d
0x0062587e
0x00625883
0x00625886
0x006258a9
0x006258b0
0x006258b7
0x006258b7
0x006258be
0x006258bf
0x006258c4
0x006258c7
0x006258ca
0x006258e4
0x006258eb
0x006258eb
0x006258fa
0x006258ff
0x00625914
0x0062591f
0x00625939
0x00625943
0x0062594d
0x00625953
0x0062596a
0x00625975
0x0062597b
0x0062598d
0x00625994
0x00625994
0x00625999
0x0062599d
0x006259a4
0x006259aa
0x006259b0
0x006259b5
0x006259bc
0x006259c4
0x006259ca
0x006259de
0x006259e5
0x006259e8
0x006259eb
0x006259f9

APIs

GetTickCount.KERNEL32 ref: 006257BC
QueryPerformanceCounter.KERNEL32(00000000,00000000,00625A4F,?,?,00000000,00000000,?,0062644E,?,00000000,00000000), ref: 006257C5
GetSystemTimeAsFileTime.KERNEL32(00000000,00000000,00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000), ref: 006257CF
GetCurrentProcessId.KERNEL32(?,00000000,00000000,00625A4F,?,?,00000000,00000000,?,0062644E,?,00000000,00000000), ref: 006257D8
CreateNamedPipeW.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000), ref: 0062584E
GetLastError.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000), ref: 0062585C
CreateFileW.KERNEL32(00000000,C0000000,00000000,006CD098,00000003,00000000,00000000,00000000,00625A0B,?,00000000,40080003,00000006,00000001,00002000,00002000), ref: 006258A4
SetNamedPipeHandleState.KERNEL32(000000FF,00000002,00000000,00000000,00000000,006259FA,?,00000000,C0000000,00000000,006CD098,00000003,00000000,00000000,00000000,00625A0B), ref: 006258DD

Part of subcall function 005C745C: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 005C746F

CreateProcessW.KERNEL32 ref: 00625986
CloseHandle.KERNEL32(?,00000000,00000000,?,00000000,00000000,000000FF,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000), ref: 006259BC
CloseHandle.KERNEL32(000000FF,00625A01,?,00000000,00000000,000000FF,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 006259F4

Part of subcall function 0060CE84: GetLastError.KERNEL32(00000000,0060DBAA,00000005,00000000,0060DBD2,?,?,006D579C,?,00000000,00000000,00000000,?,006B910F,00000000,006B912A), ref: 0060CE87

Strings

Cannot utilize 64-bit features on this version of Windows, xrefs: 0062579D
CreateNamedPipe, xrefs: 0062586C
CreateProcess, xrefs: 0062598F
Starting 64-bit helper process., xrefs: 00625789
CreateFile, xrefs: 006258B2
Helper process PID: %u, xrefs: 006259D9
D, xrefs: 006258FF
i, xrefs: 00625939
64-bit helper EXE wasn't extracted, xrefs: 006257B0
SetNamedPipeHandleState, xrefs: 006258E6
\\.\pipe\InnoSetup64BitHelper-%.8x-%.8x-%.8x-%.8x%.8x, xrefs: 00625824
helper %d 0x%x, xrefs: 00625965

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: CreateHandle$CloseErrorFileLastNamedPipeProcessSystemTime$CountCounterCurrentDirectoryPerformanceQueryStateTick
String ID: 64-bit helper EXE wasn't extracted$Cannot utilize 64-bit features on this version of Windows$CreateFile$CreateNamedPipe$CreateProcess$D$Helper process PID: %u$SetNamedPipeHandleState$Starting 64-bit helper process.$\\.\pipe\InnoSetup64BitHelper-%.8x-%.8x-%.8x-%.8x%.8x$helper %d 0x%x$i
API String ID: 770386003-3271284199
Opcode ID: 4b38d71f613c2805a895e8b5dd9c39005fd96be071beebf230027e2823365f0d
Instruction ID: 34d3d620ae4a6a58b4d890a55742d975a8112a0372845dc610fa96f79e58b5cb
Opcode Fuzzy Hash: 4b38d71f613c2805a895e8b5dd9c39005fd96be071beebf230027e2823365f0d
Instruction Fuzzy Hash: 21717F70E407589EDB20EFB9DC46B9EBBB6EF09304F1041A9F509EB282D77499408F65

Uniqueness

Uniqueness Score: -1.00%

Function 006A60E8 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E006A60E8(void* __eax, void* __ebx, DWORD* __ecx, void* __edx, void* __esi, void* __eflags, void* __fp0) {
				char _v8;
				char _v12;
				DWORD* _v16;
				struct _SHELLEXECUTEINFOW _v76;
				long _t41;
				intOrPtr _t69;
				void* _t71;
				void* _t73;
				void* _t74;
				intOrPtr _t75;

				_t73 = _t74;
				_t75 = _t74 + 0xffffffb8;
				_v8 = 0;
				_v12 = 0;
				_v16 = __ecx;
				_t71 = __edx;
				_t60 = __eax;
				_push(_t73);
				_push(0x6a6237);
				 *[fs:eax] = _t75;
				E006A5F04(__eax,  &_v8,  *[fs:eax]);
				E006A6014( &_v12, _t60, _t71);
				E00407760( &_v76, 0x3c);
				_v76.cbSize = 0x3c;
				_v76.fMask = 0x800540;
				_v76.lpVerb = L"runas";
				_v76.lpFile = E0040B278(_v8);
				_v76.lpParameters = E0040B278(_t71);
				_v76.lpDirectory = E0040B278(_v12);
				_v76.nShow = 1;
				if(ShellExecuteExW( &_v76) == 0) {
					if(GetLastError() == 0x4c7) {
						E00428FDC();
					}
					E0060CE84(L"ShellExecuteEx");
				}
				if(_v76.hProcess == 0) {
					E0060CD28(L"ShellExecuteEx returned hProcess=0", _t60);
				}
				_push(_t73);
				_push(0x6a6215);
				_push( *[fs:edx]);
				 *[fs:edx] = _t75;
				do {
					E006A5C10();
					_t41 = MsgWaitForMultipleObjects(1,  &(_v76.hProcess), 0, 0xffffffff, 0x4ff);
				} while (_t41 == 1);
				if(_t41 == 0xffffffff) {
					E0060CE84(L"MsgWaitForMultipleObjects");
				}
				E006A5C10();
				if(GetExitCodeProcess(_v76.hProcess, _v16) == 0) {
					E0060CE84(L"GetExitCodeProcess");
				}
				_pop(_t69);
				 *[fs:eax] = _t69;
				_push(E006A621C);
				return CloseHandle(_v76.hProcess);
			}

0x006a60e9
0x006a60eb
0x006a60f2
0x006a60f5
0x006a60f8
0x006a60fb
0x006a60fd
0x006a6101
0x006a6102
0x006a610a
0x006a6112
0x006a611a
0x006a6129
0x006a612e
0x006a6135
0x006a6141
0x006a614c
0x006a6156
0x006a6161
0x006a6164
0x006a6176
0x006a6182
0x006a6184
0x006a6184
0x006a618e
0x006a618e
0x006a6197
0x006a619e
0x006a619e
0x006a61a5
0x006a61a6
0x006a61ab
0x006a61ae
0x006a61b1
0x006a61b1
0x006a61c5
0x006a61ca
0x006a61d2
0x006a61d9
0x006a61d9
0x006a61de
0x006a61f2
0x006a61f9
0x006a61f9
0x006a6200
0x006a6203
0x006a6206
0x006a6214

APIs

Part of subcall function 006A5F04: GetModuleHandleW.KERNEL32(kernel32.dll,GetFinalPathNameByHandleW), ref: 006A5F30
Part of subcall function 006A5F04: GetFileAttributesW.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleW), ref: 006A5F49
Part of subcall function 006A5F04: CreateFileW.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleW), ref: 006A5F73
Part of subcall function 006A5F04: CloseHandle.KERNEL32(00000000), ref: 006A5F91

Part of subcall function 006A6014: GetCurrentDirectoryW.KERNEL32(00000104,?,00000000,006A60A5,?,00000097,00000000,?,006A611F,00000000,006A6237,?,?,00000001), ref: 006A6043

ShellExecuteExW.SHELL32(0000003C), ref: 006A616F
GetLastError.KERNEL32(0000003C,00000000,006A6237,?,?,00000001), ref: 006A6178
MsgWaitForMultipleObjects.USER32 ref: 006A61C5
GetExitCodeProcess.KERNEL32 ref: 006A61EB
CloseHandle.KERNEL32(00000000,006A621C,00000000,00000000,000000FF,000004FF,00000000,006A6215,?,0000003C,00000000,006A6237,?,?,00000001), ref: 006A620F

Strings

ShellExecuteEx, xrefs: 006A6189
MsgWaitForMultipleObjects, xrefs: 006A61D4
<, xrefs: 006A612E
GetExitCodeProcess, xrefs: 006A61F4
runas, xrefs: 006A613C
ShellExecuteEx returned hProcess=0, xrefs: 006A6199

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: Handle$CloseFile$AttributesCodeCreateCurrentDirectoryErrorExecuteExitLastModuleMultipleObjectsProcessShellWait
String ID: <$GetExitCodeProcess$MsgWaitForMultipleObjects$ShellExecuteEx$ShellExecuteEx returned hProcess=0$runas
API String ID: 254331816-221126205
Opcode ID: 4b01546bb7c1e1f880d0074e3a62ab49537264529600a4ba05fbe354f8589c55
Instruction ID: 3b593d6e4f6188ec2893085c4d8bc70e2010c955c7988aee54b7ca20d83eebf0
Opcode Fuzzy Hash: 4b01546bb7c1e1f880d0074e3a62ab49537264529600a4ba05fbe354f8589c55
Instruction Fuzzy Hash: 4931AF70A00208AFDB10FFE9C842A9DBABAEF06314F44053DF514E62D2D7789E448F29

Uniqueness

Uniqueness Score: -1.00%

Function 0040E0D4 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 140
stringlibraryfileCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E0040E0D4(short* __eax, intOrPtr __edx) {
				short* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v20;
				struct _WIN32_FIND_DATAW _v612;
				short _v1134;
				signed int _t50;
				signed int _t51;
				void* _t55;
				signed int _t88;
				signed int _t89;
				intOrPtr* _t90;
				signed int _t101;
				signed int _t102;
				short* _t112;
				struct HINSTANCE__* _t113;
				short* _t115;
				short* _t116;
				void* _t117;

				_v12 = __edx;
				_v8 = __eax;
				_v16 = _v8;
				_t113 = GetModuleHandleW(L"kernel32.dll");
				if(_t113 == 0) {
					L4:
					if( *_v8 != 0x5c) {
						_t115 = _v8 + 4;
						goto L10;
					} else {
						if( *((short*)(_v8 + 2)) == 0x5c) {
							_t116 = E0040E0B0(_v8 + 4);
							if( *_t116 != 0) {
								_t14 = _t116 + 2; // 0x2
								_t115 = E0040E0B0(_t14);
								if( *_t115 != 0) {
									L10:
									_t88 = _t115 - _v8;
									_t89 = _t88 >> 1;
									if(_t88 < 0) {
										asm("adc ebx, 0x0");
									}
									_t43 = _t89 + 1;
									if(_t89 + 1 <= 0x105) {
										E0040DAF8( &_v1134, _v8, _t43);
										while( *_t115 != 0) {
											_t112 = E0040E0B0(_t115 + 2);
											_t50 = _t112 - _t115;
											_t51 = _t50 >> 1;
											if(_t50 < 0) {
												asm("adc eax, 0x0");
											}
											if(_t51 + _t89 + 1 <= 0x105) {
												_t55 =  &_v1134 + _t89 + _t89;
												_t101 = _t112 - _t115;
												_t102 = _t101 >> 1;
												if(_t101 < 0) {
													asm("adc edx, 0x0");
												}
												E0040DAF8(_t55, _t115, _t102 + 1);
												_v20 = FindFirstFileW( &_v1134,  &_v612);
												if(_v20 != 0xffffffff) {
													FindClose(_v20);
													if(lstrlenW( &(_v612.cFileName)) + _t89 + 1 + 1 <= 0x105) {
														 *((short*)(_t117 + _t89 * 2 - 0x46a)) = 0x5c;
														E0040DAF8( &_v1134 + _t89 + _t89 + 2,  &(_v612.cFileName), 0x105 - _t89 - 1);
														_t89 = _t89 + lstrlenW( &(_v612.cFileName)) + 1;
														_t115 = _t112;
														continue;
													}
												}
											}
											goto L24;
										}
										E0040DAF8(_v8,  &_v1134, _v12);
									}
								}
							}
						}
					}
				} else {
					_t90 = GetProcAddress(_t113, "GetLongPathNameW");
					if(_t90 == 0) {
						goto L4;
					} else {
						_push(0x105);
						_push( &_v1134);
						_push(_v8);
						if( *_t90() == 0) {
							goto L4;
						} else {
							E0040DAF8(_v8,  &_v1134, _v12);
						}
					}
				}
				L24:
				return _v16;
			}

0x0040e0e0
0x0040e0e3
0x0040e0e9
0x0040e0f6
0x0040e0fa
0x0040e139
0x0040e140
0x0040e180
0x00000000
0x0040e142
0x0040e14a
0x0040e15b
0x0040e161
0x0040e167
0x0040e16f
0x0040e175
0x0040e183
0x0040e185
0x0040e188
0x0040e18a
0x0040e18c
0x0040e18c
0x0040e18f
0x0040e197
0x0040e1a8
0x0040e26f
0x0040e1ba
0x0040e1be
0x0040e1c0
0x0040e1c2
0x0040e1c4
0x0040e1c4
0x0040e1cf
0x0040e1df
0x0040e1e3
0x0040e1e5
0x0040e1e7
0x0040e1e9
0x0040e1e9
0x0040e1ef
0x0040e207
0x0040e20e
0x0040e214
0x0040e230
0x0040e232
0x0040e259
0x0040e26b
0x0040e26d
0x00000000
0x0040e26d
0x0040e230
0x0040e20e
0x00000000
0x0040e1cf
0x0040e285
0x0040e285
0x0040e197
0x0040e175
0x0040e161
0x0040e14a
0x0040e0fc
0x0040e107
0x0040e10b
0x00000000
0x0040e10d
0x0040e10d
0x0040e118
0x0040e11c
0x0040e121
0x00000000
0x0040e123
0x0040e12f
0x0040e12f
0x0040e121
0x0040e10b
0x0040e28a
0x0040e293

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,0041CF90,?,?), ref: 0040E0F1
GetProcAddress.KERNEL32(00000000,GetLongPathNameW), ref: 0040E102
FindFirstFileW.KERNEL32(?,?,kernel32.dll,0041CF90,?,?), ref: 0040E202
FindClose.KERNEL32(?,?,?,kernel32.dll,0041CF90,?,?), ref: 0040E214
lstrlenW.KERNEL32(?,?,?,?,kernel32.dll,0041CF90,?,?), ref: 0040E220
lstrlenW.KERNEL32(?,?,?,?,?,kernel32.dll,0041CF90,?,?), ref: 0040E265

Strings

\, xrefs: 0040E232
GetLongPathNameW, xrefs: 0040E0FC
kernel32.dll, xrefs: 0040E0EC

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: Findlstrlen$AddressCloseFileFirstHandleModuleProc
String ID: GetLongPathNameW$\$kernel32.dll
API String ID: 1930782624-3908791685
Opcode ID: 1e5aa63ad13805ebe641060d55f71927a25656d4bbeb27d65059da7d04647448
Instruction ID: 85f15f90104044dde56611b048d4fe37091be9da2e2d426f5e1dee482ffdf80d
Opcode Fuzzy Hash: 1e5aa63ad13805ebe641060d55f71927a25656d4bbeb27d65059da7d04647448
Instruction Fuzzy Hash: 09418471E005189BCB10DAA6CC85ADEB3B9EF44310F1449FAD504F72C1EB789E568F89

Uniqueness

Uniqueness Score: -1.00%

Function 0060F6D8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 42
shutdownCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E0060F6D8() {
				int _v4;
				struct _TOKEN_PRIVILEGES _v16;
				void* _v20;
				int _t7;

				if(E00429D18() != 2) {
					L5:
					_t7 = ExitWindowsEx(2, 0);
					asm("sbb eax, eax");
					return _t7 + 1;
				}
				if(OpenProcessToken(GetCurrentProcess(), 0x28,  &_v20) != 0) {
					LookupPrivilegeValueW(0, L"SeShutdownPrivilege",  &(_v16.Privileges));
					_v16.PrivilegeCount = 1;
					_v4 = 2;
					AdjustTokenPrivileges(_v20, 0,  &_v16, 0, 0, 0);
					if(GetLastError() == 0) {
						goto L5;
					}
					return 0;
				}
				return 0;
			}

0x0060f6e3
0x0060f740
0x0060f744
0x0060f74c
0x00000000
0x0060f74e
0x0060f6f5
0x0060f707
0x0060f70c
0x0060f714
0x0060f72e
0x0060f73a
0x00000000
0x00000000
0x00000000
0x0060f73c
0x00000000

APIs

GetCurrentProcess.KERNEL32(00000028), ref: 0060F6E8
OpenProcessToken.ADVAPI32(00000000,00000028), ref: 0060F6EE
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 0060F707
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 0060F72E
GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 0060F733
ExitWindowsEx.USER32 ref: 0060F744

Strings

SeShutdownPrivilege, xrefs: 0060F700

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
String ID: SeShutdownPrivilege
API String ID: 107509674-3733053543
Opcode ID: 587dd988ce63d715a201a3aa16ee9d515860b21273bb1684cbadb229f2035bc1
Instruction ID: 06ed2f01938c74524bf5f5b14376f39d724559be6214a1270456cb597724f4e2
Opcode Fuzzy Hash: 587dd988ce63d715a201a3aa16ee9d515860b21273bb1684cbadb229f2035bc1
Instruction Fuzzy Hash: 8EF090306E430276E624AF719C47FEB218D9B40B09F50092DF644D61C1DBA9E589826B

Uniqueness

Uniqueness Score: -1.00%

Function 006A68B0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 172
windowCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E006A68B0(intOrPtr __eax, void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __fp0, intOrPtr _a4, short* _a8, intOrPtr _a12, void* _a16, char _a20, intOrPtr _a24, intOrPtr* _a32, intOrPtr _a36, intOrPtr* _a40, intOrPtr _a44, intOrPtr _a48, intOrPtr _a52) {
				char _v5;
				intOrPtr _v12;
				struct HWND__* _v16;
				intOrPtr _v20;
				char _v24;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v60;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				signed int _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				char _v120;
				intOrPtr* _t70;
				intOrPtr* _t74;
				signed int _t77;
				signed int _t78;
				intOrPtr* _t79;
				signed int _t82;
				signed int _t83;
				short* _t87;
				intOrPtr _t106;
				intOrPtr _t123;
				void* _t125;
				char _t126;
				intOrPtr* _t127;
				intOrPtr _t136;
				intOrPtr _t140;
				intOrPtr _t145;
				intOrPtr _t147;
				intOrPtr* _t148;
				void* _t150;
				void* _t151;
				intOrPtr _t152;
				intOrPtr _t164;

				_t150 = _t151;
				_t152 = _t151 + 0xffffff8c;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t147 = __ecx;
				_t123 = __edx;
				_t145 = __eax;
				_push(_t150);
				_push(0x6a6acd);
				_push( *[fs:eax]);
				 *[fs:eax] = _t152;
				if( *0x6d648c == 0) {
					_v5 = 0;
					__eflags = 0;
					_pop(_t136);
					 *[fs:eax] = _t136;
					_push(E006A6AD4);
					return 0;
				} else {
					E00407760( &_v120, 0x60);
					_v120 = 0x60;
					if(_a20 != 0) {
						_v108 = _v108 | 0x00002000;
					}
					_v112 =  *0x6d2634;
					_t70 =  *0x6cdec4; // 0x6d579c
					if(IsIconic( *( *_t70 + 0x188)) == 0) {
						_t74 =  *0x6cdec4; // 0x6d579c
						_t77 = GetWindowLongW( *( *_t74 + 0x188), 0xfffffff0);
						__eflags = _t77 & 0x10000000;
						_t12 = (_t77 & 0x10000000) == 0;
						__eflags = _t12;
						_t78 = _t77 & 0xffffff00 | _t12;
					} else {
						_t78 = 1;
					}
					if(_t78 == 0) {
						_t79 =  *0x6cdec4; // 0x6d579c
						_t82 = GetWindowLongW( *( *_t79 + 0x188), 0xffffffec);
						__eflags = _t82 & 0x00000080;
						_t17 = (_t82 & 0x00000080) != 0;
						__eflags = _t17;
						_t83 = _t82 & 0xffffff00 | _t17;
					} else {
						_t83 = 1;
					}
					if(_t83 == 0) {
						_v116 = _t145;
					} else {
						_v116 = 0;
					}
					_v104 = _a44;
					_v100 = _a52;
					_v96 = _a48;
					_v92 = _t123;
					_v88 = _t147;
					_t87 = _a8;
					if(_t87 != 0 &&  *_t87 != 0) {
						_v60 = _a8;
					}
					if(_a24 != 0) {
						_v36 = 0x6a6888;
						_v32 = _a24;
					}
					_v12 = 0;
					_push(_t150);
					_push(0x6a6ab4);
					_push( *[fs:edx]);
					 *[fs:edx] = _t152;
					_t125 = _a36 + 1;
					if(_t125 != 0) {
						_t106 =  *0x54808c; // 0x5480e4
						_v12 = E00466A64(0, 1, _t145, _t106);
						_v108 = _v108 | 0x00000010;
						_t125 = _t125 - 1;
						if(_t125 >= 0) {
							_t126 = _t125 + 1;
							_t164 = _t126;
							_v24 = _t126;
							_t127 = _a40;
							_t148 = _a32;
							do {
								_t145 = E0054BA48(_v12);
								E0054B708(_t145,  *_t127, _t164);
								 *((intOrPtr*)(_t145 + 0x18)) =  *_t148;
								_t148 = _t148 + 4;
								_t127 = _t127 + 4;
								_t45 =  &_v24;
								 *_t45 = _v24 - 1;
							} while ( *_t45 != 0);
						}
						_v80 = E0054BA54(_v12);
						_v84 =  *((intOrPtr*)( *((intOrPtr*)(_v12 + 8)) + 8));
					}
					E005C9060();
					_v16 = GetActiveWindow();
					_v20 = E005ABB4C(0, _t125, _t145, _t147);
					 *[fs:eax] = _t152;
					_v5 =  *0x6d648c( &_v120, _a12, 0, _a4,  *[fs:eax], 0x6a6a97, _t150) == 0;
					_pop(_t140);
					 *[fs:eax] = _t140;
					_push(E006A6A9E);
					E005ABC0C(_v20);
					SetActiveWindow(_v16);
					return E005C9060();
				}
			}

0x006a68b1
0x006a68b3
0x006a68b6
0x006a68b7
0x006a68b8
0x006a68b9
0x006a68bb
0x006a68bd
0x006a68c1
0x006a68c2
0x006a68c7
0x006a68ca
0x006a68d4
0x006a6abb
0x006a6abf
0x006a6ac1
0x006a6ac4
0x006a6ac7
0x006a6acc
0x006a68da
0x006a68e4
0x006a68e9
0x006a68f4
0x006a68f6
0x006a68f6
0x006a6902
0x006a6905
0x006a691a
0x006a6920
0x006a6930
0x006a6935
0x006a693a
0x006a693a
0x006a693a
0x006a691c
0x006a691c
0x006a691c
0x006a693f
0x006a6945
0x006a6955
0x006a695a
0x006a695c
0x006a695c
0x006a695c
0x006a6941
0x006a6941
0x006a6941
0x006a6961
0x006a696a
0x006a6963
0x006a6965
0x006a6965
0x006a6970
0x006a6976
0x006a697c
0x006a697f
0x006a6982
0x006a6985
0x006a698a
0x006a6995
0x006a6995
0x006a699c
0x006a699e
0x006a69a8
0x006a69a8
0x006a69ad
0x006a69b2
0x006a69b3
0x006a69b8
0x006a69bb
0x006a69c1
0x006a69c4
0x006a69c6
0x006a69da
0x006a69dd
0x006a69e1
0x006a69e4
0x006a69e6
0x006a69e6
0x006a69e7
0x006a69ea
0x006a69ed
0x006a69f0
0x006a69f8
0x006a69fe
0x006a6a05
0x006a6a08
0x006a6a0b
0x006a6a0e
0x006a6a0e
0x006a6a0e
0x006a69f0
0x006a6a1b
0x006a6a27
0x006a6a27
0x006a6a2f
0x006a6a39
0x006a6a43
0x006a6a51
0x006a6a6a
0x006a6a70
0x006a6a73
0x006a6a76
0x006a6a7e
0x006a6a87
0x006a6a96
0x006a6a96

APIs

IsIconic.USER32 ref: 006A6913
GetWindowLongW.USER32(?,000000F0), ref: 006A6930
GetWindowLongW.USER32(?,000000EC), ref: 006A6955

Part of subcall function 005ABC0C: IsWindow.USER32(8B565300), ref: 005ABC1A
Part of subcall function 005ABC0C: EnableWindow.USER32(8B565300,000000FF), ref: 005ABC29

GetActiveWindow.USER32 ref: 006A6A34
SetActiveWindow.USER32(006C479A,006A6A9E,006A6AB4,?,?,000000EC,?,000000F0,?,00000000,006A6ACD,?,00000000,?,00000000), ref: 006A6A87

Strings

`, xrefs: 006A68E9

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: Window$ActiveLong$EnableIconic
String ID: `
API String ID: 4222481217-2679148245
Opcode ID: cde2a6536f5044e3bc4238d2ffbe734793dbf8fec1bfd9d9ee3b4b44e3c8bba9
Instruction ID: 936cf99dd23b6ce25ef8ab77046748165037aff960be166beb91cb3f54ae6a19
Opcode Fuzzy Hash: cde2a6536f5044e3bc4238d2ffbe734793dbf8fec1bfd9d9ee3b4b44e3c8bba9
Instruction Fuzzy Hash: C3611875A002099FDB00EFA9C885A9EBBF6FB4A304F598469F914EB361D734AD41CF50

Uniqueness

Uniqueness Score: -1.00%

Function 006B8DE4 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 89
fileCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E006B8DE4(void* __eax, void* __ebx, void* __esi, void* __eflags) {
				char _v8;
				void* _v12;
				struct _WIN32_FIND_DATAW _v604;
				char _v608;
				char _v612;
				void* _t59;
				intOrPtr _t70;
				intOrPtr _t73;
				signed int _t77;
				void* _t80;
				void* _t81;
				intOrPtr _t82;

				_t80 = _t81;
				_t82 = _t81 + 0xfffffda0;
				_v612 = 0;
				_v608 = 0;
				_v8 = 0;
				_t59 = __eax;
				_push(_t80);
				_push(0x6b8f21);
				_push( *[fs:eax]);
				 *[fs:eax] = _t82;
				E0040B4C8( &_v608, L"isRS-???.tmp", __eax);
				_v12 = FindFirstFileW(E0040B278(_v608),  &_v604);
				if(_v12 == 0xffffffff) {
					_pop(_t70);
					 *[fs:eax] = _t70;
					_push(E006B8F28);
					E0040A228( &_v612, 2);
					return E0040A1C8( &_v8);
				} else {
					_push(_t80);
					_push(0x6b8ef4);
					_push( *[fs:eax]);
					 *[fs:eax] = _t82;
					do {
						if(E004241A0( &(_v604.cFileName), 5, L"isRS-") == 0 && (_v604.dwFileAttributes & 0x00000010) == 0) {
							E0040B318( &_v612, 0x104,  &(_v604.cFileName));
							E0040B4C8( &_v8, _v612, _t59);
							_t77 = _v604.dwFileAttributes;
							if((_t77 & 0x00000001) != 0) {
								SetFileAttributesW(E0040B278(_v8), _t77 & 0xfffffffe);
							}
							E00423A20(_v8);
						}
					} while (FindNextFileW(_v12,  &_v604) != 0);
					_pop(_t73);
					 *[fs:eax] = _t73;
					_push(E006B8EFB);
					return FindClose(_v12);
				}
			}

0x006b8de5
0x006b8de7
0x006b8df1
0x006b8df7
0x006b8dfd
0x006b8e00
0x006b8e04
0x006b8e05
0x006b8e0a
0x006b8e0d
0x006b8e24
0x006b8e3a
0x006b8e41
0x006b8efd
0x006b8f00
0x006b8f03
0x006b8f13
0x006b8f20
0x006b8e47
0x006b8e49
0x006b8e4a
0x006b8e4f
0x006b8e52
0x006b8e55
0x006b8e6c
0x006b8e88
0x006b8e98
0x006b8e9d
0x006b8ea9
0x006b8eb8
0x006b8eb8
0x006b8ec0
0x006b8ec0
0x006b8ed5
0x006b8edf
0x006b8ee2
0x006b8ee5
0x006b8ef3
0x006b8ef3

APIs

FindFirstFileW.KERNEL32(00000000,?,00000000,006B8F21,?,006D579C,?,?,006B90D6,00000000,006B912A,?,00000000,00000000,00000000), ref: 006B8E35
SetFileAttributesW.KERNEL32(00000000,00000010), ref: 006B8EB8
FindNextFileW.KERNEL32(000000FF,?,00000000,006B8EF4,?,00000000,?,00000000,006B8F21,?,006D579C,?,?,006B90D6,00000000,006B912A), ref: 006B8ED0
FindClose.KERNEL32(000000FF,006B8EFB,006B8EF4,?,00000000,?,00000000,006B8F21,?,006D579C,?,?,006B90D6,00000000,006B912A), ref: 006B8EEE

Strings

isRS-???.tmp, xrefs: 006B8E1D
isRS-, xrefs: 006B8E55

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstNext
String ID: isRS-$isRS-???.tmp
API String ID: 134685335-3422211394
Opcode ID: bc046ff19386ae941c1e2fbaddcc9e352fae9fbf8a3a0acc36942c416fb33cce
Instruction ID: d39c6702953267373b2098697dd7c4daff6c19a754f4e73b98016d5d2bb0ed42
Opcode Fuzzy Hash: bc046ff19386ae941c1e2fbaddcc9e352fae9fbf8a3a0acc36942c416fb33cce
Instruction Fuzzy Hash: E6317670A006189FDB10DF65DC45ADEB7BEEB84304F5145FAE804A3291EB389E81CB58

Uniqueness

Uniqueness Score: -1.00%

Function 005C90B4 Relevance: 9.1, APIs: 6, Instructions: 98
windowCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E005C90B4(WCHAR* __eax, void* __ebx, signed int __ecx, WCHAR* __edx, void* __edi, void* __esi) {
				signed int _v8;
				int _v12;
				struct HWND__* _v16;
				intOrPtr _v20;
				intOrPtr* _t28;
				intOrPtr* _t32;
				signed int _t36;
				intOrPtr* _t37;
				signed int _t41;
				intOrPtr* _t43;
				WCHAR* _t62;
				intOrPtr _t73;
				intOrPtr _t75;
				void* _t76;
				WCHAR* _t78;
				void* _t80;
				void* _t81;
				intOrPtr _t82;

				_t76 = __edi;
				_t80 = _t81;
				_t82 = _t81 + 0xfffffff0;
				_push(__ebx);
				_push(__esi);
				_v8 = __ecx;
				_t78 = __edx;
				_t62 = __eax;
				if( *0x6d5814 != 0) {
					_v8 = _v8 | 0x00180000;
				}
				E005C9060();
				_push(_t80);
				_push(0x5c91da);
				_push( *[fs:edx]);
				 *[fs:edx] = _t82;
				_t28 =  *0x6cdec4; // 0x6d579c
				if(IsIconic( *( *_t28 + 0x188)) == 0) {
					_t32 =  *0x6cdec4; // 0x6d579c
					_t36 = GetWindowLongW( *( *_t32 + 0x188), 0xfffffff0) & 0xffffff00 | (_t35 & 0x10000000) == 0x00000000;
				} else {
					_t36 = 1;
				}
				if(_t36 == 0) {
					_t37 =  *0x6cdec4; // 0x6d579c
					_t41 = GetWindowLongW( *( *_t37 + 0x188), 0xffffffec) & 0xffffff00 | (_t40 & 0x00000080) != 0x00000000;
				} else {
					_t41 = 1;
				}
				if(_t41 == 0) {
					_t43 =  *0x6cdec4; // 0x6d579c
					_v12 = L005B8BCC( *_t43, _t62, _t78, _t62, _t76, _t78, _v8);
					_pop(_t73);
					 *[fs:eax] = _t73;
					_push(E005C91E1);
					return E005C9060();
				} else {
					_v16 = GetActiveWindow();
					_v20 = E005ABB4C(0, _t62, _t76, _t78);
					_push(_t80);
					_push(0x5c919d);
					_push( *[fs:eax]);
					 *[fs:eax] = _t82;
					_v12 = MessageBoxW(0, _t62, _t78, _v8 | 0x00002000);
					_pop(_t75);
					 *[fs:eax] = _t75;
					_push(E005C91A4);
					E005ABC0C(_v20);
					return SetActiveWindow(_v16);
				}
			}

0x005c90b4
0x005c90b5
0x005c90b7
0x005c90ba
0x005c90bb
0x005c90bc
0x005c90bf
0x005c90c1
0x005c90ca
0x005c90cc
0x005c90cc
0x005c90d8
0x005c90df
0x005c90e0
0x005c90e5
0x005c90e8
0x005c90eb
0x005c9100
0x005c9106
0x005c9120
0x005c9102
0x005c9102
0x005c9102
0x005c9125
0x005c912b
0x005c9142
0x005c9127
0x005c9127
0x005c9127
0x005c9147
0x005c91af
0x005c91bf
0x005c91c4
0x005c91c7
0x005c91ca
0x005c91d9
0x005c9149
0x005c914e
0x005c9158
0x005c915d
0x005c915e
0x005c9163
0x005c9166
0x005c917b
0x005c9180
0x005c9183
0x005c9186
0x005c918e
0x005c919c
0x005c919c

APIs

IsIconic.USER32 ref: 005C90F9
GetWindowLongW.USER32(?,000000F0), ref: 005C9116
GetWindowLongW.USER32(?,000000EC), ref: 005C913B
GetActiveWindow.USER32 ref: 005C9149
MessageBoxW.USER32(00000000,00000000,?,000000E5), ref: 005C9176
SetActiveWindow.USER32(00000000,005C91A4,?,000000EC,?,000000F0,?,00000000,005C91DA,?,?,00000000), ref: 005C9197

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: Window$ActiveLong$IconicMessage
String ID:
API String ID: 1633107849-0
Opcode ID: 6ccadbc60b25befb027f438fb9d8ea6f9f99e08362a6b6c28a86a9c04d8ecebe
Instruction ID: 0eaebbc0e28104152e09dfddf635ce6469108de93c670a6b66e2a7222b47ea08
Opcode Fuzzy Hash: 6ccadbc60b25befb027f438fb9d8ea6f9f99e08362a6b6c28a86a9c04d8ecebe
Instruction Fuzzy Hash: 4F319375A04605AFDB00EFA9DD4AF9A7BF9FB89350B1544A9F400D73A1DB34AD00DB14

Uniqueness

Uniqueness Score: -1.00%

Function 005C8B3C Relevance: 3.0, APIs: 2, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E005C8B3C(void* __eax) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v16;
				struct _SECURITY_DESCRIPTOR _v36;
				void* _t18;
				intOrPtr _t19;

				_t18 = __eax;
				InitializeSecurityDescriptor( &_v36, 1);
				SetSecurityDescriptorDacl( &_v36, 0xffffffff, 0, 0);
				_v16 = 0xc;
				_v12 = _t19;
				_v8 = 0;
				return E00413E90( &_v16, 0, E0040B278(_t18));
			}

0x005c8b40
0x005c8b49
0x005c8b59
0x005c8b5e
0x005c8b68
0x005c8b6e
0x005c8b8a

APIs

InitializeSecurityDescriptor.ADVAPI32(00000001,00000001), ref: 005C8B49
SetSecurityDescriptorDacl.ADVAPI32(00000000,000000FF,00000000,00000000,00000001,00000001), ref: 005C8B59

Part of subcall function 00413E90: CreateMutexW.KERNEL32(?,?,?,?,006B91D7,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,006B94FD,?,?,00000000), ref: 00413EA6

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: DescriptorSecurity$CreateDaclInitializeMutex
String ID:
API String ID: 3525989157-0
Opcode ID: 8c33769221f5c02fb9acf0c53c91398d8a51c8b1cb76e2f494f5bcae13adf59b
Instruction ID: 330012b0c6753e8d8900aa9d7e53afb48d76169d5e03c13c529c7fe63a2e2798
Opcode Fuzzy Hash: 8c33769221f5c02fb9acf0c53c91398d8a51c8b1cb76e2f494f5bcae13adf59b
Instruction Fuzzy Hash: E9E092B16443006FE700DFB58C86F9B77DC9B84725F104A2EB664DB2C1E778DA48879A

Uniqueness

Uniqueness Score: -1.00%

Function 006B9138 Relevance: 24.8, APIs: 6, Strings: 8, Instructions: 260
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E006B9138(char __ebx, void* __edi, void* __esi, void* __fp0) {
				char _v8;
				char _v12;
				void* _v16;
				char _v20;
				char _v21;
				signed int _v22;
				void* _v28;
				intOrPtr _v32;
				char _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v60;
				void* _t62;
				signed int _t110;
				intOrPtr _t129;
				signed int _t130;
				char _t134;
				char _t139;
				char _t142;
				char* _t149;
				intOrPtr* _t158;
				void* _t159;
				intOrPtr _t181;
				intOrPtr _t189;
				intOrPtr _t190;
				intOrPtr _t192;
				intOrPtr _t196;
				intOrPtr _t199;
				intOrPtr* _t204;
				intOrPtr _t206;
				intOrPtr _t207;
				void* _t216;

				_t216 = __fp0;
				_t202 = __edi;
				_t157 = __ebx;
				_t206 = _t207;
				_t159 = 7;
				do {
					_push(0);
					_push(0);
					_t159 = _t159 - 1;
				} while (_t159 != 0);
				_push(__ebx);
				_push(__edi);
				_t204 =  *0x6cdec4; // 0x6d579c
				_push(_t206);
				_push(0x6b94fd);
				_push( *[fs:eax]);
				 *[fs:eax] = _t207;
				E005C6FB0(1, __ebx,  &_v36, __edi, _t204);
				_t62 = E00422368(_v36, _t159, L"/REG");
				_t209 = _t62;
				if(_t62 != 0) {
					E005C6FB0(1, __ebx,  &_v40, __edi, _t204);
					__eflags = E00422368(_v40, _t159, L"/REGU");
					if(__eflags != 0) {
						__eflags = 0;
						_pop(_t181);
						 *[fs:eax] = _t181;
						_push(E006B9504);
						E0040A228( &_v60, 7);
						return E0040A228( &_v20, 4);
					} else {
						_v21 = 0;
						goto L6;
					}
				} else {
					_v21 = 1;
					L6:
					E005B8250( *_t204, L"Setup", _t209);
					ShowWindow( *( *_t204 + 0x188), 5);
					E006AF824();
					_v28 = E00413E90(0, 0, L"Inno-Setup-RegSvr-Mutex");
					ShowWindow( *( *_t204 + 0x188), 0);
					if(_v28 != 0) {
						do {
							E005B8704( *_t204);
						} while (MsgWaitForMultipleObjects(1,  &_v28, 0, 0xffffffff, 0x4ff) == 1);
					}
					ShowWindow( *( *_t204 + 0x188), 5);
					_push(_t206);
					_push(0x6b94ce);
					_push( *[fs:eax]);
					 *[fs:eax] = _t207;
					E005C6FB0(0, _t157,  &_v44, _t202, _t204);
					E005C4F90(_v44, _t157,  &_v8, L".msg", _t202, _t204);
					E005C6FB0(0, _t157,  &_v48, _t202, _t204);
					E005C4F90(_v48, _t157,  &_v12, L".lst", _t202, _t204);
					if(E005C685C(_v12) == 0) {
						E00423A20(_v12);
						E00423A20(_v8);
						_push(_t206);
						_push( *[fs:eax]);
						 *[fs:eax] = _t207;
						E006B9098(_t157,  &_v12, _t202, _t204, __eflags);
						_pop(_t189);
						 *[fs:eax] = _t189;
						_t190 = 0x6b949e;
						 *[fs:eax] = _t190;
						_push(E006B94D5);
						__eflags = _v28;
						if(_v28 != 0) {
							ReleaseMutex(_v28);
							return CloseHandle(_v28);
						}
						return 0;
					} else {
						E005CD6BC(_v8, _t157, 1, 0, _t202, _t204);
						_t110 =  *0x6cddd0; // 0x6d603c
						E005C9044(_t110 & 0xffffff00 | ( *(_t110 + 0x4c) & 0x00000001) != 0x00000000);
						_t192 =  *0x6cded8; // 0x6d5c28
						_t26 = _t192 + 0x2f8; // 0x0
						E005B8250( *_t204,  *_t26,  *(_t110 + 0x4c) & 0x00000001);
						_push(_t206);
						_push(0x6b946a);
						_push( *[fs:eax]);
						 *[fs:eax] = _t207;
						E006AC8CC(_t157,  *_t26, _t202, _t204);
						_v32 = E005CBFB8(1, 1, 0, 2);
						_push(_t206);
						_push(0x6b9450);
						_push( *[fs:eax]);
						 *[fs:eax] = _t207;
						while(E005CC258(_v32) == 0) {
							E005CC268(_v32, _t157,  &_v16, _t202, _t204, __eflags);
							_t157 = _v16;
							__eflags = _t157;
							if(_t157 != 0) {
								_t158 = _t157 - 4;
								__eflags = _t158;
								_t157 =  *_t158;
							}
							__eflags = _t157 - 4;
							if(__eflags > 0) {
								__eflags =  *_v16 - 0x5b;
								if(__eflags == 0) {
									__eflags =  *((short*)(_v16 + 6)) - 0x5d;
									if(__eflags == 0) {
										E0040B698(_v16, 0x7fffffff, 5,  &_v20);
										_t129 = _v16;
										__eflags =  *((short*)(_t129 + 4)) - 0x71;
										if( *((short*)(_t129 + 4)) == 0x71) {
											L19:
											_t130 = 1;
										} else {
											__eflags = _v21;
											if(_v21 == 0) {
												L18:
												_t130 = 0;
											} else {
												_t149 =  *0x6cdcc4; // 0x6d67df
												__eflags =  *_t149;
												if( *_t149 == 0) {
													goto L19;
												} else {
													goto L18;
												}
											}
										}
										_v22 = _t130;
										_push(_t206);
										_push(0x6b93c5);
										_push( *[fs:eax]);
										 *[fs:eax] = _t207;
										_t134 = ( *(_v16 + 2) & 0x0000ffff) - 0x53;
										__eflags = _t134;
										if(_t134 == 0) {
											_push(_v22 & 0x000000ff);
											E00624E78(0, _t157, _v20, 1, _t202, _t204, _t216);
										} else {
											_t139 = _t134 - 1;
											__eflags = _t139;
											if(_t139 == 0) {
												__eflags = 0;
												E006255F0(0, _t157, _v20, _t204, 0, _t216);
											} else {
												_t142 = _t139 - 0x1f;
												__eflags = _t142;
												if(_t142 == 0) {
													_push(_v22 & 0x000000ff);
													E00624E78(0, _t157, _v20, 0, _t202, _t204, _t216);
												} else {
													__eflags = _t142 - 1;
													if(__eflags == 0) {
														E0062460C(_v20, _t157, _t204);
													}
												}
											}
										}
										_pop(_t199);
										 *[fs:eax] = _t199;
									}
								}
							}
						}
						_pop(_t196);
						 *[fs:eax] = _t196;
						_push(E006B9457);
						return E00408444(_v32);
					}
				}
			}

0x006b9138
0x006b9138
0x006b9138
0x006b9139
0x006b913b
0x006b9140
0x006b9140
0x006b9142
0x006b9144
0x006b9144
0x006b9147
0x006b9149
0x006b914a
0x006b9152
0x006b9153
0x006b9158
0x006b915b
0x006b9166
0x006b9173
0x006b9178
0x006b917a
0x006b918a
0x006b919c
0x006b919e
0x006b94d5
0x006b94d7
0x006b94da
0x006b94dd
0x006b94ea
0x006b94fc
0x006b91a4
0x006b91a4
0x00000000
0x006b91a4
0x006b917c
0x006b917c
0x006b91a8
0x006b91af
0x006b91bf
0x006b91c4
0x006b91d7
0x006b91e5
0x006b91ee
0x006b91f0
0x006b91f2
0x006b920b
0x006b91f0
0x006b921b
0x006b9222
0x006b9223
0x006b9228
0x006b922b
0x006b9233
0x006b9243
0x006b924d
0x006b925d
0x006b926c
0x006b9474
0x006b947c
0x006b9483
0x006b9489
0x006b948c
0x006b948f
0x006b9496
0x006b9499
0x006b94aa
0x006b94ad
0x006b94b0
0x006b94b5
0x006b94b9
0x006b94bf
0x00000000
0x006b94c8
0x006b94cd
0x006b9272
0x006b9279
0x006b927e
0x006b928a
0x006b928f
0x006b9295
0x006b929d
0x006b92a4
0x006b92a5
0x006b92aa
0x006b92ad
0x006b92b0
0x006b92ca
0x006b92cf
0x006b92d0
0x006b92d5
0x006b92d8
0x006b942a
0x006b92e6
0x006b92eb
0x006b92ee
0x006b92f0
0x006b92f2
0x006b92f2
0x006b92f5
0x006b92f5
0x006b92f7
0x006b92fa
0x006b9303
0x006b9307
0x006b9310
0x006b9315
0x006b932c
0x006b9331
0x006b9334
0x006b9339
0x006b934f
0x006b934f
0x006b933b
0x006b933b
0x006b933f
0x006b934b
0x006b934b
0x006b9341
0x006b9341
0x006b9346
0x006b9349
0x00000000
0x00000000
0x00000000
0x00000000
0x006b9349
0x006b933f
0x006b9351
0x006b9356
0x006b9357
0x006b935c
0x006b935f
0x006b9369
0x006b9369
0x006b936d
0x006b9398
0x006b93a0
0x006b936f
0x006b936f
0x006b936f
0x006b9372
0x006b93b4
0x006b93b6
0x006b9374
0x006b9374
0x006b9374
0x006b9378
0x006b9385
0x006b938d
0x006b937a
0x006b937a
0x006b937d
0x006b93aa
0x006b93aa
0x006b937d
0x006b9378
0x006b9372
0x006b93bd
0x006b93c0
0x006b93c0
0x006b9315
0x006b9307
0x006b92fa
0x006b943c
0x006b943f
0x006b9442
0x006b944f
0x006b944f
0x006b926c

APIs

ShowWindow.USER32(?,00000005,00000000,006B94FD,?,?,00000000,?,00000000,00000000,?,006B99DE,00000000,006B99E8,?,00000000), ref: 006B91BF
ShowWindow.USER32(?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,006B94FD,?,?,00000000,?,00000000,00000000), ref: 006B91E5
MsgWaitForMultipleObjects.USER32 ref: 006B9206
ShowWindow.USER32(?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,006B94FD,?,?,00000000,?,00000000), ref: 006B921B

Part of subcall function 005C6FB0: GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,005C7045,?,?,?,00000001,?,0061037E,00000000,006103E9), ref: 005C6FE5

Strings

/REG, xrefs: 006B916E
Setup, xrefs: 006B91AA
Inno-Setup-RegSvr-Mutex, xrefs: 006B91C9
/REGU, xrefs: 006B9192
.msg, xrefs: 006B923E
(\m, xrefs: 006B928F
.lst, xrefs: 006B9258
<`m, xrefs: 006B927E

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: ShowWindow$FileModuleMultipleNameObjectsWait
String ID: (\m$.lst$.msg$/REG$/REGU$<`m$Inno-Setup-RegSvr-Mutex$Setup
API String ID: 66301061-906243933
Opcode ID: df712ab440413233fbdf681961169c50f21f8a39d032ff2575ee3172733b7740
Instruction ID: 4d26cb6eac5053f9cdac576eea358071a92945d2d4b93ba07426bed60c59251a
Opcode Fuzzy Hash: df712ab440413233fbdf681961169c50f21f8a39d032ff2575ee3172733b7740
Instruction Fuzzy Hash: 9B91D5B0A042059FDB10EBA4D856FEEBBF6FB49304F514469F600A7381DA79AD81CB74

Uniqueness

Uniqueness Score: -1.00%

Function 00629850 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 214
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00629850(char __eax, void* __ebx, signed char __edx, void* __edi, void* __esi, void* __fp0, char _a4, char _a8, intOrPtr _a12) {
				char _v5;
				char _v6;
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v60;
				void* __ecx;
				char _t65;
				void* _t69;
				void* _t112;
				signed char _t135;
				intOrPtr _t137;
				intOrPtr _t164;
				intOrPtr _t178;
				void* _t188;
				signed int _t189;
				char _t191;
				intOrPtr _t193;
				intOrPtr _t194;

				_t210 = __fp0;
				_t187 = __edi;
				_t193 = _t194;
				_t137 = 6;
				do {
					_push(0);
					_push(0);
					_t137 = _t137 - 1;
				} while (_t137 != 0);
				_push(_t137);
				_t1 =  &_v8;
				_t138 =  *_t1;
				 *_t1 = _t137;
				_push(__edi);
				_v5 =  *_t1;
				_t135 = __edx;
				_t191 = __eax;
				_push(_t193);
				_push(0x629b12);
				_push( *[fs:eax]);
				 *[fs:eax] = _t194;
				_v6 = 1;
				E005C53D0(__eax,  &_v12);
				if(E00422368(_v12,  *_t1, L".hlp") != 0) {
					E005C53D0(_t191,  &_v24);
					_t65 = E00422368(_v24, _t138, L".chm");
					__eflags = _t65;
					if(_t65 == 0) {
						E005C4F90(_t191, _t135,  &_v28, L".chw", __edi, _t191);
						__eflags = 0;
						E00629850(_v28, _t135, _t135, __edi, _t191, __fp0, 0, 0, _a12);
						_pop(_t138);
					}
				} else {
					E005C4F90(_t191, _t135,  &_v16, L".gid", __edi, _t191);
					E00629850(_v16, _t135, _t135, __edi, _t191, __fp0, 0, 0, _a12);
					E005C4F90(_t191, _t135,  &_v20, L".fts", __edi, _t191);
					E00629850(_v20, _t135, _t135, _t187, _t191, __fp0, 0, 0, _a12);
					_pop(_t138);
				}
				E005C53D0(_t191,  &_v32);
				_t69 = E00422368(_v32, _t138, L".lnk");
				_t197 = _t69;
				if(_t69 == 0) {
					E00624924(_t191, _t135);
				}
				if(E0060C5F4(_t135, _t191, _t197) == 0) {
					L25:
					_pop(_t164);
					 *[fs:eax] = _t164;
					_push(E00629B19);
					E0040A228( &_v60, 5);
					return E0040A228( &_v32, 6);
				} else {
					_v40 = _t191;
					_v36 = 0x11;
					_t141 = 0;
					E006163B4(L"Deleting file: %s", _t135, 0,  &_v40, _t187, _t191);
					_t199 = _a4;
					if(_a4 != 0) {
						_t189 = E0060C330(_t135, _t191, _t199);
						if(_t189 != 0xffffffff) {
							_t201 = _t189 & 0x00000001;
							if((_t189 & 0x00000001) != 0) {
								_t141 = 0xfffffffe & _t189;
								_t112 = E0060C6DC(_t135, 0xfffffffe & _t189, _t191, _t201);
								_t202 = _t112;
								if(_t112 == 0) {
									E00616130(L"Failed to strip read-only attribute.", _t135, _t189, _t191);
								} else {
									E00616130(L"Stripped read-only attribute.", _t135, _t189, _t191);
								}
							}
						}
					}
					if(E0060C158(_t135, _t191, _t202) != 0) {
						__eflags = _v5;
						if(_v5 != 0) {
							SHChangeNotify(4, 5, E0040B278(_t191), 0);
							E005C5378(_t191, _t141,  &_v60);
							E00610640( *((intOrPtr*)(_a12 - 0x3c)), _t141, _v60, _t210);
						}
						goto L25;
					} else {
						_t188 = GetLastError();
						if(_a8 == 0 ||  *((char*)(_a12 - 0x29)) == 0) {
							L22:
							_v40 = _t188;
							_v36 = 0;
							E006163B4(L"Failed to delete the file; it may be in use (%d).", _t135, 0,  &_v40, _t188, _t191);
							_v6 = 0;
							goto L25;
						} else {
							if(_t188 == 5) {
								L20:
								if((E0060C330(_t135, _t191, _t207) & 0x00000001) != 0) {
									goto L22;
								}
								_v40 = _t188;
								_v36 = 0;
								E006163B4(L"The file appears to be in use (%d). Will delete on restart.", _t135, 0,  &_v40, _t188, _t191);
								_push(_t193);
								 *[fs:eax] = _t194;
								E0060D8B0(_t135, _t135, _t191, _t188, _t191);
								 *((char*)( *((intOrPtr*)(_a12 - 0x30)) + 0x1c)) = 1;
								E005C52C8(_t191,  &_v48, _t193,  *[fs:eax]);
								E005C5378(_v48, 0,  &_v44);
								E00610640( *((intOrPtr*)(_a12 + (_t135 & 0x000000ff) * 4 - 0x38)), _a12, _v44, _t210);
								_t178 = 0x629a6d;
								 *[fs:eax] = _t178;
								goto L25;
							}
							_t207 = _t188 - 0x20;
							if(_t188 != 0x20) {
								goto L22;
							}
							goto L20;
						}
					}
				}
			}

0x00629850
0x00629850
0x00629851
0x00629854
0x00629859
0x00629859
0x0062985b
0x0062985d
0x0062985d
0x00629860
0x00629861
0x00629861
0x00629861
0x00629866
0x00629867
0x0062986a
0x0062986c
0x00629870
0x00629871
0x00629876
0x00629879
0x0062987c
0x00629885
0x00629899
0x006298ea
0x006298f7
0x006298fc
0x006298fe
0x00629912
0x0062991a
0x0062991e
0x00629923
0x00629923
0x0062989b
0x006298ad
0x006298b9
0x006298d1
0x006298dd
0x006298e2
0x006298e2
0x00629929
0x00629936
0x0062993b
0x0062993d
0x00629941
0x00629941
0x00629951
0x00629aea
0x00629aec
0x00629aef
0x00629af2
0x00629aff
0x00629b11
0x00629957
0x00629957
0x0062995a
0x00629961
0x00629968
0x0062996d
0x00629971
0x0062997c
0x00629981
0x00629983
0x00629989
0x00629990
0x00629996
0x0062999b
0x0062999d
0x006299b0
0x0062999f
0x006299a4
0x006299a4
0x0062999d
0x00629989
0x00629981
0x006299c0
0x00629ab9
0x00629abd
0x00629acd
0x00629ad7
0x00629ae5
0x00629ae5
0x00000000
0x006299c6
0x006299cb
0x006299d1
0x00629a9d
0x00629a9d
0x00629aa0
0x00629aae
0x00629ab3
0x00000000
0x006299e4
0x006299e7
0x006299f2
0x006299fd
0x00000000
0x00000000
0x00629a03
0x00629a06
0x00629a14
0x00629a1b
0x00629a24
0x00629a2d
0x00629a38
0x00629a41
0x00629a4c
0x00629a5e
0x00629a65
0x00629a68
0x00000000
0x00629a68
0x006299e9
0x006299ec
0x00000000
0x00000000
0x00000000
0x006299ec
0x006299d1
0x006299c0

APIs

GetLastError.KERNEL32(00000000,00629B12,?,?,?,?,00000005,00000000,00000000,?,?,0062AF86,00000000,00000000,?,00000000), ref: 006299C6

Strings

Deleting file: %s, xrefs: 00629963
.chw, xrefs: 0062990B
Failed to strip read-only attribute., xrefs: 006299AB
.gid, xrefs: 006298A6
.hlp, xrefs: 0062988D
Failed to delete the file; it may be in use (%d)., xrefs: 00629AA9
Stripped read-only attribute., xrefs: 0062999F
.fts, xrefs: 006298CA
.chm, xrefs: 006298F2
The file appears to be in use (%d). Will delete on restart., xrefs: 00629A0F
.lnk, xrefs: 00629931

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: ErrorLast
String ID: .chm$.chw$.fts$.gid$.hlp$.lnk$Deleting file: %s$Failed to delete the file; it may be in use (%d).$Failed to strip read-only attribute.$Stripped read-only attribute.$The file appears to be in use (%d). Will delete on restart.
API String ID: 1452528299-3112430753
Opcode ID: e86b536b56413c09e9305a1eb6eef416c5ea9b69f8604097457debdc0e62690a
Instruction ID: 80e8b6ab9e5d3a552657306fa088f7fa642ecff14c11c84625059ee943e1d250
Opcode Fuzzy Hash: e86b536b56413c09e9305a1eb6eef416c5ea9b69f8604097457debdc0e62690a
Instruction Fuzzy Hash: D371E330B00B245FDB04EF68E851BEE77A6AF89710F14842DF801A7381DAB89D45CB79

Uniqueness

Uniqueness Score: -1.00%

Function 0060E4D8 Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 253
registryCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E0060E4D8(void* __ebx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				char _v8;
				intOrPtr _v12;
				char _v13;
				void* _v20;
				char _v21;
				char _v28;
				int _v32;
				int _v36;
				char _v40;
				char _v44;
				char* _v48;
				char _v52;
				char _v56;
				char _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				char* _v72;
				char _v76;
				char _v80;
				void* _t77;
				char _t98;
				char _t103;
				char* _t110;
				char _t133;
				char _t139;
				char _t144;
				void* _t168;
				short* _t169;
				char _t170;
				char _t172;
				intOrPtr _t189;
				intOrPtr _t194;
				intOrPtr _t196;
				void* _t207;
				void* _t208;
				intOrPtr _t209;

				_t207 = _t208;
				_t209 = _t208 + 0xffffffb4;
				_push(__esi);
				_push(__edi);
				_v40 = 0;
				_v44 = 0;
				_v60 = 0;
				_v76 = 0;
				_v80 = 0;
				_v56 = 0;
				_v8 = 0;
				_v12 = __edx;
				_push(_t207);
				_push(0x60e7be);
				_push( *[fs:edx]);
				 *[fs:edx] = _t209;
				_v13 = 0;
				_t168 = E005C7A14(_t77, L"Software\\Microsoft\\Windows\\CurrentVersion\\SharedDLLs", 0x80000002,  &_v20, 3, 0);
				if(_t168 == 2) {
					L30:
					_pop(_t189);
					 *[fs:eax] = _t189;
					_push(E0060E7C5);
					E0040A228( &_v80, 2);
					E0040A228( &_v60, 2);
					E0040A228( &_v44, 2);
					return E0040A1C8( &_v8);
				} else {
					if(_t168 != 0) {
						E0060CF98(0x80000002,  &_v56, _t207);
						_v52 = _v56;
						_v48 = L"Software\\Microsoft\\Windows\\CurrentVersion\\SharedDLLs";
						E005CD4D8(0x52, 1,  &_v52,  &_v44);
						_push(_v44);
						_push(L"\r\n\r\n");
						_v72 = L"RegOpenKeyEx";
						E00423004(_t168,  &_v76);
						_v68 = _v76;
						E005C857C(_t168,  &_v80);
						_v64 = _v80;
						E005CD4D8(0x48, 2,  &_v72,  &_v60);
						_push(_v60);
						E0040B550( &_v40, _t168, 3, __edi, __esi);
						E00429008(_v40, 1);
						E004098C4();
					}
					_push(_t207);
					_push(0x60e77a);
					_push( *[fs:eax]);
					 *[fs:eax] = _t209;
					_t169 = E0040B278(_v12);
					if(RegQueryValueExW(_v20, _t169, 0,  &_v32, 0,  &_v36) == 0) {
						_v21 = 0;
						_v28 = 0;
						_push(_t207);
						_push(0x60e6b8);
						_push( *[fs:eax]);
						 *[fs:eax] = _t209;
						_t98 = _v32 - 1;
						__eflags = _t98;
						if(_t98 == 0) {
							__eflags = E005C793C();
							if(__eflags != 0) {
								_v28 = E0042339C(_v8, __eflags);
								_v21 = 1;
							}
						} else {
							_t133 = _t98 - 2;
							__eflags = _t133;
							if(_t133 == 0) {
								__eflags = _v36 - 1;
								if(_v36 >= 1) {
									__eflags = _v36 - 4;
									if(_v36 <= 4) {
										_t139 = RegQueryValueExW(_v20, E0040B278(_v12), 0, 0,  &_v28,  &_v36);
										__eflags = _t139;
										if(_t139 == 0) {
											_v21 = 1;
										}
									}
								}
							} else {
								__eflags = _t133 == 1;
								if(_t133 == 1) {
									_v36 = 4;
									_t144 = RegQueryValueExW(_v20, _t169, 0, 0,  &_v28,  &_v36);
									__eflags = _t144;
									if(_t144 == 0) {
										_v21 = 1;
									}
								}
							}
						}
						_pop(_t194);
						 *[fs:eax] = _t194;
						__eflags = _v21;
						if(_v21 != 0) {
							_v28 = _v28 - 1;
							__eflags = _v28;
							if(_v28 > 0) {
								_t103 = _v32 - 1;
								__eflags = _t103;
								if(_t103 == 0) {
									E0042302C( &_v8, _v28, 0);
									_t170 = _v8;
									__eflags = _t170;
									if(_t170 != 0) {
										_t172 = _t170 - 4;
										__eflags = _t172;
										_t170 =  *_t172;
									}
									_t110 = E0040B278(_v8);
									RegSetValueExW(_v20, E0040B278(_v12), 0, 1, _t110, _t170 + 1 + _t170 + 1);
								} else {
									__eflags = _t103 + 0xfffffffe - 2;
									if(_t103 + 0xfffffffe - 2 < 0) {
										RegSetValueExW(_v20, E0040B278(_v12), 0, _v32,  &_v28, 4);
									}
								}
							} else {
								_v13 = 1;
								RegDeleteValueW(_v20, E0040B278(_v12));
							}
							__eflags = 0;
							_pop(_t196);
							 *[fs:eax] = _t196;
							_push(E0060E781);
							return RegCloseKey(_v20);
						} else {
							E004099B8();
							goto L30;
						}
					} else {
						E004099B8();
						goto L30;
					}
				}
			}

0x0060e4d9
0x0060e4db
0x0060e4df
0x0060e4e0
0x0060e4e3
0x0060e4e6
0x0060e4e9
0x0060e4ec
0x0060e4ef
0x0060e4f2
0x0060e4f5
0x0060e4f8
0x0060e4fd
0x0060e4fe
0x0060e503
0x0060e506
0x0060e509
0x0060e524
0x0060e529
0x0060e781
0x0060e783
0x0060e786
0x0060e789
0x0060e796
0x0060e7a3
0x0060e7b0
0x0060e7bd
0x0060e52f
0x0060e531
0x0060e543
0x0060e54b
0x0060e553
0x0060e562
0x0060e567
0x0060e56a
0x0060e578
0x0060e580
0x0060e588
0x0060e590
0x0060e598
0x0060e5a7
0x0060e5ac
0x0060e5b7
0x0060e5c6
0x0060e5cb
0x0060e5cb
0x0060e5d2
0x0060e5d3
0x0060e5d8
0x0060e5db
0x0060e5f2
0x0060e600
0x0060e60c
0x0060e612
0x0060e617
0x0060e618
0x0060e61d
0x0060e620
0x0060e626
0x0060e626
0x0060e627
0x0060e640
0x0060e642
0x0060e64c
0x0060e64f
0x0060e64f
0x0060e629
0x0060e629
0x0060e629
0x0060e62c
0x0060e655
0x0060e659
0x0060e65b
0x0060e65f
0x0060e67a
0x0060e67f
0x0060e681
0x0060e683
0x0060e683
0x0060e681
0x0060e65f
0x0060e62e
0x0060e62e
0x0060e62f
0x0060e689
0x0060e6a1
0x0060e6a6
0x0060e6a8
0x0060e6aa
0x0060e6aa
0x0060e6a8
0x0060e62f
0x0060e62c
0x0060e6b0
0x0060e6b3
0x0060e6c2
0x0060e6c6
0x0060e6d2
0x0060e6d5
0x0060e6d9
0x0060e6f6
0x0060e6f6
0x0060e6f7
0x0060e70d
0x0060e712
0x0060e715
0x0060e717
0x0060e719
0x0060e719
0x0060e71c
0x0060e71c
0x0060e727
0x0060e73e
0x0060e6f9
0x0060e6fc
0x0060e6ff
0x0060e75e
0x0060e75e
0x0060e6ff
0x0060e6db
0x0060e6db
0x0060e6ec
0x0060e6ec
0x0060e763
0x0060e765
0x0060e768
0x0060e76b
0x0060e779
0x0060e6c8
0x0060e6c8
0x00000000
0x0060e6c8
0x0060e602
0x0060e602
0x00000000
0x0060e602
0x0060e600

APIs

Part of subcall function 005C7A14: RegOpenKeyExW.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,005C80EE,?,00000000,?,005C808E,00000001,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,005C80EE), ref: 005C7A30

RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,?,00000000,0060E77A,?,?,00000003,00000000,00000000,0060E7BE), ref: 0060E5F9

Part of subcall function 005C857C: FormatMessageW.KERNEL32(00003200,00000000,00000000,00000000,?,00000400,00000000,00000000,005CBEAE,00000000,005CBEFF,?,005CC0E0), ref: 005C859B

RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,00000004,00000000,0060E6B8,?,?,00000000,00000000,?,00000000,?,00000000), ref: 0060E67A
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,00000004,00000000,0060E6B8,?,?,00000000,00000000,?,00000000,?,00000000), ref: 0060E6A1

Strings

Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 0060E515
RegOpenKeyEx, xrefs: 0060E573
, xrefs: 0060E56A
Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 0060E54E

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: QueryValue$FormatMessageOpen
String ID: $RegOpenKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
API String ID: 2812809588-1577016196
Opcode ID: c7bcec260bc8b0e98996bd8c9af5b618b9eef9dc2c6f3a24e84bb91db002359f
Instruction ID: f3c5cbb3acae1969306396449b745ae43344fa58bfe099d55e14c7ecbf00227c
Opcode Fuzzy Hash: c7bcec260bc8b0e98996bd8c9af5b618b9eef9dc2c6f3a24e84bb91db002359f
Instruction Fuzzy Hash: C7919270E84219AFDB04DFA5D885BEFBBBAEB48304F14482AF500E72C1D7769945CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0062709C Relevance: 19.4, APIs: 3, Strings: 8, Instructions: 162
registryCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E0062709C(signed int __eax, void* __ebx, signed int __edx, void* __edi, void* __esi) {
				signed int _v5;
				char _v8;
				void* _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				void* __ecx;
				void* _t79;
				signed int _t83;
				signed char _t125;
				intOrPtr _t127;
				intOrPtr _t156;
				signed int _t170;
				intOrPtr _t178;
				intOrPtr _t180;
				intOrPtr _t181;

				_t180 = _t181;
				_t127 = 4;
				do {
					_push(0);
					_push(0);
					_t127 = _t127 - 1;
				} while (_t127 != 0);
				_t1 =  &_v8;
				_t128 =  *_t1;
				 *_t1 = _t127;
				_t178 =  *_t1;
				_v5 = __edx;
				_t125 = __eax;
				_push(_t180);
				_push(0x6272a5);
				_push( *[fs:eax]);
				 *[fs:eax] = _t181;
				if( *((intOrPtr*)(0x6d6380 + ((__eax & 0x000000ff) + (__eax & 0x000000ff)) * 8 + (_v5 & 0x000000ff) * 4)) != 0) {
					L18:
					E0040A5A8(_t178,  *((intOrPtr*)(0x6d6380 + ((_t125 & 0x000000ff) + (_t125 & 0x000000ff)) * 8 + (_v5 & 0x000000ff) * 4)));
					_pop(_t156);
					 *[fs:eax] = _t156;
					_push(E006272AC);
					return E0040A228( &_v32, 5);
				}
				E00626F48(__eax, _t128,  &_v16, _t180);
				if((_v5 & 0x000000ff) + 0xfe - 2 >= 0 || E005C7A14(_t125, L"SOFTWARE\\Microsoft\\.NETFramework\\Policy\\v4.0", 0x80000002,  &_v12, 1, 0) != 0) {
					_t79 = (_v5 & 0x000000ff) - 1;
					if(_t79 == 0 || _t79 == 2) {
						if(E005C7A14(_t125, L"SOFTWARE\\Microsoft\\.NETFramework\\Policy\\v2.0", 0x80000002,  &_v12, 1, 0) != 0) {
							goto L10;
						} else {
							_t174 = _t125 & 0x0000007f;
							E005C4EA4( *((intOrPtr*)(0x6d6374 + (_t125 & 0x0000007f) * 4)),  &_v24);
							E0040B4C8(0x6d6380 + (_t174 + _t174) * 8 + (_v5 & 0x000000ff) * 4, L"v2.0.50727", _v24);
							RegCloseKey(_v12);
							goto L14;
						}
					} else {
						L10:
						_t83 = _v5 & 0x000000ff;
						if(_t83 == 0 || _t83 == 3) {
							if(E005C7A14(_t125, L"SOFTWARE\\Microsoft\\.NETFramework\\Policy\\v1.1", 0x80000002,  &_v12, 1, 0) == 0) {
								_t172 = _t125 & 0x0000007f;
								E005C4EA4( *((intOrPtr*)(0x6d6374 + (_t125 & 0x0000007f) * 4)),  &_v28);
								E0040B4C8(0x6d6380 + (_t172 + _t172) * 8 + (_v5 & 0x000000ff) * 4, L"v1.1.4322", _v28);
								RegCloseKey(_v12);
							}
						}
						goto L14;
					}
				} else {
					_t176 = _t125 & 0x0000007f;
					E005C4EA4( *((intOrPtr*)(0x6d6374 + (_t125 & 0x0000007f) * 4)),  &_v20);
					E0040B4C8(0x6d6380 + (_t176 + _t176) * 8 + (_v5 & 0x000000ff) * 4, L"v4.0.30319", _v20);
					RegCloseKey(_v12);
					L14:
					_t170 = _v5 & 0x000000ff;
					if( *((intOrPtr*)(0x6d6380 + ((_t125 & 0x000000ff) + (_t125 & 0x000000ff)) * 8 + _t170 * 4)) == 0) {
						if(_v5 == 3) {
							E0060CD28(L".NET Framework not found", _t125);
						} else {
							_v40 =  *((intOrPtr*)(0x6cd0a4 + _t170 * 4));
							_v36 = 0x11;
							E004244F8(L".NET Framework version %s not found", 0,  &_v40,  &_v32);
							E0060CD28(_v32, _t125);
						}
					}
					goto L18;
				}
			}

0x0062709d
0x006270a0
0x006270a5
0x006270a5
0x006270a7
0x006270a9
0x006270a9
0x006270ac
0x006270ac
0x006270ac
0x006270b2
0x006270b4
0x006270b7
0x006270bb
0x006270bc
0x006270c1
0x006270c4
0x006270db
0x00627270
0x00627285
0x0062728c
0x0062728f
0x00627292
0x006272a4
0x006272a4
0x006270e6
0x006270f3
0x00627157
0x00627159
0x0062717a
0x00000000
0x0062717c
0x00627181
0x0062718b
0x006271aa
0x006271b3
0x00000000
0x006271b3
0x006271ba
0x006271ba
0x006271ba
0x006271c0
0x006271e1
0x006271e8
0x006271f2
0x00627211
0x0062721a
0x0062721a
0x006271e1
0x00000000
0x006271c0
0x00627112
0x00627117
0x00627121
0x00627140
0x00627149
0x0062721f
0x0062721f
0x00627233
0x00627239
0x0062726b
0x0062723b
0x00627246
0x00627249
0x00627257
0x0062725f
0x0062725f
0x00627239
0x00000000
0x00627233

APIs

RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,006272A5,?,00626DA0,?,00000000,00000000,00000000,?,?,00627510,00000000), ref: 00627149
RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,006272A5,?,00626DA0,?,00000000,00000000,00000000,?,?,00627510,00000000), ref: 006271B3
RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,00000001,00000000,00000000,006272A5,?,00626DA0,?,00000000,00000000,00000000,?), ref: 0062721A

Strings

SOFTWARE\Microsoft\.NETFramework\Policy\v1.1, xrefs: 006271D0
SOFTWARE\Microsoft\.NETFramework\Policy\v2.0, xrefs: 00627169
v4.0.30319, xrefs: 0062713B
.NET Framework not found, xrefs: 00627266
v2.0.50727, xrefs: 006271A5
.NET Framework version %s not found, xrefs: 00627252
v1.1.4322, xrefs: 0062720C
SOFTWARE\Microsoft\.NETFramework\Policy\v4.0, xrefs: 006270FF

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: Close
String ID: .NET Framework not found$.NET Framework version %s not found$SOFTWARE\Microsoft\.NETFramework\Policy\v1.1$SOFTWARE\Microsoft\.NETFramework\Policy\v2.0$SOFTWARE\Microsoft\.NETFramework\Policy\v4.0$v1.1.4322$v2.0.50727$v4.0.30319
API String ID: 3535843008-446240816
Opcode ID: e0941211630b040962ad433e1c7d93649d8e46d21326bdffa5a487f6456e7331
Instruction ID: 6a27bfdae97b75501bbdc0cce0dcd9b9ee0f65bcede85a7be403583e7914197f
Opcode Fuzzy Hash: e0941211630b040962ad433e1c7d93649d8e46d21326bdffa5a487f6456e7331
Instruction Fuzzy Hash: 8551E131A091699FCF04DBA8E861FFD7BB7EF45300F1504AAF500A7392D639AB058B21

Uniqueness

Uniqueness Score: -1.00%

Function 00625D14 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 70
sleepsynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00625D14(intOrPtr __eax, void* __edx) {
				long _v12;
				long _v16;
				void* __ebx;
				void* __esi;
				void* _t44;
				void* _t50;
				intOrPtr _t51;
				DWORD* _t52;

				_t19 = __eax;
				_t52 =  &_v12;
				_t44 = __edx;
				_t51 = __eax;
				if( *((char*)(__eax + 4)) == 0) {
					L11:
					return _t19;
				}
				 *((char*)(__eax + 5)) = 1;
				_v16 =  *((intOrPtr*)(__eax + 0x10));
				_v12 = 0;
				E006163B4(L"Stopping 64-bit helper process. (PID: %u)", __edx, 0,  &_v16, _t50, __eax);
				CloseHandle( *(_t51 + 0xc));
				 *(_t51 + 0xc) = 0;
				while(WaitForSingleObject( *(_t51 + 8), 0x2710) == 0x102) {
					E00616130(L"Helper isn\'t responding; killing it.", _t44, _t50, _t51);
					TerminateProcess( *(_t51 + 8), 1);
				}
				if(GetExitCodeProcess( *(_t51 + 8), _t52) == 0) {
					E00616130(L"Helper process exited, but failed to get exit code.", _t44, _t50, _t51);
				} else {
					if( *_t52 != 0) {
						_v16 =  *_t52;
						_v12 = 0;
						E006163B4(L"Helper process exited with failure code: 0x%x", _t44, 0,  &_v16, _t50, _t51);
					} else {
						E00616130(L"Helper process exited.", _t44, _t50, _t51);
					}
				}
				CloseHandle( *(_t51 + 8));
				 *(_t51 + 8) = 0;
				_t19 = 0;
				 *((intOrPtr*)(_t51 + 0x10)) = 0;
				 *((char*)(_t51 + 4)) = 0;
				if(_t44 == 0) {
					goto L11;
				} else {
					Sleep(0xfa);
					return 0;
				}
			}

0x00625d14
0x00625d16
0x00625d19
0x00625d1b
0x00625d21
0x00625df3
0x00625df3
0x00625df3
0x00625d27
0x00625d2e
0x00625d32
0x00625d42
0x00625d4b
0x00625d52
0x00625d6c
0x00625d5c
0x00625d67
0x00625d67
0x00625d8d
0x00625dc4
0x00625d8f
0x00625d93
0x00625da4
0x00625da8
0x00625db8
0x00625d95
0x00625d9a
0x00625d9a
0x00625d93
0x00625dcd
0x00625dd4
0x00625dd7
0x00625dd9
0x00625ddc
0x00625de2
0x00000000
0x00625de4
0x00625de9
0x00000000
0x00625de9

APIs

CloseHandle.KERNEL32(?), ref: 00625D4B
TerminateProcess.KERNEL32(?,00000001,?,00002710,?), ref: 00625D67
WaitForSingleObject.KERNEL32(?,00002710,?), ref: 00625D75
GetExitCodeProcess.KERNEL32 ref: 00625D86
CloseHandle.KERNEL32(?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 00625DCD
Sleep.KERNEL32(000000FA,?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 00625DE9

Strings

Stopping 64-bit helper process. (PID: %u), xrefs: 00625D3D
Helper process exited., xrefs: 00625D95
Helper isn't responding; killing it., xrefs: 00625D57
Helper process exited with failure code: 0x%x, xrefs: 00625DB3
Helper process exited, but failed to get exit code., xrefs: 00625DBF

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: CloseHandleProcess$CodeExitObjectSingleSleepTerminateWait
String ID: Helper isn't responding; killing it.$Helper process exited with failure code: 0x%x$Helper process exited, but failed to get exit code.$Helper process exited.$Stopping 64-bit helper process. (PID: %u)
API String ID: 3355656108-1243109208
Opcode ID: 39883d29d795098f418b7966fdcadf6d747d73cc4ff91dfa499128bca298669b
Instruction ID: d564c8b30f574b505304bc0216fad519ef2dd9895e072bde183416e8b9fa8f35
Opcode Fuzzy Hash: 39883d29d795098f418b7966fdcadf6d747d73cc4ff91dfa499128bca298669b
Instruction Fuzzy Hash: 9C21AF70604F50AAD330EB78E44578BBBE69F08310F048C2DB59BC7682D734E8808B5A

Uniqueness

Uniqueness Score: -1.00%

Function 006B740C Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 145
fileCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E006B740C(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
				char _v8;
				struct HWND__* _v12;
				void* _v16;
				char _v20;
				char _v24;
				char _v28;
				struct HWND__* _v32;
				char _v36;
				char _v40;
				char _v44;
				char _v48;
				WCHAR* _t41;
				intOrPtr _t42;
				int _t44;
				intOrPtr* _t54;
				void* _t68;
				intOrPtr _t80;
				intOrPtr _t102;
				intOrPtr _t104;
				void* _t108;
				void* _t109;
				intOrPtr _t110;
				void* _t118;

				_t118 = __fp0;
				_t106 = __esi;
				_t105 = __edi;
				_t88 = __ecx;
				_t87 = __ebx;
				_t108 = _t109;
				_t110 = _t109 + 0xffffffd4;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_v24 = 0;
				_v48 = 0;
				_v44 = 0;
				_v20 = 0;
				_v8 = 0;
				_push(_t108);
				_push(0x6b75fa);
				_push( *[fs:eax]);
				 *[fs:eax] = _t110;
				E005C75E4( &_v20, __ebx, __ecx, __eflags);
				if(E0060D3B4(_v20, __ebx,  &_v8, __edi, __esi) == 0) {
					_push(_t108);
					_push( *[fs:eax]);
					 *[fs:eax] = _t110;
					E0060D8B0(0, _t87, _v8, __edi, __esi);
					_pop(_t104);
					_t88 = 0x6b746f;
					 *[fs:eax] = _t104;
				}
				_t41 = E0040B278(_v8);
				_t42 =  *0x6d68d0; // 0x0
				_t44 = CopyFileW(E0040B278(_t42), _t41, 0);
				_t113 = _t44;
				if(_t44 == 0) {
					_t80 =  *0x6cded8; // 0x6d5c28
					_t11 = _t80 + 0x208; // 0x0
					E006B68EC( *_t11, _t87, _t88, _t106, _t113);
				}
				SetFileAttributesW(E0040B278(_v8), 0x80);
				_v12 = E00414DA0(0, L"STATIC", 0,  *0x6d2634, 0, 0, 0, 0, 0, 0, 0);
				 *0x6d68fc = SetWindowLongW(_v12, 0xfffffffc, E006B6AB0);
				_push(_t108);
				_push(0x6b75c3);
				_push( *[fs:eax]);
				 *[fs:eax] = _t110;
				_t54 =  *0x6cdec4; // 0x6d579c
				SetWindowPos( *( *_t54 + 0x188), 0, 0, 0, 0, 0, 0x97);
				E005C6FB0(0, _t87,  &_v44, _t105, _t106);
				_v40 = _v44;
				_v36 = 0x11;
				_v32 = _v12;
				_v28 = 0;
				E004244F8(L"/SECONDPHASE=\"%s\" /FIRSTPHASEWND=$%x ", 1,  &_v40,  &_v24);
				_push( &_v24);
				E005C6E90( &_v48, _t87, _t106, 0);
				_pop(_t68);
				E0040B470(_t68, _v48);
				_v16 = E006B6998(_v8, _t87, _v24, _t105, _t106, _t118);
				do {
				} while (E006B6A74() == 0 && MsgWaitForMultipleObjects(1,  &_v16, 0, 0xffffffff, 0x4ff) == 1);
				CloseHandle(_v16);
				_pop(_t102);
				 *[fs:eax] = _t102;
				_push(E006B75CA);
				return DestroyWindow(_v12);
			}

0x006b740c
0x006b740c
0x006b740c
0x006b740c
0x006b740c
0x006b740d
0x006b740f
0x006b7412
0x006b7413
0x006b7414
0x006b7417
0x006b741a
0x006b741d
0x006b7420
0x006b7423
0x006b7428
0x006b7429
0x006b742e
0x006b7431
0x006b7437
0x006b7449
0x006b744d
0x006b7453
0x006b7456
0x006b7460
0x006b7467
0x006b7469
0x006b746a
0x006b746a
0x006b747e
0x006b7484
0x006b748f
0x006b7494
0x006b7496
0x006b7498
0x006b749d
0x006b74a3
0x006b74a3
0x006b74b6
0x006b74e2
0x006b74f5
0x006b74fc
0x006b74fd
0x006b7502
0x006b7505
0x006b7517
0x006b7525
0x006b7533
0x006b753b
0x006b753e
0x006b7545
0x006b7548
0x006b7559
0x006b7561
0x006b7565
0x006b756d
0x006b756e
0x006b757e
0x006b7581
0x006b7586
0x006b75a7
0x006b75ae
0x006b75b1
0x006b75b4
0x006b75c2

APIs

Part of subcall function 0060D3B4: CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,?,_iu,?,00000000,0060D4F1), ref: 0060D4A1
Part of subcall function 0060D3B4: CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,?,_iu,?,00000000,0060D4F1), ref: 0060D4B1

CopyFileW.KERNEL32(00000000,00000000,00000000,00000000,006B75FA), ref: 006B748F
SetFileAttributesW.KERNEL32(00000000,00000080,00000000,00000000,00000000,00000000,006B75FA), ref: 006B74B6
SetWindowLongW.USER32(?,000000FC,006B6AB0), ref: 006B74F0
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,006B75C3,?,?,000000FC,006B6AB0,00000000,?,00000000), ref: 006B7525
MsgWaitForMultipleObjects.USER32 ref: 006B7599
CloseHandle.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,006B75C3,?,?,000000FC,006B6AB0,00000000), ref: 006B75A7

Part of subcall function 0060D8B0: WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000), ref: 0060D996

DestroyWindow.USER32(?,006B75CA,00000000,00000000,00000000,00000000,00000000,00000097,00000000,006B75C3,?,?,000000FC,006B6AB0,00000000,?), ref: 006B75BD

Strings

/SECONDPHASE="%s" /FIRSTPHASEWND=$%x , xrefs: 006B7554
(\m, xrefs: 006B7498
STATIC, xrefs: 006B74D6

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: FileWindow$CloseHandle$AttributesCopyCreateDestroyLongMultipleObjectsPrivateProfileStringWaitWrite
String ID: (\m$/SECONDPHASE="%s" /FIRSTPHASEWND=$%x $STATIC
API String ID: 1779715363-1630723103
Opcode ID: 590c0ad9364cb792a84a58c9118fcebc7ede51f51827efcc5232604c532853bb
Instruction ID: ef81c38150d0c0f6437f901880bd06975f11695bff6d213fe2789ed19ae6d402
Opcode Fuzzy Hash: 590c0ad9364cb792a84a58c9118fcebc7ede51f51827efcc5232604c532853bb
Instruction Fuzzy Hash: EE4181B1A04208AFDB00EFB5DC56EDE7BF9EB89314F11456AF500F7291DB789A408B64

Uniqueness

Uniqueness Score: -1.00%

Function 00625FC4 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 124
pipeCOMMON

Download Yara Rule

C-Code - Quality: 55%

			E00625FC4(intOrPtr __eax, void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __fp0, char _a4) {
				intOrPtr _v8;
				long _v12;
				void* _v16;
				struct _OVERLAPPED _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				long _t83;
				intOrPtr _t94;
				void* _t99;
				void* _t100;
				intOrPtr _t101;

				_t99 = _t100;
				_t101 = _t100 + 0xffffffd8;
				_v40 = 0;
				_v44 = 0;
				_v8 = __eax;
				_push(_t99);
				_push(0x626202);
				_push( *[fs:eax]);
				 *[fs:eax] = _t101;
				 *(_v8 + 0x14) =  *(_v8 + 0x14) + 1;
				 *(_v8 + 0x20) =  *(_v8 + 0x14);
				 *((intOrPtr*)(_v8 + 0x24)) = __edx;
				 *((intOrPtr*)(_v8 + 0x28)) = __ecx;
				_t83 = 0xc + __ecx;
				_push(_t99);
				_push(0x6261a7);
				_push( *[fs:edx]);
				 *[fs:edx] = _t101;
				_v16 = CreateEventW(0, 0xffffffff, 0, 0);
				if(_v16 == 0) {
					E0060CE84(L"CreateEvent");
				}
				_push(_t99);
				_push(0x62613c);
				_push( *[fs:edx]);
				 *[fs:edx] = _t101;
				E00407760( &_v36, 0x14);
				_v36.hEvent = _v16;
				if(TransactNamedPipe( *(_v8 + 0xc), _v8 + 0x20, _t83, _v8 + 0x4034, 0x14,  &_v12,  &_v36) != 0) {
					_pop(_t94);
					 *[fs:eax] = _t94;
					_push(E00626143);
					return CloseHandle(_v16);
				} else {
					if(GetLastError() != 0x3e5) {
						E0060CE84(L"TransactNamedPipe");
					}
					_push(_t99);
					_push(0x62610e);
					_push( *[fs:edx]);
					 *[fs:edx] = _t101;
					if(_a4 != 0 &&  *((short*)(_v8 + 0x1a)) != 0) {
						do {
							 *((intOrPtr*)(_v8 + 0x18))();
						} while (MsgWaitForMultipleObjects(1,  &_v16, 0, 0xffffffff, 0x4ff) == 1);
					}
					_pop( *[fs:0x0]);
					_push(E00626115);
					GetOverlappedResult( *(_v8 + 0xc),  &_v36,  &_v12, 0xffffffff);
					return GetLastError();
				}
			}

0x00625fc5
0x00625fc7
0x00625fcf
0x00625fd2
0x00625fd5
0x00625fda
0x00625fdb
0x00625fe0
0x00625fe3
0x00625fe9
0x00625ff5
0x00625ffb
0x00626001
0x00626009
0x0062600d
0x0062600e
0x00626013
0x00626016
0x00626026
0x0062602d
0x00626034
0x00626034
0x0062603b
0x0062603c
0x00626041
0x00626044
0x00626051
0x00626059
0x00626085
0x00626127
0x0062612a
0x0062612d
0x0062613b
0x0062608b
0x00626095
0x0062609c
0x0062609c
0x006260a3
0x006260a4
0x006260a9
0x006260ac
0x006260b3
0x006260bf
0x006260c5
0x006260dc
0x006260bf
0x006260e1
0x006260eb
0x00626101
0x0062610d
0x0062610d

APIs

CreateEventW.KERNEL32(00000000,000000FF,00000000,00000000,00000000,006261A7,?,00000000,00626202,?,?,00000000,00000000), ref: 00626021
TransactNamedPipe.KERNEL32(?,-00000020,0000000C,-00004034,00000014,00000000,?,00000000,0062613C,?,00000000,000000FF,00000000,00000000,00000000,006261A7), ref: 0062607E
GetLastError.KERNEL32(?,-00000020,0000000C,-00004034,00000014,00000000,?,00000000,0062613C,?,00000000,000000FF,00000000,00000000,00000000,006261A7), ref: 0062608B
MsgWaitForMultipleObjects.USER32 ref: 006260D7
GetOverlappedResult.KERNEL32(?,?,00000000,000000FF,00626115,00000000,00000000), ref: 00626101
GetLastError.KERNEL32(?,?,00000000,000000FF,00626115,00000000,00000000), ref: 00626108

Part of subcall function 0060CE84: GetLastError.KERNEL32(00000000,0060DBAA,00000005,00000000,0060DBD2,?,?,006D579C,?,00000000,00000000,00000000,?,006B910F,00000000,006B912A), ref: 0060CE87

Strings

CreateEvent, xrefs: 0062602F
TransactNamedPipe, xrefs: 00626097

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: ErrorLast$CreateEventMultipleNamedObjectsOverlappedPipeResultTransactWait
String ID: CreateEvent$TransactNamedPipe
API String ID: 2182916169-3012584893
Opcode ID: a06eff76c2156a534d1e4dc483291fabc8641127e113913af401bd78cfb4e81c
Instruction ID: 6106728f610c95dcbec9252819f2c5c1e9fccb50d9899b4423df3e52f48f78ac
Opcode Fuzzy Hash: a06eff76c2156a534d1e4dc483291fabc8641127e113913af401bd78cfb4e81c
Instruction Fuzzy Hash: 6441AC70A00618EFDB05DF99DD85EDEBBBAEB08310F1041A9F904E7392D674AE50CB24

Uniqueness

Uniqueness Score: -1.00%

Function 0040DF90 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 76
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E0040DF90(signed short __eax, void* __ebx, intOrPtr* __edx, void* __edi, void* __esi) {
				char _v8;
				void* _t18;
				signed short _t28;
				intOrPtr _t35;
				intOrPtr* _t44;
				intOrPtr _t47;

				_t42 = __edi;
				_push(0);
				_push(__ebx);
				_push(__esi);
				_t44 = __edx;
				_t28 = __eax;
				_push(_t47);
				_push(0x40e094);
				_push( *[fs:eax]);
				 *[fs:eax] = _t47;
				EnterCriticalSection(0x6d1c14);
				if(_t28 !=  *0x6d1c2c) {
					LeaveCriticalSection(0x6d1c14);
					E0040A1C8(_t44);
					if(IsValidLocale(_t28 & 0x0000ffff, 2) != 0) {
						if( *0x6d1c10 == 0) {
							_t18 = E0040DC78(_t28, _t28, _t44, __edi, _t44);
							L00405254();
							if(_t28 != _t18) {
								if( *_t44 != 0) {
									_t18 = E0040B470(_t44, E0040E0AC);
								}
								L00405254();
								E0040DC78(_t18, _t28,  &_v8, _t42, _t44);
								E0040B470(_t44, _v8);
							}
						} else {
							E0040DE74(_t28, _t44);
						}
					}
					EnterCriticalSection(0x6d1c14);
					 *0x6d1c2c = _t28;
					E0040DAF8(0x6d1c2e, E0040B278( *_t44), 0xaa);
					LeaveCriticalSection(0x6d1c14);
				} else {
					E0040B318(_t44, 0x55, 0x6d1c2e);
					LeaveCriticalSection(0x6d1c14);
				}
				_pop(_t35);
				 *[fs:eax] = _t35;
				_push(E0040E09B);
				return E0040A1C8( &_v8);
			}

0x0040df90
0x0040df93
0x0040df95
0x0040df96
0x0040df97
0x0040df99
0x0040df9d
0x0040df9e
0x0040dfa3
0x0040dfa6
0x0040dfae
0x0040dfba
0x0040dfe1
0x0040dfe8
0x0040dffa
0x0040e003
0x0040e014
0x0040e019
0x0040e021
0x0040e026
0x0040e02f
0x0040e02f
0x0040e034
0x0040e03c
0x0040e046
0x0040e046
0x0040e005
0x0040e009
0x0040e009
0x0040e003
0x0040e050
0x0040e055
0x0040e06f
0x0040e079
0x0040dfbc
0x0040dfc8
0x0040dfd2
0x0040dfd2
0x0040e080
0x0040e083
0x0040e086
0x0040e093

APIs

EnterCriticalSection.KERNEL32(006D1C14,00000000,0040E094,?,?,?,00000000,?,0040E974,00000000,0040E9D3,?,?,00000000,00000000,00000000), ref: 0040DFAE
LeaveCriticalSection.KERNEL32(006D1C14,006D1C14,00000000,0040E094,?,?,?,00000000,?,0040E974,00000000,0040E9D3,?,?,00000000,00000000), ref: 0040DFD2
LeaveCriticalSection.KERNEL32(006D1C14,006D1C14,00000000,0040E094,?,?,?,00000000,?,0040E974,00000000,0040E9D3,?,?,00000000,00000000), ref: 0040DFE1
IsValidLocale.KERNEL32(00000000,00000002,006D1C14,006D1C14,00000000,0040E094,?,?,?,00000000,?,0040E974,00000000,0040E9D3), ref: 0040DFF3
EnterCriticalSection.KERNEL32(006D1C14,00000000,00000002,006D1C14,006D1C14,00000000,0040E094,?,?,?,00000000,?,0040E974,00000000,0040E9D3), ref: 0040E050
LeaveCriticalSection.KERNEL32(006D1C14,006D1C14,00000000,00000002,006D1C14,006D1C14,00000000,0040E094,?,?,?,00000000,?,0040E974,00000000,0040E9D3), ref: 0040E079

Strings

en-US,en,, xrefs: 0040DFBE, 0040E065

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: CriticalSection$Leave$Enter$LocaleValid
String ID: en-US,en,
API String ID: 975949045-3579323720
Opcode ID: 171b762d311100d548245b05869de6cc58e31fb58a3f3531ab4430e822a5ac23
Instruction ID: 7d1429daecdd90a797f7fba0e37e49eac4d41b909b59f49409e6443efac98480
Opcode Fuzzy Hash: 171b762d311100d548245b05869de6cc58e31fb58a3f3531ab4430e822a5ac23
Instruction Fuzzy Hash: F7218A60B90614A6DB10B7B78C0265A3245DB46708F51487BB540BF3C7CAFD8D558AAF

Uniqueness

Uniqueness Score: -1.00%

Function 00624704 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 90
COMMON

Download Yara Rule

C-Code - Quality: 25%

			E00624704(void* __eax, void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				char _v8;
				void* _v12;
				char _v16;
				char _v20;
				void* _t28;
				intOrPtr* _t30;
				intOrPtr _t33;
				intOrPtr* _t37;
				intOrPtr* _t49;
				intOrPtr _t61;
				intOrPtr* _t66;
				void* _t68;
				intOrPtr _t70;
				intOrPtr _t71;

				_t70 = _t71;
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(__ebx);
				_push(__esi);
				_t68 = __eax;
				_push(_t70);
				_push(0x62481e);
				_push( *[fs:eax]);
				 *[fs:eax] = _t71;
				_t66 = E00414020(__ebx, _t68, GetModuleHandleW(L"OLEAUT32.DLL"), L"UnRegisterTypeLib");
				_t49 = _t66;
				if(_t66 == 0) {
					E0060CE84(L"GetProcAddress");
				}
				E005C52C8(_t68,  &_v20, _t70);
				E0040B368( &_v8, _v20);
				_push(E0040EC28( &_v12));
				_t28 = E0040AEF4(_v8);
				_push(_t28);
				L0043C244();
				if(_t28 != 0) {
					E0060CE98(L"LoadTypeLib", _t49, _t28, _t68);
				}
				_push( &_v16);
				_t30 = _v12;
				_push(_t30);
				if( *((intOrPtr*)( *_t30 + 0x1c))() != 0) {
					E0060CE98(L"ITypeLib::GetLibAttr", _t49, _t32, _t68);
				}
				_push(_t70);
				_push(0x6247f1);
				_push( *[fs:edx]);
				 *[fs:edx] = _t71;
				_t33 = _v16;
				_push( *((intOrPtr*)(_t33 + 0x14)));
				_push( *((intOrPtr*)(_t33 + 0x10)));
				_push( *(_t33 + 0x1a) & 0x0000ffff);
				_push( *(_t33 + 0x18) & 0x0000ffff);
				_push(_t33);
				if( *_t49() != 0) {
					E0060CE98(L"UnRegisterTypeLib", _t49, _t34, _t68);
				}
				_pop(_t61);
				 *[fs:eax] = _t61;
				_t37 = _v12;
				return  *((intOrPtr*)( *_t37 + 0x30))(_t37, _v16, E006247F8);
			}

0x00624705
0x00624709
0x0062470a
0x0062470b
0x0062470c
0x0062470d
0x0062470e
0x00624710
0x00624714
0x00624715
0x0062471a
0x0062471d
0x00624735
0x00624737
0x0062473b
0x00624742
0x00624742
0x0062474c
0x00624757
0x00624764
0x00624768
0x0062476d
0x0062476e
0x00624775
0x0062477e
0x0062477e
0x00624786
0x00624787
0x0062478a
0x00624792
0x0062479b
0x0062479b
0x006247a2
0x006247a3
0x006247a8
0x006247ab
0x006247ae
0x006247b4
0x006247b8
0x006247bd
0x006247c2
0x006247c3
0x006247c8
0x006247d1
0x006247d1
0x006247d8
0x006247db
0x006247e7
0x006247f0

APIs

GetModuleHandleW.KERNEL32(OLEAUT32.DLL,UnRegisterTypeLib,00000000,0062481E,?,?,?,00000000,00000000,00000000,00000000,00000000,?,0062A1C5,00000000,0062A1D9), ref: 0062472A

Part of subcall function 00414020: GetProcAddress.KERNEL32(?,?), ref: 0041404A

LoadTypeLib.OLEAUT32(00000000,00000000), ref: 0062476E

Part of subcall function 0060CE84: GetLastError.KERNEL32(00000000,0060DBAA,00000005,00000000,0060DBD2,?,?,006D579C,?,00000000,00000000,00000000,?,006B910F,00000000,006B912A), ref: 0060CE87

Strings

OLEAUT32.DLL, xrefs: 00624725
GetProcAddress, xrefs: 0062473D
LoadTypeLib, xrefs: 00624779
UnRegisterTypeLib, xrefs: 006247CC
UnRegisterTypeLib, xrefs: 00624720
ITypeLib::GetLibAttr, xrefs: 00624796

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: AddressErrorHandleLastLoadModuleProcType
String ID: GetProcAddress$ITypeLib::GetLibAttr$LoadTypeLib$OLEAUT32.DLL$UnRegisterTypeLib$UnRegisterTypeLib
API String ID: 1914119943-2711329623
Opcode ID: 222b5e7ee090e2c4018f0ee27552968bac4b15f90272fda75f58545e40cad072
Instruction ID: 47cd072b4b06506b06a7a0fd2e311c11a36de303591e536be68bff5c72022a6e
Opcode Fuzzy Hash: 222b5e7ee090e2c4018f0ee27552968bac4b15f90272fda75f58545e40cad072
Instruction Fuzzy Hash: 19219171610A146FDB14EFA9EC42D6B77EEEF897407124469F410D3291EF78EC008B64

Uniqueness

Uniqueness Score: -1.00%

Function 005C7FF4 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 82
registryCOMMON

Download Yara Rule

C-Code - Quality: 61%

			E005C7FF4(void* __ebx, void* __esi, void* __eflags) {
				char _v8;
				void* _v12;
				char _v16;
				char _v20;
				intOrPtr* _t21;
				intOrPtr _t61;
				void* _t68;

				_push(__ebx);
				_v20 = 0;
				_v8 = 0;
				_push(_t68);
				_push(0x5c80ee);
				_push( *[fs:eax]);
				 *[fs:eax] = _t68 + 0xfffffff0;
				_t21 = E00414020(__ebx, __esi, GetModuleHandleW(L"kernel32.dll"), L"GetUserDefaultUILanguage");
				if(_t21 == 0) {
					if(E00429D18() != 2) {
						if(E005C7A14(0, L"Control Panel\\Desktop\\ResourceLocale", 0x80000001,  &_v12, 1, 0) == 0) {
							E005C793C();
							RegCloseKey(_v12);
						}
					} else {
						if(E005C7A14(0, L".DEFAULT\\Control Panel\\International", 0x80000003,  &_v12, 1, 0) == 0) {
							E005C793C();
							RegCloseKey(_v12);
						}
					}
					E0040B4C8( &_v20, _v8, 0x5c8204);
					E00407870(_v20,  &_v16);
					if(_v16 != 0) {
					}
				} else {
					 *_t21();
				}
				_pop(_t61);
				 *[fs:eax] = _t61;
				_push(E005C80F5);
				E0040A1C8( &_v20);
				return E0040A1C8( &_v8);
			}

0x005c7ffa
0x005c7ffd
0x005c8000
0x005c8005
0x005c8006
0x005c800b
0x005c800e
0x005c8021
0x005c8028
0x005c803b
0x005c8090
0x005c809d
0x005c80a6
0x005c80a6
0x005c803d
0x005c8058
0x005c8065
0x005c806e
0x005c806e
0x005c8058
0x005c80b6
0x005c80c1
0x005c80cc
0x005c80cc
0x005c802a
0x005c802a
0x005c802c
0x005c80d2
0x005c80d5
0x005c80d8
0x005c80e0
0x005c80ed

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,005C80EE), ref: 005C801B

Part of subcall function 00414020: GetProcAddress.KERNEL32(?,?), ref: 0041404A

RegCloseKey.ADVAPI32(00000001,00000001,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,005C80EE), ref: 005C806E

Strings

Control Panel\Desktop\ResourceLocale, xrefs: 005C807D
GetUserDefaultUILanguage, xrefs: 005C8011
Locale, xrefs: 005C805D
kernel32.dll, xrefs: 005C8016
.DEFAULT\Control Panel\International, xrefs: 005C8045

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: AddressCloseHandleModuleProc
String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
API String ID: 4190037839-2401316094
Opcode ID: f7e7be658f0a955c462c647893507e18f8cdc3df8b481e5329b6105bcbfa9dbc
Instruction ID: b59d3067a1cffae51886ca0dc1f1740e66d40653876fb7099798d5cffc045aa9
Opcode Fuzzy Hash: f7e7be658f0a955c462c647893507e18f8cdc3df8b481e5329b6105bcbfa9dbc
Instruction Fuzzy Hash: 51214F34A04209AFDB10EAE5CC5AFFE7BE9FB48704F60486DA500F3681EE74AA45C755

Uniqueness

Uniqueness Score: -1.00%

Function 00624BA8 Relevance: 13.6, APIs: 1, Strings: 8, Instructions: 124
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E00624BA8(char __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __fp0) {
				char _v8;
				char _v12;
				char _v13;
				char _v84;
				void* _v96;
				char _v100;
				char _v104;
				char _v108;
				char _v112;
				char _v116;
				char _v120;
				char _v124;
				char _v128;
				void* _t58;
				void* _t91;
				char _t92;
				intOrPtr _t110;
				void* _t120;
				void* _t123;

				_t118 = __edi;
				_v116 = 0;
				_v120 = 0;
				_v112 = 0;
				_v108 = 0;
				_v104 = 0;
				_v8 = 0;
				_v12 = 0;
				_t120 = __ecx;
				_t91 = __edx;
				_v13 = __eax;
				_push(_t123);
				_push(0x624d3e);
				_push( *[fs:eax]);
				 *[fs:eax] = _t123 + 0xffffff84;
				E005C745C( &_v8);
				_push(0x624d58);
				E005C4EA4(_v8,  &_v104);
				_push(_v104);
				_push(L"regsvr32.exe\"");
				E0040B550( &_v12, _t91, 3, __edi, _t120);
				if(_v13 != 0) {
					E0040B470( &_v12, 0x624d90);
				}
				_push(_v12);
				_push(L" /s \"");
				_push(_t120);
				_push(0x624d58);
				E0040B550( &_v12, _t91, 4, _t118, _t120);
				_t126 = _t91;
				if(_t91 == 0) {
					E0040B4C8( &_v112, _v12, L"Spawning 32-bit RegSvr32: ");
					E00616130(_v112, _t91, _t118, _t120);
				} else {
					E0040B4C8( &_v108, _v12, L"Spawning 64-bit RegSvr32: ");
					E00616130(_v108, _t91, _t118, _t120);
				}
				E00407760( &_v84, 0x44);
				_v84 = 0x44;
				_t58 = E0040B278(_v8);
				if(E0060C038(_t91, E0040B278(_v12), 0, _t126,  &_v100,  &_v84, _t58, 0, 0x4000000, 0, 0, 0) == 0) {
					E0060CE84(L"CreateProcess");
				}
				CloseHandle(_v96);
				_t92 = E00624AA4( &_v100);
				if(_t92 != 0) {
					_v128 = _t92;
					_v124 = 0;
					E004244F8(L"0x%x", 0,  &_v128,  &_v120);
					E005CD508(0x53,  &_v116, _v120);
					E00429008(_v116, 1);
					E004098C4();
				}
				_pop(_t110);
				 *[fs:eax] = _t110;
				_push(E00624D45);
				E0040A228( &_v120, 5);
				return E0040A228( &_v12, 2);
			}

0x00624ba8
0x00624bb2
0x00624bb5
0x00624bb8
0x00624bbb
0x00624bbe
0x00624bc1
0x00624bc4
0x00624bc7
0x00624bc9
0x00624bcb
0x00624bd0
0x00624bd1
0x00624bd6
0x00624bd9
0x00624bdf
0x00624be4
0x00624bef
0x00624bf4
0x00624bf7
0x00624c04
0x00624c0d
0x00624c17
0x00624c17
0x00624c1c
0x00624c1f
0x00624c24
0x00624c25
0x00624c32
0x00624c37
0x00624c39
0x00624c60
0x00624c68
0x00624c3b
0x00624c46
0x00624c4e
0x00624c4e
0x00624c77
0x00624c7c
0x00624c93
0x00624cb6
0x00624cbd
0x00624cbd
0x00624cc6
0x00624cd3
0x00624cd7
0x00624cdd
0x00624ce0
0x00624cee
0x00624cfd
0x00624d0c
0x00624d11
0x00624d11
0x00624d18
0x00624d1b
0x00624d1e
0x00624d2b
0x00624d3d

APIs

Part of subcall function 005C745C: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 005C746F

CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,00624D58,?, /s ",006D579C,regsvr32.exe",?,00624D58), ref: 00624CC6

Strings

Spawning 32-bit RegSvr32: , xrefs: 00624C5B
/u, xrefs: 00624C12
CreateProcess, xrefs: 00624CB8
regsvr32.exe", xrefs: 00624BF7
0x%x, xrefs: 00624CE9
/s ", xrefs: 00624C1F
Spawning 64-bit RegSvr32: , xrefs: 00624C41
D, xrefs: 00624C7C

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: CloseDirectoryHandleSystem
String ID: /s "$ /u$0x%x$CreateProcess$D$Spawning 32-bit RegSvr32: $Spawning 64-bit RegSvr32: $regsvr32.exe"
API String ID: 2051275411-1862435767
Opcode ID: 9ce8fcc7bdafabcc66a0714f470f8e6e7717fe01addbd125e4d9ca934750157a
Instruction ID: 4609d961d1e6a6c9b50d20a9c17260b7e2f4bf46ee5c2bafd069b1c5a14d41a0
Opcode Fuzzy Hash: 9ce8fcc7bdafabcc66a0714f470f8e6e7717fe01addbd125e4d9ca934750157a
Instruction Fuzzy Hash: 0B413F30A0061CABDB10EFE5D892ACDBBBAFF48304F51457EA504B7282DB746A05CF59

Uniqueness

Uniqueness Score: -1.00%

Function 004062CC Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 51
fileCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E004062CC(int __eax, void* __ecx, void* __edx) {
				long _v12;
				int _t4;
				long _t7;
				void* _t11;
				long _t12;
				void* _t13;
				long _t18;

				_t4 = __eax;
				_t24 = __edx;
				_t20 = __eax;
				if( *0x6cf05c == 0) {
					_push(0x2010);
					_push(__edx);
					_push(__eax);
					_push(0);
					L0040529C();
				} else {
					_t7 = E0040A6C4(__edx);
					WriteFile(GetStdHandle(0xfffffff4), _t24, _t7,  &_v12, 0);
					_t11 =  *0x6c507c; // 0x40543c
					_t12 = E0040A6C4(_t11);
					_t13 =  *0x6c507c; // 0x40543c
					WriteFile(GetStdHandle(0xfffffff4), _t13, _t12,  &_v12, 0);
					_t18 = E0040A6C4(_t20);
					_t4 = WriteFile(GetStdHandle(0xfffffff4), _t20, _t18,  &_v12, 0);
				}
				return _t4;
			}

0x004062cc
0x004062cf
0x004062d1
0x004062da
0x0040633d
0x00406342
0x00406343
0x00406344
0x00406346
0x004062dc
0x004062e5
0x004062f4
0x00406300
0x00406305
0x0040630b
0x00406319
0x00406327
0x00406336
0x00406336
0x0040634e

APIs

GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 004062EE
WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000), ref: 004062F4
GetStdHandle.KERNEL32(000000F4,0040543C,00000000,?,00000000,00000000,000000F4,?,00000000,?,00000000), ref: 00406313
WriteFile.KERNEL32(00000000,000000F4,0040543C,00000000,?,00000000,00000000,000000F4,?,00000000,?,00000000), ref: 00406319
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,00000000,000000F4,0040543C,00000000,?,00000000,00000000,000000F4,?,00000000,?), ref: 00406330
WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,00000000,000000F4,0040543C,00000000,?,00000000,00000000,000000F4,?,00000000), ref: 00406336

Strings

<T@, xrefs: 00406300, 0040630B

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: FileHandleWrite
String ID: <T@
API String ID: 3320372497-2050694182
Opcode ID: 3a7656cd0c19575780d7894bf4f285e5ac945aaff44c80ad8d028cd78a591cb3
Instruction ID: ee5667e1a227ecbea5375e2fa2ea65b47cf69c4a4a195d8f09788a9c4629ec5a
Opcode Fuzzy Hash: 3a7656cd0c19575780d7894bf4f285e5ac945aaff44c80ad8d028cd78a591cb3
Instruction Fuzzy Hash: 5701A9A16046147DE610F3BA9C4AF6B279CCB0976CF10463B7514F61D2C97C9C548B7E

Uniqueness

Uniqueness Score: -1.00%

Function 00628E3C Relevance: 12.1, APIs: 1, Strings: 7, Instructions: 121
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E00628E3C(void* __eax, void* __ebx, intOrPtr __ecx, char __edx, void* __edi, void* __esi, void* __eflags, void* __fp0, intOrPtr _a4) {
				intOrPtr _v8;
				char _v9;
				char _v16;
				char _v20;
				char _v24;
				void* _t44;
				intOrPtr _t50;
				void* _t51;
				void* _t65;
				void* _t71;
				void* _t76;
				intOrPtr _t88;
				signed int _t103;
				void* _t104;
				char _t106;
				void* _t109;
				void* _t122;

				_t122 = __fp0;
				_push(__ebx);
				_push(__esi);
				_v24 = 0;
				_v8 = __ecx;
				_t106 = __edx;
				_t76 = __eax;
				_push(_t109);
				_push(0x628fc2);
				_push( *[fs:eax]);
				 *[fs:eax] = _t109 + 0xffffffec;
				_t103 = E0060C330(__eax, __edx, __eflags);
				if(_t103 == 0xffffffff || (_t103 & 0x00000010) == 0) {
					_v9 = 1;
					goto L18;
				} else {
					_v20 = _t106;
					_v16 = 0x11;
					E006163B4(L"Deleting directory: %s", _t76, 0,  &_v20, _t103, _t106);
					if((_t103 & 0x00000001) == 0) {
						L9:
						_t44 = E0060C664(_t76, _t106, _t117);
						asm("sbb eax, eax");
						_v9 = _t44 + 1;
						if(_v9 != 0) {
							L18:
							_pop(_t88);
							 *[fs:eax] = _t88;
							_push(E00628FC9);
							return E0040A1C8( &_v24);
						}
						_t104 = GetLastError();
						if(_v8 == 0) {
							__eflags = _a4;
							if(_a4 == 0) {
								L16:
								_v20 = _t104;
								_v16 = 0;
								E006163B4(L"Failed to delete directory (%d).", _t76, 0,  &_v20, _t104, _t106);
								goto L18;
							}
							_t50 = E00628C68(_a4, _t76, _t106, _t106);
							__eflags = _t50;
							if(_t50 == 0) {
								goto L16;
							}
							_t51 = E00429D18();
							__eflags = _t51 - 2;
							if(_t51 != 2) {
								goto L16;
							}
							_v20 = _t104;
							_v16 = 0;
							E006163B4(L"Failed to delete directory (%d). Will delete on restart (if empty).", _t76, 0,  &_v20, _t104, _t106);
							E00628D50(_t76, _t76, _t106, _t104, _t106);
							goto L18;
						}
						_v20 = _t104;
						_v16 = 0;
						E006163B4(L"Failed to delete directory (%d). Will retry later.", _t76, 0,  &_v20, _t104, _t106);
						E0040B29C();
						E0040B470( &_v24, _t106);
						E00610640(_v8, 0, _v24, _t122);
						goto L18;
					}
					_t115 = _t103 & 0x00000400;
					if((_t103 & 0x00000400) != 0) {
						L5:
						_t65 = E0060C6DC(_t76, 0xfffffffe & _t103, _t106, _t116);
						_t117 = _t65;
						if(_t65 == 0) {
							E00616130(L"Failed to strip read-only attribute.", _t76, _t103, _t106);
						} else {
							E00616130(L"Stripped read-only attribute.", _t76, _t103, _t106);
						}
						goto L9;
					}
					_t71 = E0060DFAC(_t76, _t76, _t106, _t106, _t115);
					_t116 = _t71;
					if(_t71 == 0) {
						E00616130(L"Not stripping read-only attribute because the directory does not appear to be empty.", _t76, _t103, _t106);
						goto L9;
					}
					goto L5;
				}
			}

0x00628e3c
0x00628e42
0x00628e43
0x00628e47
0x00628e4a
0x00628e4d
0x00628e4f
0x00628e53
0x00628e54
0x00628e59
0x00628e5c
0x00628e68
0x00628e6d
0x00628fa8
0x00000000
0x00628e7f
0x00628e7f
0x00628e82
0x00628e90
0x00628e9b
0x00628ee8
0x00628eec
0x00628ef4
0x00628ef7
0x00628efe
0x00628fac
0x00628fae
0x00628fb1
0x00628fb4
0x00628fc1
0x00628fc1
0x00628f09
0x00628f0f
0x00628f51
0x00628f55
0x00628f90
0x00628f90
0x00628f93
0x00628fa1
0x00000000
0x00628fa1
0x00628f5c
0x00628f61
0x00628f63
0x00000000
0x00000000
0x00628f65
0x00628f6a
0x00628f6d
0x00000000
0x00000000
0x00628f6f
0x00628f72
0x00628f80
0x00628f89
0x00000000
0x00628f89
0x00628f11
0x00628f14
0x00628f22
0x00628f35
0x00628f3f
0x00628f4a
0x00000000
0x00628f4a
0x00628e9d
0x00628ea3
0x00628eb2
0x00628ebd
0x00628ec2
0x00628ec4
0x00628ed7
0x00628ec6
0x00628ecb
0x00628ecb
0x00000000
0x00628ec4
0x00628ea9
0x00628eae
0x00628eb0
0x00628ee3
0x00000000
0x00628ee3
0x00000000
0x00628eb0

APIs

GetLastError.KERNEL32(00000000,00628FC2,?,00000000,?), ref: 00628F04

Part of subcall function 0060DFAC: FindClose.KERNEL32(000000FF,0060E0A1), ref: 0060E090

Strings

Failed to delete directory (%d)., xrefs: 00628F9C
Failed to strip read-only attribute., xrefs: 00628ED2
Failed to delete directory (%d). Will retry later., xrefs: 00628F1D
Deleting directory: %s, xrefs: 00628E8B
Stripped read-only attribute., xrefs: 00628EC6
Not stripping read-only attribute because the directory does not appear to be empty., xrefs: 00628EDE
Failed to delete directory (%d). Will delete on restart (if empty)., xrefs: 00628F7B

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: CloseErrorFindLast
String ID: Deleting directory: %s$Failed to delete directory (%d).$Failed to delete directory (%d). Will delete on restart (if empty).$Failed to delete directory (%d). Will retry later.$Failed to strip read-only attribute.$Not stripping read-only attribute because the directory does not appear to be empty.$Stripped read-only attribute.
API String ID: 754982922-1448842058
Opcode ID: 7fc0813c7db3ed8f80165e3b8539aa30754377e7929e0533272f97a4bbcf9ceb
Instruction ID: bb024c1df45f9af0c8d848e5c22ededdbf4d41f71593f538bf5593c1374477db
Opcode Fuzzy Hash: 7fc0813c7db3ed8f80165e3b8539aa30754377e7929e0533272f97a4bbcf9ceb
Instruction Fuzzy Hash: B5410330A11A285ECB00EB68DD053EE77E7AF84310F11842EB411D3382CFB48E45CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 005B8390 Relevance: 12.1, APIs: 8, Instructions: 99
windowthreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E005B8390(void* __eax, struct HWND__** __edx) {
				long _v20;
				intOrPtr _t17;
				intOrPtr _t30;
				void* _t46;
				void* _t50;
				struct HWND__** _t51;
				struct HWND__* _t52;
				struct HWND__* _t53;
				void* _t54;
				DWORD* _t55;

				_t55 = _t54 + 0xfffffff8;
				_t51 = __edx;
				_t50 = __eax;
				_t46 = 0;
				_t17 =  *((intOrPtr*)(__edx + 4));
				if(_t17 < 0x100 || _t17 > 0x109) {
					L19:
					return _t46;
				} else {
					_t52 = GetCapture();
					if(_t52 != 0) {
						GetWindowThreadProcessId(_t52, _t55);
						GetWindowThreadProcessId( *(_t50 + 0x188),  &_v20);
						if( *_t55 == _v20 && SendMessageW(_t52, _t51[1] + 0xbc00, _t51[2], _t51[3]) != 0) {
							_t46 = 1;
						}
						goto L19;
					}
					_t53 =  *_t51;
					_t30 =  *((intOrPtr*)(_t50 + 0x58));
					if(_t30 == 0 || _t53 !=  *((intOrPtr*)(_t30 + 0x3c4))) {
						L7:
						if(E0050E9B4(_t53) == 0 && _t53 != 0) {
							_t53 = GetParent(_t53);
							goto L7;
						}
						if(_t53 == 0) {
							_t53 =  *_t51;
						}
						goto L11;
					} else {
						_t53 = E0051B414(_t30);
						L11:
						if(IsWindowUnicode(_t53) == 0) {
							if(SendMessageA(_t53, _t51[1] + 0xbc00, _t51[2], _t51[3]) != 0) {
								_t46 = 1;
							}
						} else {
							if(SendMessageW(_t53, _t51[1] + 0xbc00, _t51[2], _t51[3]) != 0) {
								_t46 = 1;
							}
						}
						goto L19;
					}
				}
			}

0x005b8394
0x005b8397
0x005b8399
0x005b839b
0x005b839d
0x005b83a5
0x005b847e
0x005b8486
0x005b83b6
0x005b83bb
0x005b83bf
0x005b8442
0x005b8453
0x005b845f
0x005b847c
0x005b847c
0x00000000
0x005b845f
0x005b83c1
0x005b83c3
0x005b83c8
0x005b83e3
0x005b83ec
0x005b83e1
0x00000000
0x005b83e1
0x005b83f4
0x005b83f6
0x005b83f6
0x00000000
0x005b83d2
0x005b83d7
0x005b83f8
0x005b8400
0x005b843a
0x005b843c
0x005b843c
0x005b8402
0x005b841b
0x005b841d
0x005b841d
0x005b841b
0x00000000
0x005b8400
0x005b83c8

APIs

GetCapture.USER32 ref: 005B83B6
IsWindowUnicode.USER32(00000000), ref: 005B83F9
SendMessageW.USER32(00000000,-0000BBEE,00000000,?), ref: 005B8414
SendMessageA.USER32 ref: 005B8433
GetWindowThreadProcessId.USER32(00000000), ref: 005B8442
GetWindowThreadProcessId.USER32(?,?), ref: 005B8453
SendMessageW.USER32(00000000,-0000BBEE,00000000,?), ref: 005B8473

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: MessageSendWindow$ProcessThread$CaptureUnicode
String ID:
API String ID: 1994056952-0
Opcode ID: 60d5d18c6536e8f3e7333ea3e87ccb02092badd8fb76314d68d3832b537e943d
Instruction ID: fa2d834c3aada0f77e9407d785ac3e39b975c7e98aa55159218471e4f58a832a
Opcode Fuzzy Hash: 60d5d18c6536e8f3e7333ea3e87ccb02092badd8fb76314d68d3832b537e943d
Instruction Fuzzy Hash: 3C21BFB520460A6F9A60EA99CD40EE777DCFF44744B105829B999C3642DE14F840C765

Uniqueness

Uniqueness Score: -1.00%

Function 006158C4 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 239
windowCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E006158C4(void* __ebx, int* __edx, void* __edi, void* __esi, void* __fp0) {
				char _v8;
				char _v12;
				int* _v16;
				char _v144;
				intOrPtr _v148;
				void* _v152;
				intOrPtr _v156;
				char _v168;
				char _v172;
				void* _t51;
				intOrPtr* _t57;
				intOrPtr* _t62;
				intOrPtr* _t65;
				intOrPtr* _t71;
				intOrPtr _t77;
				void* _t104;
				void* _t107;
				int* _t108;
				struct HWND__* _t118;
				int _t122;
				intOrPtr _t152;
				intOrPtr _t156;
				intOrPtr _t157;
				intOrPtr _t162;
				struct HWND__* _t163;
				intOrPtr _t164;
				intOrPtr _t165;
				intOrPtr _t166;
				intOrPtr _t169;
				intOrPtr _t172;
				intOrPtr _t176;
				void* _t181;
				void* _t182;
				intOrPtr _t183;
				void* _t189;

				_t189 = __fp0;
				_t179 = __esi;
				_t178 = __edi;
				_t181 = _t182;
				_t183 = _t182 + 0xffffff58;
				_push(__esi);
				_push(__edi);
				_v172 = 0;
				_v8 = 0;
				_v12 = 0;
				_v16 = __edx;
				_push(_t181);
				_push(0x615c7e);
				_push( *[fs:eax]);
				 *[fs:eax] = _t183;
				_push(_t181);
				_push(0x615c40);
				_push( *[fs:edx]);
				 *[fs:edx] = _t183;
				_t122 =  *_v16;
				_t51 = _t122 - 0x4a;
				if(_t51 == 0) {
					_t53 = _v16[2];
					_t152 =  *(_v16[2]) - 0x800;
					__eflags = _t152;
					if(__eflags == 0) {
						_push(_t181);
						_push(0x615a6b);
						_push( *[fs:edx]);
						 *[fs:edx] = _t183;
						E0040A350( &_v8,  *(_t53 + 4) >> 1,  *((intOrPtr*)(_t53 + 8)), __eflags);
						_push(_t181);
						_push(0x615a29);
						_push( *[fs:eax]);
						 *[fs:eax] = _t183;
						_t57 =  *0x6cd8cc; // 0x6d681c
						 *_t57 =  *_t57 + 1;
						_push(_t181);
						_push(0x615a0e);
						_push( *[fs:eax]);
						 *[fs:eax] = _t183;
						L006ABD3C(_v8,  *(_t53 + 4) >> 1,  &_v12);
						_pop(_t156);
						 *[fs:eax] = _t156;
						_push(E00615A15);
						_t62 =  *0x6cd8cc; // 0x6d681c
						 *_t62 =  *_t62 - 1;
						__eflags =  *_t62;
						return _t62;
					} else {
						_t157 = _t152 - 1;
						__eflags = _t157;
						if(_t157 == 0) {
							_push(_t181);
							_push(0x615b61);
							_push( *[fs:edx]);
							 *[fs:edx] = _t183;
							E0040714C( *((intOrPtr*)(_t53 + 8)), _t122, 0x98,  &_v168);
							_push(_t181);
							_push(0x615b1f);
							_push( *[fs:eax]);
							 *[fs:eax] = _t183;
							_t65 =  *0x6cdb4c; // 0x6d682c
							__eflags =  *_t65;
							if( *_t65 == 0) {
								E00429008(L"Cannot evaluate variable because [Code] isn\'t running yet", 1);
								E004098C4();
							}
							E0040A998( &_v172, 0x80,  &_v144, 0);
							_t71 =  *0x6cdb4c; // 0x6d682c
							E006A3E88( *_t71, _t122, _v156, _t178, _t179, _t189,  &_v12, _v172, _v148);
							_v16[3] = 1;
							_pop(_t162);
							 *[fs:eax] = _t162;
							_t163 =  *0x6d62f8; // 0x0
							_t77 =  *0x6d62f4; // 0x0
							E005D6064(_t77, _t122, _t163, _t178, _t179, _v12);
							_pop(_t164);
							 *[fs:eax] = _t164;
						} else {
							_t169 = _t157 - 1;
							__eflags = _t169;
							if(_t169 == 0) {
								_push(_t181);
								_push(0x615bb7);
								_push( *[fs:edx]);
								 *[fs:edx] = _t183;
								E0040A1EC(0x6d62e8);
								E0040A3A4(0x6d62e8,  *(_v16[2] + 4) >> 0,  *((intOrPtr*)(_v16[2] + 8)), __eflags, 0);
								_v16[3] = 1;
								_pop(_t172);
								 *[fs:eax] = _t172;
							} else {
								__eflags = _t169 == 1;
								if(_t169 == 1) {
									_push(_t181);
									_push(0x615c0a);
									_push( *[fs:edx]);
									 *[fs:edx] = _t183;
									E0040A1EC(0x6d62ec);
									E0040A3A4(0x6d62ec,  *(_v16[2] + 4) >> 0,  *((intOrPtr*)(_v16[2] + 8)), __eflags, 0);
									_v16[3] = 1;
									_pop(_t176);
									 *[fs:eax] = _t176;
								}
							}
						}
						goto L21;
					}
				} else {
					_t104 = _t51 - 0xbb6;
					if(_t104 == 0) {
						 *0x6d62e4 = 0;
						 *0x6d62f4 = 0;
						 *0x6d62fc = 1;
						 *0x6d62fd = 0;
						PostMessageW(0, 0, 0, 0);
					} else {
						_t107 = _t104 - 1;
						if(_t107 == 0) {
							 *0x6d62fc = 1;
							_t108 = _v16;
							__eflags =  *((intOrPtr*)(_t108 + 4)) - 1;
							 *0x6d62fd =  *((intOrPtr*)(_t108 + 4)) == 1;
							PostMessageW(0, 0, 0, 0);
						} else {
							if(_t107 == 2) {
								SetForegroundWindow(_v16[1]);
							} else {
								_t118 =  *0x6d62f8; // 0x0
								_v16[3] = DefWindowProcW(_t118, _t122, _v16[1], _v16[2]);
							}
						}
					}
					L21:
					_pop(_t165);
					 *[fs:eax] = _t165;
					_pop(_t166);
					 *[fs:eax] = _t166;
					_push(E00615C85);
					E0040A1EC( &_v172);
					return E0040A228( &_v12, 2);
				}
			}

0x006158c4
0x006158c4
0x006158c4
0x006158c5
0x006158c7
0x006158ce
0x006158cf
0x006158d2
0x006158d8
0x006158db
0x006158de
0x006158e3
0x006158e4
0x006158e9
0x006158ec
0x006158f1
0x006158f2
0x006158f7
0x006158fa
0x00615900
0x00615904
0x00615907
0x00615986
0x0061598b
0x0061598b
0x00615991
0x006159af
0x006159b0
0x006159b5
0x006159b8
0x006159c6
0x006159cd
0x006159ce
0x006159d3
0x006159d6
0x006159d9
0x006159de
0x006159e2
0x006159e3
0x006159e8
0x006159eb
0x006159f4
0x006159fb
0x006159fe
0x00615a01
0x00615a06
0x00615a0b
0x00615a0b
0x00615a0d
0x00615993
0x00615993
0x00615993
0x00615994
0x00615a7c
0x00615a7d
0x00615a82
0x00615a85
0x00615a96
0x00615a9d
0x00615a9e
0x00615aa3
0x00615aa6
0x00615aa9
0x00615aae
0x00615ab1
0x00615abf
0x00615ac4
0x00615ac4
0x00615ae3
0x00615af3
0x00615b06
0x00615b0e
0x00615b17
0x00615b1a
0x00615b44
0x00615b4a
0x00615b4f
0x00615b56
0x00615b59
0x0061599a
0x0061599a
0x0061599a
0x0061599b
0x00615b72
0x00615b73
0x00615b78
0x00615b7b
0x00615b83
0x00615b9e
0x00615ba6
0x00615baf
0x00615bb2
0x006159a1
0x006159a1
0x006159a2
0x00615bc5
0x00615bc6
0x00615bcb
0x00615bce
0x00615bd6
0x00615bf1
0x00615bf9
0x00615c02
0x00615c05
0x00615c05
0x006159a2
0x0061599b
0x00000000
0x00615994
0x00615909
0x00615909
0x0061590e
0x0061591d
0x00615926
0x0061592b
0x00615932
0x00615941
0x00615910
0x00615910
0x00615911
0x0061594b
0x00615952
0x00615955
0x00615959
0x00615968
0x00615913
0x00615916
0x00615979
0x00615918
0x00615c25
0x00615c33
0x00615c33
0x00615916
0x00615911
0x00615c36
0x00615c38
0x00615c3b
0x00615c5a
0x00615c5d
0x00615c60
0x00615c6b
0x00615c7d
0x00615c7d

APIs

PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00615941
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00615968
SetForegroundWindow.USER32(?,00000000,00615C40,?,00000000,00615C7E), ref: 00615979
DefWindowProcW.USER32(00000000,?,?,?,00000000,00615C40,?,00000000,00615C7E), ref: 00615C2B

Strings

Cannot evaluate variable because [Code] isn't running yet, xrefs: 00615AB3
,hm, xrefs: 00615AA9, 00615AF3

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: MessagePostWindow$ForegroundProc
String ID: ,hm$Cannot evaluate variable because [Code] isn't running yet
API String ID: 602442252-4088602279
Opcode ID: 035c484aa870e85df39017a6846f67cb24ba4c1d627fefdd11be8a5083181655
Instruction ID: a4d9e41ba68ff62660f6698438dd6fdd69331843db6522f8d42236939986de27
Opcode Fuzzy Hash: 035c484aa870e85df39017a6846f67cb24ba4c1d627fefdd11be8a5083181655
Instruction Fuzzy Hash: F691BC34A04704EFD711DF69D8A1F99FBB6EB89700F19C4AAF8059B7A1C634AD80CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0060D8B0 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 216
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E0060D8B0(char __eax, void* __ebx, char __edx, void* __edi, void* __esi) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				char _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v41;
				char _v48;
				char _v52;
				char _v56;
				char _v60;
				char _v64;
				char _v68;
				char _v72;
				void* __ecx;
				char _t90;
				char _t167;
				char _t168;
				intOrPtr _t171;
				intOrPtr _t179;
				intOrPtr _t186;
				intOrPtr _t207;
				intOrPtr _t217;
				intOrPtr _t218;

				_t215 = __esi;
				_t214 = __edi;
				_t217 = _t218;
				_t171 = 8;
				goto L1;
				L4:
				if(E005C77E8() != 0) {
					__eflags = _t167;
					if(__eflags == 0) {
						E0060D650(_v8, _t167,  &_v68, _t214, _t215, __eflags);
						E0040A5F0( &_v8, _v68);
						__eflags = _v12;
						if(__eflags != 0) {
							E0060D650(_v12, _t167,  &_v72, _t214, _t215, __eflags);
							E0040A5F0( &_v12, _v72);
						}
					}
					_t90 = E0060C558(_t167, _v12, _v8, 5);
					__eflags = _t90;
					if(_t90 == 0) {
						E0060CE84(L"MoveFileEx");
					}
					__eflags = 0;
					_pop(_t186);
					 *[fs:eax] = _t186;
					_push(E0060DBD9);
					E0040A228( &_v72, 7);
					return E0040A228( &_v32, 7);
				} else {
					E005C7430( &_v16);
					E005C4EA4(_v16,  &_v56);
					E0040B4C8( &_v20, L"WININIT.INI", _v56);
					E0060D294(0, _t167, L".tmp", _v16, _t214, _t215,  &_v24);
					_push(_t217);
					_push(0x60db3e);
					_push( *[fs:eax]);
					 *[fs:eax] = _t218;
					_v36 = 0;
					_v40 = 0;
					_push(_t217);
					_push(0x60dae2);
					_push( *[fs:eax]);
					 *[fs:eax] = _t218;
					WritePrivateProfileStringW(0, 0, 0, E0040B278(_v20));
					_v36 = E005CBFB8(1, 1, 0, 3);
					_t179 = _v24;
					_v40 = E005CBFB8(1, 0, 1, 0);
					_v41 = 0;
					_t168 = 0;
					while(E005CC258(_v36) == 0) {
						E005CC268(_v36, _t168,  &_v28, _t214, _t215, __eflags);
						E004225EC(_v28, 1,  &_v32, _t215);
						__eflags = _v32;
						if(__eflags == 0) {
							L11:
							E005CC5A0(_v40, 1, _v28, _t215, __eflags);
							_t168 = 0;
							__eflags = 0;
							continue;
						} else {
							__eflags =  *_v32 - 0x5b;
							if(__eflags != 0) {
								goto L11;
							} else {
								__eflags = E00422368(_v32, _t179, L"[rename]");
								if(__eflags != 0) {
									__eflags = _v41;
									if(__eflags == 0) {
										goto L11;
									}
								} else {
									_v41 = 1;
									goto L11;
								}
							}
						}
						break;
					}
					_t223 = _v41;
					if(_v41 == 0) {
						E005CC5A0(_v40, _t168, L"[rename]", _t215, _t223);
					}
					_t224 = _v12;
					if(_v12 == 0) {
						E0040A5F0( &_v32, 0x60dc48);
					} else {
						E005C73D8(_v12, _t179,  &_v32, _t224);
					}
					_push(_v32);
					_push(0x60dc5c);
					E005C73D8(_v8, _t179,  &_v64, _t224);
					_push(_v64);
					E0040B550( &_v60, _t168, 3, _t214, _t215);
					E005CC5A0(_v40, _t168, _v60, _t215, _t224);
					_t225 = _t168;
					if(_t168 != 0) {
						E005CC5A0(_v40, _t168, _v28, _t215, _t225);
					}
					while(E005CC258(_v36) == 0) {
						E005CC268(_v36, _t168,  &_v28, _t214, _t215, __eflags);
						E005CC5A0(_v40, _t168, _v28, _t215, __eflags);
					}
					_pop(_t207);
					 *[fs:eax] = _t207;
					_push(E0060DAE9);
					E00408444(_v40);
					return E00408444(_v36);
				}
				L1:
				_push(0);
				_push(0);
				_t171 = _t171 - 1;
				if(_t171 != 0) {
					goto L1;
				} else {
					_t1 =  &_v8;
					 *_t1 = _t171;
					_push(__esi);
					_push(__edi);
					_v12 =  *_t1;
					_v8 = __edx;
					_t167 = __eax;
					E0040A2AC(_v8);
					E0040A2AC(_v12);
					_push(_t217);
					_push(0x60dbd2);
					 *[fs:eax] = _t218;
					E005C52C8(_v8,  &_v48, _t217,  *[fs:eax]);
					E0040A5F0( &_v8, _v48);
					if(_v12 != 0) {
						E005C52C8(_v12,  &_v52, _t217);
						E0040A5F0( &_v12, _v52);
					}
				}
				goto L4;
			}

0x0060d8b0
0x0060d8b0
0x0060d8b1
0x0060d8b4
0x0060d8b4
0x0060d91e
0x0060d925
0x0060db57
0x0060db59
0x0060db61
0x0060db6c
0x0060db71
0x0060db75
0x0060db7d
0x0060db88
0x0060db88
0x0060db75
0x0060db97
0x0060db9c
0x0060db9e
0x0060dba5
0x0060dba5
0x0060dbaa
0x0060dbac
0x0060dbaf
0x0060dbb2
0x0060dbbf
0x0060dbd1
0x0060d92b
0x0060d92e
0x0060d939
0x0060d949
0x0060d95c
0x0060d963
0x0060d964
0x0060d969
0x0060d96c
0x0060d971
0x0060d976
0x0060d97b
0x0060d97c
0x0060d981
0x0060d984
0x0060d996
0x0060d9b0
0x0060d9b9
0x0060d9c8
0x0060d9cb
0x0060d9cf
0x0060da24
0x0060d9d9
0x0060d9e6
0x0060d9eb
0x0060d9ef
0x0060da17
0x0060da1d
0x0060da22
0x0060da22
0x00000000
0x0060d9f1
0x0060d9f4
0x0060d9f8
0x00000000
0x0060d9fa
0x0060da07
0x0060da09
0x0060da11
0x0060da15
0x00000000
0x00000000
0x0060da0b
0x0060da0b
0x00000000
0x0060da0b
0x0060da09
0x0060d9f8
0x00000000
0x0060d9ef
0x0060da30
0x0060da34
0x0060da3e
0x0060da3e
0x0060da43
0x0060da47
0x0060da5e
0x0060da49
0x0060da4f
0x0060da4f
0x0060da63
0x0060da66
0x0060da71
0x0060da76
0x0060da81
0x0060da8c
0x0060da91
0x0060da93
0x0060da9b
0x0060da9b
0x0060dab8
0x0060daa8
0x0060dab3
0x0060dab3
0x0060dac6
0x0060dac9
0x0060dacc
0x0060dad4
0x0060dae1
0x0060dae1
0x0060d8b9
0x0060d8b9
0x0060d8bb
0x0060d8bd
0x0060d8be
0x00000000
0x0060d8c0
0x0060d8c0
0x0060d8c0
0x0060d8c4
0x0060d8c5
0x0060d8c6
0x0060d8c9
0x0060d8cc
0x0060d8d1
0x0060d8d9
0x0060d8e0
0x0060d8e1
0x0060d8e9
0x0060d8f2
0x0060d8fd
0x0060d906
0x0060d90e
0x0060d919
0x0060d919
0x0060d906
0x00000000

APIs

WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000), ref: 0060D996

Strings

NUL, xrefs: 0060DA59
[rename], xrefs: 0060D9FA, 0060DA36
WININIT.INI, xrefs: 0060D944
MoveFileEx, xrefs: 0060DBA0
.tmp, xrefs: 0060D952

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID: .tmp$MoveFileEx$NUL$WININIT.INI$[rename]
API String ID: 390214022-3304407042
Opcode ID: 448576033111d628455bbc900039c2b3076aab3907525e3a5e7b6a874702d213
Instruction ID: 9ccae61fee5444c96898e798bd08ad00ad1f0a42c005b5ee0ec7678d9f590d11
Opcode Fuzzy Hash: 448576033111d628455bbc900039c2b3076aab3907525e3a5e7b6a874702d213
Instruction Fuzzy Hash: 3E810974A44209AFDB04EBE5C882BDEBBB6EF88304F504669E400B73D1E775AE45CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00408E18 Relevance: 10.6, APIs: 7, Instructions: 130
threadCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E00408E18(signed char* __eax, void* __edx, void* __eflags) {
				void* _t49;
				signed char _t56;
				intOrPtr _t57;
				signed char _t59;
				void* _t70;
				signed char* _t71;
				intOrPtr _t72;
				signed char* _t73;

				_t70 = __edx;
				_t71 = __eax;
				_t72 =  *((intOrPtr*)(__eax + 0x10));
				while(1) {
					L1:
					 *_t73 = E004092D8(_t71);
					if( *_t73 != 0 || _t70 == 0) {
						break;
					}
					_t73[1] = 0;
					if(_t72 <= 0) {
						while(1) {
							L17:
							_t56 =  *_t71;
							if(_t56 == 0) {
								goto L1;
							}
							asm("lock cmpxchg [esi], edx");
							if(_t56 != _t56) {
								continue;
							} else {
								goto L19;
							}
							do {
								L19:
								_t73[4] = GetTickCount();
								E0040901C(_t71);
								_t57 =  *0x6cf8fc; // 0x6c76d4
								 *((intOrPtr*)(_t57 + 0x10))();
								 *_t73 = 0 == 0;
								if(_t70 != 0xffffffff) {
									_t73[8] = GetTickCount();
									if(_t70 <= _t73[8] - _t73[4]) {
										_t70 = 0;
									} else {
										_t70 = _t70 - _t73[8] - _t73[4];
									}
								}
								if( *_t73 == 0) {
									do {
										asm("lock cmpxchg [esi], edx");
									} while ( *_t71 !=  *_t71);
									_t73[1] = 1;
								} else {
									while(1) {
										_t59 =  *_t71;
										if((_t59 & 0x00000001) != 0) {
											goto L29;
										}
										asm("lock cmpxchg [esi], edx");
										if(_t59 != _t59) {
											continue;
										}
										_t73[1] = 1;
										goto L29;
									}
								}
								L29:
							} while (_t73[1] == 0);
							if( *_t73 != 0) {
								_t71[8] = GetCurrentThreadId();
								_t71[4] = 1;
							}
							goto L32;
						}
						continue;
					}
					_t73[4] = GetTickCount();
					_t73[0xc] = 0;
					if(_t72 <= 0) {
						L13:
						if(_t70 == 0xffffffff) {
							goto L17;
						}
						_t73[8] = GetTickCount();
						_t49 = _t73[8] - _t73[4];
						if(_t70 > _t49) {
							_t70 = _t70 - _t49;
							goto L17;
						}
						 *_t73 = 0;
						break;
					}
					L5:
					L5:
					if(_t70 == 0xffffffff || _t70 > GetTickCount() - _t73[4]) {
						goto L8;
					} else {
						 *_t73 = 0;
					}
					break;
					L8:
					if( *_t71 > 1) {
						goto L13;
					}
					if( *_t71 != 0) {
						L12:
						E00408AF8( &(_t73[0xc]));
						_t72 = _t72 - 1;
						if(_t72 > 0) {
							goto L5;
						}
						goto L13;
					}
					asm("lock cmpxchg [esi], edx");
					if(0 != 0) {
						goto L12;
					}
					_t71[8] = GetCurrentThreadId();
					_t71[4] = 1;
					 *_t73 = 1;
					break;
				}
				L32:
				return  *_t73 & 0x000000ff;
			}

0x00408e1f
0x00408e21
0x00408e23
0x00408e26
0x00408e26
0x00408e2d
0x00408e34
0x00000000
0x00000000
0x00408e42
0x00408e49
0x00408ee1
0x00408ee1
0x00408ee1
0x00408ee5
0x00000000
0x00000000
0x00408ef0
0x00408ef6
0x00000000
0x00000000
0x00000000
0x00000000
0x00408ef8
0x00408ef8
0x00408efd
0x00408f03
0x00408f0a
0x00408f14
0x00408f19
0x00408f20
0x00408f27
0x00408f35
0x00408f43
0x00408f37
0x00408f3f
0x00408f3f
0x00408f35
0x00408f49
0x00408f6b
0x00408f74
0x00408f78
0x00408f7c
0x00000000
0x00408f4b
0x00408f4b
0x00408f50
0x00000000
0x00000000
0x00408f5c
0x00408f62
0x00000000
0x00000000
0x00408f64
0x00000000
0x00408f64
0x00408f4b
0x00408f81
0x00408f81
0x00408f90
0x00408f97
0x00408f9a
0x00408f9a
0x00000000
0x00408f90
0x00000000
0x00408ee1
0x00408e54
0x00408e5a
0x00408e60
0x00408ebc
0x00408ebf
0x00000000
0x00000000
0x00408ec6
0x00408ece
0x00408ed4
0x00408edf
0x00000000
0x00408edf
0x00408ed6
0x00000000
0x00408ed6
0x00000000
0x00408e62
0x00408e65
0x00000000
0x00408e74
0x00408e74
0x00408e74
0x00000000
0x00408e7d
0x00408e80
0x00000000
0x00000000
0x00408e85
0x00408eae
0x00408eb2
0x00408eb7
0x00408eba
0x00000000
0x00000000
0x00000000
0x00408eba
0x00408e8e
0x00408e94
0x00000000
0x00000000
0x00408e9b
0x00408e9e
0x00408ea5
0x00000000
0x00408ea5
0x00408fa1
0x00408fac

APIs

Part of subcall function 004092D8: GetCurrentThreadId.KERNEL32 ref: 004092DB

GetTickCount.KERNEL32 ref: 00408E4F
GetTickCount.KERNEL32 ref: 00408E67
GetCurrentThreadId.KERNEL32 ref: 00408E96
GetTickCount.KERNEL32 ref: 00408EC1
GetTickCount.KERNEL32 ref: 00408EF8
GetTickCount.KERNEL32 ref: 00408F22
GetCurrentThreadId.KERNEL32 ref: 00408F92

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: CountTick$CurrentThread
String ID:
API String ID: 3968769311-0
Opcode ID: 20bc9faa338205b9676b9ce63f6a6fc95d4e340ef3c4d15d54fbfb65282f0910
Instruction ID: 216a2c916ba6e2f13aacbc2b486a5202febe2ca6ab096472d485461ede499aa8
Opcode Fuzzy Hash: 20bc9faa338205b9676b9ce63f6a6fc95d4e340ef3c4d15d54fbfb65282f0910
Instruction Fuzzy Hash: FD4171712087429ED721AF78CA4031FBAD2AF94354F15897EE4D9D72C2DB7C9881874A

Uniqueness

Uniqueness Score: -1.00%

Function 006A5F04 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 72
fileCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E006A5F04(void* __eax, void* __edx, intOrPtr _a4076) {
				char _v4120;
				void* __ebx;
				void* __esi;
				void* __ebp;
				void* _t6;
				void* _t11;
				signed char _t14;
				void* _t22;
				intOrPtr* _t23;
				void* _t24;
				void* _t28;
				long _t30;
				void* _t31;
				void* _t32;
				void* _t33;

				_push(__eax);
				_t6 = 2;
				do {
					_t32 = _t32 + 0xfffff004;
					_push(_t6);
					_t6 = _t6 - 1;
				} while (_t6 != 0);
				_t33 = _t32 + 4;
				_t28 = __edx;
				_t29 = _a4076;
				_t23 = E00414020(_t22, _a4076, GetModuleHandleW(L"kernel32.dll"), L"GetFinalPathNameByHandleW");
				if(_t23 == 0) {
					L11:
					_t11 = E0040A5A8(_t28, _t29);
				} else {
					_t14 = GetFileAttributesW(E0040B278(_t29));
					if(_t14 == 0xffffffff) {
						goto L11;
					} else {
						if((_t14 & 0x00000010) == 0) {
							_t30 = 0;
							__eflags = 0;
						} else {
							_t30 = 0x2000000;
						}
						_t31 = CreateFileW(E0040B278(_t29), 0, 7, 0, 3, _t30, 0);
						if(_t31 == 0xffffffff) {
							goto L11;
						} else {
							_t24 =  *_t23(_t31,  &_v4120, 0x1000, 0);
							CloseHandle(_t31);
							if(_t24 <= 0) {
								goto L11;
							} else {
								_t41 = _t24 - 0xff0;
								if(_t24 >= 0xff0) {
									goto L11;
								} else {
									_t11 = E006A5E1C(_t33, _t24, _t28, _t29, _t41);
								}
							}
						}
					}
				}
				return _t11;
			}

0x006a5f08
0x006a5f09
0x006a5f0e
0x006a5f0e
0x006a5f14
0x006a5f15
0x006a5f15
0x006a5f1f
0x006a5f22
0x006a5f24
0x006a5f3b
0x006a5f3f
0x006a5fad
0x006a5fb1
0x006a5f41
0x006a5f49
0x006a5f51
0x00000000
0x006a5f53
0x006a5f55
0x006a5f5e
0x006a5f5e
0x006a5f57
0x006a5f57
0x006a5f57
0x006a5f78
0x006a5f7d
0x00000000
0x006a5f7f
0x006a5f8e
0x006a5f91
0x006a5f98
0x00000000
0x006a5f9a
0x006a5f9a
0x006a5fa0
0x00000000
0x006a5fa2
0x006a5fa6
0x006a5fa6
0x006a5fa0
0x006a5f98
0x006a5f7d
0x006a5f51
0x006a5fc0

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,GetFinalPathNameByHandleW), ref: 006A5F30
GetFileAttributesW.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleW), ref: 006A5F49
CreateFileW.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleW), ref: 006A5F73
CloseHandle.KERNEL32(00000000), ref: 006A5F91

Strings

GetFinalPathNameByHandleW, xrefs: 006A5F26
kernel32.dll, xrefs: 006A5F2B

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: FileHandle$AttributesCloseCreateModule
String ID: GetFinalPathNameByHandleW$kernel32.dll
API String ID: 791737717-340263132
Opcode ID: ee2239582e227f58055d6c75fc8972661dcf133dd665b7ba8432f605ab2c3931
Instruction ID: 33e75e3eedf917459a19461fb92274fc6dcf6f547d9e1cd84d4496d1484fa6be
Opcode Fuzzy Hash: ee2239582e227f58055d6c75fc8972661dcf133dd665b7ba8432f605ab2c3931
Instruction Fuzzy Hash: FD110860740B043FE530B17A5C8BFBB204E8B96769F14013ABB1ADA3C2E9799D410D9A

Uniqueness

Uniqueness Score: -1.00%

Function 00408BB4 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 63
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 36%

			E00408BB4(void* __edx) {
				signed int _v8;
				intOrPtr _v12;
				char _v16;
				char* _t23;
				intOrPtr _t29;
				intOrPtr _t39;
				void* _t41;
				void* _t43;
				intOrPtr _t44;

				_t41 = _t43;
				_t44 = _t43 + 0xfffffff4;
				_v16 = 0;
				if(GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "GetLogicalProcessorInformation") == 0) {
					L10:
					_v8 = 0x40;
					goto L11;
				} else {
					_t23 =  &_v16;
					_push(_t23);
					_push(0);
					L00405324();
					if(_t23 != 0 || GetLastError() != 0x7a) {
						goto L10;
					} else {
						_v12 = E00406F0C(_v16);
						_push(_t41);
						_push(E00408C62);
						_push( *[fs:edx]);
						 *[fs:edx] = _t44;
						_push( &_v16);
						_push(_v12);
						L00405324();
						_t29 = _v12;
						if(_v16 <= 0) {
							L8:
							_pop(_t39);
							 *[fs:eax] = _t39;
							_push(E00408C69);
							return E00406F28(_v12);
						} else {
							while( *((short*)(_t29 + 4)) != 2 ||  *((char*)(_t29 + 8)) != 1) {
								_t29 = _t29 + 0x18;
								_v16 = _v16 - 0x18;
								if(_v16 > 0) {
									continue;
								} else {
									goto L8;
								}
								goto L12;
							}
							_v8 =  *(_t29 + 0xa) & 0x0000ffff;
							E004099B8();
							L11:
							return _v8;
						}
					}
				}
				L12:
			}

0x00408bb5
0x00408bb7
0x00408bbc
0x00408bd6
0x00408c69
0x00408c69
0x00000000
0x00408bdc
0x00408bdc
0x00408bdf
0x00408be0
0x00408be2
0x00408be9
0x00000000
0x00408bf5
0x00408bfd
0x00408c02
0x00408c03
0x00408c08
0x00408c0b
0x00408c11
0x00408c15
0x00408c16
0x00408c1b
0x00408c22
0x00408c4c
0x00408c4e
0x00408c51
0x00408c54
0x00408c61
0x00408c24
0x00408c24
0x00408c3f
0x00408c42
0x00408c4a
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00408c4a
0x00408c35
0x00408c38
0x00408c70
0x00408c76
0x00408c76
0x00408c22
0x00408be9
0x00000000

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,GetLogicalProcessorInformation), ref: 00408BC9
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00408BCF
GetLastError.KERNEL32(00000000,?,GetLogicalProcessorInformation), ref: 00408BEB

Strings

@, xrefs: 00408C69
GetLogicalProcessorInformation, xrefs: 00408BBF
kernel32.dll, xrefs: 00408BC4

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: AddressErrorHandleLastModuleProc
String ID: @$GetLogicalProcessorInformation$kernel32.dll
API String ID: 4275029093-79381301
Opcode ID: d2b5bb259a4a67909b9857f382d53dc443368d34a06db9e148c60c099e14fc22
Instruction ID: fae384035c4cbf403bb6e842233c038de7d928fc1d1ef8a2a4529768a9174d83
Opcode Fuzzy Hash: d2b5bb259a4a67909b9857f382d53dc443368d34a06db9e148c60c099e14fc22
Instruction Fuzzy Hash: E4117570D05208AEEF10EBA5DA45A6EB7F4DB44704F1084BFE454B72C1DF7D8A548B29

Uniqueness

Uniqueness Score: -1.00%

Function 006B8141 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E006B8141(void* __ebx, void* __edx, void* __edi, void* __esi) {
				char* _t18;
				char* _t23;
				intOrPtr* _t25;
				intOrPtr _t29;
				intOrPtr _t32;
				void* _t34;
				intOrPtr _t42;
				intOrPtr _t44;
				void* _t45;
				void* _t48;

				if( *((char*)(_t48 - 0x21)) != 0) {
					_t18 =  *0x6cdfdc; // 0x6d62e4
					if( *_t18 != 0) {
						E00616130(L"Not restarting Windows because Uninstall is being run from the debugger.", __ebx, __edi, __esi);
					} else {
						E00616130(L"Restarting Windows.", __ebx, __edi, __esi);
						_t23 =  *0x6cdefc; // 0x6d6825
						 *_t23 = 1;
						if(E0060F6D8() == 0) {
							_t25 =  *0x6cdec4; // 0x6d579c
							SetForegroundWindow( *( *_t25 + 0x188));
							_push(1);
							_push(1);
							_t29 =  *0x6cded8; // 0x6d5c28
							_t3 = _t29 + 0x164; // 0x0
							_push(E0040B278( *_t3));
							_t32 =  *0x6cded8; // 0x6d5c28
							_t4 = _t32 + 0x15c; // 0x0
							_t34 = E0040B278( *_t4);
							_pop(_t45);
							E006AF190(_t34, __ebx, 0x30, _t45, __edi, __esi);
						}
					}
				}
				_pop(_t42);
				 *[fs:eax] = _t42;
				_push(E006B8200);
				E0040A1C8(_t48 - 0x48);
				E0040A228(_t48 - 0x3c, 5);
				_t44 =  *0x4012b8; // 0x4012bc
				E0040C024(_t48 - 0x20, 7, _t44);
				return E0040A1EC(_t48 - 4);
			}

0x006b8145
0x006b8147
0x006b814f
0x006b81b6
0x006b8151
0x006b8156
0x006b815b
0x006b8160
0x006b816a
0x006b816c
0x006b817a
0x006b817f
0x006b8181
0x006b8183
0x006b8188
0x006b8193
0x006b8194
0x006b8199
0x006b819f
0x006b81a9
0x006b81aa
0x006b81aa
0x006b816a
0x006b814f
0x006b81bd
0x006b81c0
0x006b81c3
0x006b81cb
0x006b81d8
0x006b81e5
0x006b81eb
0x006b81f8

APIs

Part of subcall function 0060F6D8: GetCurrentProcess.KERNEL32(00000028), ref: 0060F6E8
Part of subcall function 0060F6D8: OpenProcessToken.ADVAPI32(00000000,00000028), ref: 0060F6EE

SetForegroundWindow.USER32(?), ref: 006B817A

Strings

Not restarting Windows because Uninstall is being run from the debugger., xrefs: 006B81B1
(\m, xrefs: 006B8183, 006B8194
Restarting Windows., xrefs: 006B8151
%hm, xrefs: 006B815B
bm, xrefs: 006B8147

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: Process$CurrentForegroundOpenTokenWindow
String ID: %hm$(\m$Not restarting Windows because Uninstall is being run from the debugger.$Restarting Windows.$bm
API String ID: 3179053593-36556386
Opcode ID: b7594902ceb65011b7cd408ddb31800c32ac1c1d22a90f0235b323c67c5cc1dc
Instruction ID: d1bb377931262cf507ba46983c8bd46f5a1d5c2f393bef5d4bb5aec732555b7a
Opcode Fuzzy Hash: b7594902ceb65011b7cd408ddb31800c32ac1c1d22a90f0235b323c67c5cc1dc
Instruction Fuzzy Hash: 621130746042049FD700EB69DD86FE837EAAB49304F5540BAF401AB7A2CE79AC82C759

Uniqueness

Uniqueness Score: -1.00%

Function 00409E60 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 40
fileCOMMON

Download Yara Rule

C-Code - Quality: 43%

			E00409E60(void* __ecx) {
				long _v4;
				void* _t3;
				void* _t9;

				if( *0x6cf05c == 0) {
					if( *0x6c5036 == 0) {
						_push(0);
						_push("Error");
						_push("Runtime error     at 00000000");
						_push(0);
						L0040529C();
					}
					return _t3;
				} else {
					if( *0x6cf348 == 0xd7b2 &&  *0x6cf350 > 0) {
						 *0x6cf360();
					}
					WriteFile(GetStdHandle(0xfffffff5), "Runtime error     at 00000000", 0x1d,  &_v4, 0);
					_t9 = E0040AC70(0x409ef4);
					return WriteFile(GetStdHandle(0xfffffff5), _t9, 2,  &_v4, 0);
				}
			}

0x00409e68
0x00409ece
0x00409ed0
0x00409ed2
0x00409ed7
0x00409edc
0x00409ede
0x00409ede
0x00409ee4
0x00409e6a
0x00409e73
0x00409e83
0x00409e83
0x00409e9f
0x00409eb2
0x00409ec6
0x00409ec6

APIs

GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00409F18,?,?,?,0040A032,0040701B,00407062,?,?,0040707B), ref: 00409E99
WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00409F18,?,?,?,0040A032,0040701B,00407062,?,?), ref: 00409E9F
GetStdHandle.KERNEL32(000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00409F18,?,?,?), ref: 00409EBA
WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00409F18,?,?), ref: 00409EC0

Strings

Error, xrefs: 00409ED2
Runtime error at 00000000, xrefs: 00409E92, 00409ED7

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: FileHandleWrite
String ID: Error$Runtime error at 00000000
API String ID: 3320372497-2970929446
Opcode ID: a4deac2aa97ac97823855fef04cac89a22f23a0563f87e50a6800a30aeefe081
Instruction ID: a01582976990e38fcf300ac2ca1e4f1bd102d55210953f65d1fcb3aa769fb624
Opcode Fuzzy Hash: a4deac2aa97ac97823855fef04cac89a22f23a0563f87e50a6800a30aeefe081
Instruction Fuzzy Hash: 52F04FA0A44780BAEB10B7A19C07F7B261AD741B28F10567FB214B91D3C6B85CC49AE9

Uniqueness

Uniqueness Score: -1.00%

Function 0043171C Relevance: 9.1, APIs: 6, Instructions: 144
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E0043171C(short* __eax, intOrPtr __ecx, signed short* __edx) {
				char _v260;
				char _v768;
				char _v772;
				short* _v776;
				intOrPtr _v780;
				char _v784;
				signed int _v788;
				signed short* _v792;
				char _v796;
				char _v800;
				intOrPtr* _v804;
				signed short* _v808;
				void* __ebp;
				signed char _t55;
				signed int _t64;
				void* _t72;
				intOrPtr* _t83;
				void* _t103;
				void* _t105;
				void* _t108;
				void* _t109;
				intOrPtr* _t118;
				void* _t122;
				intOrPtr _t123;
				char* _t124;
				void* _t125;

				_t110 = __ecx;
				_v780 = __ecx;
				_v808 = __edx;
				_v776 = __eax;
				if((_v808[0] & 0x00000020) == 0) {
					L00430EC8(0x80070057);
				}
				_t55 =  *_v808 & 0x0000ffff;
				if((_t55 & 0x00000fff) != 0xc) {
					_push(_v808);
					_push(_v776);
					L0042F04C();
					return L00430EC8(_v776);
				} else {
					if((_t55 & 0x00000040) == 0) {
						_v792 = _v808[4];
					} else {
						_v792 =  *(_v808[4]);
					}
					_v788 =  *_v792 & 0x0000ffff;
					_t103 = _v788 - 1;
					if(_t103 < 0) {
						L9:
						_push( &_v772);
						_t64 = _v788;
						_push(_t64);
						_push(0xc);
						L0042F628();
						_t123 = _t64;
						if(_t123 == 0) {
							E00430C20(_t110);
						}
						L00431164(_v776);
						 *_v776 = 0x200c;
						 *((intOrPtr*)(_v776 + 8)) = _t123;
						_t105 = _v788 - 1;
						if(_t105 < 0) {
							L14:
							_t107 = _v788 - 1;
							if(E00431694(_v788 - 1, _t125) != 0) {
								L0042F650();
								L00430EC8(_v792);
								L0042F650();
								L00430EC8( &_v260);
								_v780(_t123,  &_v260,  &_v800, _v792,  &_v260,  &_v796);
							}
							_t72 = E004316C4(_t107, _t125);
						} else {
							_t108 = _t105 + 1;
							_t83 =  &_v768;
							_t118 =  &_v260;
							do {
								 *_t118 =  *_t83;
								_t118 = _t118 + 4;
								_t83 = _t83 + 8;
								_t108 = _t108 - 1;
							} while (_t108 != 0);
							do {
								goto L14;
							} while (_t72 != 0);
							return _t72;
						}
					} else {
						_t109 = _t103 + 1;
						_t122 = 0;
						_t124 =  &_v772;
						do {
							_v804 = _t124;
							_push(_v804 + 4);
							_t23 = _t122 + 1; // 0x1
							_push(_v792);
							L0042F630();
							L00430EC8(_v792);
							_push( &_v784);
							_t26 = _t122 + 1; // 0x1
							_push(_v792);
							L0042F638();
							L00430EC8(_v792);
							 *_v804 = _v784 -  *((intOrPtr*)(_v804 + 4)) + 1;
							_t122 = _t122 + 1;
							_t124 = _t124 + 8;
							_t109 = _t109 - 1;
						} while (_t109 != 0);
						goto L9;
					}
				}
			}

0x0043171c
0x00431728
0x0043172e
0x00431734
0x00431744
0x0043174b
0x0043174b
0x00431756
0x00431764
0x004318ef
0x004318f6
0x004318f7
0x00000000
0x0043176a
0x0043176d
0x0043178b
0x0043176f
0x0043177a
0x0043177a
0x0043179a
0x004317a6
0x004317a9
0x00431816
0x0043181c
0x0043181d
0x00431823
0x00431824
0x00431826
0x0043182b
0x0043182f
0x00431831
0x00431831
0x0043183c
0x00431847
0x00431852
0x0043185b
0x0043185e
0x0043187a
0x00431881
0x0043188c
0x004318a3
0x004318a8
0x004318bc
0x004318c1
0x004318d4
0x004318d4
0x004318dd
0x00431860
0x00431860
0x00431861
0x00431867
0x0043186d
0x0043186f
0x00431871
0x00431874
0x00431877
0x00431877
0x0043187a
0x00000000
0x00000000
0x00000000
0x0043187a
0x004317ab
0x004317ab
0x004317ac
0x004317ae
0x004317b4
0x004317b6
0x004317c5
0x004317c6
0x004317d0
0x004317d1
0x004317d6
0x004317e1
0x004317e2
0x004317ec
0x004317ed
0x004317f2
0x0043180d
0x0043180f
0x00431810
0x00431813
0x00431813
0x00000000
0x004317b4
0x004317a9

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 004317D1
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 004317ED
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 00431826
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004318A3
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004318BC
VariantCopy.OLEAUT32(?,?), ref: 004318F7

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: ArraySafe$BoundIndex$CopyCreateVariant
String ID:
API String ID: 351091851-0
Opcode ID: 040e7940f355aaa7652d1378d9b08393b08e43244b2170bcb39dc03bfc7fe70c
Instruction ID: ede279f2d9249a03c5eeb803d5e3445196a0ad83b08d93498a0369a0c14e8414
Opcode Fuzzy Hash: 040e7940f355aaa7652d1378d9b08393b08e43244b2170bcb39dc03bfc7fe70c
Instruction Fuzzy Hash: 41512D75A002299FCB62DB59CD81BD9B3FCAF0C304F4455EAE508E7212D634AF858F58

Uniqueness

Uniqueness Score: -1.00%

Function 006AE6F8 Relevance: 9.1, APIs: 6, Instructions: 66
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E006AE6F8(signed int __eax) {
				intOrPtr* _t14;
				signed int _t18;
				intOrPtr* _t19;
				intOrPtr* _t23;
				signed int _t26;
				long _t27;
				intOrPtr* _t29;
				intOrPtr* _t33;
				signed int _t37;
				intOrPtr* _t38;

				_t37 = __eax;
				 *0x6d6827 = __eax ^ 0x00000001;
				_t14 =  *0x6cdec4; // 0x6d579c
				_t18 = GetWindowLongW( *( *_t14 + 0x188), 0xffffffec) & 0xffffff00 | (_t17 & 0x00000080) == 0x00000000;
				if(_t37 != _t18) {
					_t19 =  *0x6cdec4; // 0x6d579c
					SetWindowPos( *( *_t19 + 0x188), 0, 0, 0, 0, 0, 0x97);
					_t23 =  *0x6cdec4; // 0x6d579c
					_t26 = GetWindowLongW( *( *_t23 + 0x188), 0xffffffec);
					if(_t37 == 0) {
						_t27 = _t26 | 0x00000080;
					} else {
						_t27 = _t26 & 0xffffff7f;
					}
					_t38 =  *0x6cdec4; // 0x6d579c
					SetWindowLongW( *( *_t38 + 0x188), 0xffffffec, _t27);
					if(_t37 == 0) {
						_t29 =  *0x6cdec4; // 0x6d579c
						return SetWindowPos( *( *_t29 + 0x188), 0, 0, 0, 0, 0, 0x57);
					} else {
						_t33 =  *0x6cdec4; // 0x6d579c
						return ShowWindow( *( *_t33 + 0x188), 5);
					}
				}
				return _t18;
			}

0x006ae6f9
0x006ae6ff
0x006ae704
0x006ae71b
0x006ae720
0x006ae735
0x006ae743
0x006ae748
0x006ae758
0x006ae75f
0x006ae768
0x006ae761
0x006ae761
0x006ae761
0x006ae76d
0x006ae77f
0x006ae786
0x006ae7ab
0x00000000
0x006ae788
0x006ae78a
0x00000000
0x006ae798
0x006ae786
0x006ae7bf

APIs

GetWindowLongW.USER32(?,000000EC), ref: 006AE714
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC,?,006B78BD,00000000,006B81F9), ref: 006AE743
GetWindowLongW.USER32(?,000000EC), ref: 006AE758
SetWindowLongW.USER32(?,000000EC,00000000), ref: 006AE77F
ShowWindow.USER32(?,00000005,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC), ref: 006AE798
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000057,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000), ref: 006AE7B9

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: Window$Long$Show
String ID:
API String ID: 3609083571-0
Opcode ID: 5cdc2a2f03025ac3e3b3afbb97f1bf29b70dcad7f16aa9e547f2343e461a08eb
Instruction ID: c5f2d3f14be40374ea6ae40072baf741f42d7864aa45c80e1917733d0618a2ec
Opcode Fuzzy Hash: 5cdc2a2f03025ac3e3b3afbb97f1bf29b70dcad7f16aa9e547f2343e461a08eb
Instruction Fuzzy Hash: FC111C75745200AFD700EB68DD81FE237EAAB9E314F4541A5F6158F3E2CA65EC40DB50

Uniqueness

Uniqueness Score: -1.00%

Function 0060D3B4 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 105
fileCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E0060D3B4(char __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi) {
				char _v8;
				char _v12;
				intOrPtr _v16;
				char _v17;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				void* _t60;
				signed int _t63;
				intOrPtr _t77;
				void* _t83;
				intOrPtr _t86;

				_t64 = 0;
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_v16 = __edx;
				_v8 = __eax;
				E0040A2AC(_v8);
				_push(_t86);
				_push(0x60d4f1);
				_push( *[fs:eax]);
				 *[fs:eax] = _t86;
				E005C4EA4(_v8,  &_v24);
				E0040A5F0( &_v8, _v24);
				_t83 = 0x123456;
				_t63 = 0;
				_v17 = 0;
				do {
					_t83 = _t83 + 1;
					if(_t83 > 0x1ffffff) {
						_t83 = 0;
					}
					_t90 = 0x123456 - _t83;
					if(0x123456 == _t83) {
						_t9 =  &_v32; // 0x6b7447
						E005C567C(_v8, _t64, _t9, _t90);
						_t11 =  &_v32; // 0x6b7447
						E005CD508(0x5a,  &_v28,  *_t11);
						_t64 = _v28;
						E00429008(_v28, 1);
						E004098C4();
					}
					_push(_v8);
					_push("_iu");
					E0060D21C(_t83, _t63,  &_v36, 0x123456, _t83);
					_push(_v36);
					_push(L".tmp");
					E0040B550( &_v12, _t63, 4, 0x123456, _t83);
					if(E005C6880(_t90) == 0) {
						_t63 = 1;
						_v17 = E005C685C(_v12);
						if(_v17 != 0) {
							_t60 = CreateFileW(E0040B278(_v12), 0xc0000000, 0, 0, 2, 0x80, 0);
							_t63 = 0 | _t60 != 0xffffffff;
							if(1 != 0) {
								CloseHandle(_t60);
							}
						}
					}
				} while (_t63 == 0);
				E0040A5A8(_v16, _v12);
				_pop(_t77);
				 *[fs:eax] = _t77;
				_push(E0060D4F8);
				E0040A228( &_v36, 4);
				return E0040A228( &_v12, 2);
			}

0x0060d3b7
0x0060d3b9
0x0060d3ba
0x0060d3bb
0x0060d3bc
0x0060d3bd
0x0060d3be
0x0060d3bf
0x0060d3c0
0x0060d3c4
0x0060d3c7
0x0060d3cd
0x0060d3d4
0x0060d3d5
0x0060d3da
0x0060d3dd
0x0060d3e6
0x0060d3f1
0x0060d3fb
0x0060d3fd
0x0060d3ff
0x0060d403
0x0060d403
0x0060d40a
0x0060d40c
0x0060d40c
0x0060d40e
0x0060d410
0x0060d412
0x0060d418
0x0060d41d
0x0060d427
0x0060d42c
0x0060d436
0x0060d43b
0x0060d43b
0x0060d440
0x0060d443
0x0060d44d
0x0060d452
0x0060d455
0x0060d462
0x0060d471
0x0060d473
0x0060d47d
0x0060d484
0x0060d4a1
0x0060d4a9
0x0060d4ae
0x0060d4b1
0x0060d4b1
0x0060d4ae
0x0060d484
0x0060d4b6
0x0060d4c4
0x0060d4cb
0x0060d4ce
0x0060d4d1
0x0060d4de
0x0060d4f0

APIs

CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,?,_iu,?,00000000,0060D4F1), ref: 0060D4A1
CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,?,_iu,?,00000000,0060D4F1), ref: 0060D4B1

Strings

_iu, xrefs: 0060D443
Gtk, xrefs: 0060D412, 0060D41D
.tmp, xrefs: 0060D455

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: CloseCreateFileHandle
String ID: .tmp$Gtk$_iu
API String ID: 3498533004-1320520068
Opcode ID: 8f4bd8aeb1207aa4b07bf03847036b0a2b10865cd30baef83bcbefd08e77ff22
Instruction ID: 38fd5bd3aef28e796ac18a57f9f91bd27b67d48edde35eb58a18837c564f9665
Opcode Fuzzy Hash: 8f4bd8aeb1207aa4b07bf03847036b0a2b10865cd30baef83bcbefd08e77ff22
Instruction Fuzzy Hash: 73319030E80209ABDB14EBE4C842BDEBBB5AF54308F118169E904B73D1D738AE458B55

Uniqueness

Uniqueness Score: -1.00%

Function 006B8998 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 102
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E006B8998(char __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _v8;
				intOrPtr _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				char _v32;
				intOrPtr _v40;
				intOrPtr* _t27;
				intOrPtr* _t30;
				intOrPtr _t44;
				intOrPtr _t48;
				intOrPtr _t61;
				intOrPtr _t66;
				intOrPtr _t92;
				void* _t96;
				void* _t97;
				void* _t98;
				intOrPtr _t99;

				_t100 = __eflags;
				_t95 = __esi;
				_t94 = __edi;
				_t68 = __ebx;
				_t97 = _t98;
				_t99 = _t98 + 0xffffffdc;
				_v32 = 0;
				_v28 = 0;
				_v24 = 0;
				_v20 = 0;
				 *[fs:eax] = _t99;
				_t27 =  *0x6cdec4; // 0x6d579c
				E005B8250( *_t27, L"Uninstall", __eflags);
				_t30 =  *0x6cdec4; // 0x6d579c
				ShowWindow( *( *_t30 + 0x188), 5);
				 *[fs:edx] = _t99;
				E006AF824();
				E005C745C( &_v20);
				E00424020(_v20);
				E005C6FB0(0, __ebx,  &_v24, __edi, __esi);
				E0040A5A8(0x6d68d0, _v24);
				E006B6C80(__ebx, __edi, __esi, _t100);
				_t44 =  *0x6d68d0; // 0x0
				E005C4F90(_t44, _t68,  &_v28, L".dat", _t94, _t95);
				E0040A5A8(0x6d68d4, _v28);
				_t48 =  *0x6d68d0; // 0x0
				E005C4F90(_t48, _t68,  &_v32, L".msg", _t94, _t95);
				E0040A5A8(0x6d68d8, _v32);
				_v8 = E005CBFB8(1, 1, 0, 2);
				 *[fs:eax] = _t99;
				 *((intOrPtr*)( *_v8 + 4))( *[fs:eax], 0x6b8af0, _t97,  *[fs:edx], 0x6b8c15, _t97,  *[fs:eax], 0x6b8c4e, _t97, __edi, __esi, __ebx, _t96);
				E005CBF78(_v8, _v40 - 8);
				E005CBF50(_v8, 8,  &_v16);
				if(_v16 == 0x67734d49) {
					_t61 =  *0x6d68d0; // 0x0
					E005CD6BC(_t61, _t68, 1, _v12, _t94, _t95);
				} else {
					_t66 =  *0x6d68d8; // 0x0
					E005CD6BC(_t66, _t68, 1, 0, _t94, _t95);
				}
				_pop(_t92);
				 *[fs:eax] = _t92;
				_push(E006B8AF7);
				return E00408444(_v8);
			}

0x006b8998
0x006b8998
0x006b8998
0x006b8998
0x006b8999
0x006b899b
0x006b89a3
0x006b89a6
0x006b89a9
0x006b89ac
0x006b89ba
0x006b89bd
0x006b89c9
0x006b89d0
0x006b89de
0x006b89ee
0x006b89f1
0x006b89f9
0x006b8a01
0x006b8a0b
0x006b8a18
0x006b8a1d
0x006b8a2a
0x006b8a2f
0x006b8a3c
0x006b8a49
0x006b8a4e
0x006b8a5b
0x006b8a78
0x006b8a86
0x006b8a91
0x006b8a9d
0x006b8aad
0x006b8ab9
0x006b8ad0
0x006b8ad5
0x006b8abb
0x006b8abf
0x006b8ac4
0x006b8ac4
0x006b8adc
0x006b8adf
0x006b8ae2
0x006b8aef

APIs

Part of subcall function 005B8250: SetWindowTextW.USER32(?,00000000), ref: 005B8281

ShowWindow.USER32(?,00000005,00000000,006B8C4E,?,?,00000000), ref: 006B89DE

Part of subcall function 005C745C: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 005C746F

Part of subcall function 00424020: SetCurrentDirectoryW.KERNEL32(00000000,?,006B8A06,00000000,006B8C15,?,?,00000005,00000000,006B8C4E,?,?,00000000), ref: 0042402B

Part of subcall function 005C6FB0: GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,005C7045,?,?,?,00000001,?,0061037E,00000000,006103E9), ref: 005C6FE5

Strings

IMsg, xrefs: 006B8AB2
.dat, xrefs: 006B8A25
Uninstall, xrefs: 006B89C4
.msg, xrefs: 006B8A44

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: DirectoryWindow$CurrentFileModuleNameShowSystemText
String ID: .dat$.msg$IMsg$Uninstall
API String ID: 3312786188-1660910688
Opcode ID: a3002b033f6a18a544abd0b7a5371b2778306b012f82d7460bf43857e6ba0576
Instruction ID: 43941ce92546cf1f75effb4615d96ab71b8b1f254b2d248514a95b56d5af6042
Opcode Fuzzy Hash: a3002b033f6a18a544abd0b7a5371b2778306b012f82d7460bf43857e6ba0576
Instruction Fuzzy Hash: 65415CB0A002059FC700EFA4CD96E9EBBB6FB88304F51846AF400A7751DB75AE41DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 006153AC Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 59
windowCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E006153AC(struct HWND__* __eax, signed char __edx, void* __ebp) {
				char _v16;
				signed char _v20;
				char _v24;
				char _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t8;
				struct HWND__* _t14;
				void* _t21;
				intOrPtr* _t22;
				struct HWND__* _t28;
				void* _t29;
				signed char* _t31;

				_t31 =  &_v20;
				 *_t31 = __edx;
				_t28 = __eax;
				_t21 = SendMessageW(__eax, 0xb06, 0, 0);
				if(_t21 != 0x6020000) {
					_v28 = _t21;
					_v24 = 0;
					_v20 = 0x6020000;
					_v16 = 0;
					_t23 = L"Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x)";
					E00429044(_t21, L"Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x)", 1, 0x6d62f8, _t28, 1,  &_v28);
					E004098C4();
				}
				 *0x6d62e4 = 1;
				 *0x6d62f4 = _t28;
				_t8 =  *0x615310; // 0x615368
				 *0x6d62f8 = E004785F8(E006158C4, _t8);
				if( *0x6d62f8 == 0) {
					E0060CD28(L"Failed to create DebugClientWnd", _t21);
				}
				_t29 = 4;
				_t22 =  *0x6cdb54; // 0x6cceb4
				do {
					E005C86E0( *0x6d62f8, _t23,  *_t22);
					_t22 = _t22 + 4;
					_t29 = _t29 - 1;
				} while (_t29 != 0);
				_t14 =  *0x6d62f4; // 0x0
				return SendMessageW(_t14, 0xb00,  *0x6d62f8,  *_t31 & 0x000000ff);
			}

0x006153af
0x006153b2
0x006153b5
0x006153cb
0x006153d3
0x006153d5
0x006153d9
0x006153de
0x006153e6
0x006153f2
0x006153fe
0x00615403
0x00615403
0x00615408
0x0061540f
0x00615415
0x00615425
0x0061542a
0x00615431
0x00615431
0x00615436
0x0061543b
0x00615441
0x00615445
0x0061544a
0x0061544d
0x0061544d
0x0061545d
0x0061546e

APIs

SendMessageW.USER32(00000000,00000B06,00000000,00000000), ref: 006153C6
SendMessageW.USER32(00000000,00000B00,00000000,00000000), ref: 00615463

Strings

hSa, xrefs: 00615415
Failed to create DebugClientWnd, xrefs: 0061542C
Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x), xrefs: 006153F2

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: MessageSend
String ID: Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x)$Failed to create DebugClientWnd$hSa
API String ID: 3850602802-2905362044
Opcode ID: 0e412e84a358142af428e011a0e255765662ed08f503d990aefe787644027a64
Instruction ID: bd2b79d17f40968884fe1c372ced24de8c60c917dea0cb25488337d16b2a65e4
Opcode Fuzzy Hash: 0e412e84a358142af428e011a0e255765662ed08f503d990aefe787644027a64
Instruction Fuzzy Hash: 391123B1A403129FE300EB28DC81FDABBD69F94304F08002AF5858B3D2D3749C84C766

Uniqueness

Uniqueness Score: -1.00%

Function 00624AA4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E00624AA4(HANDLE* __eax) {
				HANDLE* _v8;
				long _v12;
				intOrPtr* _t7;
				long _t11;
				intOrPtr _t27;
				void* _t30;

				_v8 = __eax;
				_push(_t30);
				_push(0x624b25);
				_push( *[fs:edx]);
				 *[fs:edx] = _t30 + 0xfffffff8;
				do {
					_t7 =  *0x6cdec4; // 0x6d579c
					E005B8704( *_t7);
					_t11 = MsgWaitForMultipleObjects(1, _v8, 0, 0xffffffff, 0x4ff);
				} while (_t11 == 1);
				if(_t11 == 0xffffffff) {
					E0060CE84(L"MsgWaitForMultipleObjects");
				}
				if(GetExitCodeProcess( *_v8,  &_v12) == 0) {
					E0060CE84(L"GetExitCodeProcess");
				}
				_pop(_t27);
				 *[fs:eax] = _t27;
				_push(E00624B2C);
				return CloseHandle( *_v8);
			}

0x00624aaa
0x00624aaf
0x00624ab0
0x00624ab5
0x00624ab8
0x00624abb
0x00624abb
0x00624ac2
0x00624ad6
0x00624adb
0x00624ae3
0x00624aea
0x00624aea
0x00624b00
0x00624b07
0x00624b07
0x00624b0e
0x00624b11
0x00624b14
0x00624b24

APIs

MsgWaitForMultipleObjects.USER32 ref: 00624AD6
GetExitCodeProcess.KERNEL32 ref: 00624AF9
CloseHandle.KERNEL32(?,00624B2C,00000001,00000000,000000FF,000004FF,00000000,00624B25), ref: 00624B1F

Strings

GetExitCodeProcess, xrefs: 00624B02
MsgWaitForMultipleObjects, xrefs: 00624AE5

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: CloseCodeExitHandleMultipleObjectsProcessWait
String ID: GetExitCodeProcess$MsgWaitForMultipleObjects
API String ID: 2573145106-3235461205
Opcode ID: 5a47b888b64c9d71a21df3ce652ab4a6790a840d61fbcb63caf85f52caaf36c3
Instruction ID: b445045a4a45572890d55b61ba1fda7f57045845c9b5a3357f52015174d7dfc9
Opcode Fuzzy Hash: 5a47b888b64c9d71a21df3ce652ab4a6790a840d61fbcb63caf85f52caaf36c3
Instruction Fuzzy Hash: CE01A234640605AFD710EFA8ED62E9977EAEB49721F200265F520D73D0DE74ED44CA19

Uniqueness

Uniqueness Score: -1.00%

Function 004070B0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004070B0(signed int __eax, void* __edx) {
				short _v530;
				short _v1052;
				short _v1056;
				short _v1058;
				signed int _t20;
				void* _t24;
				WCHAR* _t25;

				_t25 =  &_v1052;
				_t24 = __edx;
				_t20 = __eax;
				if(__eax != 0) {
					 *_t25 = (__eax & 0x000000ff) + 0x41 - 1;
					_v1058 = 0x3a;
					_v1056 = 0;
					GetCurrentDirectoryW(0x105,  &_v530);
					SetCurrentDirectoryW(_t25);
				}
				GetCurrentDirectoryW(0x105,  &_v1052);
				if(_t20 != 0) {
					SetCurrentDirectoryW( &_v530);
				}
				return E0040B318(_t24, 0x105,  &_v1052);
			}

0x004070b2
0x004070b8
0x004070ba
0x004070be
0x004070c8
0x004070cc
0x004070d3
0x004070e7
0x004070ed
0x004070ed
0x004070fc
0x00407103
0x0040710d
0x0040710d
0x0040712a

APIs

GetCurrentDirectoryW.KERNEL32(00000105,?), ref: 004070E7
SetCurrentDirectoryW.KERNEL32(?,00000105,?), ref: 004070ED
GetCurrentDirectoryW.KERNEL32(00000105,?), ref: 004070FC
SetCurrentDirectoryW.KERNEL32(?,00000105,?), ref: 0040710D

Strings

:, xrefs: 004070CC

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: CurrentDirectory
String ID: :
API String ID: 1611563598-336475711
Opcode ID: aa9707b4d0d9c5d03511b22bbefae7383822b12ede650e628390a7387f8948e9
Instruction ID: 4e46778bef482c884a40b6a77bd37b1cdf5980326a29a022de95e28d89e8e0a5
Opcode Fuzzy Hash: aa9707b4d0d9c5d03511b22bbefae7383822b12ede650e628390a7387f8948e9
Instruction Fuzzy Hash: 71F0627154474465D310E7658852BDB729CDF84348F04843E76C89B2D1E6BC5948979B

Uniqueness

Uniqueness Score: -1.00%

Function 0059BDE0 Relevance: 7.6, APIs: 5, Instructions: 77
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0059BDE0(int __eax, void* __edx) {
				void* __edi;
				void* __esi;
				signed int _t39;
				signed int _t40;
				intOrPtr _t44;
				int _t45;
				void* _t47;
				int _t48;
				intOrPtr* _t49;

				_t18 = __eax;
				_t49 = __eax;
				if(( *(__eax + 0x1c) & 0x00000008) == 0) {
					if(( *(__eax + 0x1c) & 0x00000002) != 0) {
						 *((char*)(__eax + 0x80)) = 1;
						return __eax;
					}
					_t19 =  *((intOrPtr*)(__eax + 0x78));
					if( *((intOrPtr*)(__eax + 0x78)) != 0) {
						return E0059BDE0(_t19, __edx);
					}
					_t18 = GetMenuItemCount(E0059BF18(__eax, _t45, _t47));
					_t48 = _t18;
					_t40 = _t39 & 0xffffff00 | _t48 == 0x00000000;
					while(_t48 > 0) {
						_t45 = _t48 - 1;
						_t18 = GetMenuState(E0059BF18(_t49, _t45, _t48), _t45, 0x400);
						if((_t18 & 0x00000004) == 0) {
							_t18 = RemoveMenu(E0059BF18(_t49, _t45, _t48), _t45, 0x400);
							_t40 = 1;
						}
						_t48 = _t48 - 1;
					}
					if(_t40 != 0) {
						if( *((intOrPtr*)(_t49 + 0x70)) != 0) {
							L14:
							E0059BC9C(_t49, _t45, _t48);
							L15:
							return  *((intOrPtr*)( *_t49 + 0x50))();
						}
						_t44 =  *0x59a1c4; // 0x59a21c
						if(E0040868C( *((intOrPtr*)(_t49 + 0x7c)), _t44) == 0 || GetMenuItemCount(E0059BF18(_t49, _t45, _t48)) != 0) {
							goto L14;
						} else {
							DestroyMenu( *(_t49 + 0xbc));
							 *(_t49 + 0xbc) = 0;
							goto L15;
						}
					}
				}
				return _t18;
			}

0x0059bde0
0x0059bde4
0x0059bdea
0x0059bdf4
0x0059bdf6
0x00000000
0x0059bdf6
0x0059be02
0x0059be07
0x00000000
0x0059be09
0x0059be1b
0x0059be20
0x0059be24
0x0059be29
0x0059be32
0x0059be3c
0x0059be43
0x0059be53
0x0059be58
0x0059be58
0x0059be5a
0x0059be5b
0x0059be61
0x0059be67
0x0059bea2
0x0059bea4
0x0059bea9
0x00000000
0x0059beaf
0x0059be6c
0x0059be79
0x00000000
0x0059be8c
0x0059be93
0x0059be9a
0x00000000
0x0059be9a
0x0059be79
0x0059be61
0x0059beb6

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad8bebb6b70c684c30d9747228a5e3f8ffc0963a0edfe972ae4d2d3d4fc87c04
Instruction ID: f6f51fa323c2004b4ed4a12cf3aa4c02228d8e81e9c13bd86265522dc6499af0
Opcode Fuzzy Hash: ad8bebb6b70c684c30d9747228a5e3f8ffc0963a0edfe972ae4d2d3d4fc87c04
Instruction Fuzzy Hash: B01172A160425956FF706A7A6F09BEA3F9C7FD1745F050429BE419B283CB38CC458BA4

Uniqueness

Uniqueness Score: -1.00%

Function 005B631C Relevance: 7.5, APIs: 5, Instructions: 39
threadCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E005B631C() {
				intOrPtr _v4;
				void* _v8;
				int _t5;
				void* _t6;
				intOrPtr _t12;
				struct HHOOK__* _t14;
				void* _t19;
				void* _t20;

				if( *0x6d57c0 != 0) {
					_t14 =  *0x6d57c0; // 0x0
					UnhookWindowsHookEx(_t14);
				}
				 *0x6d57c0 = 0;
				_v4 = 0x6d57c4;
				_t5 = 0;
				asm("lock xchg [edx], eax");
				_v8 = 0;
				if(_v8 != 0) {
					_t6 =  *0x6d57bc; // 0x0
					SetEvent(_t6);
					if(GetCurrentThreadId() !=  *0x6d57b8) {
						while(MsgWaitForMultipleObjects(1,  &_v8, 0, 0xffffffff, 0x4ff) != 0) {
							_t12 =  *0x6d579c; // 0x0
							E005B871C(_t12, _t19, _t20);
						}
					}
					_t5 = CloseHandle(_v8);
				}
				return _t5;
			}

0x005b6326
0x005b6328
0x005b632e
0x005b632e
0x005b6335
0x005b633a
0x005b6346
0x005b6348
0x005b634b
0x005b6352
0x005b6354
0x005b635a
0x005b636a
0x005b6378
0x005b636e
0x005b6373
0x005b6373
0x005b6378
0x005b6395
0x005b6395
0x005b639c

APIs

UnhookWindowsHookEx.USER32(00000000), ref: 005B632E
SetEvent.KERNEL32(00000000), ref: 005B635A
GetCurrentThreadId.KERNEL32 ref: 005B635F
MsgWaitForMultipleObjects.USER32 ref: 005B6388
CloseHandle.KERNEL32(00000000,00000000), ref: 005B6395

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: CloseCurrentEventHandleHookMultipleObjectsThreadUnhookWaitWindows
String ID:
API String ID: 2132507429-0
Opcode ID: 3d70fa8801357980af144d8f96a13d0436440f37400d9bd4b324e4fa6e60107c
Instruction ID: 777aa0f60006170efd8bf97b8faec0e2cbbea874aebe53a0ac6f8c30ff2fdbbe
Opcode Fuzzy Hash: 3d70fa8801357980af144d8f96a13d0436440f37400d9bd4b324e4fa6e60107c
Instruction Fuzzy Hash: 30018B70A09700EED700EB65DC45BAE37E9FB44715F604A2AF055C75D0DB38A480CB42

Uniqueness

Uniqueness Score: -1.00%

Function 006B8F64 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 85
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E006B8F64(intOrPtr __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi) {
				char _v8;
				char _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v24;
				char _v28;
				char _v32;
				WCHAR* _t43;
				char _t58;
				intOrPtr _t68;
				void* _t72;
				signed int _t74;
				void* _t78;

				_v24 = 0;
				_v8 = 0;
				_v12 = 0;
				_v20 = __edx;
				_v16 = __eax;
				_push(_t78);
				_push(0x6b9062);
				_push( *[fs:eax]);
				 *[fs:eax] = _t78 + 0xffffffe4;
				E0040A1C8(_v20);
				E005C5428(_v16, 0,  &_v8);
				_t72 = 0;
				_t58 = 0;
				do {
					_v32 = _t58;
					_v28 = 0;
					E004244F8(L"isRS-%.3u.tmp", 0,  &_v32,  &_v24);
					E0040B4C8( &_v12, _v24, _v8);
					_t74 = GetFileAttributesW(E0040B278(_v12));
					if(_t74 == 0xffffffff) {
						L5:
						_t43 = E0040B278(_v12);
						if(MoveFileExW(E0040B278(_v16), _t43, 1) == 0) {
							_t72 = _t72 + 1;
							if(_t72 == 0xa) {
								break;
							}
							goto L8;
						}
						E0040A5A8(_v20, _v12);
						break;
					}
					if((_t74 & 0x00000010) != 0) {
						goto L8;
					}
					if((_t74 & 0x00000001) != 0) {
						SetFileAttributesW(E0040B278(_v12), _t74 & 0xfffffffe);
					}
					goto L5;
					L8:
					_t58 = _t58 + 1;
				} while (_t58 != 0x3e8);
				_pop(_t68);
				 *[fs:eax] = _t68;
				_push(E006B9069);
				E0040A1C8( &_v24);
				return E0040A228( &_v12, 2);
			}

0x006b8f6f
0x006b8f72
0x006b8f75
0x006b8f78
0x006b8f7b
0x006b8f80
0x006b8f81
0x006b8f86
0x006b8f89
0x006b8f8f
0x006b8f9a
0x006b8f9f
0x006b8fa1
0x006b8fa3
0x006b8fa7
0x006b8faa
0x006b8fb8
0x006b8fc6
0x006b8fd9
0x006b8fde
0x006b9002
0x006b9007
0x006b901d
0x006b902c
0x006b9030
0x00000000
0x00000000
0x00000000
0x006b9030
0x006b9025
0x00000000
0x006b9025
0x006b8fe6
0x00000000
0x00000000
0x006b8fee
0x006b8ffd
0x006b8ffd
0x00000000
0x006b9032
0x006b9032
0x006b9033
0x006b9041
0x006b9044
0x006b9047
0x006b904f
0x006b9061

APIs

GetFileAttributesW.KERNEL32(00000000,006C46F1,00000000,006B9062,?,?,006D579C,?,00000000,00000000,?,006B9494,00000000,006B949E,?,00000000), ref: 006B8FD4
SetFileAttributesW.KERNEL32(00000000,00000000,00000000,006C46F1,00000000,006B9062,?,?,006D579C,?,00000000,00000000,?,006B9494,00000000,006B949E), ref: 006B8FFD
MoveFileExW.KERNEL32(00000000,00000000,00000001,00000000,006C46F1,00000000,006B9062,?,?,006D579C,?,00000000,00000000,?,006B9494,00000000), ref: 006B9016

Strings

isRS-%.3u.tmp, xrefs: 006B8FB3

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: File$Attributes$Move
String ID: isRS-%.3u.tmp
API String ID: 3839737484-3657609586
Opcode ID: 8d4268528f0551a281f2f3f55997a38572bb3cbe4dffdc26fb30d28ba37c9b4b
Instruction ID: 31d351f3c97924346b89867796ea0414510024315a00da88274a448b23120628
Opcode Fuzzy Hash: 8d4268528f0551a281f2f3f55997a38572bb3cbe4dffdc26fb30d28ba37c9b4b
Instruction Fuzzy Hash: AB318170D04218ABCB00EBB9C8859EEB7B9EF48314F51467EF814B7281D7385E818769

Uniqueness

Uniqueness Score: -1.00%

Function 006B6998 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 59
processCOMMON

Download Yara Rule

C-Code - Quality: 55%

			E006B6998(void* __eax, void* __ebx, void* __edx, void* __edi, void* __esi, void* __fp0) {
				char _v8;
				struct _STARTUPINFOW _v76;
				struct _PROCESS_INFORMATION _v92;
				int _t22;
				intOrPtr _t28;
				intOrPtr _t41;
				void* _t47;

				_v8 = 0;
				_t44 = __edx;
				_t32 = __eax;
				_push(_t47);
				_push(0x6b6a40);
				_push( *[fs:eax]);
				 *[fs:eax] = _t47 + 0xffffffa8;
				_push(0x6b6a5c);
				_push(__eax);
				_push(E006B6A6C);
				_push(__edx);
				E0040B550( &_v8, __eax, 4, __edi, __edx);
				E00407760( &_v76, 0x44);
				_v76.cb = 0x44;
				_t22 = CreateProcessW(0, E0040B278(_v8), 0, 0, 0, 0, 0, 0,  &_v76,  &_v92);
				_t49 = _t22;
				if(_t22 == 0) {
					_t28 =  *0x6cded8; // 0x6d5c28
					_t8 = _t28 + 0x20c; // 0x0
					E006B68EC( *_t8, _t32, 0, _t44, _t49);
				}
				CloseHandle(_v92.hThread);
				_pop(_t41);
				 *[fs:eax] = _t41;
				_push(E006B6A47);
				return E0040A1C8( &_v8);
			}

0x006b69a2
0x006b69a5
0x006b69a7
0x006b69ab
0x006b69ac
0x006b69b1
0x006b69b4
0x006b69b7
0x006b69bc
0x006b69bd
0x006b69c2
0x006b69cb
0x006b69da
0x006b69df
0x006b6a05
0x006b6a0a
0x006b6a0c
0x006b6a0e
0x006b6a13
0x006b6a19
0x006b6a19
0x006b6a22
0x006b6a2c
0x006b6a2f
0x006b6a32
0x006b6a3f

APIs

CreateProcessW.KERNEL32 ref: 006B6A05
CloseHandle.KERNEL32(006B6AB0,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,006B6A6C,?,006B6A5C,00000000), ref: 006B6A22

Part of subcall function 006B68EC: GetLastError.KERNEL32(00000000,006B6989,?,?,?), ref: 006B690F

Strings

(\m, xrefs: 006B6A0E
D, xrefs: 006B69DF

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: CloseCreateErrorHandleLastProcess
String ID: (\m$D
API String ID: 3798668922-1981685662
Opcode ID: a5833d7c80436315819c56a95c2be4cf65ccd9a37b43d1b18280e5cc74a4d4a7
Instruction ID: 5a29f4a3f67f8962990b16f59edcecd6c92ec2fdb2b6e45770094aa6b13b7383
Opcode Fuzzy Hash: a5833d7c80436315819c56a95c2be4cf65ccd9a37b43d1b18280e5cc74a4d4a7
Instruction Fuzzy Hash: 53115EB1604248AFDB00EBA5CC92EEE77ADEF08704F51407AF505F7281E678AE448768

Uniqueness

Uniqueness Score: -1.00%

Function 0062460C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 54
registryCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E0062460C(void* __eax, void* __ebx, void* __esi) {
				char _v8;
				char _v12;
				char _v16;
				void* _t19;
				char _t20;
				void* _t34;
				intOrPtr _t39;
				intOrPtr _t45;

				_t42 = __esi;
				_push(0);
				_push(0);
				_push(0);
				_push(_t45);
				_push(0x6246a6);
				 *[fs:eax] = _t45;
				E005C52C8(__eax,  &_v16, _t45,  *[fs:eax]);
				E0040B368( &_v8, _v16);
				_push(E0040EC28( &_v12));
				_t19 = E0040AEF4(_v8);
				_t34 = _t19;
				_push(_t34);
				L0043C244();
				if(_t19 != 0) {
					E0060CE98(L"LoadTypeLib", _t34, _t19, __esi);
				}
				_push(0);
				_push(_t34);
				_t20 = _v12;
				_push(_t20);
				L0043C24C();
				if(_t20 != 0) {
					E0060CE98(L"RegisterTypeLib", _t34, _t20, _t42);
				}
				_pop(_t39);
				 *[fs:eax] = _t39;
				_push(E006246AD);
				E0040A1C8( &_v16);
				E0040EC28( &_v12);
				return E0040A210( &_v8);
			}

0x0062460c
0x0062460f
0x00624611
0x00624613
0x0062461a
0x0062461b
0x00624623
0x0062462b
0x00624636
0x00624643
0x00624647
0x0062464c
0x0062464e
0x0062464f
0x00624656
0x0062465f
0x0062465f
0x00624664
0x00624666
0x00624667
0x0062466a
0x0062466b
0x00624672
0x0062467b
0x0062467b
0x00624682
0x00624685
0x00624688
0x00624690
0x00624698
0x006246a5

APIs

Part of subcall function 005C52C8: GetFullPathNameW.KERNEL32(00000000,00001000,?,?,00000002,?,?,006D579C,00000000,0060D8F7,00000000,0060DBD2,?,?,006D579C), ref: 005C52F9

LoadTypeLib.OLEAUT32(00000000,00000000), ref: 0062464F
RegisterTypeLib.OLEAUT32(?,00000000,00000000), ref: 0062466B

Strings

RegisterTypeLib, xrefs: 00624676
LoadTypeLib, xrefs: 0062465A

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: Type$FullLoadNamePathRegister
String ID: LoadTypeLib$RegisterTypeLib
API String ID: 4170313675-2435364021
Opcode ID: 4a5734cba4f1f567cfe39a2ea32e2412489323ff365467ecfcfbb8db8d726f7e
Instruction ID: a0643c8b31b351ed7dd0ed5e96a0399ab73b0cd2583ebe073036f576505b33dd
Opcode Fuzzy Hash: 4a5734cba4f1f567cfe39a2ea32e2412489323ff365467ecfcfbb8db8d726f7e
Instruction Fuzzy Hash: 2D0148317407146BDB10EBB6DC82F8E77EDDB49704F514876B400F62D2DE78AE058A58

Uniqueness

Uniqueness Score: -1.00%

Function 0060DAE9 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 41
fileCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E0060DAE9(void* __edx) {
				WCHAR* _t13;
				intOrPtr _t32;
				intOrPtr _t33;
				void* _t36;

				SetFileAttributesW(E0040B278( *((intOrPtr*)(_t36 - 0x10))), 0x20);
				if(E00423A20( *((intOrPtr*)(_t36 - 0x10))) == 0) {
					E0060CE84(L"DeleteFile");
				}
				_t13 = E0040B278( *((intOrPtr*)(_t36 - 0x10)));
				if(MoveFileW(E0040B278( *((intOrPtr*)(_t36 - 0x14))), _t13) == 0) {
					E0060CE84(L"MoveFile");
				}
				_pop(_t32);
				 *[fs:eax] = _t32;
				_pop(_t33);
				 *[fs:eax] = _t33;
				_push(E0060DBD9);
				E0040A228(_t36 - 0x44, 7);
				return E0040A228(_t36 - 0x1c, 7);
			}

0x0060daf4
0x0060db03
0x0060db0a
0x0060db0a
0x0060db12
0x0060db28
0x0060db2f
0x0060db2f
0x0060db36
0x0060db39
0x0060dbac
0x0060dbaf
0x0060dbb2
0x0060dbbf
0x0060dbd1

APIs

SetFileAttributesW.KERNEL32(00000000,00000020), ref: 0060DAF4

Part of subcall function 00423A20: DeleteFileW.KERNEL32(00000000,?,?,006D579C,?,006B9479,00000000,006B94CE,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex), ref: 00423A30
Part of subcall function 00423A20: GetLastError.KERNEL32(00000000,?,?,006D579C,?,006B9479,00000000,006B94CE,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex), ref: 00423A3F
Part of subcall function 00423A20: GetFileAttributesW.KERNEL32(00000000,00000000,?,?,006D579C,?,006B9479,00000000,006B94CE,?,?,00000005,?,00000000,00000000,00000000), ref: 00423A47
Part of subcall function 00423A20: RemoveDirectoryW.KERNEL32(00000000,00000000,00000000,?,?,006D579C,?,006B9479,00000000,006B94CE,?,?,00000005,?,00000000,00000000), ref: 00423A62

MoveFileW.KERNEL32(00000000,00000000), ref: 0060DB21

Part of subcall function 0060CE84: GetLastError.KERNEL32(00000000,0060DBAA,00000005,00000000,0060DBD2,?,?,006D579C,?,00000000,00000000,00000000,?,006B910F,00000000,006B912A), ref: 0060CE87

Strings

MoveFile, xrefs: 0060DB2A
DeleteFile, xrefs: 0060DB05

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: File$AttributesErrorLast$DeleteDirectoryMoveRemove
String ID: DeleteFile$MoveFile
API String ID: 3947864702-139070271
Opcode ID: 69906e1fa498f448b67ec90ed8193f3809713f06cd0179ef74a02e782715ba36
Instruction ID: fe212bc12655be3e3d7d94ed230904773b29f806c55adb2c37bf9887ca86c235
Opcode Fuzzy Hash: 69906e1fa498f448b67ec90ed8193f3809713f06cd0179ef74a02e782715ba36
Instruction Fuzzy Hash: 62F044706841058AEB08FBF6E9069AF73A5EF44318F51467EF404E72C1DA3C9C05862D

Uniqueness

Uniqueness Score: -1.00%

Function 00626F48 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 39
registryCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E00626F48(signed int __eax, void* __ecx, void* __edx, void* __ebp) {
				void* _v16;
				void* __ebx;
				void* _t31;
				signed int _t33;

				_push(__ecx);
				_t31 = __edx;
				_t22 = __eax;
				_t33 = __eax & 0x0000007f;
				if( *((intOrPtr*)(0x6d6374 + _t33 * 4)) == 0) {
					if(E005C7A14(__eax, L"SOFTWARE\\Microsoft\\.NETFramework", 0x80000002,  &_v16, 1, 0) == 0) {
						E005C793C();
						RegCloseKey(_v16);
					}
					if( *((intOrPtr*)(0x6d6374 + _t33 * 4)) == 0) {
						E0060CD28(L".NET Framework not found", _t22);
					}
				}
				return E0040A5A8(_t31,  *((intOrPtr*)(0x6d6374 + _t33 * 4)));
			}

0x00626f4b
0x00626f4c
0x00626f4e
0x00626f52
0x00626f5d
0x00626f7b
0x00626f8c
0x00626f95
0x00626f95
0x00626fa2
0x00626fa9
0x00626fa9
0x00626fa2
0x00626fc0

APIs

Part of subcall function 005C7A14: RegOpenKeyExW.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,005C80EE,?,00000000,?,005C808E,00000001,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,005C80EE), ref: 005C7A30

RegCloseKey.ADVAPI32(00000000,?,00000001,00000000,00000003,00626DA0,00000003,00000000,006270EB,00000000,006272A5,?,00626DA0,?,00000000,00000000), ref: 00626F95

Strings

.NET Framework not found, xrefs: 00626FA4
SOFTWARE\Microsoft\.NETFramework, xrefs: 00626F6A
InstallRoot, xrefs: 00626F84

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: CloseOpen
String ID: .NET Framework not found$InstallRoot$SOFTWARE\Microsoft\.NETFramework
API String ID: 47109696-2631785700
Opcode ID: cda95d6e92defb5476691493b7d59d62c1fa9335c75e1bc5c16bb959f18c3f17
Instruction ID: de5110e5fa14fd350821f7972f2051635d336fb801c9b7b6397190480774c976
Opcode Fuzzy Hash: cda95d6e92defb5476691493b7d59d62c1fa9335c75e1bc5c16bb959f18c3f17
Instruction Fuzzy Hash: 48F0FF31B05524AFEB10EB49FC41B5A6B9BDB85310F50213AF184C3281E631DC018BA2

Uniqueness

Uniqueness Score: -1.00%

Function 005C86E0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 31
windowCOMMON

Download Yara Rule

C-Code - Quality: 47%

			E005C86E0(void* __eax, void* __ecx, void* __edx) {
				void* __ebx;
				void* __esi;
				void* _t3;
				void* _t7;
				void* _t12;
				intOrPtr* _t13;

				_t8 = __ecx;
				_push(__ecx);
				_t7 = __edx;
				_t12 = __eax;
				if( *0x6d57f0 == 0) {
					 *0x6d57f4 = E00414020(_t7, _t12, GetModuleHandleW(L"user32.dll"), L"ChangeWindowMessageFilterEx");
					 *_t13 = 0x6d57f0;
					asm("lock xchg [edx], eax");
				}
				if( *0x6d57f4 == 0) {
					_t3 = E005C8644(_t7, _t8);
				} else {
					_t3 =  *0x6d57f4(_t12, _t7, 1, 0);
				}
				return _t3;
			}

0x005c86e0
0x005c86e2
0x005c86e3
0x005c86e5
0x005c86ee
0x005c8705
0x005c870a
0x005c8719
0x005c8719
0x005c8723
0x005c8735
0x005c8725
0x005c872b
0x005c872b
0x005c873d

APIs

GetModuleHandleW.KERNEL32(user32.dll,ChangeWindowMessageFilterEx,?,00000004,006CCEB4,0061544A,006158C4,00615368,00000000,00000B06,00000000,00000000), ref: 005C86FA

Part of subcall function 00414020: GetProcAddress.KERNEL32(?,?), ref: 0041404A

Part of subcall function 005C8644: GetModuleHandleW.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,?,005C873A,?,00000004,006CCEB4,0061544A,006158C4,00615368,00000000,00000B06,00000000,00000000), ref: 005C865B

ChangeWindowMessageFilterEx.USER32(00000000,?,00000001,00000000,?,00000004,006CCEB4,0061544A,006158C4,00615368,00000000,00000B06,00000000,00000000), ref: 005C872B

Strings

user32.dll, xrefs: 005C86F5
ChangeWindowMessageFilterEx, xrefs: 005C86F0

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: HandleModule$AddressChangeFilterMessageProcWindow
String ID: ChangeWindowMessageFilterEx$user32.dll
API String ID: 989041661-2676053874
Opcode ID: 069d2c8e1b8fc22a779199f9f95faad227b90f375a0982a66332104caa2a493e
Instruction ID: 33574298acf09a9ab3b8dc906f6acd80ea038e69245e9512450f7745a5549cab
Opcode Fuzzy Hash: 069d2c8e1b8fc22a779199f9f95faad227b90f375a0982a66332104caa2a493e
Instruction Fuzzy Hash: F7F0A070702610DFD715EBA9AC89F662FE6EB84345F30142EF1069B691DBB60880C699

Uniqueness

Uniqueness Score: -1.00%

Function 004698FC Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 107
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E004698FC(void* __ebx, void* __ecx, char __edx, void* __edi, void* __esi, void* _a4, signed short _a8) {
				char _v5;
				char _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				void* _t30;
				void* _t67;
				void* _t68;
				intOrPtr _t73;
				intOrPtr _t77;
				char _t78;
				intOrPtr _t82;
				signed short _t93;
				void* _t96;
				void* _t98;
				void* _t99;
				intOrPtr _t100;

				_t78 = __edx;
				_t68 = __ecx;
				_t98 = _t99;
				_t100 = _t99 + 0xffffffdc;
				_v36 = 0;
				_v40 = 0;
				_v28 = 0;
				_v32 = 0;
				if(__edx != 0) {
					_t100 = _t100 + 0xfffffff0;
					_t30 = E00408A40(_t30, _t98);
				}
				_t96 = _t68;
				_v5 = _t78;
				_t67 = _t30;
				_t93 = _a8;
				_push(_t98);
				_push(0x469a4c);
				_push( *[fs:eax]);
				 *[fs:eax] = _t100;
				if((0x0000ff00 & _t93) != 0xff00) {
					E0046976C(E004236A4(_t96, _t93 & 0x0000ffff), 0);
					if( *((intOrPtr*)(_t67 + 4)) == 0xffffffff) {
						E00423BD0(_t96,  &_v36);
						_v24 = _v36;
						_v20 = 0x11;
						E00427D54(GetLastError(), _t67, 0, _t96);
						_v16 = _v40;
						_v12 = 0x11;
						_t73 =  *0x6cd8a8; // 0x415564
						E00429100(_t67, _t73, 1, _t93, _t96, 1,  &_v24);
						E004098C4();
					}
				} else {
					_t94 = _t93 & 0x000000ff;
					if((_t93 & 0x000000ff) == 0xff) {
						_t94 = 0x10;
					}
					E0046976C(E004236FC(_t96, _t94 & 0x0000ffff), 0);
					if( *((intOrPtr*)(_t67 + 4)) == 0xffffffff) {
						E00423BD0(_t96,  &_v28);
						_v24 = _v28;
						_v20 = 0x11;
						E00427D54(GetLastError(), _t67, 0, _t96);
						_v16 = _v32;
						_v12 = 0x11;
						_t77 =  *0x6ce1a8; // 0x41555c
						E00429100(_t67, _t77, 1, _t94, _t96, 1,  &_v24);
						E004098C4();
					}
				}
				_t28 = _t67 + 8; // 0x443d54
				E0040A5A8(_t28, _t96);
				_pop(_t82);
				 *[fs:eax] = _t82;
				_push(E00469A53);
				return E0040A228( &_v40, 4);
			}

0x004698fc
0x004698fc
0x004698fd
0x004698ff
0x00469907
0x0046990a
0x0046990d
0x00469910
0x00469915
0x00469917
0x0046991a
0x0046991a
0x0046991f
0x00469921
0x00469924
0x00469926
0x0046992b
0x0046992c
0x00469931
0x00469934
0x00469942
0x004699d2
0x004699db
0x004699e2
0x004699ea
0x004699ed
0x004699fb
0x00469a03
0x00469a06
0x00469a10
0x00469a1d
0x00469a22
0x00469a22
0x00469944
0x00469944
0x0046994e
0x00469950
0x00469950
0x00469967
0x00469970
0x0046997b
0x00469983
0x00469986
0x00469994
0x0046999c
0x0046999f
0x004699a9
0x004699b6
0x004699bb
0x004699bb
0x00469970
0x00469a27
0x00469a2c
0x00469a33
0x00469a36
0x00469a39
0x00469a4b

APIs

GetLastError.KERNEL32(00000000,00469A4C,?,?,00443D4C,00000001), ref: 0046998A

Part of subcall function 004236A4: CreateFileW.KERNEL32(00000000,000000F0,000000F0,00000000,00000003,00000080,00000000,?,?,00443D4C,004699CC,00000000,00469A4C,?,?,00443D4C), ref: 004236F3

Part of subcall function 00423BD0: GetFullPathNameW.KERNEL32(00000000,00000104,?,?,?,?,?,00443D4C,004699E7,00000000,00469A4C,?,?,00443D4C,00000001), ref: 00423BF3

GetLastError.KERNEL32(00000000,00469A4C,?,?,00443D4C,00000001), ref: 004699F1

Part of subcall function 00427D54: FormatMessageW.KERNEL32(00003300,00000000,00000000,00000000,00000001,00000000,00000000,?,00443D4C,00000000,?,00469A00,00000000,00469A4C), ref: 00427D78
Part of subcall function 00427D54: LocalFree.KERNEL32(00000001,00427DD1,00003300,00000000,00000000,00000000,00000001,00000000,00000000,?,00443D4C,00000000,?,00469A00,00000000,00469A4C), ref: 00427DC4

Strings

dUA, xrefs: 00469A10
\UA, xrefs: 004699A9

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: ErrorLast$CreateFileFormatFreeFullLocalMessageNamePath
String ID: \UA$dUA
API String ID: 503893064-3864016770
Opcode ID: b0b121723ddee52f030030255f4b80514a6c0ed541d556e71d6ab1a2d84e7d43
Instruction ID: 123e0454fb2a9dec89cd9e8203dbd653fcf04e778e7e37e714b9737e464d7bf3
Opcode Fuzzy Hash: b0b121723ddee52f030030255f4b80514a6c0ed541d556e71d6ab1a2d84e7d43
Instruction Fuzzy Hash: 8641A370B002599FDB00EFA6C8815EEBBF5AF58314F40812AE914A7382D77D5E05CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 0040DE74 Relevance: 6.1, APIs: 4, Instructions: 95
threadCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0040DE74(signed short __eax, void* __edx) {
				char _v8;
				char _v12;
				intOrPtr _v16;
				signed int _v20;
				short _v22;
				short _v24;
				char _v26;
				char _v32;
				void* __ebp;
				void* _t39;
				void* _t55;
				void* _t59;
				short* _t62;
				signed short _t66;
				void* _t67;
				void* _t68;
				signed short _t79;
				void* _t81;

				_t81 = __edx;
				_t66 = __eax;
				_v16 = 0;
				if(__eax !=  *0x6d1c0c()) {
					_v16 = E0040DE30( &_v8);
					_t79 = _t66;
					_v20 = 3;
					_t62 =  &_v26;
					do {
						 *_t62 =  *(0xf + "0123456789ABCDEF") & 0x000000ff;
						_t79 = (_t79 & 0x0000ffff) >> 4;
						_v20 = _v20 - 1;
						_t62 = _t62 - 2;
					} while (_v20 != 0xffffffff);
					_v24 = 0;
					_v22 = 0;
					 *0x6d1c08(4,  &_v32,  &_v20);
				}
				_t39 = E0040DE30( &_v12);
				_t67 = _t39;
				if(_t67 != 0) {
					_t55 = _v12 - 2;
					if(_t55 >= 0) {
						_t59 = _t55 + 1;
						_v20 = 0;
						do {
							if( *((short*)(_t67 + _v20 * 2)) == 0) {
								 *((short*)(_t67 + _v20 * 2)) = 0x2c;
							}
							_v20 = _v20 + 1;
							_t59 = _t59 - 1;
						} while (_t59 != 0);
					}
					E0040B2DC(_t81, _t67);
					_t39 = E00406F28(_t67);
				}
				if(_v16 != 0) {
					 *0x6d1c08(0, 0,  &_v20);
					_t68 = E0040DE30( &_v12);
					if(_v8 != _v12 || E0040DE0C(_v16, _v12, _t68) != 0) {
						 *0x6d1c08(8, _v16,  &_v20);
					}
					E00406F28(_t68);
					return E00406F28(_v16);
				}
				return _t39;
			}

0x0040de7c
0x0040de7e
0x0040de82
0x0040de8e
0x0040de98
0x0040de9b
0x0040de9d
0x0040dea4
0x0040dea7
0x0040deb8
0x0040debe
0x0040dec1
0x0040dec4
0x0040dec7
0x0040decd
0x0040ded3
0x0040dee3
0x0040dee3
0x0040deec
0x0040def1
0x0040def5
0x0040defa
0x0040deff
0x0040df01
0x0040df02
0x0040df09
0x0040df11
0x0040df16
0x0040df16
0x0040df1c
0x0040df1f
0x0040df1f
0x0040df09
0x0040df26
0x0040df2d
0x0040df2d
0x0040df36
0x0040df40
0x0040df4e
0x0040df56
0x0040df73
0x0040df73
0x0040df7b
0x00000000
0x0040df83
0x0040df8d

APIs

GetThreadUILanguage.KERNEL32(?,00000000), ref: 0040DE85
SetThreadPreferredUILanguages.KERNEL32(00000004,?,?), ref: 0040DEE3
SetThreadPreferredUILanguages.KERNEL32(00000000,00000000,?), ref: 0040DF40
SetThreadPreferredUILanguages.KERNEL32(00000008,?,?), ref: 0040DF73

Part of subcall function 0040DE30: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,00000000,?,?,0040DEF1), ref: 0040DE47
Part of subcall function 0040DE30: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,?,0040DEF1), ref: 0040DE64

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: Thread$LanguagesPreferred$Language
String ID:
API String ID: 2255706666-0
Opcode ID: 7b6831f497646e761f52de9c536b6e12a9bbcbfaf2b29159977432e5b56d760a
Instruction ID: 69b1dabfcf83cd92044bbbe7d095353c7cd2b80021ffbfb9d1b785f1729ac455
Opcode Fuzzy Hash: 7b6831f497646e761f52de9c536b6e12a9bbcbfaf2b29159977432e5b56d760a
Instruction Fuzzy Hash: 63317070E1021A9BCB10DFE9D884AAEB7B5FF14305F40417AE516FB2D1D7789A09CB94

Uniqueness

Uniqueness Score: -1.00%

Function 005CE374 Relevance: 6.1, APIs: 4, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E005CE374(intOrPtr* __eax, int __ecx, int __edx, int _a4, int _a8) {
				int _v8;
				int _v12;
				int _t31;
				intOrPtr* _t41;
				int _t54;
				int _t55;

				_v8 = __ecx;
				_t54 = __edx;
				_t41 = __eax;
				MulDiv( *(__eax + 0x50), __edx, _v8);
				_v12 = MulDiv( *(_t41 + 0x54), _a8, _a4);
				if(( *(_t41 + 0x61) & 0x00000001) != 0) {
					_t55 =  *(_t41 + 0x58);
				} else {
					_t55 = MulDiv( *(_t41 + 0x58), _t54, _v8);
				}
				if(( *(_t41 + 0x61) & 0x00000002) != 0) {
					_t31 =  *(_t41 + 0x5c);
				} else {
					_t31 = MulDiv( *(_t41 + 0x5c), _a8, _a4);
				}
				return  *((intOrPtr*)( *_t41 + 0xc8))(_t31, _t55);
			}

0x005ce37d
0x005ce380
0x005ce382
0x005ce38d
0x005ce3a5
0x005ce3ac
0x005ce3c0
0x005ce3ae
0x005ce3bc
0x005ce3bc
0x005ce3c7
0x005ce3dc
0x005ce3c9
0x005ce3d5
0x005ce3d5
0x005ce3f6

APIs

MulDiv.KERNEL32(?,0068D5D0,?), ref: 005CE38D
MulDiv.KERNEL32(?,005CE4BF,0068D5D0), ref: 005CE3A0
MulDiv.KERNEL32(?,0068D5D0,?), ref: 005CE3B7
MulDiv.KERNEL32(?,005CE4BF,0068D5D0), ref: 005CE3D5

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac23038dacf6796b57d110ed30358184083c47a134689276074c101833fe842e
Instruction ID: 3e71b6adc286f200af4aaafaaf3a8fca573aba72415269075ac824ff0f327e96
Opcode Fuzzy Hash: ac23038dacf6796b57d110ed30358184083c47a134689276074c101833fe842e
Instruction Fuzzy Hash: B9113072A04244AFCB44DEDDD8C5E9F7BEDEF48364B144499F908DB242C678ED808BA4

Uniqueness

Uniqueness Score: -1.00%

Function 004F53AC Relevance: 6.1, APIs: 4, Instructions: 58
windowCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E004F53AC(intOrPtr* __eax, struct HICON__* __edx, void* __eflags) {
				intOrPtr* _v8;
				struct _ICONINFO _v28;
				intOrPtr _v44;
				intOrPtr _v48;
				void _v52;
				intOrPtr _t33;
				intOrPtr _t45;
				void* _t49;
				void* _t51;
				intOrPtr _t52;

				_t49 = _t51;
				_t52 = _t51 + 0xffffffd0;
				_v8 = __eax;
				E004F5338(_v8, __edx);
				if(__edx == 0 || GetIconInfo(__edx,  &_v28) == 0) {
					return  *((intOrPtr*)( *_v8 + 0x10))();
				} else {
					_push(_t49);
					_push(0x4f5429);
					_push( *[fs:edx]);
					 *[fs:edx] = _t52;
					if(GetObjectW(_v28.hbmColor, 0x18,  &_v52) != 0) {
						_t33 =  *((intOrPtr*)(_v8 + 0x28));
						 *((intOrPtr*)(_t33 + 0xc)) = _v48;
						 *((intOrPtr*)(_t33 + 0x10)) = _v44;
					}
					_pop(_t45);
					 *[fs:eax] = _t45;
					_push(E004F5430);
					DeleteObject(_v28.hbmMask);
					return DeleteObject(_v28.hbmColor);
				}
			}

0x004f53ad
0x004f53af
0x004f53b5
0x004f53bf
0x004f53c6
0x004f543f
0x004f53d6
0x004f53d8
0x004f53d9
0x004f53de
0x004f53e1
0x004f53f5
0x004f53fa
0x004f5400
0x004f5406
0x004f5406
0x004f540b
0x004f540e
0x004f5411
0x004f541a
0x004f5428
0x004f5428

APIs

GetIconInfo.USER32(00000000,00000000), ref: 004F53CD
GetObjectW.GDI32(0068D5D0,00000018,00000000,00000000,004F5429,?,004C0068), ref: 004F53EE
DeleteObject.GDI32(?), ref: 004F541A
DeleteObject.GDI32(0068D5D0), ref: 004F5423

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: Object$Delete$IconInfo
String ID:
API String ID: 507670407-0
Opcode ID: 939d8cbd648baad16ebc5502745bc899ef72b4fd7c693fad9428492138ac7e12
Instruction ID: 4322d414b200eb17045e09ec041732102b9da4c87ad94fc4c4d540c0fc3291bf
Opcode Fuzzy Hash: 939d8cbd648baad16ebc5502745bc899ef72b4fd7c693fad9428492138ac7e12
Instruction Fuzzy Hash: 2B11A375A00608AFCB04DFA6D981DAEB7F9EF88314B5081AAFE04D3351DB38DE408B54

Uniqueness

Uniqueness Score: -1.00%

Function 005B9590 Relevance: 6.1, APIs: 4, Instructions: 53
windowCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E005B9590(signed char __eax, intOrPtr _a4) {
				int _t22;
				void* _t23;
				int _t31;
				signed int _t35;
				signed char _t38;
				void* _t43;
				void* _t44;

				_t38 = __eax;
				_t2 = _a4 - 4; // 0xc31852ff
				_t22 = IsWindowVisible( *( *_t2 + 0x188));
				asm("sbb eax, eax");
				_t23 = _t22 + 1;
				_t43 = _t23 -  *0x6cccd4; // 0x0
				if(_t43 == 0) {
					_t44 = _t38 -  *0x6cccd4; // 0x0
					if(_t44 != 0) {
						_t5 = _a4 - 4; // 0xc31852ff
						if( *((char*)( *_t5 + 0xeb)) != 0 &&  *0x6cccd4 == 0) {
							_t8 = _a4 - 4; // 0xc31852ff
							_t35 = GetWindowLongW( *( *_t8 + 0x188), 0xffffffec);
							_t11 = _a4 - 4; // 0xc31852ff
							SetWindowLongW( *( *_t11 + 0x188), 0xffffffec, _t35 | 0x08000000);
						}
						_t16 = _a4 - 4; // 0xc31852ff
						_t31 = SetWindowPos( *( *_t16 + 0x188), 0, 0, 0, 0, 0,  *(0x6cccd6 + (_t38 & 0x000000ff) * 2) & 0x0000ffff);
						 *0x6cccd4 = _t38;
						return _t31;
					}
				}
				return _t23;
			}

0x005b9594
0x005b9599
0x005b95a3
0x005b95ab
0x005b95ad
0x005b95ae
0x005b95b4
0x005b95b6
0x005b95bc
0x005b95c1
0x005b95cb
0x005b95d9
0x005b95e5
0x005b95ed
0x005b95ff
0x005b95ff
0x005b961d
0x005b9627
0x005b962c
0x00000000
0x005b962c
0x005b95bc
0x005b9634

APIs

IsWindowVisible.USER32(?), ref: 005B95A3
GetWindowLongW.USER32(?,000000EC), ref: 005B95E5
SetWindowLongW.USER32(?,000000EC,00000000), ref: 005B95FF
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,C31852FF,?,00000000,?,005B96B9,?,?,?,00000000), ref: 005B9627

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: Window$Long$Visible
String ID:
API String ID: 2967648141-0
Opcode ID: c53b897a5a1d9d2e71e6f85843be0105534f78b66b69f438aa9e828b25e0526c
Instruction ID: de5a40ccb5800a4cef2b87037ee72a09c9fd5293aebedbf233be07227e7c069f
Opcode Fuzzy Hash: c53b897a5a1d9d2e71e6f85843be0105534f78b66b69f438aa9e828b25e0526c
Instruction Fuzzy Hash: B31161742851446FDB00DB28D888FFA7FE9AB45324F458191F988CB362CA38ED80CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0046A218 Relevance: 6.1, APIs: 4, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E0046A218(void* __eax, struct HINSTANCE__* __edx, WCHAR* _a8) {
				WCHAR* _v8;
				void* __ebx;
				void* __ecx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t18;
				void* _t23;
				WCHAR* _t24;
				void* _t25;
				struct HRSRC__* _t29;
				void* _t30;
				struct HINSTANCE__* _t31;
				void* _t32;

				_v8 = _t24;
				_t31 = __edx;
				_t23 = __eax;
				_t29 = FindResourceW(__edx, _v8, _a8);
				 *(_t23 + 0x10) = _t29;
				if(_t29 == 0) {
					E0046A178(_t23, _t24, _t29, _t31, _t32);
					_pop(_t24);
				}
				_t5 = _t23 + 0x10; // 0x46a2b4
				_t30 = LoadResource(_t31,  *_t5);
				 *(_t23 + 0x14) = _t30;
				if(_t30 == 0) {
					E0046A178(_t23, _t24, _t30, _t31, _t32);
				}
				_t7 = _t23 + 0x10; // 0x46a2b4
				_push(SizeofResource(_t31,  *_t7));
				_t8 = _t23 + 0x14; // 0x469b00
				_t18 = LockResource( *_t8);
				_pop(_t25);
				return E00469AAC(_t23, _t25, _t18);
			}

0x0046a21f
0x0046a222
0x0046a224
0x0046a234
0x0046a236
0x0046a23b
0x0046a23e
0x0046a243
0x0046a243
0x0046a244
0x0046a24e
0x0046a250
0x0046a255
0x0046a258
0x0046a25d
0x0046a25e
0x0046a268
0x0046a269
0x0046a26d
0x0046a276
0x0046a281

APIs

FindResourceW.KERNEL32(?,?,?,00444A50,?,00000001,00000000,?,0046A15A,00000000,00000000,?,006D579C,?,?,006AC890), ref: 0046A22F
LoadResource.KERNEL32(?,0046A2B4,?,?,?,00444A50,?,00000001,00000000,?,0046A15A,00000000,00000000,?,006D579C,?), ref: 0046A249
SizeofResource.KERNEL32(?,0046A2B4,?,0046A2B4,?,?,?,00444A50,?,00000001,00000000,?,0046A15A,00000000,00000000), ref: 0046A263
LockResource.KERNEL32(00469B00,00000000,?,0046A2B4,?,0046A2B4,?,?,?,00444A50,?,00000001,00000000,?,0046A15A,00000000), ref: 0046A26D

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: c0a3742649e4821bf1d8e39dd4131d6b260b263a11f53cd498264533ba18d33a
Instruction ID: abb9b97bb193dfeb05d9d82a7f41705a61c143c3b7d9841fcbe573c2d8062a85
Opcode Fuzzy Hash: c0a3742649e4821bf1d8e39dd4131d6b260b263a11f53cd498264533ba18d33a
Instruction Fuzzy Hash: C4F081B36406046F5745EE9DA881DAB77ECEE89364310015FF908D7302EA39DD51477A

Uniqueness

Uniqueness Score: -1.00%

Function 00610040 Relevance: 6.0, APIs: 4, Instructions: 48
registrywindowCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E00610040(void* __eax, void* __ecx, void* __edx) {
				void* _v16;
				int _t13;
				void* _t20;
				void* _t26;
				void* _t27;

				_push(__ecx);
				_t27 = __edx;
				_t26 = __eax;
				if(__ecx == 0) {
					_t20 = 0x80000002;
				} else {
					_t20 = 0x80000001;
				}
				if(E005C7A14(0,  *((intOrPtr*)(0x6ccfc0 + (E005C77E8() & 0x0000007f) * 4)), _t20,  &_v16, 2, 0) == 0) {
					RegDeleteValueW(_v16, E0040B278(_t26));
					RegCloseKey(_v16);
				}
				_t13 = RemoveFontResourceW(E0040B278(_t27));
				if(_t13 != 0) {
					_t13 = SendNotifyMessageW(0xffff, 0x1d, 0, 0);
				}
				return _t13;
			}

0x00610043
0x00610044
0x00610046
0x0061004a
0x00610053
0x0061004c
0x0061004c
0x0061004c
0x0061007b
0x0061008a
0x00610093
0x00610093
0x006100a0
0x006100a7
0x006100b4
0x006100b4
0x006100bd

APIs

RegDeleteValueW.ADVAPI32(?,00000000,?,00000002,00000000,?,?,?,?,0062AC8F), ref: 0061008A
RegCloseKey.ADVAPI32(00000000,?,00000000,?,00000002,00000000,?,?,?,?,0062AC8F), ref: 00610093
RemoveFontResourceW.GDI32(00000000), ref: 006100A0
SendNotifyMessageW.USER32(0000FFFF,0000001D,00000000,00000000), ref: 006100B4

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: CloseDeleteFontMessageNotifyRemoveResourceSendValue
String ID:
API String ID: 261542597-0
Opcode ID: 77a4b43a7585b641cb4056c657f18fe2b74d7f9113a8b954b3ed7bedb6d61676
Instruction ID: 1dce9f2b70afa6587215b720e4c7b57155893329b24cac9d33cbe1fd09ddcff8
Opcode Fuzzy Hash: 77a4b43a7585b641cb4056c657f18fe2b74d7f9113a8b954b3ed7bedb6d61676
Instruction Fuzzy Hash: B2F0C87674430567EA20B6B65C4BFEF128E8FC9745F24492EBA04EB282D668DC814369

Uniqueness

Uniqueness Score: -1.00%

Function 0050E958 Relevance: 6.0, APIs: 4, Instructions: 35
threadCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E0050E958(struct HWND__* __eax, void* __ecx) {
				intOrPtr _t5;
				struct HWND__* _t12;
				void* _t15;
				DWORD* _t16;

				_t13 = __ecx;
				_push(__ecx);
				_t12 = __eax;
				_t15 = 0;
				if(__eax != 0 && GetWindowThreadProcessId(__eax, _t16) != 0 && GetCurrentProcessId() ==  *_t16) {
					_t5 =  *0x6d5648; // 0x0
					if(GlobalFindAtomW(E0040B278(_t5)) !=  *0x6d5642) {
						_t15 = E0050E924(_t12, _t13);
					} else {
						_t15 = GetPropW(_t12,  *0x6d5642 & 0x0000ffff);
					}
				}
				return _t15;
			}

0x0050e958
0x0050e95a
0x0050e95b
0x0050e95d
0x0050e961
0x0050e978
0x0050e98f
0x0050e9aa
0x0050e991
0x0050e99f
0x0050e99f
0x0050e98f
0x0050e9b1

APIs

GetWindowThreadProcessId.USER32(00000000), ref: 0050E965
GetCurrentProcessId.KERNEL32(?,00000000,00000000,005BA39A,?,?,00000000,00000001,005B8697,?,00000000,00000000,00000000,00000000), ref: 0050E96E
GlobalFindAtomW.KERNEL32(00000000), ref: 0050E983
GetPropW.USER32(00000000,00000000), ref: 0050E99A

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: Process$AtomCurrentFindGlobalPropThreadWindow
String ID:
API String ID: 2582817389-0
Opcode ID: 96014bfda2539c3c724341726d25520330f77261c7fcf234c4c7e102e9717c52
Instruction ID: 299b27e64c01e87a133ce8a54c99347aef86e5c58dac0e1e1101b5cceb09c5b5
Opcode Fuzzy Hash: 96014bfda2539c3c724341726d25520330f77261c7fcf234c4c7e102e9717c52
Instruction Fuzzy Hash: 09F0ECA160511166CB60BBB65C8787F5A8C9FC43907751D2BF841DA192D514CC8142FE

Uniqueness

Uniqueness Score: -1.00%

Function 006A5D88 Relevance: 6.0, APIs: 4, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E006A5D88() {
				long _v8;
				void _v12;
				void* _v16;
				void* _t16;
				HANDLE* _t17;

				_t17 =  &_v12;
				_t16 = 0;
				if(OpenProcessToken(GetCurrentProcess(), 8, _t17) != 0) {
					_v12 = 0;
					if(GetTokenInformation(_v16, 0x12,  &_v12, 4,  &_v8) != 0) {
						_t16 = _v16;
					}
					CloseHandle( *_t17);
				}
				return _t16;
			}

0x006a5d89
0x006a5d8c
0x006a5d9e
0x006a5da2
0x006a5dc0
0x006a5dc2
0x006a5dc2
0x006a5dca
0x006a5dca
0x006a5dd5

APIs

GetCurrentProcess.KERNEL32(00000008), ref: 006A5D91
OpenProcessToken.ADVAPI32(00000000,00000008), ref: 006A5D97
GetTokenInformation.ADVAPI32(00000008,00000012(TokenIntegrityLevel),00000000,00000004,00000008,00000000,00000008), ref: 006A5DB9
CloseHandle.KERNEL32(00000000,00000008,TokenIntegrityLevel,00000000,00000004,00000008,00000000,00000008), ref: 006A5DCA

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: ProcessToken$CloseCurrentHandleInformationOpen
String ID:
API String ID: 215268677-0
Opcode ID: afea7f4269af62d161ed65023b08510fb3f5f5d3f19be2d10221e2fcac776304
Instruction ID: 606920211f29873d44d72264013709cf63daaae85b794eef22724c21b877f5a5
Opcode Fuzzy Hash: afea7f4269af62d161ed65023b08510fb3f5f5d3f19be2d10221e2fcac776304
Instruction Fuzzy Hash: 30F030716043017BD700EAB58D82EDB77DCAF45715F00482DBA98C7281DA38ED489766

Uniqueness

Uniqueness Score: -1.00%

Function 004F5548 Relevance: 6.0, APIs: 4, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004F5548() {
				signed char _v28;
				void* _t4;
				signed int _t8;
				struct HDC__* _t9;
				struct tagTEXTMETRICW* _t10;

				_t8 = 1;
				_t9 = GetDC(0);
				if(_t9 != 0) {
					_t4 =  *0x6d54b0; // 0x58a00b4
					if(SelectObject(_t9, _t4) != 0 && GetTextMetricsW(_t9, _t10) != 0) {
						_t8 = _v28 & 0x000000ff;
					}
					ReleaseDC(0, _t9);
				}
				return _t8;
			}

0x004f554d
0x004f5556
0x004f555a
0x004f555c
0x004f556a
0x004f5577
0x004f5577
0x004f557f
0x004f557f
0x004f558b

APIs

GetDC.USER32(00000000), ref: 004F5551
SelectObject.GDI32(00000000,058A00B4), ref: 004F5563
GetTextMetricsW.GDI32(00000000,?,00000000,058A00B4,00000000), ref: 004F556E
ReleaseDC.USER32 ref: 004F557F

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: MetricsObjectReleaseSelectText
String ID:
API String ID: 2013942131-0
Opcode ID: 7f08a457e74fbd3b271c5bbe40b56a30871c5d5dda21d4d00258fc544de77888
Instruction ID: eb0f3ac5e6ff13c2d338f041733c2278b611cd6d279531a3f0c2a93b6799ed89
Opcode Fuzzy Hash: 7f08a457e74fbd3b271c5bbe40b56a30871c5d5dda21d4d00258fc544de77888
Instruction Fuzzy Hash: 64E0DF71E029A432D61071661C82BEF2A498F823AAF08112BFF08992D1DA0CC94083FE

Uniqueness

Uniqueness Score: -1.00%

Function 0060F338 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 76
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E0060F338(void* __eax, void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* __fp0, intOrPtr* _a4, void* _a8, intOrPtr _a12, signed char _a16, char _a20) {
				intOrPtr _v8;
				struct _SHELLEXECUTEINFOW _v68;
				void* _t52;
				intOrPtr _t61;
				void* _t65;
				intOrPtr* _t67;
				void* _t70;

				_v8 = __ecx;
				_t65 = __edx;
				_t52 = __eax;
				_t67 = _a4;
				E0040A2AC(_a20);
				_push(_t70);
				_push(0x60f41c);
				_push( *[fs:eax]);
				 *[fs:eax] = _t70 + 0xffffffc0;
				if(_a20 == 0) {
					E005C5378(_t65, __ecx,  &_a20);
					if(_a20 == 0) {
						E005C745C( &_a20);
					}
				}
				E00407760( &_v68, 0x3c);
				_v68.cbSize = 0x3c;
				_v68.fMask = 0x540;
				if(_t52 != 0) {
					_v68.lpVerb = E0040B278(_t52);
				}
				_v68.lpFile = E0040B278(_t65);
				_v68.lpParameters = E0040B278(_v8);
				_v68.lpDirectory = E0040B278(_a20);
				_v68.nShow = _a12;
				ShellExecuteExW( &_v68);
				asm("sbb ebx, ebx");
				_t53 = _t52 + 1;
				if(_t52 + 1 != 0) {
					 *_t67 = 0x103;
					_t39 = _v68.hProcess;
					if(_v68.hProcess != 0) {
						E0060EFD8(_t39, _t53, _a16 & 0x000000ff, _t65, _t67, _t67);
					}
				} else {
					 *_t67 = GetLastError();
				}
				_pop(_t61);
				 *[fs:eax] = _t61;
				_push(E0060F423);
				return E0040A1C8( &_a20);
			}

0x0060f341
0x0060f344
0x0060f346
0x0060f348
0x0060f34e
0x0060f355
0x0060f356
0x0060f35b
0x0060f35e
0x0060f365
0x0060f36c
0x0060f375
0x0060f37a
0x0060f37a
0x0060f375
0x0060f389
0x0060f38e
0x0060f395
0x0060f39e
0x0060f3a7
0x0060f3a7
0x0060f3b1
0x0060f3bc
0x0060f3c7
0x0060f3cd
0x0060f3d4
0x0060f3dc
0x0060f3de
0x0060f3e1
0x0060f3ec
0x0060f3f2
0x0060f3f7
0x0060f401
0x0060f401
0x0060f3e3
0x0060f3e8
0x0060f3e8
0x0060f408
0x0060f40b
0x0060f40e
0x0060f41b

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0060F3D4
GetLastError.KERNEL32(00000000,0060F41C,?,?,?,00000001), ref: 0060F3E3

Part of subcall function 005C745C: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 005C746F

Strings

<, xrefs: 0060F38E

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: DirectoryErrorExecuteLastShellSystem
String ID: <
API String ID: 893404051-4251816714
Opcode ID: e61f532a34ba40f9ed11058ee7bbe23f206fa57e54983470e3e4627e38209dd8
Instruction ID: dcf8102ceadd4487f49ba87b12be971fda6b0883f73445cbcbdd13ac2b4765a0
Opcode Fuzzy Hash: e61f532a34ba40f9ed11058ee7bbe23f206fa57e54983470e3e4627e38209dd8
Instruction Fuzzy Hash: 6C216D70A40209DFDB24EFA5C885ADE7BE9EF58394F50003AF800E7691E77899518B98

Uniqueness

Uniqueness Score: -1.00%

Function 006B72C2 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E006B72C2(void* __ecx, void* __esi, void* __fp0) {
				void* _t21;
				intOrPtr* _t27;
				intOrPtr* _t33;
				void* _t41;
				intOrPtr _t43;
				char _t46;
				void* _t47;
				intOrPtr _t55;
				intOrPtr _t59;
				void* _t60;
				void* _t61;
				intOrPtr _t62;
				void* _t67;

				_t67 = __fp0;
				_t60 = __esi;
				_t47 = __ecx;
				if(( *(_t61 - 9) & 0x00000001) != 0) {
					L3:
					_t46 = 1;
				} else {
					_t64 =  *(_t61 - 9) & 0x00000040;
					if(( *(_t61 - 9) & 0x00000040) != 0) {
						goto L3;
					} else {
						_t46 = 0;
					}
				}
				_t21 = E006A5DD8(_t46, _t47, 0, _t64, _t67);
				_t65 = _t21;
				if(_t21 != 0) {
					_t27 =  *0x6cdec4; // 0x6d579c
					SetWindowPos( *( *_t27 + 0x188), 0, 0, 0, 0, 0, 0x97);
					_push(_t61);
					_push(0x6b736d);
					_push( *[fs:eax]);
					 *[fs:eax] = _t62;
					_t33 =  *0x6cdec4; // 0x6d579c
					 *((intOrPtr*)(_t61 - 0x18)) =  *((intOrPtr*)( *_t33 + 0x188));
					 *((char*)(_t61 - 0x14)) = 0;
					E004244F8(L"/INITPROCWND=$%x ", 0, _t61 - 0x18, _t61 - 0x10);
					_push(_t61 - 0x10);
					E005C6E90(_t61 - 0x1c, _t46, _t60, _t65);
					_pop(_t41);
					E0040B470(_t41,  *((intOrPtr*)(_t61 - 0x1c)));
					_t43 =  *0x6d68d0; // 0x0
					E006A60E8(_t43, _t46, 0x6cd884,  *((intOrPtr*)(_t61 - 0x10)), _t60, _t65, _t67);
					_pop(_t59);
					 *[fs:eax] = _t59;
					 *((char*)(_t61 - 1)) = 1;
				}
				_pop(_t55);
				 *[fs:eax] = _t55;
				_push(E006B73CE);
				E0040A1C8(_t61 - 0x1c);
				return E0040A1C8(_t61 - 0x10);
			}

0x006b72c2
0x006b72c2
0x006b72c2
0x006b72c6
0x006b72d2
0x006b72d2
0x006b72c8
0x006b72c8
0x006b72cc
0x00000000
0x006b72ce
0x006b72ce
0x006b72ce
0x006b72cc
0x006b72d8
0x006b72dd
0x006b72df
0x006b72f4
0x006b7302
0x006b7309
0x006b730a
0x006b730f
0x006b7312
0x006b7319
0x006b7326
0x006b7329
0x006b7337
0x006b733f
0x006b7343
0x006b734b
0x006b734c
0x006b7359
0x006b735e
0x006b7365
0x006b7368
0x006b73a5
0x006b73a5
0x006b73ab
0x006b73ae
0x006b73b1
0x006b73b9
0x006b73c6

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097), ref: 006B7302

Strings

/INITPROCWND=$%x , xrefs: 006B7332
@, xrefs: 006B72C8

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: Window
String ID: /INITPROCWND=$%x $@
API String ID: 2353593579-4169826103
Opcode ID: c5684dee33ba9897102623d205b8f12a775b2b56f0b9d91e0f24c978029d6739
Instruction ID: aee196482ecc750f80196a5b85e8ce4b28bd470815894a77b79cec9963f5eee4
Opcode Fuzzy Hash: c5684dee33ba9897102623d205b8f12a775b2b56f0b9d91e0f24c978029d6739
Instruction Fuzzy Hash: 0721C070A083489FDB01EBA4D841FEE77F6EF89304F51447AF800E7291DA38AA45DB54

Uniqueness

Uniqueness Score: -1.00%

Function 00435608 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E00435608(signed short* __eax, void* __ebx, void* __edx) {
				signed short* _v8;
				char _v16;
				char _v24;
				void* _t23;
				intOrPtr _t31;
				void* _t32;
				void* _t34;

				_t23 = __edx;
				_v8 = __eax;
				_t2 =  &_v24; // 0x435946
				L0042F03C();
				 *[fs:eax] = _t34 + 0xffffffec;
				_t4 =  &_v24; // 0x435946
				E00430ED4( *((intOrPtr*)( *((intOrPtr*)( *0x6cdffc))))(_v8, 0x400, 0, 8,  *[fs:eax], 0x435674, _t34, _t2, __ebx, _t32), 8,  *_v8 & 0x0000ffff);
				_t6 =  &_v16; // 0x43596b
				E0040A61C(_t23,  *_t6);
				_t31 = _t4;
				 *[fs:eax] = _t31;
				_push(E0043567B);
				_t7 =  &_v24; // 0x435946
				return L00431164(_t7);
			}

0x0043560f
0x00435611
0x00435614
0x00435618
0x00435628
0x00435638
0x0043564f
0x00435656
0x00435659
0x00435660
0x00435663
0x00435666
0x0043566b
0x00435673

APIs

VariantInit.OLEAUT32(FYC), ref: 00435618

Part of subcall function 0040A61C: SysReAllocStringLen.OLEAUT32(00000000,?,?), ref: 0040A636

Strings

kYC, xrefs: 00435656
FYC, xrefs: 00435614, 00435638, 0043566B, 00435617, 0043563B

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: AllocInitStringVariant
String ID: FYC$kYC
API String ID: 4010818693-1629163012
Opcode ID: 3b028a09afde62da82f47710d3d6daef9e5d11d6f2f19900e295b27d7684dbff
Instruction ID: 78d3457c21f8c6ae710edabf1b7f51a26e4fb704544ac86c5ed1d2f79e361521
Opcode Fuzzy Hash: 3b028a09afde62da82f47710d3d6daef9e5d11d6f2f19900e295b27d7684dbff
Instruction Fuzzy Hash: 2FF08171704608AFD700EB95CC52E9EB3F8EB4D700FA04176F604E3690DA346E04C769

Uniqueness

Uniqueness Score: -1.00%

Function 006B8CAC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E006B8CAC(void* __edx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t1;
				int _t9;
				void* _t12;
				void* _t15;
				intOrPtr _t16;
				void* _t17;
				void* _t18;
				intOrPtr _t20;

				_t15 = __edx;
				if( *0x6d68e5 != 0) {
					E00616130(L"Detected restart. Removing temporary directory.", _t12, _t17, _t18);
					_push(0x6b8ce7);
					_push( *[fs:eax]);
					 *[fs:eax] = _t20;
					E006ACE20();
					E006ACB10(_t12, _t15, _t17, _t18);
					_pop(_t16);
					 *[fs:eax] = _t16;
					E00615560();
					_t9 =  *0x6cd884; // 0x1
					return TerminateProcess(GetCurrentProcess(), _t9);
				}
				return _t1;
			}

0x006b8cac
0x006b8cb9
0x006b8cc0
0x006b8cc8
0x006b8ccd
0x006b8cd0
0x006b8cd3
0x006b8cd8
0x006b8cdf
0x006b8ce2
0x006b8cf6
0x006b8cfb
0x00000000
0x006b8d07
0x006b8d10

APIs

Part of subcall function 006ACE20: FreeLibrary.KERNEL32(00000000,006B8CD8,00000000,006B8CE7,?,?,?,?,?,006B97CB), ref: 006ACE36

Part of subcall function 006ACB10: GetTickCount.KERNEL32 ref: 006ACB58

Part of subcall function 00615560: SendMessageW.USER32(00000000,00000B01,00000000,00000000), ref: 0061557F

GetCurrentProcess.KERNEL32(00000001,?,?,?,?,006B97CB), ref: 006B8D01
TerminateProcess.KERNEL32(00000000,00000001,?,?,?,?,006B97CB), ref: 006B8D07

Strings

Detected restart. Removing temporary directory., xrefs: 006B8CBB

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: Process$CountCurrentFreeLibraryMessageSendTerminateTick
String ID: Detected restart. Removing temporary directory.
API String ID: 1717587489-3199836293
Opcode ID: ba331b089060afb977d72fce05483963aa44ed152fcb3281d86fb57da4e379c7
Instruction ID: 85aea6856e01ecd59818c985a9c9c54c6fb1bec533a363d5825b66760217dfd7
Opcode Fuzzy Hash: ba331b089060afb977d72fce05483963aa44ed152fcb3281d86fb57da4e379c7
Instruction Fuzzy Hash: 38E0E5F16082446EE2417BB9FC13DA67F9FDB86764B51043BF50083542D9295C80C338

Uniqueness

Uniqueness Score: -1.00%

Function 005C8790 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E005C8790(void* __eax, void* __edx, void* __eflags) {
				void* __ebx;
				void* __esi;
				void* _t9;
				void* _t11;
				intOrPtr* _t12;
				void* _t14;
				void* _t15;

				_t14 = __edx;
				_t15 = __eax;
				E005C8820(__eax, __eflags);
				_t12 = E00414020(_t11, _t15, GetModuleHandleW(L"user32.dll"), L"ShutdownBlockReasonCreate");
				if(_t12 == 0) {
					__eflags = 0;
					return 0;
				}
				_t9 =  *_t12(_t15, E0040B278(_t14));
				asm("sbb eax, eax");
				return _t9 + 1;
			}

0x005c8793
0x005c8795
0x005c8799
0x005c87b3
0x005c87b7
0x005c87cc
0x00000000
0x005c87cc
0x005c87c2
0x005c87c7
0x00000000

APIs

Part of subcall function 005C8820: GetModuleHandleW.KERNEL32(user32.dll,ShutdownBlockReasonDestroy,?,?,005C879E,?,?,?,006B7DE9,0000000A,00000002,00000001,00000031,00000000,006B8019), ref: 005C882E

GetModuleHandleW.KERNEL32(user32.dll,ShutdownBlockReasonCreate,?,?,?,006B7DE9,0000000A,00000002,00000001,00000031,00000000,006B8019,?,00000000,006B80E6), ref: 005C87A8

Part of subcall function 00414020: GetProcAddress.KERNEL32(?,?), ref: 0041404A

Strings

user32.dll, xrefs: 005C87A3
ShutdownBlockReasonCreate, xrefs: 005C879E

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: HandleModule$AddressProc
String ID: ShutdownBlockReasonCreate$user32.dll
API String ID: 1883125708-2866557904
Opcode ID: 362b9cabf5ac7dba346b645e3f3f1642086c31dc1fbbcb2e577ef78e05f1780f
Instruction ID: 7110eff28424d8e01fad9884693b7150e68d4fec514983f83c6ed3211673b8d3
Opcode Fuzzy Hash: 362b9cabf5ac7dba346b645e3f3f1642086c31dc1fbbcb2e577ef78e05f1780f
Instruction Fuzzy Hash: E7E0C2623402212E020071FF2C85F7F08CCEDC8B6A3300C3EB200D3501EE5ACC0101AC

Uniqueness

Uniqueness Score: -1.00%

Function 005C7488 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 27
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E005C7488(void* __eax, void* __esi, void* __ebp, void* __eflags) {
				char _v536;
				void* __ebx;
				intOrPtr* _t6;
				void* _t9;
				void* _t15;

				_t9 = __eax;
				E0040A1C8(__eax);
				_t6 = E00414020(_t9, __esi, GetModuleHandleW(L"kernel32.dll"), L"GetSystemWow64DirectoryW");
				if(_t6 != 0) {
					_t6 =  *_t6( &_v536, 0x105);
					if(_t6 > 0 && _t6 < 0x105) {
						return E0040B318(_t9, 0x105, _t15);
					}
				}
				return _t6;
			}

0x005c748f
0x005c7493
0x005c74a8
0x005c74af
0x005c74bb
0x005c74bf
0x00000000
0x005c74d1
0x005c74bf
0x005c74dd

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,GetSystemWow64DirectoryW,?,0060D678,00000000,0060D74A,?,?,006D579C,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005C74A2

Part of subcall function 00414020: GetProcAddress.KERNEL32(?,?), ref: 0041404A

Strings

GetSystemWow64DirectoryW, xrefs: 005C7498
kernel32.dll, xrefs: 005C749D

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 1646373207-1816364905
Opcode ID: de46d4672a17b173ff2fef0e233ef539359877c205945a502f5ea110ad9e1670
Instruction ID: e1b2a1fbaeccbf4b8658dcbc551e8be6aafa7850fd628b76cf9cecd9236f8401
Opcode Fuzzy Hash: de46d4672a17b173ff2fef0e233ef539359877c205945a502f5ea110ad9e1670
Instruction Fuzzy Hash: 95E0DFB07047051BDF1061FA8CC3F9A1D896BDC794F20483E3A90D66C2F9ACD9400AAA

Uniqueness

Uniqueness Score: -1.00%

Function 005C8644 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 45%

			E005C8644(void* __eax, void* __ecx) {
				void* __ebx;
				void* _t1;
				void* _t4;
				void* _t8;
				intOrPtr* _t9;

				_t1 = __eax;
				_t4 = __eax;
				if( *0x6d57e8 == 0) {
					 *0x6d57ec = E00414020(_t4, _t8, GetModuleHandleW(L"user32.dll"), L"ChangeWindowMessageFilter");
					 *_t9 = 0x6d57e8;
					_t1 = 1;
					asm("lock xchg [edx], eax");
				}
				if( *0x6d57ec != 0) {
					_t1 =  *0x6d57ec(_t4, 1);
				}
				return _t1;
			}

0x005c8644
0x005c8646
0x005c864f
0x005c8666
0x005c866b
0x005c8675
0x005c867a
0x005c867a
0x005c8684
0x005c8689
0x005c8689
0x005c8691

APIs

GetModuleHandleW.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,?,005C873A,?,00000004,006CCEB4,0061544A,006158C4,00615368,00000000,00000B06,00000000,00000000), ref: 005C865B

Part of subcall function 00414020: GetProcAddress.KERNEL32(?,?), ref: 0041404A

Strings

ChangeWindowMessageFilter, xrefs: 005C8651
user32.dll, xrefs: 005C8656

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: ChangeWindowMessageFilter$user32.dll
API String ID: 1646373207-2498399450
Opcode ID: fef6738620f745ab1874efba3004544ff6482e169155c0e349f99ac77237f17e
Instruction ID: f5cb7bf2fd8e9c4876a78839223762f9bc4b5f6247b358773db5c5b1cf956787
Opcode Fuzzy Hash: fef6738620f745ab1874efba3004544ff6482e169155c0e349f99ac77237f17e
Instruction Fuzzy Hash: 4CE01AB4A01701DED711ABA6AC49FE93BEEE798305F20641EB246D6695CBB904C0CF94

Uniqueness

Uniqueness Score: -1.00%

Function 005C8820 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E005C8820(void* __eax, void* __eflags) {
				void* __ebx;
				void* __esi;
				void* _t7;
				intOrPtr* _t8;
				void* _t9;

				_t9 = __eax;
				_t8 = E00414020(_t7, _t9, GetModuleHandleW(L"user32.dll"), L"ShutdownBlockReasonDestroy");
				if(_t8 == 0) {
					L2:
					return 0;
				} else {
					_push(_t9);
					if( *_t8() != 0) {
						return 1;
					} else {
						goto L2;
					}
				}
			}

0x005c8822
0x005c8839
0x005c883d
0x005c8846
0x005c884a
0x005c883f
0x005c883f
0x005c8844
0x005c884f
0x00000000
0x00000000
0x00000000
0x005c8844

APIs

GetModuleHandleW.KERNEL32(user32.dll,ShutdownBlockReasonDestroy,?,?,005C879E,?,?,?,006B7DE9,0000000A,00000002,00000001,00000031,00000000,006B8019), ref: 005C882E

Part of subcall function 00414020: GetProcAddress.KERNEL32(?,?), ref: 0041404A

Strings

user32.dll, xrefs: 005C8829
ShutdownBlockReasonDestroy, xrefs: 005C8824

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: ShutdownBlockReasonDestroy$user32.dll
API String ID: 1646373207-260599015
Opcode ID: 3fbd28814d97db1a372840751324d8c3ac9be682008ec3644daf7441840e1d78
Instruction ID: f0c74795214b74e90bc607b5066537e4d8d40fa8e1211c6ca3dcb32fdea7855f
Opcode Fuzzy Hash: 3fbd28814d97db1a372840751324d8c3ac9be682008ec3644daf7441840e1d78
Instruction Fuzzy Hash: 22D0C7B37117222A651075FA3CE1FF70A8CDD95795354087EF700E2941DD55DC4111A8

Uniqueness

Uniqueness Score: -1.00%

Function 006B9800 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E006B9800(void* __eflags) {
				intOrPtr* _t2;
				void* _t4;
				void* _t5;

				_t2 = E00414020(_t4, _t5, GetModuleHandleW(L"user32.dll"), L"DisableProcessWindowsGhosting");
				if(_t2 != 0) {
					return  *_t2();
				}
				return _t2;
			}

0x006b9810
0x006b9817
0x00000000
0x006b9819
0x006b981b

APIs

GetModuleHandleW.KERNEL32(user32.dll,DisableProcessWindowsGhosting,006C46BE,00000001,00000000,006C46F1), ref: 006B980A

Part of subcall function 00414020: GetProcAddress.KERNEL32(?,?), ref: 0041404A

Strings

DisableProcessWindowsGhosting, xrefs: 006B9800
user32.dll, xrefs: 006B9805

Memory Dump Source

Source File: 00000002.00000002.405419741.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.405398269.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406962324.00000000006C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406982499.00000000006CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.406996479.00000000006CC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407011143.00000000006CE000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407020321.00000000006CF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407029662.00000000006D4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407044489.00000000006D9000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407057322.00000000006DB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407071112.00000000006DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.407078390.00000000006DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_YogaDNSSetup.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: DisableProcessWindowsGhosting$user32.dll
API String ID: 1646373207-834958232
Opcode ID: 1d0e836530d80ee037b6803170de1fe8933ba33f6b77be0c16a5e781bf2d5ad3
Instruction ID: a737f6cb342469133653c2ad22e7ce718afd724c013acdac2058dbbd1ad6bbf7
Opcode Fuzzy Hash: 1d0e836530d80ee037b6803170de1fe8933ba33f6b77be0c16a5e781bf2d5ad3
Instruction Fuzzy Hash: 99B092F0240331101C1072B33C02ACA080A08CBB497024C2A3720A108ADD4880C01239

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: YogaDNS.exePID: 6940, Parent PID: 6828COMMON

Execution Graph

Execution Coverage:	15.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	7.4%
Total number of Nodes:	54
Total number of Limit Nodes:	5

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 01210ED5 Relevance: 4.5, APIs: 3, Instructions: 30
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E01210ED5(long _a4) {
				void* _t7;
				void* _t8;
				struct HINSTANCE__* _t9;
				void* _t12;
				intOrPtr _t13;

				_t7 = L01215290(_t12);
				if(_t7 == 0) {
					L10:
					ExitThread(_a4);
				}
				_t13 =  *((intOrPtr*)(_t7 + 0x360));
				if(_t13 == 0) {
					goto L10;
				}
				_t16 =  *((char*)(_t13 + 0x10));
				if( *((char*)(_t13 + 0x10)) != 0) {
					E012178E1(_t16);
				}
				_t8 =  *(_t13 + 8);
				if(_t8 != 0xffffffff && _t8 != 0) {
					CloseHandle(_t8);
				}
				_t9 =  *(_t13 + 0xc);
				if(_t9 != 0xffffffff && _t9 != 0) {
					FreeLibraryAndExitThread(_t9, _a4); // executed
				}
				goto L10;
			}

0x01210edb
0x01210ee2
0x01210f22
0x01210f25
0x01210f25
0x01210ee4
0x01210eec
0x00000000
0x00000000
0x01210eee
0x01210ef2
0x01210ef4
0x01210ef4
0x01210ef9
0x01210eff
0x01210f06
0x01210f06
0x01210f0c
0x01210f12
0x01210f1c
0x01210f1c
0x00000000

APIs

CloseHandle.KERNEL32(?,?,?,012110A9,?,?,01210E7E,00000000), ref: 01210F06
FreeLibraryAndExitThread.KERNELBASE(?,?,?,?,012110A9,?,?,01210E7E,00000000), ref: 01210F1C
ExitThread.KERNEL32 ref: 01210F25

Memory Dump Source

Source File: 0000000E.00000002.358710219.0000000001001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 01000000, based on PE: true

Associated: 0000000E.00000002.358701300.0000000001000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.359521770.000000000125E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.359724402.00000000012E3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.359728409.00000000012E5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.359731878.00000000012E6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.359735366.00000000012E7000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.359742471.00000000012F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.359747349.00000000012F5000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.359788047.000000000131F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.360174373.0000000001473000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1000000_YogaDNS.jbxd

Similarity

API ID: ExitThread$CloseFreeHandleLibrary
String ID:
API String ID: 2705336791-0
Opcode ID: 48af41c851e0c24dd60289dae7ec7d309f0acc65d621428fcd92fba08bd82c12
Instruction ID: ef6b5455233cfb3366515b67ad8f85f30dc7b7f32b2b2b3307c990c2d4034868
Opcode Fuzzy Hash: 48af41c851e0c24dd60289dae7ec7d309f0acc65d621428fcd92fba08bd82c12
Instruction Fuzzy Hash: 3FF05E304107067BEB319B29984DA5A7FD9AF65320F194A10FB65C2199EF30D981C795

Uniqueness

Uniqueness Score: -1.00%

Function 01210E20 Relevance: 3.0, APIs: 2, Instructions: 38
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 46%

			E01210E20(void* __ecx, void* __edx) {
				void* _t10;
				void* _t12;
				signed int _t17;
				intOrPtr* _t27;
				void* _t29;

				_push(0xc);
				_push(0x12dbd58);
				E011EF850();
				_t27 =  *((intOrPtr*)(_t29 + 8));
				if(_t27 == 0) {
					ExitThread(GetLastError());
				}
				 *((intOrPtr*)(L01215139(__ecx, __edx) + 0x360)) = _t27;
				_t10 = E0121B271(__ecx);
				_t31 = _t10 - 2;
				if(_t10 == 2) {
					_t17 = E012178A6(_t31, 1);
					asm("sbb al, al");
					 *((char*)(_t27 + 0x10)) =  ~_t17 + 1;
				}
				 *(_t29 - 4) =  *(_t29 - 4) & 0x00000000;
				 *0x125edd8(); // executed
				_t12 =  *((intOrPtr*)( *_t27))(); // executed
				E0121109C( *_t27, _t12,  *((intOrPtr*)(_t27 + 4))); // executed
				 *((intOrPtr*)(_t29 - 0x1c)) =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t29 - 0x14))))));
				return E012120EA( *((intOrPtr*)(_t29 - 0x14)),  *(_t29 - 4),  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t29 - 0x14)))))),  *((intOrPtr*)(_t29 - 0x14)));
			}

0x01210e20
0x01210e22
0x01210e27
0x01210e2c
0x01210e31
0x01210e3a
0x01210e3a
0x01210e45
0x01210e4b
0x01210e50
0x01210e53
0x01210e57
0x01210e5e
0x01210e62
0x01210e62
0x01210e65
0x01210e70
0x01210e76
0x01210e79
0x01210e85
0x01210e91

APIs

GetLastError.KERNEL32(012DBD58,0000000C), ref: 01210E33
ExitThread.KERNEL32 ref: 01210E3A

Memory Dump Source

Source File: 0000000E.00000002.358710219.0000000001001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 01000000, based on PE: true

Associated: 0000000E.00000002.358701300.0000000001000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.359521770.000000000125E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.359724402.00000000012E3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.359728409.00000000012E5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.359731878.00000000012E6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.359735366.00000000012E7000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.359742471.00000000012F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.359747349.00000000012F5000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.359788047.000000000131F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.360174373.0000000001473000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1000000_YogaDNS.jbxd

Similarity

API ID: ErrorExitLastThread
String ID:
API String ID: 1611280651-0
Opcode ID: ec784ccbb0e44df6b2e63420e5880197f60f56bc781833dc57856dfba5af38b7
Instruction ID: b07e6cffae0559f57cad00f46298f470c46809e450da5b67ff064bf7e52d089f
Opcode Fuzzy Hash: ec784ccbb0e44df6b2e63420e5880197f60f56bc781833dc57856dfba5af38b7
Instruction Fuzzy Hash: 30F0F930A20206EFEB11EFB0D84DE7E7BB1EFA5200F200148F40597288DB305A41CBA0

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0121B271 Relevance: .0, Instructions: 30
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0121B271(void* __ecx) {
				signed int _v8;
				intOrPtr _t10;
				signed int _t18;

				_t18 =  *0x12f35c8; // 0x1
				if(_t18 == 0) {
					_v8 = _v8 & _t18;
					_t18 = _t18 + 1;
					_t10 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
					_t21 =  *((intOrPtr*)(_t10 + 8));
					if( *((intOrPtr*)(_t10 + 8)) >= 0) {
						E012173EF(_t21,  &_v8);
						if(_v8 == _t18) {
							_t18 = 2;
						}
					}
					 *0x12f35c8 = _t18;
				}
				return _t18;
			}

0x0121b278
0x0121b281
0x0121b289
0x0121b28c
0x0121b28d
0x0121b290
0x0121b294
0x0121b29a
0x0121b2a2
0x0121b2a6
0x0121b2a6
0x0121b2a2
0x0121b2ae
0x0121b2ae
0x0121b2b6

Memory Dump Source

Source File: 0000000E.00000002.358710219.0000000001001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 01000000, based on PE: true

Associated: 0000000E.00000002.358701300.0000000001000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.359521770.000000000125E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.359724402.00000000012E3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.359728409.00000000012E5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.359731878.00000000012E6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.359735366.00000000012E7000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.359742471.00000000012F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.359747349.00000000012F5000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.359788047.000000000131F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.360174373.0000000001473000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1000000_YogaDNS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cdce24e165d0378745189f099e16da580ed1bfb1ae3a86fc53817baf1792c9c
Instruction ID: 86b4b14d3002bd23cea010faebf37981099256c5863d17b0d340e2c05c3fa6f7
Opcode Fuzzy Hash: 8cdce24e165d0378745189f099e16da580ed1bfb1ae3a86fc53817baf1792c9c
Instruction Fuzzy Hash: 3FF06531A21224EFCB26CB5CD409BA9B3FCEB49B65F11009AFA45DB251CAB49D40C7D0

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: YogaDNS.exePID: 7008, Parent PID: 3616COMMON

Execution Graph

Execution Coverage:	15.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	54
Total number of Limit Nodes:	5

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 01210ED5 Relevance: 4.5, APIs: 3, Instructions: 30
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E01210ED5(long _a4) {
				void* _t7;
				void* _t8;
				struct HINSTANCE__* _t9;
				void* _t12;
				intOrPtr _t13;

				_t7 = L01215290(_t12);
				if(_t7 == 0) {
					L10:
					ExitThread(_a4);
				}
				_t13 =  *((intOrPtr*)(_t7 + 0x360));
				if(_t13 == 0) {
					goto L10;
				}
				_t16 =  *((char*)(_t13 + 0x10));
				if( *((char*)(_t13 + 0x10)) != 0) {
					E012178E1(_t16);
				}
				_t8 =  *(_t13 + 8);
				if(_t8 != 0xffffffff && _t8 != 0) {
					CloseHandle(_t8);
				}
				_t9 =  *(_t13 + 0xc);
				if(_t9 != 0xffffffff && _t9 != 0) {
					FreeLibraryAndExitThread(_t9, _a4); // executed
				}
				goto L10;
			}

APIs

CloseHandle.KERNEL32(?,?,?,012110A9,?,?,01210E7E,00000000), ref: 01210F06
FreeLibraryAndExitThread.KERNEL32(?,?,?,?,012110A9,?,?,01210E7E,00000000), ref: 01210F1C
ExitThread.KERNEL32 ref: 01210F25

Memory Dump Source

Source File: 00000015.00000002.780162235.0000000001001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 01000000, based on PE: true

Associated: 00000015.00000002.780150932.0000000001000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.780552664.000000000125E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.780649991.00000000012E3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.780657058.00000000012E5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.780665549.00000000012E6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.780681310.00000000012E7000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.780703850.00000000012EE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.780717745.00000000012F5000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.780741876.000000000131F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.780887929.0000000001473000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1000000_YogaDNS.jbxd

Similarity

API ID: ExitThread$CloseFreeHandleLibrary
String ID:
API String ID: 2705336791-0
Opcode ID: 48af41c851e0c24dd60289dae7ec7d309f0acc65d621428fcd92fba08bd82c12
Instruction ID: ef6b5455233cfb3366515b67ad8f85f30dc7b7f32b2b2b3307c990c2d4034868
Opcode Fuzzy Hash: 48af41c851e0c24dd60289dae7ec7d309f0acc65d621428fcd92fba08bd82c12
Instruction Fuzzy Hash: 3FF05E304107067BEB319B29984DA5A7FD9AF65320F194A10FB65C2199EF30D981C795

Uniqueness

Uniqueness Score: -1.00%

Function 01210E20 Relevance: 3.0, APIs: 2, Instructions: 38
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 46%

			E01210E20(void* __ecx, void* __edx) {
				void* _t10;
				void* _t12;
				signed int _t17;
				intOrPtr* _t27;
				void* _t29;

				_push(0xc);
				_push(0x12dbd58);
				E011EF850();
				_t27 =  *((intOrPtr*)(_t29 + 8));
				if(_t27 == 0) {
					ExitThread(GetLastError());
				}
				 *((intOrPtr*)(L01215139(__ecx, __edx) + 0x360)) = _t27;
				_t10 = E0121B271(__ecx);
				_t31 = _t10 - 2;
				if(_t10 == 2) {
					_t17 = E012178A6(_t31, 1);
					asm("sbb al, al");
					 *((char*)(_t27 + 0x10)) =  ~_t17 + 1;
				}
				 *(_t29 - 4) =  *(_t29 - 4) & 0x00000000;
				 *0x125edd8(); // executed
				_t12 =  *((intOrPtr*)( *_t27))(); // executed
				E0121109C( *_t27, _t12,  *((intOrPtr*)(_t27 + 4))); // executed
				 *((intOrPtr*)(_t29 - 0x1c)) =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t29 - 0x14))))));
				return E012120EA( *((intOrPtr*)(_t29 - 0x14)),  *(_t29 - 4),  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t29 - 0x14)))))),  *((intOrPtr*)(_t29 - 0x14)));
			}

APIs

GetLastError.KERNEL32(012DBD58,0000000C), ref: 01210E33
ExitThread.KERNEL32 ref: 01210E3A

Memory Dump Source

Source File: 00000015.00000002.780162235.0000000001001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 01000000, based on PE: true

Associated: 00000015.00000002.780150932.0000000001000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.780552664.000000000125E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.780649991.00000000012E3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.780657058.00000000012E5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.780665549.00000000012E6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.780681310.00000000012E7000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.780703850.00000000012EE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.780717745.00000000012F5000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.780741876.000000000131F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.780887929.0000000001473000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1000000_YogaDNS.jbxd

Similarity

API ID: ErrorExitLastThread
String ID:
API String ID: 1611280651-0
Opcode ID: ec784ccbb0e44df6b2e63420e5880197f60f56bc781833dc57856dfba5af38b7
Instruction ID: b07e6cffae0559f57cad00f46298f470c46809e450da5b67ff064bf7e52d089f
Opcode Fuzzy Hash: ec784ccbb0e44df6b2e63420e5880197f60f56bc781833dc57856dfba5af38b7
Instruction Fuzzy Hash: 30F0F930A20206EFEB11EFB0D84DE7E7BB1EFA5200F200148F40597288DB305A41CBA0

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: YogaDNS.exePID: 5116, Parent PID: 6828COMMON

Execution Graph

Execution Coverage:	15.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	54
Total number of Limit Nodes:	5

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 01210ED5 Relevance: 4.5, APIs: 3, Instructions: 30
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E01210ED5(long _a4) {
				void* _t7;
				void* _t8;
				struct HINSTANCE__* _t9;
				void* _t12;
				intOrPtr _t13;

				_t7 = L01215290(_t12);
				if(_t7 == 0) {
					L10:
					ExitThread(_a4);
				}
				_t13 =  *((intOrPtr*)(_t7 + 0x360));
				if(_t13 == 0) {
					goto L10;
				}
				_t16 =  *((char*)(_t13 + 0x10));
				if( *((char*)(_t13 + 0x10)) != 0) {
					E012178E1(_t16);
				}
				_t8 =  *(_t13 + 8);
				if(_t8 != 0xffffffff && _t8 != 0) {
					CloseHandle(_t8);
				}
				_t9 =  *(_t13 + 0xc);
				if(_t9 != 0xffffffff && _t9 != 0) {
					FreeLibraryAndExitThread(_t9, _a4); // executed
				}
				goto L10;
			}

APIs

CloseHandle.KERNEL32(?,?,?,012110A9,?,?,01210E7E,00000000), ref: 01210F06
FreeLibraryAndExitThread.KERNELBASE(?,?,?,?,012110A9,?,?,01210E7E,00000000), ref: 01210F1C
ExitThread.KERNEL32 ref: 01210F25

Memory Dump Source

Source File: 00000017.00000002.400860012.0000000001001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 01000000, based on PE: true

Associated: 00000017.00000002.400850949.0000000001000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.402385021.000000000125E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.402473528.00000000012E3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.402481457.00000000012E5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.402486876.00000000012E6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.402492510.00000000012E7000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.402502727.00000000012F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.402521249.00000000012F5000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.402546321.000000000131F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.403039437.0000000001473000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_1000000_YogaDNS.jbxd

Similarity

API ID: ExitThread$CloseFreeHandleLibrary
String ID:
API String ID: 2705336791-0
Opcode ID: 48af41c851e0c24dd60289dae7ec7d309f0acc65d621428fcd92fba08bd82c12
Instruction ID: ef6b5455233cfb3366515b67ad8f85f30dc7b7f32b2b2b3307c990c2d4034868
Opcode Fuzzy Hash: 48af41c851e0c24dd60289dae7ec7d309f0acc65d621428fcd92fba08bd82c12
Instruction Fuzzy Hash: 3FF05E304107067BEB319B29984DA5A7FD9AF65320F194A10FB65C2199EF30D981C795

Uniqueness

Uniqueness Score: -1.00%

Function 01210E20 Relevance: 3.0, APIs: 2, Instructions: 38
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 46%

			E01210E20(void* __ecx, void* __edx) {
				void* _t10;
				void* _t12;
				signed int _t17;
				intOrPtr* _t27;
				void* _t29;

				_push(0xc);
				_push(0x12dbd58);
				E011EF850();
				_t27 =  *((intOrPtr*)(_t29 + 8));
				if(_t27 == 0) {
					ExitThread(GetLastError());
				}
				 *((intOrPtr*)(L01215139(__ecx, __edx) + 0x360)) = _t27;
				_t10 = E0121B271(__ecx);
				_t31 = _t10 - 2;
				if(_t10 == 2) {
					_t17 = E012178A6(_t31, 1);
					asm("sbb al, al");
					 *((char*)(_t27 + 0x10)) =  ~_t17 + 1;
				}
				 *(_t29 - 4) =  *(_t29 - 4) & 0x00000000;
				 *0x125edd8(); // executed
				_t12 =  *((intOrPtr*)( *_t27))(); // executed
				E0121109C( *_t27, _t12,  *((intOrPtr*)(_t27 + 4))); // executed
				 *((intOrPtr*)(_t29 - 0x1c)) =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t29 - 0x14))))));
				return E012120EA( *((intOrPtr*)(_t29 - 0x14)),  *(_t29 - 4),  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t29 - 0x14)))))),  *((intOrPtr*)(_t29 - 0x14)));
			}

APIs

GetLastError.KERNEL32(012DBD58,0000000C), ref: 01210E33
ExitThread.KERNEL32 ref: 01210E3A

Memory Dump Source

Source File: 00000017.00000002.400860012.0000000001001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 01000000, based on PE: true

Associated: 00000017.00000002.400850949.0000000001000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.402385021.000000000125E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.402473528.00000000012E3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.402481457.00000000012E5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.402486876.00000000012E6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.402492510.00000000012E7000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.402502727.00000000012F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.402521249.00000000012F5000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.402546321.000000000131F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.403039437.0000000001473000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_1000000_YogaDNS.jbxd

Similarity

API ID: ErrorExitLastThread
String ID:
API String ID: 1611280651-0
Opcode ID: ec784ccbb0e44df6b2e63420e5880197f60f56bc781833dc57856dfba5af38b7
Instruction ID: b07e6cffae0559f57cad00f46298f470c46809e450da5b67ff064bf7e52d089f
Opcode Fuzzy Hash: ec784ccbb0e44df6b2e63420e5880197f60f56bc781833dc57856dfba5af38b7
Instruction Fuzzy Hash: 30F0F930A20206EFEB11EFB0D84DE7E7BB1EFA5200F200148F40597288DB305A41CBA0

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to collect elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Application logs, Process monitoring, Windows Error Reporting
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
Tactics:	Credential Access, Discovery
Data Sources:	Host network interface, Netflow/Enclave netflow, Network device logs, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report YogaDNSSetup.exe

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Joe Sandbox Signatures

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\YogaDNS\Driver\DnsFltEngineDrv.inf (copy)

C:\Program Files (x86)\YogaDNS\Driver\DnsFltEngineDrv.sys (copy)

C:\Program Files (x86)\YogaDNS\Driver\is-A6E8V.tmp

C:\Program Files (x86)\YogaDNS\Driver\is-UMI1O.tmp

C:\Program Files (x86)\YogaDNS\ServiceManager.exe (copy)

C:\Program Files (x86)\YogaDNS\YogaDNS.exe (copy)

C:\Program Files (x86)\YogaDNS\dnscrypt-proxy.toml (copy)

C:\Program Files (x86)\YogaDNS\dnscrypt.dll (copy)

C:\Program Files (x86)\YogaDNS\is-44LQ8.tmp

C:\Program Files (x86)\YogaDNS\is-GG959.tmp

C:\Program Files (x86)\YogaDNS\is-MENUL.tmp

C:\Program Files (x86)\YogaDNS\is-OA2B1.tmp

C:\Program Files (x86)\YogaDNS\is-QTSO1.tmp

C:\Program Files (x86)\YogaDNS\is-S3AL5.tmp

C:\Program Files (x86)\YogaDNS\is-VCP4T.tmp

C:\Program Files (x86)\YogaDNS\is-VKNMA.tmp

C:\Program Files (x86)\YogaDNS\libcrypto-1_1.dll (copy)

C:\Program Files (x86)\YogaDNS\public-resolvers.md (copy)

C:\Program Files (x86)\YogaDNS\root.key (copy)

Windows Analysis Report
YogaDNSSetup.exe

Description:	Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used or give context to information collected by a keylogger.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre