Windows Analysis Report
SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe

Overview

General Information

Sample name: SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe
Analysis ID: 1510318
MD5: 7268329d169f985be48d34007c4fd957
SHA1: c44b9bbb1a384b146e758316532164df963bdb50
SHA256: f1ce6d3956c9ec05c7fdc5cc58828b62e698d9a9b27733b2df03166f9242f2a3
Tags: exe
Infos:

Detection

Score: 42
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Compliance

Score: 36
Range: 0 - 100

Signatures

Detected unpacking (changes PE section rights)
AI detected suspicious sample
Hides threads from debuggers
PE file contains section with special chars
Performs DNS TXT record lookups
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected non-DNS traffic on DNS port
Detected potential crypto function
Drops PE files
EXE planting / hijacking vulnerabilities found
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Sigma detected: Explorer Process Tree Break
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes

Classification

  • System is w10x64
  • SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe (PID: 6304 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe" MD5: 7268329D169F985BE48D34007C4FD957)
    • cmd.exe (PID: 6548 cmdline: "cmd.exe" /c taskkill /f /im "BlackBerryBackupExtractor.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • taskkill.exe (PID: 6880 cmdline: taskkill /f /im "BlackBerryBackupExtractor.exe" MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
    • explorer.exe (PID: 6636 cmdline: "C:\Windows\explorer.exe" C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe MD5: 662F4F92FDE3557E86D110526BB578D5)
  • explorer.exe (PID: 6196 cmdline: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding MD5: 662F4F92FDE3557E86D110526BB578D5)
    • BlackBerryBackupExtractor.exe (PID: 420 cmdline: "C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe" MD5: 8CD8B27DAB255BA25B5283FB4496709D)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), @gott_cyber; Data: Command: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding, CommandLine: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding, CommandLine|base64offset|contains: Iyb, Image: C:\Windows\explorer.exe, NewProcessName: C:\Windows\explorer.exe, OriginalFileName: C:\Windows\explorer.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 752, ProcessCommandLine: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding, ProcessId: 6196, ProcessName: explorer.exe
No Suricata rule has matched

AV Detection

Source: Submitted Sample; Integrated Neural Analysis Model: Matched 96.7% probability
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe; EXE: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor-uninstaller.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe; EXE: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe; EXE: cmd.exe

Compliance

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe; EXE: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor-uninstaller.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe; EXE: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe; EXE: cmd.exe
Source: SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exeWindow detected: I &AgreeCancelNullsoft Install System v3.08 Nullsoft Install System v3.08License AgreementPlease review the license terms before installing BlackBerry Backup Extractor.Press Page Down to see the rest of the agreement.License Contents A. Reincubate Software Ltd Terms & Conditions B. Droid Font Family Copyright Notice C. LED Icon Set Copyright NoticeA. Reincubate Software Ltd Terms & ConditionsThank you for choosing a Reincubate product or service. Please read the following terms & conditions carefully as they govern your use of our products services and our websites. Occasionally a particular product or service will require its own specific terms & conditions. If this is the case please read those in addition to these terms.TermsIn these terms & conditions the following definitions apply:"We" "us" "our" and "Reincubate" refer to Reincubate Software Ltd a company registered in England number 5189175."You" refers to the person or company currently reading these terms & conditions."Product" or "application" refers to any product developed and sold by Reincubate."service" refers to any online service provided by Reincubate whether free or subscription."website" refers to any Reincubate website including (but not limited to) www.reincubate.com www.iphonebackupextractor.com www.blackberryconverter.com www.awdit.com and www.keepcalm-o-matic.co.uk.1. Copyright and trademarkAll Reincubate products and services are copyright (c) 2023 Reincubate Software Ltd. You may not copy disassemble decompile modify or in any other way alter or duplicate any of our products or services without our explicit permission. 
There are two exceptions to this:- Where we make available a demonstration version of a product or service you may distribute this freely provided you acknowledge us as the copyright holder and link back to our website.- Where you have purchased a Reincubate product or service you may make one copy for backup or archival purposes provided the backup copy is not used at the same time as the original.Reincubate is a registered trademark of Reincubate Software Ltd. Other trademarks used in Reincubate products and services are held by their respective owners.2. Use of Reincubate products services and websitesWhen you purchase a Reincubate product you are permitted a single non-exclusive worldwide perpetual license to use the product. By using the product you agree to be bound by these terms. Services may be purchased on a time-limited basis in which case any such license expires at the end of the term set out when the service was originally purchased. You may not reverse user or decompile our products or services or take any action that may assist others to do so. You may not incorporate any part of our products or services into any third party website application or service without our express written permission. You may not copy sell lend give away or otherwise distribute the registered version of any of our products without express written perm
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe; Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BlackBerry Backup Extractor
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe; File created: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\License.txt
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe; File created: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\README.txt
Source: SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe; Static PE information: certificate valid
Source: unknown; HTTPS traffic detected: 104.26.7.161:443 -> 192.168.2.6:64531 version: TLS 1.2
Source: SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: c:\Users\dbdkm\work\bbbe-app\tmp\BlackBerryBackupExtractor-merged.pdbBSJB source: BlackBerryBackupExtractor.exe, 00000009.00000003.2261331780.0000000005220000.00000004.00001000.00020000.00000000.sdmp, BlackBerryBackupExtractor.exe, 00000009.00000002.4646291742.00000000006D2000.00000040.00000001.01000000.0000000D.sdmp
Source: Binary string: c:\Users\dbdkm\work\bbbe-app\tmp\BlackBerryBackupExtractor-merged.pdb source: BlackBerryBackupExtractor.exe, 00000009.00000003.2261331780.0000000005220000.00000004.00001000.00020000.00000000.sdmp, BlackBerryBackupExtractor.exe, 00000009.00000002.4646291742.00000000006D2000.00000040.00000001.01000000.0000000D.sdmp
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe; Code function: 0_2_0040290B FindFirstFileW,0_2_0040290B
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe; Code function: 0_2_004069C3 FindFirstFileW,FindClose,0_2_004069C3
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe; Code function: 0_2_00405D99 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_00405D99
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe; File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe; File opened: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe; File opened: C:\Users\user
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe; File opened: C:\Users\user\AppData\Roaming\Reincubate
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe; File opened: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe; File opened: C:\Users\user\AppData\Roaming
Source: global traffic; TCP traffic: 192.168.2.6:64530 -> 1.1.1.1:53
Source: Joe Sandbox View; ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View; JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown; TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; HTTP traffic detected: GET /latest-version/D306C1B115846349DC76/ HTTP/1.1, User-Agent: bbbe-2.0.8.5-1-1, Host: uds.reincubate.com, Connection: Close
Source: global traffic; DNS traffic detected: DNS query: uds.reincubate.com
Source: unknown; Network traffic detected: HTTP traffic on port 64531 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 64531
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe; Code function: 0_2_0040582E GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_0040582E
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe; Code function: 9_2_11FA64B0 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,9_2_11FA64B0

System Summary

Source: BlackBerryBackupExtractor.exe.0.dr; Static PE information: section name:
Source: BlackBerryBackupExtractor.exe.0.dr; Static PE information: section name: .idata
Source: BlackBerryBackupExtractor.exe.0.dr; Static PE information: section name:
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe; Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe; Code function: 0_2_00403665 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,CoUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_00403665
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe; File created: C:\Windows\Fonts\DroidSans.ttf
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe; File created: C:\Windows\Fonts\DroidSans-Bold.ttf
Source: SecuriteInfo.com.W32.PossibleThreat.20282.14864.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: BlackBerryBackupExtractor.exe.0.drStatic PE information: Section: ZLIB complexity 0.9924017252753556
Source: BlackBerryBackupExtractor.exe.0.drStatic PE information: Section: .rsrc ZLIB complexity 0.994140625
Source: BlackBerryBackupExtractor.exe.0.drStatic PE information: Section: ebblbqjy ZLIB complexity 0.9896841476212687
Source: BlackBerryBackupExtractor.exe.0.drStatic PE information: Section: jwuvegyw ZLIB complexity 1.021484375
Source: classification engineClassification label: mal42.evad.winEXE@11/15@2/1
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe Code function: 0_2_00403665 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,CoUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe Code function: 0_2_00404ADA GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe Code function: 0_2_004021AA CoCreateInstance
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe File created: C:\Users\user\AppData\Roaming\Reincubate
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3320:120:WilError_03
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe File created: C:\Users\user\AppData\Local\Temp\nsaFDE.tmp
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe Process created: C:\Windows\explorer.exe
Source: unknown Process created: C:\Windows\explorer.exe
Source: SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "BlackBerryBackupExtractor.exe")
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: BlackBerryBackupExtractor.exe String found in binary or memory: 3The file %s is missing. Please, re-install this application
Source: BlackBerryBackupExtractor.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe File read: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c taskkill /f /im "BlackBerryBackupExtractor.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im "BlackBerryBackupExtractor.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe Process created: C:\Windows\explorer.exe "C:\Windows\explorer.exe" C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe
Source: unknown Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe "C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: Uninstall.lnk.0.dr LNK file: ..\..\..\..\..\..\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor-uninstaller.exe
Source: BlackBerry Backup Extractor.lnk.0.dr LNK file: ..\..\..\..\..\..\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe
Source: BlackBerry Backup Extractor.lnk0.0.dr LNK file: ..\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exeWindow detected: I &AgreeCancelNullsoft Install System v3.08 Nullsoft Install System v3.08License AgreementPlease review the license terms before installing BlackBerry Backup Extractor.Press Page Down to see the rest of the agreement.License Contents A. Reincubate Software Ltd Terms & Conditions B. Droid Font Family Copyright Notice C. LED Icon Set Copyright NoticeA. Reincubate Software Ltd Terms & ConditionsThank you for choosing a Reincubate product or service. Please read the following terms & conditions carefully as they govern your use of our products services and our websites. Occasionally a particular product or service will require its own specific terms & conditions. If this is the case please read those in addition to these terms.TermsIn these terms & conditions the following definitions apply:"We" "us" "our" and "Reincubate" refer to Reincubate Software Ltd a company registered in England number 5189175."You" refers to the person or company currently reading these terms & conditions."Product" or "application" refers to any product developed and sold by Reincubate."service" refers to any online service provided by Reincubate whether free or subscription."website" refers to any Reincubate website including (but not limited to) www.reincubate.com www.iphonebackupextractor.com www.blackberryconverter.com www.awdit.com and www.keepcalm-o-matic.co.uk.1. Copyright and trademarkAll Reincubate products and services are copyright (c) 2023 Reincubate Software Ltd. You may not copy disassemble decompile modify or in any other way alter or duplicate any of our products or services without our explicit permission. 
There are two exceptions to this:- Where we make available a demonstration version of a product or service you may distribute this freely provided you acknowledge us as the copyright holder and link back to our website.- Where you have purchased a Reincubate product or service you may make one copy for backup or archival purposes provided the backup copy is not used at the same time as the original.Reincubate is a registered trademark of Reincubate Software Ltd. Other trademarks used in Reincubate products and services are held by their respective owners.2. Use of Reincubate products services and websitesWhen you purchase a Reincubate product you are permitted a single non-exclusive worldwide perpetual license to use the product. By using the product you agree to be bound by these terms. Services may be purchased on a time-limited basis in which case any such license expires at the end of the term set out when the service was originally purchased. You may not reverse user or decompile our products or services or take any action that may assist others to do so. You may not incorporate any part of our products or services into any third party website application or service without our express written permission. You may not copy sell lend give away or otherwise distribute the registered version of any of our products without express written perm
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeWindow detected: Number of UI elements: 13
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exeRegistry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BlackBerry Backup Extractor
Source: SecuriteInfo.com.W32.PossibleThreat.20282.14864.exeStatic PE information: certificate valid
Source: SecuriteInfo.com.W32.PossibleThreat.20282.14864.exeStatic file information: File size 3046224 > 1048576
Source: SecuriteInfo.com.W32.PossibleThreat.20282.14864.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: c:\Users\dbdkm\work\bbbe-app\tmp\BlackBerryBackupExtractor-merged.pdbBSJB source: BlackBerryBackupExtractor.exe, 00000009.00000003.2261331780.0000000005220000.00000004.00001000.00020000.00000000.sdmp, BlackBerryBackupExtractor.exe, 00000009.00000002.4646291742.00000000006D2000.00000040.00000001.01000000.0000000D.sdmp
Source: Binary string: c:\Users\dbdkm\work\bbbe-app\tmp\BlackBerryBackupExtractor-merged.pdb source: BlackBerryBackupExtractor.exe, 00000009.00000003.2261331780.0000000005220000.00000004.00001000.00020000.00000000.sdmp, BlackBerryBackupExtractor.exe, 00000009.00000002.4646291742.00000000006D2000.00000040.00000001.01000000.0000000D.sdmp

Data Obfuscation

Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeUnpacked PE file: 9.2.BlackBerryBackupExtractor.exe.6d0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ebblbqjy:EW;jwuvegyw:EW; vs :ER;.rsrc:W;
Source: initial sampleStatic PE information: section where entry point is pointing to: jwuvegyw
Source: nsExec.dll.0.drStatic PE information: real checksum: 0x0 should be: 0xde0c
Source: LangDLL.dll.0.drStatic PE information: real checksum: 0x0 should be: 0x91a8
Source: System.dll.0.drStatic PE information: real checksum: 0x0 should be: 0x3d68
Source: BlackBerryBackupExtractor-uninstaller.exe.0.drStatic PE information: real checksum: 0x2ea28f should be: 0x36d63
Source: BlackBerryBackupExtractor.exe.0.drStatic PE information: section name:
Source: BlackBerryBackupExtractor.exe.0.drStatic PE information: section name: .idata
Source: BlackBerryBackupExtractor.exe.0.drStatic PE information: section name:
Source: BlackBerryBackupExtractor.exe.0.drStatic PE information: section name: ebblbqjy
Source: BlackBerryBackupExtractor.exe.0.drStatic PE information: section name: jwuvegyw
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeCode function: 9_2_051F2468 pushad ; iretd 9_2_051F2469
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeCode function: 9_2_05542ED9 push es; ret 9_2_05542F3D
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeCode function: 9_2_055431F1 push es; ret 9_2_05543217
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeCode function: 9_2_05543219 push es; ret 9_2_05543247
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeCode function: 9_2_05542F41 push es; ret 9_2_05542F97
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeCode function: 9_2_05542E65 push es; ret 9_2_05542F3D
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeCode function: 9_2_05543161 push es; ret 9_2_05543185
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeCode function: 9_2_05543099 push es; ret 9_2_055430C7
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeCode function: 9_2_09DBF9D1 push 940BC23Dh; retf 9_2_09DBF9DD
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeCode function: 9_2_09DBC3F0 push es; retn 000Bh9_2_09DBC3F2
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeCode function: 9_2_09DB76A3 push eax; iretd 9_2_09DB76A9
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeCode function: 9_2_0B270E88 push CC0000C3h; ret 9_2_0B270EAD
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeCode function: 9_2_0BC31E20 pushfd ; retn 000Bh9_2_0BC31E21
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeCode function: 9_2_0BC31CB0 pushad ; retn 000Bh9_2_0BC31DC9
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeCode function: 9_2_0BC315F1 pushad ; retn 000Bh9_2_0BC315F2
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeCode function: 9_2_0BC31591 pushad ; retn 000Bh9_2_0BC31592
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeCode function: 9_2_11FA7500 pushfd ; iretd 9_2_11FA7501
Source: BlackBerryBackupExtractor.exe.0.drStatic PE information: section name: entropy: 7.963639992526216
Source: BlackBerryBackupExtractor.exe.0.drStatic PE information: section name: ebblbqjy entropy: 7.947437869566587
Source: BlackBerryBackupExtractor.exe.0.drStatic PE information: section name: jwuvegyw entropy: 7.334086978180639
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exeFile created: C:\Users\user\AppData\Local\Temp\nsqFF0.tmp\LangDLL.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exeFile created: C:\Users\user\AppData\Local\Temp\nsqFF0.tmp\System.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exeFile created: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor-uninstaller.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exeFile created: C:\Users\user\AppData\Local\Temp\nsqFF0.tmp\nsExec.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exeFile created: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exeFile created: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\License.txt
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exeFile created: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\README.txt

Boot Survival

Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeWindow searched: window name: FilemonClass
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeWindow searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeWindow searched: window name: RegmonClass
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeWindow searched: window name: Regmonclass
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeWindow searched: window name: Filemonclass
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Reincubate
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Reincubate\BlackBerry Backup Extractor
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Reincubate\BlackBerry Backup Extractor\Uninstall.lnk
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Reincubate\BlackBerry Backup Extractor\BlackBerry Backup Extractor.lnk
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeProcess information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeFile opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: 9A8052 second address: 9A80A6 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F6F151CEA7Eh 0x0000000b popad 0x0000000c push eax 0x0000000d jng 00007F6F151CEA7Eh 0x00000013 mov eax, dword ptr [esp+04h] 0x00000017 jnc 00007F6F151CEA7Eh 0x0000001d mov eax, dword ptr [eax] 0x0000001f pushad 0x00000020 jmp 00007F6F151CEA7Ah 0x00000025 jnl 00007F6F151CEA78h 0x0000002b pushad 0x0000002c popad 0x0000002d popad 0x0000002e mov dword ptr [esp+04h], eax 0x00000032 push eax 0x00000033 pushad 0x00000034 push eax 0x00000035 push edx 0x00000036 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: 9A80A6 second address: 9A8110 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6F14AF69FAh 0x00000009 popad 0x0000000a pop eax 0x0000000b pop eax 0x0000000c mov dh, B6h 0x0000000e push 00000003h 0x00000010 mov dword ptr [ebp+12641B77h], ecx 0x00000016 push 00000000h 0x00000018 jns 00007F6F14AF6A0Dh 0x0000001e jg 00007F6F14AF6A07h 0x00000024 call 00007F6F14AF6A00h 0x00000029 pop esi 0x0000002a push 00000003h 0x0000002c add di, 33CDh 0x00000031 push edx 0x00000032 call 00007F6F14AF6A00h 0x00000037 mov edx, dword ptr [ebp+12642B5Dh] 0x0000003d pop ecx 0x0000003e pop edx 0x0000003f call 00007F6F14AF69F9h 0x00000044 push eax 0x00000045 push edx 0x00000046 pushad 0x00000047 push ecx 0x00000048 pop ecx 0x00000049 push eax 0x0000004a push edx 0x0000004b rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: 9A8110 second address: 9A8115 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: 9A8115 second address: 9A811A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: 9A811A second address: 9A8163 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushad 0x0000000c jmp 00007F6F151CEA86h 0x00000011 jmp 00007F6F151CEA81h 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F6F151CEA83h 0x0000001e rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: 9A8163 second address: 9A817C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b push eax 0x0000000c push edx 0x0000000d jno 00007F6F14AF69FCh 0x00000013 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: 9A817C second address: 9A818F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6F151CEA7Fh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: 9A818F second address: 9A81BD instructions: 0x00000000 rdtsc 0x00000002 jl 00007F6F14AF69F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [eax] 0x0000000e push ebx 0x0000000f jbe 00007F6F14AF6A00h 0x00000015 jmp 00007F6F14AF69FAh 0x0000001a pop ebx 0x0000001b mov dword ptr [esp+04h], eax 0x0000001f push eax 0x00000020 push edx 0x00000021 jbe 00007F6F14AF69F8h 0x00000027 pushad 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: 9A81BD second address: 9A81F8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F151CEA87h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a stc 0x0000000b lea ebx, dword ptr [ebp+12709EBBh] 0x00000011 add esi, dword ptr [ebp+1264386Eh] 0x00000017 js 00007F6F151CEA7Ch 0x0000001d mov dword ptr [ebp+1264189Fh], ecx 0x00000023 push eax 0x00000024 pushad 0x00000025 push eax 0x00000026 push edx 0x00000027 push edx 0x00000028 pop edx 0x00000029 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: 9A8258 second address: 9A825C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: 9A825C second address: 9A82B0 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F6F151CEA76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c jbe 00007F6F151CEA7Ch 0x00000012 jnc 00007F6F151CEA76h 0x00000018 jmp 00007F6F151CEA86h 0x0000001d popad 0x0000001e nop 0x0000001f pushad 0x00000020 sub eax, dword ptr [ebp+12642B41h] 0x00000026 mov edx, dword ptr [ebp+12642CB5h] 0x0000002c popad 0x0000002d push 00000000h 0x0000002f push edx 0x00000030 mov si, di 0x00000033 pop ecx 0x00000034 push 89E6D34Dh 0x00000039 je 00007F6F151CEA84h 0x0000003f push eax 0x00000040 push edx 0x00000041 push edx 0x00000042 pop edx 0x00000043 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: 9A839F second address: 9A83A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: 9A83A5 second address: 9A83D2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F151CEA85h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F6F151CEA7Fh 0x00000013 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: 9A83D2 second address: 9A83DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F6F14AF69F6h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: 9A83DC second address: 9A83E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: 9A83E0 second address: 9A8422 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push esi 0x0000000c call 00007F6F14AF69F8h 0x00000011 pop esi 0x00000012 mov dword ptr [esp+04h], esi 0x00000016 add dword ptr [esp+04h], 00000016h 0x0000001e inc esi 0x0000001f push esi 0x00000020 ret 0x00000021 pop esi 0x00000022 ret 0x00000023 mov si, 2B0Ch 0x00000027 push 00000000h 0x00000029 or dword ptr [ebp+12641B59h], esi 0x0000002f push 479ADB30h 0x00000034 jbe 00007F6F14AF6A04h 0x0000003a push eax 0x0000003b push edx 0x0000003c push eax 0x0000003d push edx 0x0000003e rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: 9A8422 second address: 9A8426 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: 9A8426 second address: 9A848B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 xor dword ptr [esp], 479ADBB0h 0x0000000d jmp 00007F6F14AF6A00h 0x00000012 push 00000003h 0x00000014 mov di, cx 0x00000017 push 00000000h 0x00000019 push 00000003h 0x0000001b jng 00007F6F14AF69FCh 0x00000021 mov dword ptr [ebp+1264341Eh], edi 0x00000027 jmp 00007F6F14AF6A01h 0x0000002c call 00007F6F14AF69F9h 0x00000031 push eax 0x00000032 push edx 0x00000033 jmp 00007F6F14AF6A07h 0x00000038 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: 9A848B second address: 9A84BA instructions: 0x00000000 rdtsc 0x00000002 jne 00007F6F151CEA7Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jmp 00007F6F151CEA84h 0x00000013 jc 00007F6F151CEA76h 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: 9A84BA second address: 9A8566 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F14AF6A04h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d push edi 0x0000000e jmp 00007F6F14AF6A06h 0x00000013 pop edi 0x00000014 mov eax, dword ptr [eax] 0x00000016 pushad 0x00000017 push esi 0x00000018 push ebx 0x00000019 pop ebx 0x0000001a pop esi 0x0000001b push esi 0x0000001c push edx 0x0000001d pop edx 0x0000001e pop esi 0x0000001f popad 0x00000020 mov dword ptr [esp+04h], eax 0x00000024 pushad 0x00000025 jmp 00007F6F14AF69FAh 0x0000002a jmp 00007F6F14AF6A00h 0x0000002f popad 0x00000030 pop eax 0x00000031 push 00000000h 0x00000033 push eax 0x00000034 call 00007F6F14AF69F8h 0x00000039 pop eax 0x0000003a mov dword ptr [esp+04h], eax 0x0000003e add dword ptr [esp+04h], 00000019h 0x00000046 inc eax 0x00000047 push eax 0x00000048 ret 0x00000049 pop eax 0x0000004a ret 0x0000004b mov dl, E3h 0x0000004d lea ebx, dword ptr [ebp+12709ECFh] 0x00000053 add edi, 44866533h 0x00000059 xchg eax, ebx 0x0000005a pushad 0x0000005b push eax 0x0000005c push edx 0x0000005d jmp 00007F6F14AF6A08h 0x00000062 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: 9C809D second address: 9C80BA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F151CEA85h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c pop edi 0x0000000d rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: 9C80BA second address: 9C80CC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F14AF69FCh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: 9C80CC second address: 9C80DF instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F6F151CEA7Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: 9C5DF3 second address: 9C5E03 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F6F14AF69F6h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: 9C5E03 second address: 9C5E09 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: 9C5E09 second address: 9C5E26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F6F14AF6A01h 0x0000000b popad 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: 9C5E26 second address: 9C5E40 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F151CEA86h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: 9C5F94 second address: 9C5F98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: 9C6244 second address: 9C626B instructions: 0x00000000 rdtsc 0x00000002 ja 00007F6F151CEA76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007F6F151CEA82h 0x00000012 jl 00007F6F151CEA76h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: 9C63C6 second address: 9C63CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: 9C63CA second address: 9C63D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: 9C63D4 second address: 9C63E2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F14AF69FAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: 9C63E2 second address: 9C63E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: 9C63E8 second address: 9C63EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: 9C6561 second address: 9C6579 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F6F151CEA81h 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: 9C6579 second address: 9C6598 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F6F14AF69FAh 0x0000000e je 00007F6F14AF69FCh 0x00000014 jng 00007F6F14AF69F6h 0x0000001a rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: 9C6598 second address: 9C65A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6F151CEA7Ch 0x00000009 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: 9C6835 second address: 9C6851 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jng 00007F6F14AF69F6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 jmp 00007F6F14AF69FCh 0x00000015 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: 9C6851 second address: 9C6857 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: 9C6857 second address: 9C685D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: 9C6E42 second address: 9C6E4C instructions: 0x00000000 rdtsc 0x00000002 jno 00007F6F151CEA93h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: 9C6FDC second address: 9C6FE8 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F6F14AF69F6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: 9BF20E second address: 9BF245 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6F151CEA7Fh 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c jmp 00007F6F151CEA85h 0x00000011 jnc 00007F6F151CEA78h 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: 9BF245 second address: 9BF24F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F6F14AF69F6h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: 9BF24F second address: 9BF280 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F151CEA86h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a jo 00007F6F151CEA96h 0x00000010 jne 00007F6F151CEA7Ch 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: 9BF280 second address: 9BF284 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: 9BF284 second address: 9BF28A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: 99F486 second address: 99F4A3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F14AF6A07h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: 9C7162 second address: 9C717E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F6F151CEA84h 0x0000000d rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: 9C717E second address: 9C7183 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: 9C772E second address: 9C7732 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: 9C7732 second address: 9C7774 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 pushad 0x0000000a popad 0x0000000b jnc 00007F6F14AF69F6h 0x00000011 pop edi 0x00000012 jmp 00007F6F14AF6A06h 0x00000017 popad 0x00000018 push edi 0x00000019 pushad 0x0000001a jmp 00007F6F14AF6A05h 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: 9C7774 second address: 9C7790 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6F151CEA81h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e push edi 0x0000000f pop edi 0x00000010 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: 9C7790 second address: 9C7796 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: 9C7BF3 second address: 9C7C03 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push esi 0x00000004 pop esi 0x00000005 jp 00007F6F151CEA76h 0x0000000b pop edi 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: 9C7C03 second address: 9C7C0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F6F14AF69F6h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: 9BF278 second address: 9BF280 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: 9CA497 second address: 9CA49B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: 9CA7B6 second address: 9CA7BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: 99C98D second address: 99C9ED instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F6F14AF6A04h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop ecx 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e jg 00007F6F14AF6A0Fh 0x00000014 pushad 0x00000015 jne 00007F6F14AF69F6h 0x0000001b jmp 00007F6F14AF6A07h 0x00000020 push ebx 0x00000021 pop ebx 0x00000022 popad 0x00000023 pushad 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: 9D1DAA second address: 9D1DAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: 9D1DAE second address: 9D1DB2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: 9D1DB2 second address: 9D1DCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F6F151CEA76h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007F6F151CEA7Dh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: 9D242D second address: 9D2450 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F14AF6A09h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: 9D2450 second address: 9D2456 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: 9D2456 second address: 9D245A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: 9D245A second address: 9D2460 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: 9D25CE second address: 9D25D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: 9ED1CC second address: 9ED1D1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: 9EE209 second address: 9EE213 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F6F151CEA76h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: 9EE213 second address: 9EE231 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F6F14AF69F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F6F14AF69FFh 0x00000014 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: 9EE231 second address: 9EE237 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: 9EE237 second address: 9EE23B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: A06C36 second address: A06C3D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: A06C3D second address: A06C6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 jng 00007F6F14AF6A07h 0x0000000e jmp 00007F6F14AF6A01h 0x00000013 mov eax, dword ptr [esp+04h] 0x00000017 jl 00007F6F14AF6A00h 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: A06C6A second address: A06C78 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [eax] 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d pop edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: A06DAE second address: A06DCD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007F6F14AF69FFh 0x0000000a popad 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 push edi 0x00000014 pop edi 0x00000015 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: A06DCD second address: A06DD1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: A06DD1 second address: A06DD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: A06E79 second address: A06E7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: A06E7E second address: A06E83 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: A06F51 second address: A06F62 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F6F151CEA7Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: A08377 second address: A08395 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jns 00007F6F14AF6A09h 0x0000000b rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: A08395 second address: A0839A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: A0CD9A second address: A0CD9F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: A0C5E7 second address: A0C5EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: A0C5EE second address: A0C619 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F14AF6A04h 0x00000007 jng 00007F6F14AF69FEh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push esi 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: A0C7BD second address: A0C7D0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007F6F151CEA76h 0x00000009 push edi 0x0000000a pop edi 0x0000000b jno 00007F6F151CEA76h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: A0C7D0 second address: A0C7D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: A0C7D9 second address: A0C7DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: A0CC26 second address: A0CC50 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F6F14AF69F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jnl 00007F6F14AF6A09h 0x00000010 pop ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: A0CC50 second address: A0CC5C instructions: 0x00000000 rdtsc 0x00000002 jo 00007F6F151CEA76h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: A111F9 second address: A1121C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007F6F14AF69FDh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e jnp 00007F6F14AF69F6h 0x00000014 jbe 00007F6F14AF69F6h 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: A1121C second address: A1123F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 jbe 00007F6F151CEA76h 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F6F151CEA7Dh 0x00000015 jc 00007F6F151CEA76h 0x0000001b rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: A1123F second address: A11243 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: A11355 second address: A11360 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: A117A3 second address: A117E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6F14AF6A07h 0x00000009 jnl 00007F6F14AF6A0Dh 0x0000000f popad 0x00000010 jnp 00007F6F14AF69FEh 0x00000016 push eax 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: A11950 second address: A11954 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: A10F01 second address: A10F16 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F14AF69FEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: A151EE second address: A15211 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F6F151CEA76h 0x00000008 jmp 00007F6F151CEA81h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 jng 00007F6F151CEA76h 0x00000016 pop eax 0x00000017 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: A18B7F second address: A18B85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: 9D3E01 second address: 9D3E2F instructions: 0x00000000 rdtsc 0x00000002 jp 00007F6F151CEA8Bh 0x00000008 jmp 00007F6F151CEA85h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jnc 00007F6F151CEA7Ch 0x00000018 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: 9D3E2F second address: 9D3E45 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F6F14AF6A01h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: 9D3E45 second address: 9BF20E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 mov dword ptr [ebp+1264388Fh], eax 0x0000000e call dword ptr [ebp+12641AD1h] 0x00000014 pushad 0x00000015 pushad 0x00000016 jp 00007F6F151CEA76h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: 9D426A second address: 9D426F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: 9D442F second address: 9D4439 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F6F151CEA76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: 9D4525 second address: 9D4542 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F14AF6A09h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: 9D4BD0 second address: 9D4BD4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: 9D4BD4 second address: 9D4BDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: 9D4F11 second address: 9D4F24 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 mov eax, dword ptr [eax] 0x00000009 push eax 0x0000000a push edx 0x0000000b jno 00007F6F151CEA78h 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: 9D4F24 second address: 9D4F42 instructions: 0x00000000 rdtsc 0x00000002 je 00007F6F14AF69FCh 0x00000008 jl 00007F6F14AF69F6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov dword ptr [esp+04h], eax 0x00000014 push eax 0x00000015 push edx 0x00000016 jne 00007F6F14AF69F8h 0x0000001c rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: 9D4F42 second address: 9D4F47 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: A18EBD second address: A18EC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: A18EC3 second address: A18EFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6F151CEA81h 0x00000009 jmp 00007F6F151CEA88h 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 jp 00007F6F151CEA76h 0x00000017 push ecx 0x00000018 pop ecx 0x00000019 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: A18EFB second address: A18F05 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F6F14AF69F6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: A1962A second address: A1963F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F6F151CEA76h 0x0000000a popad 0x0000000b jc 00007F6F151CEA9Dh 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: A1992F second address: A19935 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: A1E9A8 second address: A1E9AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: A1E9AD second address: A1E9CB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F14AF69FCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jbe 00007F6F14AF6A19h 0x0000000f push eax 0x00000010 push edx 0x00000011 jc 00007F6F14AF69F6h 0x00000017 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: A1D593 second address: A1D599 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: A1D810 second address: A1D816 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: A1D961 second address: A1D965 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: A1D965 second address: A1D96B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: A1D96B second address: A1D97B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jl 00007F6F151CEA76h 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: A1D97B second address: A1D987 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jnp 00007F6F14AF69F6h 0x0000000c rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: A1DAD8 second address: A1DADE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: A1DC26 second address: A1DC2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: A1DC2C second address: A1DC30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: A1DC30 second address: A1DC34 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: A1DC34 second address: A1DC6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jnl 00007F6F151CEA76h 0x0000000d jmp 00007F6F151CEA85h 0x00000012 jnl 00007F6F151CEA76h 0x00000018 popad 0x00000019 pushad 0x0000001a jmp 00007F6F151CEA7Ch 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: A1DDB1 second address: A1DDB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: A1DDB5 second address: A1DDD9 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F6F151CEA76h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F6F151CEA88h 0x00000011 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: A1DF1B second address: A1DF27 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F6F14AF69FEh 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: A1DF27 second address: A1DF2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: A1E0BA second address: A1E0D4 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 jo 00007F6F14AF69FEh 0x00000016 pushad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: A1E827 second address: A1E82D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: A1E82D second address: A1E86E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F6F14AF6A00h 0x0000000a jmp 00007F6F14AF69FEh 0x0000000f popad 0x00000010 pushad 0x00000011 jmp 00007F6F14AF6A09h 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: A1E86E second address: A1E876 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: A1D100 second address: A1D11E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6F14AF6A04h 0x00000009 popad 0x0000000a pushad 0x0000000b push esi 0x0000000c pop esi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: A227E5 second address: A227F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: A227F0 second address: A227F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: A227F4 second address: A227FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: A227FA second address: A22800 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: A246A2 second address: A246C3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F151CEA84h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jo 00007F6F151CEA7Eh 0x0000000f push ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: 991CA3 second address: 991CA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: 991CA9 second address: 991CC7 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F6F151CEA76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jne 00007F6F151CEA7Ah 0x00000010 push eax 0x00000011 push edx 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 je 00007F6F151CEA76h 0x0000001a rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: 991CC7 second address: 991CEE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F14AF6A04h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jg 00007F6F14AF69FCh 0x00000012 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: A600E6 second address: A60104 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F6F14AF6A02h 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: A60104 second address: A6010C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: A603D1 second address: A603D8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: A603D8 second address: A6040C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007F6F151CEA87h 0x00000011 pop edi 0x00000012 push ebx 0x00000013 jmp 00007F6F151CEA7Ch 0x00000018 push ecx 0x00000019 pop ecx 0x0000001a pop ebx 0x0000001b rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: A6040C second address: A60412 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: A60412 second address: A60418 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: A6085B second address: A60867 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: A60867 second address: A6086B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: A67D46 second address: A67D52 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F6F14AF69F6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: A67D52 second address: A67D56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: A6BD04 second address: A6BD1D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F6F14AF69FAh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: A6BD1D second address: A6BD21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: A6BD21 second address: A6BD36 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F14AF69FFh 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: A6B7E2 second address: A6B7E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: A6B8FD second address: A6B902 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: A6B902 second address: A6B919 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F151CEA82h 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: A6E6EB second address: A6E6F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: A6E6F1 second address: A6E6FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: A6E6FA second address: A6E704 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F6F14AF69F6h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: A6E704 second address: A6E70A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: A6E881 second address: A6E886 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: A73FF1 second address: A74018 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F151CEA84h 0x00000007 pushad 0x00000008 jmp 00007F6F151CEA7Eh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: A79D9C second address: A79DC7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F14AF6A01h 0x00000007 jmp 00007F6F14AF6A06h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: A79DC7 second address: A79DD3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 jp 00007F6F151CEA76h 0x0000000c rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: A79DD3 second address: A79E06 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jne 00007F6F14AF69F6h 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 jmp 00007F6F14AF6A07h 0x00000018 popad 0x00000019 jc 00007F6F14AF6A0Ah 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: A79E06 second address: A79E18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6F151CEA7Eh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: A79C33 second address: A79C42 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F6F14AF69FAh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: A8125B second address: A81262 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: A81262 second address: A81267 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: A81418 second address: A81422 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F6F151CEA76h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: A8159F second address: A815A5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: A8172C second address: A8177B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F151CEA7Fh 0x00000007 jmp 00007F6F151CEA82h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e js 00007F6F151CEA9Fh 0x00000014 push edi 0x00000015 jmp 00007F6F151CEA83h 0x0000001a pop edi 0x0000001b push edx 0x0000001c jmp 00007F6F151CEA7Ch 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: A8602B second address: A86031 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: A86031 second address: A86050 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F6F151CEA87h 0x0000000d rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: A86050 second address: A8605A instructions: 0x00000000 rdtsc 0x00000002 jo 00007F6F14AF69F6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: A9078F second address: A9079E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: A9079E second address: A907DE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F14AF69FCh 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jnc 00007F6F14AF69F6h 0x00000012 jmp 00007F6F14AF6A01h 0x00000017 jmp 00007F6F14AF6A04h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: AA4C93 second address: AA4C9D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: AA4C9D second address: AA4CA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: AA4CA3 second address: AA4CA7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: AA6499 second address: AA649E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: AAC9CC second address: AAC9D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: AAC9D0 second address: AAC9DA instructions: 0x00000000 rdtsc 0x00000002 jne 00007F6F14AF69F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: AAC9DA second address: AAC9E4 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F6F151CEA82h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: AABD4F second address: AABD5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F6F14AF69F6h 0x0000000a push eax 0x0000000b pop eax 0x0000000c popad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: AABD5F second address: AABD65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: AABD65 second address: AABD6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: AABD6B second address: AABD70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: AABD70 second address: AABD76 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: AABD76 second address: AABD7C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: AB49B6 second address: AB49C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F6F14AF69F6h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: AB8A44 second address: AB8A4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: AB8A4A second address: AB8A62 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F14AF6A04h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: AB8A62 second address: AB8A88 instructions: 0x00000000 rdtsc 0x00000002 js 00007F6F151CEA8Fh 0x00000008 jmp 00007F6F151CEA89h 0x0000000d push esi 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: AB8A88 second address: AB8A9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a jo 00007F6F14AF69F6h 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: AB8A9A second address: AB8A9E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: ABA89C second address: ABA8B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6F14AF6A03h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: AB0822 second address: AB0852 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6F151CEA82h 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F6F151CEA87h 0x00000011 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: AAF470 second address: AAF476 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: AAF476 second address: AAF48C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6F151CEA82h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: AAF48C second address: AAF490 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: AAF5DB second address: AAF5DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: AAF5DF second address: AAF5ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: AAF5ED second address: AAF5F3 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: AAF5F3 second address: AAF5F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: AB06E8 second address: AB06F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Special instruction interceptor: First address: 9CA510 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Special instruction interceptor: First address: 9C8CA4 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Special instruction interceptor: First address: 8DF332 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Special instruction interceptor: First address: 9F193C instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Special instruction interceptor: First address: A5374A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Memory allocated: 51F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Memory allocated: 5560000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Memory allocated: 5320000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Memory allocated: BC80000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Memory allocated: 10C80000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Window / User API: threadDelayed 1054
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Window / User API: threadDelayed 1080
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Window / User API: threadDelayed 1470
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Window / User API: threadDelayed 1104
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Window / User API: threadDelayed 354
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Window / User API: threadDelayed 445
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Window / User API: threadDelayed 948
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Window / User API: threadDelayed 1429
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Window / User API: foregroundWindowGot 376
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsqFF0.tmp\LangDLL.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsqFF0.tmp\System.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor-uninstaller.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsqFF0.tmp\nsExec.dll
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe TID: 5268 Thread sleep time: -72036s >= -30000s
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe TID: 4544 Thread sleep time: -2109054s >= -30000s
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe TID: 3820 Thread sleep time: -40000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe TID: 5896 Thread sleep time: -2161080s >= -30000s
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe TID: 5696 Thread sleep time: -2941470s >= -30000s
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe TID: 5692 Thread sleep time: -2209104s >= -30000s
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe TID: 3384 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe TID: 5712 Thread sleep time: -1896948s >= -30000s
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe TID: 5808 Thread sleep time: -2859429s >= -30000s
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe Code function: 0_2_0040290B FindFirstFileW,0_2_0040290B
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe Code function: 0_2_004069C3 FindFirstFileW,FindClose,0_2_004069C3
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe Code function: 0_2_00405D99 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_00405D99
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exeFile opened: C:\Users\user\AppDataJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exeFile opened: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup ExtractorJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exeFile opened: C:\Users\userJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exeFile opened: C:\Users\user\AppData\Roaming\ReincubateJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exeFile opened: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
Source: BlackBerryBackupExtractor.exe, BlackBerryBackupExtractor.exe, 00000009.00000002.4646560649.00000000009AC000.00000040.00000001.01000000.0000000D.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: BlackBerryBackupExtractor.exe, 00000009.00000002.4656608036.0000000007B6D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll|
Source: explorer.exe, 00000008.00000003.2844911030.00000000014BE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: BlackBerryBackupExtractor.exe, 00000009.00000002.4646560649.00000000009AC000.00000040.00000001.01000000.0000000D.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe, 00000000.00000002.2242677975.0000000000781000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c1
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe API call chain: ExitProcess graph end node graph_0-3424
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe System information queried: ModuleInformation
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe File opened: NTICE
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe File opened: SICE
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe File opened: SIWVID
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Code function: 9_2_09DB07FB LdrInitializeThunk,9_2_09DB07FB
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: Traffic DNS traffic detected: queries for: uds.reincubate.com
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c taskkill /f /im "BlackBerryBackupExtractor.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe Process created: C:\Windows\explorer.exe "C:\Windows\explorer.exe" C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im "BlackBerryBackupExtractor.exe"
Source: BlackBerryBackupExtractor.exe, BlackBerryBackupExtractor.exe, 00000009.00000002.4646560649.00000000009AC000.00000040.00000001.01000000.0000000D.sdmp Binary or memory string: 'Program Manager
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Queries volume information: C:\Windows\Fonts\DroidSans.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Queries volume information: C:\Windows\Fonts\DroidSans-Bold.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe Code function: 0_2_00403665 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,CoUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_00403665
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Directory queried: C:\Users\user\Documents\UNKRLCVOHV
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Directory queried: C:\Users\user\Documents\SUAVTZKNFL
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 21 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 11 Disable or Modify Tools | 1 Input Capture | 13 File and Directory Discovery | Remote Services | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | 1 DLL Search Order Hijacking | 1 DLL Search Order Hijacking | 2 Obfuscated Files or Information | LSASS Memory | 226 System Information Discovery | Remote Desktop Protocol | 1 Data from Local System | 11 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | 1 Windows Service | 1 Access Token Manipulation | 12 Software Packing | Security Account Manager | 1 Query Registry | SMB/Windows Admin Shares | 1 Input Capture | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | 1 Registry Run Keys / Startup Folder | 1 Windows Service | 1 DLL Side-Loading | NTDS | 641 Security Software Discovery | Distributed Component Object Model | 1 Clipboard Data | 3 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 12 Process Injection | 1 DLL Search Order Hijacking | LSA Secrets | 2 Process Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 1 Registry Run Keys / Startup Folder | 11 Masquerading | Cached Domain Credentials | 271 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 271 Virtualization/Sandbox Evasion | DCSync | 1 Application Window Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Access Token Manipulation | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 12 Process Injection | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
[Behavior graph: ID 1510318; Sample: SecuriteInfo.com.W32.Possib...; Start date: 12/09/2024; Architecture: WINDOWS; Score: 42]

Source | Detection | Scanner | Label | Link
SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe | 3% | ReversingLabs | |

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Temp\nsqFF0.tmp\LangDLL.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\nsqFF0.tmp\System.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\nsqFF0.tmp\nsExec.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor-uninstaller.exe | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe | 12% | ReversingLabs | |
No Antivirus matches
No Antivirus matches
SourceDetectionScannerLabelLink
https://sectigo.com/CPS00%URL Reputationsafe
http://ocsp.sectigo.com00%URL Reputationsafe
http://nsis.sf.net/NSIS_ErrorError0%URL Reputationsafe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name0%URL Reputationsafe
http://uds.reincubate.comd0%Avira URL Cloudsafe
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl00%Avira URL Cloudsafe
https://uds.reincubate.com/client-auth/0%Avira URL Cloudsafe
http://www.blackberryconverter.com/register/?utm_source=app&utm_campaign=2.0.8.50%Avira URL Cloudsafe
http://www.blackberryconverter.com/?utm_source=app&utm_campaign=2.0.8.50%Avira URL Cloudsafe
http://www.ascendercorp.com/0%Avira URL Cloudsafe
http://ascendercorp.com/eula10.html0%Avira URL Cloudsafe
http://www.droidfonts.com/0%Avira URL Cloudsafe
http://www.blackberryconverter.com/help-howto-and-support/#running0%Avira URL Cloudsafe
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#0%Avira URL Cloudsafe
https://uds.reincubate.com0%Avira URL Cloudsafe
https://www.reincubate.com/support/ipbe/what-iphone-backup-extractor-does/#compatibility0%Avira URL Cloudsafe
http://www.ascendercorp.com/http://ascendercorp.com/eula10.html0%Avira URL Cloudsafe
https://uds.reincubate.com/latest-version/D306C1B115846349DC76/0%Avira URL Cloudsafe
http://james.newtonking.com/projects/json0%Avira URL Cloudsafe
http://www.blackberryconverter.com/upgrade-key/?utm_source=app&utm_campaign=2.0.8.50%Avira URL Cloudsafe
https://uds.reincubate.com/client-auth-reset/0%Avira URL Cloudsafe
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y0%Avira URL Cloudsafe
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#0%Avira URL Cloudsafe
http://www.oreans.com0%Avira URL Cloudsafe
https://reincubate.com/res/labs/bbbe/bbbe-latest.exe0%Avira URL Cloudsafe
https://uds.reincubate.com/client-status/0%Avira URL Cloudsafe
http://www.ascendercorp.com/http://www.ascendercorp.com/typedesigners.htmlThis0%Avira URL Cloudsafe
http://www.ascendercorp.com/typedesigners.htmlhDroid0%Avira URL Cloudsafe
http://www.blackberryconverter.com/help-howto-and-support/?utm_source=app&utm_campaign=2.0.8.50%Avira URL Cloudsafe
http://uds.reincubate.com0%Avira URL Cloudsafe
http://www.ascendercorp.com/typedesigners.html%0%Avira URL Cloudsafe
http://www.blackberryconverter.com/terms-and-conditions/?utm_source=app&utm_campaign=2.0.8.50%Avira URL Cloudsafe
http://www.blackberryconverter.com/help-howto-and-support/0%Avira URL Cloudsafe
http://www.blackberryconverter.com/blog/0%Avira URL Cloudsafe
http://led24.de/0%Avira URL Cloudsafe
http://www.ascendercorp.com/$http://ascendercorp.com/eula10.html0%Avira URL Cloudsafe
https://appexceptions.reincubate.com/error-report/D306C1B115846349DC76/0%Avira URL Cloudsafe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
uds.reincubate.com | 104.26.7.161 | true | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
https://uds.reincubate.com/latest-version/D306C1B115846349DC76/ | false | Avira URL Cloud: safe | unknown
    NameSourceMaliciousAntivirus DetectionReputation
    IP | Domain | Country | Flag | ASN | ASN Name | Malicious
    104.26.7.161 | uds.reincubate.com | United States | | 13335 | CLOUDFLARENETUS | true
    Joe Sandbox version:40.0.0 Tourmaline
    Analysis ID:1510318
    Start date and time:2024-09-12 20:20:23 +02:00
    Joe Sandbox product:CloudBasic
    Overall analysis duration:0h 9m 32s
    Hypervisor based Inspection enabled:false
    Report type:full
    Cookbook file name:default.jbs
    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
    Number of analysed new started processes analysed:16
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Sample name:SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe
    Detection:MAL
    Classification:mal42.evad.winEXE@11/15@2/1
    EGA Information:
    • Successful, ratio: 100%
    HCA Information:
    • Successful, ratio: 77%
    • Number of executed functions: 244
    • Number of non-executed functions: 23
    Cookbook Comments:
    • Found application associated with file extension: .exe
    • Override analysis time to 240000 for current running targets taking high CPU consumption
    • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
    • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
    • Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
    • Not all processes where analyzed, report is missing behavior information
    • Report size exceeded maximum capacity and may have missing behavior information.
    • Report size getting too big, too many NtAllocateVirtualMemory calls found.
    • Report size getting too big, too many NtEnumerateKey calls found.
    • Report size getting too big, too many NtOpenKeyEx calls found.
    • Report size getting too big, too many NtProtectVirtualMemory calls found.
    • Report size getting too big, too many NtQueryValueKey calls found.
    • Report size getting too big, too many NtReadVirtualMemory calls found.
    • VT rate limit hit for: SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe
    Time:14:21:54
    Type:API Interceptor
    Description:10065716x Sleep call for process: BlackBerryBackupExtractor.exe modified
    No context
                                            Process:C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):3141402
                                            Entropy (8bit):7.860092883256183
                                            Encrypted:false
                                            SSDEEP:49152:ScfrILOClKr1PVn7wJj2ExFDcJd+6iVAATi9EpoNjSfInTcubjnlG68uBshYb6S0:DILOCSFVnMJKEXkVPEp/aG68uBsthZ
                                            MD5:C83A97178B92EBFBA03616B612469672
                                            SHA1:698E8D8061CC8D53074640F7BA266AD0E62562C3
                                            SHA-256:2A60B230818467D8C538D4DEFE222402CB6520404FEE8B212C405E5095BED50E
                                            SHA-512:8E61EDD1187FBEE082B21D61E46DE7323A4DA81465455C1327A6AEC4A75F2238DCAFCF726587B4C5684C2B63C46F301644D12C4049903DA42DB4B5B657D5AA68
                                            Malicious:false
                                            Reputation:low
                                            Process:C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe
                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                            Category:dropped
                                            Size (bytes):5632
                                            Entropy (8bit):3.81812520226775
                                            Encrypted:false
                                            SSDEEP:48:S46+/nTKYKxbWsptIpBtWZ0iV8jAWiAJCvxft2O2B8mFofjLl:zFuPbOBtWZBV8jAWiAJCdv2Cm0L
                                            MD5:68B287F4067BA013E34A1339AFDB1EA8
                                            SHA1:45AD585B3CC8E5A6AF7B68F5D8269C97992130B3
                                            SHA-256:18E8B40BA22C7A1687BD16E8D585380BC2773FFF5002D7D67E9485FCC0C51026
                                            SHA-512:06C38BBB07FB55256F3CDC24E77B3C8F3214F25BFD140B521A39D167113BF307A7E8D24E445D510BC5E4E41D33C9173BB14E3F2A38BC29A0E3D08C1F0DCA4BDB
                                            Malicious:false
                                            Antivirus:
                                            • Antivirus: ReversingLabs, Detection: 0%
                                            Joe Sandbox View:
                                            • Filename: f9GwN5TLpA.hta, Detection: malicious, Browse
                                            • Filename: eDHL.exe, Detection: malicious, Browse
                                            • Filename: eDHL.exe, Detection: malicious, Browse
                                            • Filename: Pepsico Company Profile.exe, Detection: malicious, Browse
                                            • Filename: Pepsico Company Profile.exe, Detection: malicious, Browse
                                            • Filename: SecuriteInfo.com.MSExcel.CVE_2017_0199.G1.exploit.3568.4683.xlsx, Detection: malicious, Browse
                                            • Filename: SecuriteInfo.com.FileRepMalware.11227.27096.exe, Detection: malicious, Browse
                                            • Filename: SecuriteInfo.com.FileRepMalware.11227.27096.exe, Detection: malicious, Browse
                                            • Filename: SecuriteInfo.com.X97M.DownLoader.1509.23983.22740.xlsx, Detection: malicious, Browse
                                            • Filename: SecuriteInfo.com.FileRepMalware.15088.20650.exe, Detection: malicious, Browse
                                            Reputation:moderate, very likely benign file
                                            Process:C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe
                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                            Category:dropped
                                            Size (bytes):12288
                                            Entropy (8bit):5.814115788739565
                                            Encrypted:false
                                            SSDEEP:192:Zjvco0qWTlt70m5Aj/lQ0sEWD/wtYbBHFNaDybC7y+XBz0QPi:FHQlt70mij/lQRv/9VMjzr
                                            MD5:CFF85C549D536F651D4FB8387F1976F2
                                            SHA1:D41CE3A5FF609DF9CF5C7E207D3B59BF8A48530E
                                            SHA-256:8DC562CDA7217A3A52DB898243DE3E2ED68B80E62DDCB8619545ED0B4E7F65A8
                                            SHA-512:531D6328DAF3B86D85556016D299798FA06FEFC81604185108A342D000E203094C8C12226A12BD6E1F89B0DB501FB66F827B610D460B933BD4AB936AC2FD8A88
                                            Malicious:false
                                            Antivirus:
                                            • Antivirus: ReversingLabs, Detection: 0%
                                            Joe Sandbox View:
                                            • Filename: f_00622c.exe, Detection: malicious, Browse
                                            • Filename: , Detection: malicious, Browse
                                            • Filename: 47#U0627.vbs, Detection: malicious, Browse
                                            • Filename: Request for Quotation - sample catalog.vbs, Detection: malicious, Browse
                                            • Filename: 47#U0627.vbs, Detection: malicious, Browse
                                            • Filename: Request for Quotation - sample catalog.vbs, Detection: malicious, Browse
                                            • Filename: tKr6T60C1r.exe, Detection: malicious, Browse
                                            • Filename: #U0423#U0432#U0435#U0434#U043e#U043c#U043b#U0435#U043d#U0438#U0435_#U2116_24357 .exe, Detection: malicious, Browse
                                            • Filename: #U0423#U0432#U0435#U0434#U043e#U043c#U043b#U0435#U043d#U0438#U0435_#U2116_24357 .exe, Detection: malicious, Browse
                                            • Filename: ipscan-3.9.1-setup (1).exe, Detection: malicious, Browse
                                            Reputation:high, very likely benign file
                                            Process:C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe
                                            File Type:PC bitmap, Windows 3.x format, 150 x 57 x 24, image size 25766, resolution 2834 x 2834 px/m, cbSize 25820, bits offset 54
                                            Category:dropped
                                            Size (bytes):25820
                                            Entropy (8bit):3.085809376818384
                                            Encrypted:false
                                            SSDEEP:192:eu3qVJNobSxVeObb4hBZLE9oOAbz3YsShFc:e2qVPrxbP/oOAJN
                                            MD5:EA1BCBB019BB35C193D1805042435A38
                                            SHA1:1F466FDA34754F87FBF564EC012BEA8920CDBA3F
                                            SHA-256:450DA4202CB619E532863A26BA369420EA5D8DF136C3243D4635ECDC83C3EC39
                                            SHA-512:FE256B54EEFC745F531566C3F925CD532B293DA7977D4E193B6D0736F693B831D239AB9A2BDAA3A5EFB2D83295939A9296DBCDFC61B16A1D06A75819FE73EBA7
                                            Malicious:false
                                            Process:C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe
                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                            Category:dropped
                                            Size (bytes):7168
                                            Entropy (8bit):5.298362543684714
                                            Encrypted:false
                                            SSDEEP:96:J9zdzBzMDByZtr/HDQIUIq9m6v6vBckzu9wSBpLEgvElHlernNQaSGYuH2DQ:JykDr/HA5v6G2IElFernNQZGdHW
                                            MD5:675C4948E1EFC929EDCABFE67148EDDD
                                            SHA1:F5BDD2C4329ED2732ECFE3423C3CC482606EB28E
                                            SHA-256:1076CA39C449ED1A968021B76EF31F22A5692DFAFEEA29460E8D970A63C59906
                                            SHA-512:61737021F86F54279D0A4E35DB0D0808E9A55D89784A31D597F2E4B65B7BBEEC99AA6C79D65258259130EEDA2E5B2820F4F1247777A3010F2DC53E30C612A683
                                            Malicious:false
                                            Antivirus:
                                            • Antivirus: ReversingLabs, Detection: 0%
                                            Process:C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe
                                            File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Thu Jun 15 10:44:34 2023, mtime=Thu Sep 12 17:21:29 2024, atime=Thu Jun 15 10:44:34 2023, length=2611648, window=hide
                                            Category:dropped
                                            Size (bytes):1350
                                            Entropy (8bit):4.753873627566255
                                            Encrypted:false
                                            SSDEEP:24:8mz7J2fDolXUptgGczRLx5DUFBAD8lXUAcpu3ao8RZDUFTD8lOb8RZDUFRI5m:8mXJ2fDolutgGczdx5DU8D8ZcI3ao8/p
                                            MD5:2959ED3689BDD5EC7994FD4EA0FBF4E7
                                            SHA1:4321E9DC7617795BA4A9DB1060AADA9994143E83
                                            SHA-256:FDFF41E5E4945E952C6FEA0153E445AFE7DB3C9ACE624DD3DB2EE9C86AADBE52
                                            SHA-512:92718130D8F874F9DF96EA58574B6C2FD10ED9471EC68DB04163835003886C51C41E51FEF272ECD94410D8CAF711C03BDB7CF63E11339DD38D6E778C8392C086
                                            Malicious:false
                                            Process:C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe
                                            File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Thu Sep 12 17:21:29 2024, mtime=Thu Sep 12 17:21:29 2024, atime=Thu Sep 12 17:21:29 2024, length=163369, window=hide
                                            Category:dropped
                                            Size (bytes):1410
                                            Entropy (8bit):4.7354727288557745
                                            Encrypted:false
                                            SSDEEP:24:8mhNNJ2fDolXUptgGczRLx5DUFN3MD8lY1AYpu3a/iP8RZDUFTD8lYHb8RZDUFR7:8mDNJ2fDolutgGczdx5DUHMD8aeYI3aJ
                                            MD5:8CFD2C1DC3B7FD73379CE202DFF08693
                                            SHA1:8FABBD13429D8085F15A1A8F293075D60D1BC843
                                            SHA-256:F8D01037E11A2370AD5EDB75EB3CD0345D6112F2E7F5AD51F39D57CCC4CFAE68
                                            SHA-512:87DDD5918B4EE57F0648578031895D7E92EAE7F6C8FB586657A9AF642607EEED984BB408B96560EF67B2141DDB71E723EDE5174B28FC313B7B2150E1D3480ADD
                                            Malicious:false
                                            Process:C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe
                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                            Category:dropped
                                            Size (bytes):163369
                                            Entropy (8bit):7.361411491018553
                                            Encrypted:false
                                            SSDEEP:3072:JFZoCDi1UE1uvgQYeNYjek4XDmNmLHta09dzo4oGh7K1ibb0wkll0PVxK6S9yl8:JF2d1UqINVTg0KGcKbsf0bK6uQ8
                                            MD5:8DD5778933E2ED5D213EEA9459F332DC
                                            SHA1:26FBA7CCC27D94E86EA21CD1DF743025899C0E50
                                            SHA-256:2D5D35251CEB380C781297AA2D3F31206DD4BB0AAB556761EC4E3B42D3FDDEEC
                                            SHA-512:629C29B5B5DE1D3F6F5E038AAD430DABFC11D333ACCEE8B3196E6995DD4712FBA13AA09D969458EF410AE85D503A02D794DEB855097B0BE7F36DDD758544B64A
                                            Malicious:false
                                            Antivirus:
                                            • Antivirus: ReversingLabs, Detection: 0%
                                            Process:C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe
                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                            Category:dropped
                                            Size (bytes):2611648
                                            Entropy (8bit):7.971383117448041
                                            Encrypted:false
                                            SSDEEP:49152:0frILOClKr1PVn7wJj2ExFDcJd+6iVAATi9EpoNjSfInTcubjnlG68uBshYbD:oILOCSFVnMJKEXkVPEp/aG68uBsQ
                                            MD5:8CD8B27DAB255BA25B5283FB4496709D
                                            SHA1:00EE08878A837F4CE9D08F025DBCA041042AF653
                                            SHA-256:DB0AB43D4018BBC1AA3774CFADFD6304AB4A362CB2ECFD39A04F5028C0D2E89D
                                            SHA-512:527A63976F782DAA00CE77CF981A5B02B13D33F9FDB6C636E2F71BD2738F0BC33C8DC0A9E450B7FC2318200172A6B592E38F830FFE6DB15A075A22D785C7711E
                                            Malicious:true
                                            Antivirus:
                                            • Antivirus: ReversingLabs, Detection: 12%
                                            Process:C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe
                                            File Type:Unicode text, UTF-8 text, with very long lines (457), with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):14226
                                            Entropy (8bit):4.474976705134131
                                            Encrypted:false
                                            SSDEEP:192:Y+vcYGR8xfv7/NI7lhBBi5WqSlEpYcZSSj5BSr4QNu/9u1XqxglWS/dshCSvhWUG:gRCfvOlhXit9pJ5U4Qt04JlGIU/O
                                            MD5:100D4189ECCF072145C5634BCB24CB05
                                            SHA1:26DE3E68A1431103C8956A9A44EF53BE7290ED5E
                                            SHA-256:6DA42184E41FDA8FFCCE1B64541313F991525145311799D96D88E5EAEF9DBA4E
                                            SHA-512:0953D73D8D194969E27F1019C59EEE9E612FB8618A4FDDC43349552D007652312681507D145AF340011405ACCA46BD91764F22B1DD6B7CFE44C3162190725F2B
                                            Malicious:false
                                            Preview:License Contents.... A. Reincubate Software Ltd Terms & Conditions.. B. Droid Font Family Copyright Notice.. C. LED Icon Set Copyright Notice......A. Reincubate Software Ltd Terms & Conditions....Thank you for choosing a Reincubate product or service. Please read the following terms & conditions carefully as they govern your use of our products, services and our websites. Occasionally a particular product or service will require its own specific terms & conditions. If this is the case please read those in addition to these terms.....Terms....In these terms & conditions the following definitions apply:...."We", "us", "our" and "Reincubate" refer to Reincubate Software Ltd, a company registered in England number 5189175....."You" refers to the person or company currently reading these terms & conditions....."Product" or "application" refers to any product developed and sold by Reincubate....."service" refers to any online service provided by Reincubate, whether free or subscript
                                            Process:C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):1717
                                            Entropy (8bit):4.904813470551442
                                            Encrypted:false
                                            SSDEEP:48:n343otV1gLi8LnezOLbzKovvfMywV8LJHM:bP1gLi8r/PLvf2QJs
                                            MD5:630CDF7EADE2819F63EC22D6FA1DE958
                                            SHA1:A744E5494FA0E5654D51763C829BFC4E9E7C0C81
                                            SHA-256:12157EE78C2B851C2859C55091908BB0B4246AD24E5B380AB42E658D26E1512B
                                            SHA-512:511D005DBBFB8EA965588B9EFEFFEF5EA0417C5EF6F0AC41D7EA7A0B8F78D855627F88A206B2DF725CFA34CABF36E092D8B59FB2617CFA7EFB7E3D56BC4FED58
                                            Malicious:false
                                            Preview:BlackBerry Backup Extractor....~ About:....The BlackBerry Backup Extractor can recover contacts, call histories, BBM, MMS, SMS and text messages, calendar entries, memos, app files and data that might otherwise be inaccessible.....The application automatically converts the extracted database into CSV and VCard formats, so they can be easily imported into Excel, Outlook, or Webmail.......~ Features:....Uses all versions of BlackBerry Desktop Software IPD backup files....Works with any BlackBerry device ..(All phone types and also the Blackberry PlayBook)....Will run on any Windows XP, Vista or Windows 7 computer, in 32 or 64-bit mode....Can also run on Linux or OS X computers....Recover data from IPD backups whether you have lost or broken your BlackBerry? Deleted something important? Or run a failed update?....Extract files from the backups BlackBerry Desktop Software automatically makes from your Device....Easy to use software, no technical knowledge required....No spyware or ads....P
                                            Process:C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe
                                            File Type:MS Windows icon resource - 4 icons, 256x256 with PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced, 32 bits/pixel, 48x48, 32 bits/pixel
                                            Category:dropped
                                            Size (bytes):49119
                                            Entropy (8bit):7.330118311356384
                                            Encrypted:false
                                            SSDEEP:768:EK0cb08Zuk75gfVosqln3V5a+1HRG4ad1iBIjz7agp:EK0crszfVoLl3V5Z1xeHuUygp
                                            MD5:528CB601B4BFBF03A5660C88CF813977
                                            SHA1:47FD7BC65370B24405170AAAA4D92E6EA481BDC4
                                            SHA-256:856CA1A97E4B11F5A544A86883796F5A2E6B4C8744607E4EAAA38DF975B65064
                                            SHA-512:E3EA27802A0AA80CCF795CCAFE22035BA9F1549AE012FE7D15D252AFD7C89738BBB61243C8C7DB879C4EE9FBFC1288BA65589BE3A4CDA21A1A2F66DD4E88D6D4
                                            Malicious:false
                                            Process:C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe
                                            File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Thu Jun 15 10:44:34 2023, mtime=Thu Sep 12 17:21:29 2024, atime=Thu Jun 15 10:44:34 2023, length=2611648, window=hide
                                            Category:dropped
                                            Size (bytes):1352
                                            Entropy (8bit):4.752343025776632
                                            Encrypted:false
                                            SSDEEP:24:8mz9J2fDolXUptgGczRLx5DUFBAD8lXUAcpu3a7Vb8RZDUFTD8lOb8RZDUFRI5m:8mRJ2fDolutgGczdx5DU8D8ZcI3a7R8B
                                            MD5:7B4F3143F96B28627B9F42157884A3E1
                                            SHA1:30F71D09BDF263073E15211CDA5362CE95B0613F
                                            SHA-256:B359FD29188D1E0FF0B1A9BDA8BBCD15EE2EF904F5D314D49C1637E74023D44D
                                            SHA-512:CE755BE3D9967DE691C7485BC0C7C1AD4179D8AB36348848B197FC53EBC8CA0DCDF3CC9E285812DF7212D8D31D155614FD036AC0AFD6960D393C262F54E351C5
                                            Malicious:false
                                            Process:C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe
                                            File Type:TrueType Font data, 17 tables, 1st "LTSH", 25 names, Macintosh, Digitized data copyright \251 2006, Google Corporation.Droid SansBoldAscender - Droid Sans BoldV
                                            Category:dropped
                                            Size (bytes):148484
                                            Entropy (8bit):6.5125162403200605
                                            Encrypted:false
                                            SSDEEP:3072:j0M77wfFWtStY60Gn66U2XheFFlG07fOFH/yb/1q6RAg6L:49WYCNIXXgFj7fwfyb/z6L
                                            MD5:CC7B7106612676AC9B4CC5017576F0C0
                                            SHA1:9550ACFB025061AFA6E278F721C4EA5C018374B0
                                            SHA-256:EE9B77A21790BFB0B2DBF2BAE5C590E548BA60215EB2AA230601DAEC3D0FA4AC
                                            SHA-512:A97789C885E3F2F216D032F253CC07B23DD2835852988E8AAC0E1BF265FF730A5E010150ED76FDA9CD8C85BF5FCEE8168A172219CE80141D5F14DBD57A82B26A
                                            Malicious:false
                                            Process:C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe
                                            File Type:TrueType Font data, 17 tables, 1st "LTSH", 25 names, Macintosh, Digitized data copyright \251 2006, Google Corporation.Droid SansRegularAscender - Droid SansVer
                                            Category:dropped
                                            Size (bytes):108796
                                            Entropy (8bit):6.6821115583084625
                                            Encrypted:false
                                            SSDEEP:1536:LPAzMOZingTtTlor4nfboz3q7WK0M0+a5K9mkdyrSsCfEsiavHjs7NGDabv:WTK4M+6bMa5Tvp1aPjs7Ndbv
                                            MD5:205EF3CF1E8C6B008BC74EC0D287199E
                                            SHA1:68C63F287D7A7C132A1E3B1139EC22482EFACDF0
                                            SHA-256:12F0210759B1716B822043A6179047EF5F751A793ABBFDA150B566AE57D83F68
                                            SHA-512:362A46825A2D0B9E2866FB0FF982A98F17144A2A18797F403AD7F43E86B960D8C948A7F0DDC9567C3408CF44B160A0BF65070D504BF893ABF9B75DDC2E08395C
                                            Malicious:false
                                            File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                            Entropy (8bit):7.987090569617577
                                            TrID:
                                            • Win32 Executable (generic) a (10002005/4) 99.96%
                                            • Generic Win/DOS Executable (2004/3) 0.02%
                                            • DOS Executable Generic (2002/1) 0.02%
                                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                            File name:SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe
                                            File size:3'046'224 bytes
                                            MD5:7268329d169f985be48d34007c4fd957
                                            SHA1:c44b9bbb1a384b146e758316532164df963bdb50
                                            SHA256:f1ce6d3956c9ec05c7fdc5cc58828b62e698d9a9b27733b2df03166f9242f2a3
                                            SHA512:d4493e5d48331c8e5a3e2af8ae64b43346f8d0d82e9a5e8421adeb5c262a90a75b7b9497e9fb9327307a632817e2eba1c0724dbe3907b6eda404c597c329242e
                                            SSDEEP:49152:L7aVeL8C5jSd0vWKApi/POWRH7hxdDjYkCcRJEGlTISD9jXP9WDldjcauKdWu:LseL8CVS2v+p2VV9xtHC8DlFLPEHjw4z
                                            TLSH:D4E533407338C10BDEA36E3729A5B5132FF05BC56264977AB35A0F963BB1750CAABD40
                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf.*_9..Pf..Pg.LPf.*_;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L.....Oa.................j.........
                                            Icon Hash:0e1f3b174d23370e
                                            Entrypoint:0x403665
                                            Entrypoint Section:.text
                                            Digitally signed:true
                                            Imagebase:0x400000
                                            Subsystem:windows gui
                                            Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                            Time Stamp:0x614F9B95 [Sat Sep 25 21:58:45 2021 UTC]
                                            TLS Callbacks:
                                            CLR (.Net) Version:
                                            OS Version Major:4
                                            OS Version Minor:0
                                            File Version Major:4
                                            File Version Minor:0
                                            Subsystem Version Major:4
                                            Subsystem Version Minor:0
                                            Import Hash:61259b55b8912888e90f516ca08dc514
                                            Signature Valid:true
                                            Signature Issuer:CN=Sectigo Public Code Signing CA R36, O=Sectigo Limited, C=GB
                                            Signature Validation Error:The operation completed successfully
                                            Error Number:0
                                            Not Before, Not After
                                            • 14/04/2023 02:00:00 14/04/2026 01:59:59
                                            Subject Chain
                                            • CN=Reincubate Limited, O=Reincubate Limited, S=London, C=GB
                                            Version:3
                                            Thumbprint MD5:A408EDF7146B9AE688D31163740598FB
                                            Thumbprint SHA-1:6384649DEB6A53E869CF42BDF6966E0925924863
                                            Thumbprint SHA-256:FD28555BB46CA0D7729232010CE72238599B44B4043F9A8E5913C26980A9AF50
                                            Serial:00D2DF2902998F046489806C134CE087DF
                                            Instruction
                                            push ebp
                                            mov ebp, esp
                                            sub esp, 000003F4h
                                            push ebx
                                            push esi
                                            push edi
                                            push 00000020h
                                            pop edi
                                            xor ebx, ebx
                                            push 00008001h
                                            mov dword ptr [ebp-14h], ebx
                                            mov dword ptr [ebp-04h], 0040A230h
                                            mov dword ptr [ebp-10h], ebx
                                            call dword ptr [004080C8h]
                                            mov esi, dword ptr [004080CCh]
                                            lea eax, dword ptr [ebp-00000140h]
                                            push eax
                                            mov dword ptr [ebp-0000012Ch], ebx
                                            mov dword ptr [ebp-2Ch], ebx
                                            mov dword ptr [ebp-28h], ebx
                                            mov dword ptr [ebp-00000140h], 0000011Ch
                                            call esi
                                            test eax, eax
                                            jne 00007F6F1489F45Ah
                                            lea eax, dword ptr [ebp-00000140h]
                                            mov dword ptr [ebp-00000140h], 00000114h
                                            push eax
                                            call esi
                                            mov ax, word ptr [ebp-0000012Ch]
                                            mov ecx, dword ptr [ebp-00000112h]
                                            sub ax, 00000053h
                                            add ecx, FFFFFFD0h
                                            neg ax
                                            sbb eax, eax
                                            mov byte ptr [ebp-26h], 00000004h
                                            not eax
                                            and eax, ecx
                                            mov word ptr [ebp-2Ch], ax
                                            cmp dword ptr [ebp-0000013Ch], 0Ah
                                            jnc 00007F6F1489F42Ah
                                            and word ptr [ebp-00000132h], 0000h
                                            mov eax, dword ptr [ebp-00000134h]
                                            movzx ecx, byte ptr [ebp-00000138h]
                                            mov dword ptr [00434FF8h], eax
                                            xor eax, eax
                                            mov ah, byte ptr [ebp-0000013Ch]
                                            movzx eax, ax
                                            or eax, ecx
                                            xor ecx, ecx
                                            mov ch, byte ptr [ebp-2Ch]
                                            movzx ecx, cx
                                            shl eax, 10h
                                            or eax, ecx
                                            Programming Language:
                                            • [EXP] VC++ 6.0 SP5 build 8804
                                            Name | Virtual Address | Virtual Size | Is in Section
                                            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8610 | 0xa0 | .rdata
                                            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x51000 | 0x1a280 | .rsrc
                                            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x2e2390 | 0x57c0 |
                                            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2b0 | .rdata
                                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                            Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                            .text | 0x1000 | 0x69e7 | 0x6a00 | 12c53d7ffb6b83e91537cb4b804b29cf | False | 0.6724646226415094 | data | 6.507877508414709 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                            .rdata | 0x8000 | 0x14a6 | 0x1600 | d62f92f8344c212b4300774af029d966 | False | 0.43892045454545453 | data | 5.021834416829947 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                            .data | 0xa000 | 0x2b058 | 0x800 | 6a14c223334afc5fc8671e26593f587f | False | 0.40234375 | data | 3.4211269010192864 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                            .ndata | 0x36000 | 0x1b000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                            .rsrc | 0x51000 | 0x1a280 | 0x1a400 | 03d4e9a1091a0c8c18e409f8d60c6156 | False | 0.7676990327380953 | data | 6.947707826168857 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                            Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                            RT_ICON | 0x51448 | 0x11db3 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9992753524111623
                                            RT_ICON | 0x63200 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | United States | 0.462344398340249
                                            RT_ICON | 0x657a8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | United States | 0.5330675422138836
                                            RT_ICON | 0x66850 | 0xea8 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | United States | 0.21721748400852878
                                            RT_ICON | 0x676f8 | 0x988 | data | English | United States | 0.010245901639344262
                                            RT_ICON | 0x68080 | 0x8a8 | data | English | United States | 0.01128158844765343
                                            RT_ICON | 0x68928 | 0x6c8 | data | English | United States | 0.012672811059907835
                                            RT_ICON | 0x68ff0 | 0x668 | data | English | United States | 0.012804878048780487
                                            RT_ICON | 0x69658 | 0x568 | data | English | United States | 0.014450867052023121
                                            RT_ICON | 0x69bc0 | 0x468 | data | English | United States | 0.015957446808510637
                                            RT_ICON | 0x6a028 | 0x2e8 | data | English | United States | 0.020161290322580645
                                            RT_ICON | 0x6a310 | 0x1e8 | data | English | United States | 0.028688524590163935
                                            RT_ICON | 0x6a4f8 | 0x128 | data | English | United States | 0.04391891891891892
                                            RT_DIALOG | 0x6a620 | 0xb4 | data | English | United States | 0.6111111111111112
                                            RT_DIALOG | 0x6a6d8 | 0x200 | data | English | United States | 0.40234375
                                            RT_DIALOG | 0x6a8d8 | 0xf8 | data | English | United States | 0.6290322580645161
                                            RT_DIALOG | 0x6a9d0 | 0xee | data | English | United States | 0.6302521008403361
                                            RT_GROUP_ICON | 0x6aac0 | 0xbc | Targa image data - Map 32 x 7603 x 1 +1 | English | United States | 0.28191489361702127
                                            RT_VERSION | 0x6ab80 | 0x2cc | data | English | United States | 0.44972067039106145
                                            RT_MANIFEST | 0x6ae50 | 0x42e | XML 1.0 document, ASCII text, with very long lines (1070), with no line terminators | English | United States | 0.5130841121495328
                                            DLL | Import
                                            ADVAPI32.dll | RegCreateKeyExW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, SetFileSecurityW, RegOpenKeyExW, RegEnumValueW
                                            SHELL32.dll | SHGetSpecialFolderLocation, SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW, ShellExecuteExW, SHGetFileInfoW
                                            ole32.dll | OleInitialize, OleUninitialize, CoCreateInstance, IIDFromString, CoTaskMemFree
                                            COMCTL32.dll | ImageList_Create, ImageList_Destroy, ImageList_AddMasked
                                            USER32.dll | GetClientRect, EndPaint, DrawTextW, IsWindowEnabled, DispatchMessageW, wsprintfA, CharNextA, CharPrevW, MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, GetSystemMetrics, FillRect, AppendMenuW, TrackPopupMenu, OpenClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, PeekMessageW, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, EmptyClipboard, CreatePopupMenu
                                            GDI32.dll | SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectW, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
                                            KERNEL32.dll | GetExitCodeProcess, WaitForSingleObject, GetModuleHandleA, GetProcAddress, GetSystemDirectoryW, lstrcatW, Sleep, lstrcpyA, WriteFile, GetTempFileNameW, lstrcmpiA, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, SetEnvironmentVariableW, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, CreateFileW, GetTickCount, MulDiv, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, MoveFileExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW
                                            Language of compilation system | Country where language is spoken | Map
                                            English | United States |
                                            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                            Sep 12, 2024 20:21:51.822254896 CEST | 192.168.2.6 | 1.1.1.1 | 0xb5b5 | Standard query (0) | uds.reincubate.com | A (IP address) | IN (0x0001) | false
                                            Sep 12, 2024 20:21:51.982045889 CEST | 192.168.2.6 | 1.1.1.1 | 0x8fc2 | Standard query (0) | uds.reincubate.com | 16 | IN (0x0001) | false
                                            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                            Sep 12, 2024 20:21:51.829935074 CEST | 1.1.1.1 | 192.168.2.6 | 0xb5b5 | No error (0) | uds.reincubate.com | | 104.26.7.161 | A (IP address) | IN (0x0001) | false
                                            Sep 12, 2024 20:21:51.829935074 CEST | 1.1.1.1 | 192.168.2.6 | 0xb5b5 | No error (0) | uds.reincubate.com | | 104.26.6.161 | A (IP address) | IN (0x0001) | false
                                            Sep 12, 2024 20:21:51.829935074 CEST | 1.1.1.1 | 192.168.2.6 | 0xb5b5 | No error (0) | uds.reincubate.com | | 172.67.75.19 | A (IP address) | IN (0x0001) | false
                                            Sep 12, 2024 20:21:52.000319004 CEST | 1.1.1.1 | 192.168.2.6 | 0x8fc2 | No error (0) | uds.reincubate.com | | | TXT (Text strings) | IN (0x0001) | false
                                            • uds.reincubate.com
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
| --- | --- | --- | --- | --- | --- | --- |
| 0 | 192.168.2.6 | 64531 | 104.26.7.161 | 443 | 420 | C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe |

Timestamp | Bytes transferred | Direction | Data
2024-09-12 18:21:52 UTC | 129 | OUT | GET /latest-version/D306C1B115846349DC76/ HTTP/1.1
                                            User-Agent: bbbe-2.0.8.5-1-1
                                            Host: uds.reincubate.com
                                            Connection: Close
2024-09-12 18:21:52 UTC | 649 | IN | HTTP/1.1 200 OK
                                            Date: Thu, 12 Sep 2024 18:21:52 GMT
                                            Content-Type: application/json
                                            Transfer-Encoding: chunked
                                            Connection: close
                                            vary: Origin
                                            via: 1.1 google
                                            alt-svc: h3=":443"; ma=86400
                                            CF-Cache-Status: DYNAMIC
                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VrqPiWhk2%2BCSIBzjU1%2BuKJaDfwFoz%2BrB%2FUrxDFbBYCu6ShNRAuXh8TYJneV8F71HUAahypIkaUhNPMmy1QqEKbS9y00vWzHSOSTCHtHGiQJSzVZYOIZm7SpMnrtjJp8LaUHxRw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                            Strict-Transport-Security: max-age=2592000
                                            Server: cloudflare
                                            CF-RAY: 8c21eb753c5341d3-EWR
2024-09-12 18:21:52 UTC | 720 | IN | Data Ascii: 414{ "action": "notify_if_newer", "version": "2.0.6.2", "url": "https://reincubate.com/res/labs/bbbe/bbbe-latest.exe", "message": "", "release_notes": "<html><body>\n<style>\n h3, li, p { font-family: arial; }\n li, p { color: #656
2024-09-12 18:21:52 UTC | 331 | IN | Data Ascii: ground: #21728B; }\n span.improvement { background: #3CBEBA; }\n</style></body></html>", "config": {}, "status": { "icloud": "System status: real-time <font color=\"#74DD74\">\u273a</font> See <a href=\"https://www.reincubate.com/support/
2024-09-12 18:21:52 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                            Data Ascii: 0


                                            Target ID:0
                                            Start time:14:21:24
                                            Start date:12/09/2024
                                            Path:C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe"
                                            Imagebase:0x400000
                                            File size:3'046'224 bytes
                                            MD5 hash:7268329D169F985BE48D34007C4FD957
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:low
                                            Has exited:true

                                            Target ID:2
                                            Start time:14:21:29
                                            Start date:12/09/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:"cmd.exe" /c taskkill /f /im "BlackBerryBackupExtractor.exe"
                                            Imagebase:0x1c0000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:3
                                            Start time:14:21:29
                                            Start date:12/09/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff66e660000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:4
                                            Start time:14:21:29
                                            Start date:12/09/2024
                                            Path:C:\Windows\SysWOW64\taskkill.exe
                                            Wow64 process (32bit):true
                                            Commandline:taskkill /f /im "BlackBerryBackupExtractor.exe"
                                            Imagebase:0x3f0000
                                            File size:74'240 bytes
                                            MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:moderate
                                            Has exited:true

                                            Target ID:6
                                            Start time:14:21:29
                                            Start date:12/09/2024
                                            Path:C:\Windows\explorer.exe
                                            Wow64 process (32bit):false
                                            Commandline:"C:\Windows\explorer.exe" C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe
                                            Imagebase:0x7ff609140000
                                            File size:5'141'208 bytes
                                            MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:8
                                            Start time:14:21:30
                                            Start date:12/09/2024
                                            Path:C:\Windows\explorer.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
                                            Imagebase:0x7ff609140000
                                            File size:5'141'208 bytes
                                            MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:9
                                            Start time:14:21:30
                                            Start date:12/09/2024
                                            Path:C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe"
                                            Imagebase:0x6d0000
                                            File size:2'611'648 bytes
                                            MD5 hash:8CD8B27DAB255BA25B5283FB4496709D
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Antivirus matches:
                                            • Detection: 12%, ReversingLabs
                                            Reputation:low
                                            Has exited:false


                                              Execution Graph

                                              Execution Coverage:31.4%
                                              Dynamic/Decrypted Code Coverage:0%
                                              Signature Coverage:16.5%
                                              Total number of Nodes:1356
                                              Total number of Limit Nodes:39
SetFilePointer 3482->3485 3483->3457 3483->3458 3484->3482 3485->3475 3486->3479 3488 404026 3487->3488 3504 4065d4 wsprintfW 3488->3504 3490 404097 3505 4040cb 3490->3505 3492 403dc7 3492->3374 3493 40409c 3493->3492 3494 4066ca 17 API calls 3493->3494 3494->3493 3508 404635 3495->3508 3497 4057e5 3501 40580c 3497->3501 3511 401389 3497->3511 3498 404635 SendMessageW 3499 40581e CoUninitialize 3498->3499 3499->3407 3501->3498 3502->3370 3503->3376 3504->3490 3506 4066ca 17 API calls 3505->3506 3507 4040d9 SetWindowTextW 3506->3507 3507->3493 3509 40464d 3508->3509 3510 40463e SendMessageW 3508->3510 3509->3497 3510->3509 3513 401390 3511->3513 3512 4013fe 3512->3497 3513->3512 3514 4013cb MulDiv SendMessageW 3513->3514 3514->3513 4164 401968 4165 402d84 17 API calls 4164->4165 4166 40196f 4165->4166 4167 402d84 17 API calls 4166->4167 4168 40197c 4167->4168 4169 402da6 17 API calls 4168->4169 4170 401993 lstrlenW 4169->4170 4172 4019a4 4170->4172 4171 4019e5 4172->4171 4176 40668d lstrcpynW 4172->4176 4174 4019d5 4174->4171 4175 4019da lstrlenW 4174->4175 4175->4171 4176->4174 3586 4040ea 3587 404102 3586->3587 3588 404263 3586->3588 3587->3588 3589 40410e 3587->3589 3590 4042b4 3588->3590 3591 404274 GetDlgItem GetDlgItem 3588->3591 3593 404119 SetWindowPos 3589->3593 3594 40412c 3589->3594 3592 40430e 3590->3592 3600 401389 2 API calls 3590->3600 3595 4045e9 18 API calls 3591->3595 3596 404635 SendMessageW 3592->3596 3613 40425e 3592->3613 3593->3594 3597 404135 ShowWindow 3594->3597 3598 404177 3594->3598 3599 40429e SetClassLongW 3595->3599 3626 404320 3596->3626 3601 404250 3597->3601 3602 404155 GetWindowLongW 3597->3602 3603 404196 3598->3603 3604 40417f DestroyWindow 3598->3604 3605 40140b 2 API calls 3599->3605 3608 4042e6 3600->3608 3609 404650 8 API calls 3601->3609 3602->3601 3610 40416e ShowWindow 3602->3610 3606 40419b SetWindowLongW 3603->3606 3607 4041ac 3603->3607 3658 404572 3604->3658 3605->3590 3606->3613 3607->3601 3611 4041b8 GetDlgItem 
3607->3611 3608->3592 3612 4042ea SendMessageW 3608->3612 3609->3613 3610->3598 3616 4041e6 3611->3616 3617 4041c9 SendMessageW IsWindowEnabled 3611->3617 3612->3613 3614 40140b 2 API calls 3614->3626 3615 404574 DestroyWindow KiUserCallbackDispatcher 3615->3658 3620 4041f3 3616->3620 3623 40423a SendMessageW 3616->3623 3624 404206 3616->3624 3632 4041eb 3616->3632 3617->3613 3617->3616 3618 4045a3 ShowWindow 3618->3613 3619 4066ca 17 API calls 3619->3626 3620->3623 3620->3632 3622 4045e9 18 API calls 3622->3626 3623->3601 3627 404223 3624->3627 3628 40420e 3624->3628 3625 404221 3625->3601 3626->3613 3626->3614 3626->3615 3626->3619 3626->3622 3633 4045e9 18 API calls 3626->3633 3649 4044b4 DestroyWindow 3626->3649 3629 40140b 2 API calls 3627->3629 3630 40140b 2 API calls 3628->3630 3631 40422a 3629->3631 3630->3632 3631->3601 3631->3632 3662 4045c2 3632->3662 3634 40439b GetDlgItem 3633->3634 3635 4043b0 3634->3635 3636 4043b8 ShowWindow KiUserCallbackDispatcher 3634->3636 3635->3636 3659 40460b KiUserCallbackDispatcher 3636->3659 3638 4043e2 KiUserCallbackDispatcher 3642 4043f6 3638->3642 3639 4043fb GetSystemMenu EnableMenuItem SendMessageW 3640 40442b SendMessageW 3639->3640 3639->3642 3640->3642 3642->3639 3643 4040cb 18 API calls 3642->3643 3660 40461e SendMessageW 3642->3660 3661 40668d lstrcpynW 3642->3661 3643->3642 3645 40445a lstrlenW 3646 4066ca 17 API calls 3645->3646 3647 404470 SetWindowTextW 3646->3647 3648 401389 2 API calls 3647->3648 3648->3626 3650 4044ce CreateDialogParamW 3649->3650 3649->3658 3651 404501 3650->3651 3650->3658 3652 4045e9 18 API calls 3651->3652 3653 40450c GetDlgItem GetWindowRect ScreenToClient SetWindowPos 3652->3653 3654 401389 2 API calls 3653->3654 3655 404552 3654->3655 3655->3613 3656 40455a ShowWindow 3655->3656 3657 404635 SendMessageW 3656->3657 3657->3658 3658->3613 3658->3618 3659->3638 3660->3642 3661->3645 3663 4045c9 3662->3663 3664 4045cf SendMessageW 3662->3664 3663->3664 3664->3625 4177 40166a 4178 402da6 
17 API calls 4177->4178 4179 401670 4178->4179 4180 4069c3 2 API calls 4179->4180 4181 401676 4180->4181 4182 402aeb 4183 402d84 17 API calls 4182->4183 4184 402af1 4183->4184 4185 4066ca 17 API calls 4184->4185 4186 40292e 4184->4186 4185->4186 4187 4026ec 4188 402d84 17 API calls 4187->4188 4195 4026fb 4188->4195 4189 402745 ReadFile 4189->4195 4199 402838 4189->4199 4190 406200 ReadFile 4190->4195 4192 402785 MultiByteToWideChar 4192->4195 4193 40283a 4209 4065d4 wsprintfW 4193->4209 4195->4189 4195->4190 4195->4192 4195->4193 4196 4027ab SetFilePointer MultiByteToWideChar 4195->4196 4197 40284b 4195->4197 4195->4199 4200 40625e SetFilePointer 4195->4200 4196->4195 4198 40286c SetFilePointer 4197->4198 4197->4199 4198->4199 4201 40627a 4200->4201 4208 406292 4200->4208 4202 406200 ReadFile 4201->4202 4203 406286 4202->4203 4204 4062c3 SetFilePointer 4203->4204 4205 40629b SetFilePointer 4203->4205 4203->4208 4204->4208 4205->4204 4206 4062a6 4205->4206 4207 40622f WriteFile 4206->4207 4207->4208 4208->4195 4209->4199 3782 40176f 3783 402da6 17 API calls 3782->3783 3784 401776 3783->3784 3785 401796 3784->3785 3786 40179e 3784->3786 3821 40668d lstrcpynW 3785->3821 3822 40668d lstrcpynW 3786->3822 3789 40179c 3793 406914 5 API calls 3789->3793 3790 4017a9 3791 405f5c 3 API calls 3790->3791 3792 4017af lstrcatW 3791->3792 3792->3789 3797 4017bb 3793->3797 3794 4069c3 2 API calls 3794->3797 3795 406158 2 API calls 3795->3797 3797->3794 3797->3795 3798 4017cd CompareFileTime 3797->3798 3799 40188d 3797->3799 3800 401864 3797->3800 3803 40668d lstrcpynW 3797->3803 3808 4066ca 17 API calls 3797->3808 3818 405ced MessageBoxIndirectW 3797->3818 3820 40617d GetFileAttributesW CreateFileW 3797->3820 3798->3797 3801 4056ef 24 API calls 3799->3801 3802 4056ef 24 API calls 3800->3802 3811 401879 3800->3811 3804 401897 3801->3804 3802->3811 3803->3797 3805 403396 40 API calls 3804->3805 3806 4018aa 3805->3806 3807 4018be SetFileTime 3806->3807 3809 4018d0 CloseHandle 
3806->3809 3807->3809 3808->3797 3810 4018e1 3809->3810 3809->3811 3812 4018e6 3810->3812 3813 4018f9 3810->3813 3814 4066ca 17 API calls 3812->3814 3815 4066ca 17 API calls 3813->3815 3816 4018ee lstrcatW 3814->3816 3817 401901 3815->3817 3816->3817 3819 405ced MessageBoxIndirectW 3817->3819 3818->3797 3819->3811 3820->3797 3821->3789 3822->3790 4210 401a72 4211 402d84 17 API calls 4210->4211 4212 401a7b 4211->4212 4213 402d84 17 API calls 4212->4213 4214 401a20 4213->4214 4215 401573 4216 401583 ShowWindow 4215->4216 4217 40158c 4215->4217 4216->4217 4218 402c2a 4217->4218 4219 40159a ShowWindow 4217->4219 4219->4218 4220 4023f4 4221 402da6 17 API calls 4220->4221 4222 402403 4221->4222 4223 402da6 17 API calls 4222->4223 4224 40240c 4223->4224 4225 402da6 17 API calls 4224->4225 4226 402416 GetPrivateProfileStringW 4225->4226 4227 4014f5 SetForegroundWindow 4228 402c2a 4227->4228 4229 401ff6 4230 402da6 17 API calls 4229->4230 4231 401ffd 4230->4231 4232 4069c3 2 API calls 4231->4232 4233 402003 4232->4233 4235 402014 4233->4235 4236 4065d4 wsprintfW 4233->4236 4236->4235 4237 401b77 4238 402da6 17 API calls 4237->4238 4239 401b7e 4238->4239 4240 402d84 17 API calls 4239->4240 4241 401b87 wsprintfW 4240->4241 4242 402c2a 4241->4242 4243 403cfa 4244 403d05 4243->4244 4245 403d0c GlobalAlloc 4244->4245 4246 403d09 4244->4246 4245->4246 4247 40167b 4248 402da6 17 API calls 4247->4248 4249 401682 4248->4249 4250 402da6 17 API calls 4249->4250 4251 40168b 4250->4251 4252 402da6 17 API calls 4251->4252 4253 401694 MoveFileW 4252->4253 4254 4016a0 4253->4254 4255 4016a7 4253->4255 4256 401423 24 API calls 4254->4256 4257 4069c3 2 API calls 4255->4257 4259 4022f6 4255->4259 4256->4259 4258 4016b6 4257->4258 4258->4259 4260 40644d 36 API calls 4258->4260 4260->4254 4261 4019ff 4262 402da6 17 API calls 4261->4262 4263 401a06 4262->4263 4264 402da6 17 API calls 4263->4264 4265 401a0f 4264->4265 4266 401a16 lstrcmpiW 4265->4266 4267 401a28 lstrcmpW 4265->4267 4268 401a1c 
4266->4268 4267->4268 4269 4022ff 4270 402da6 17 API calls 4269->4270 4271 402305 4270->4271 4272 402da6 17 API calls 4271->4272 4273 40230e 4272->4273 4274 402da6 17 API calls 4273->4274 4275 402317 4274->4275 4276 4069c3 2 API calls 4275->4276 4277 402320 4276->4277 4278 402331 lstrlenW lstrlenW 4277->4278 4279 402324 4277->4279 4281 4056ef 24 API calls 4278->4281 4280 4056ef 24 API calls 4279->4280 4283 40232c 4279->4283 4280->4283 4282 40236f SHFileOperationW 4281->4282 4282->4279 4282->4283 4284 401000 4285 401037 BeginPaint GetClientRect 4284->4285 4286 40100c DefWindowProcW 4284->4286 4288 4010f3 4285->4288 4291 401179 4286->4291 4289 401073 CreateBrushIndirect FillRect DeleteObject 4288->4289 4290 4010fc 4288->4290 4289->4288 4292 401102 CreateFontIndirectW 4290->4292 4293 401167 EndPaint 4290->4293 4292->4293 4294 401112 6 API calls 4292->4294 4293->4291 4294->4293 3168 401d81 3169 401d94 GetDlgItem 3168->3169 3170 401d87 3168->3170 3172 401d8e 3169->3172 3179 402d84 3170->3179 3173 401dd5 GetClientRect LoadImageW SendMessageW 3172->3173 3174 402da6 17 API calls 3172->3174 3176 401e33 3173->3176 3178 401e3f 3173->3178 3174->3173 3177 401e38 DeleteObject 3176->3177 3176->3178 3177->3178 3180 4066ca 17 API calls 3179->3180 3181 402d99 3180->3181 3181->3172 4295 401503 4296 40150b 4295->4296 4298 40151e 4295->4298 4297 402d84 17 API calls 4296->4297 4297->4298 4299 402383 4300 40238a 4299->4300 4303 40239d 4299->4303 4301 4066ca 17 API calls 4300->4301 4302 402397 4301->4302 4304 405ced MessageBoxIndirectW 4302->4304 4304->4303 4305 402c05 SendMessageW 4306 402c1f InvalidateRect 4305->4306 4307 402c2a 4305->4307 4306->4307 3665 40248a 3666 402da6 17 API calls 3665->3666 3667 40249c 3666->3667 3668 402da6 17 API calls 3667->3668 3669 4024a6 3668->3669 3682 402e36 3669->3682 3672 40292e 3673 4024de 3675 4024ea 3673->3675 3677 402d84 17 API calls 3673->3677 3674 402da6 17 API calls 3676 4024d4 lstrlenW 3674->3676 3678 402509 RegSetValueExW 3675->3678 3679 403396 
40 API calls 3675->3679 3676->3673 3677->3675 3680 40251f RegCloseKey 3678->3680 3679->3678 3680->3672 3683 402e51 3682->3683 3686 406528 3683->3686 3687 406537 3686->3687 3688 406542 RegCreateKeyExW 3687->3688 3689 4024b6 3687->3689 3688->3689 3689->3672 3689->3673 3689->3674 3723 40290b 3724 402da6 17 API calls 3723->3724 3725 402912 FindFirstFileW 3724->3725 3726 40293a 3725->3726 3730 402925 3725->3730 3731 4065d4 wsprintfW 3726->3731 3728 402943 3732 40668d lstrcpynW 3728->3732 3731->3728 3732->3730 4308 40190c 4309 401943 4308->4309 4310 402da6 17 API calls 4309->4310 4311 401948 4310->4311 4312 405d99 67 API calls 4311->4312 4313 401951 4312->4313 4314 40190f 4315 402da6 17 API calls 4314->4315 4316 401916 4315->4316 4317 405ced MessageBoxIndirectW 4316->4317 4318 40191f 4317->4318 3853 402891 3854 402898 3853->3854 3856 402ba9 3853->3856 3855 402d84 17 API calls 3854->3855 3857 40289f 3855->3857 3858 4028ae SetFilePointer 3857->3858 3858->3856 3859 4028be 3858->3859 3861 4065d4 wsprintfW 3859->3861 3861->3856 4319 401491 4320 4056ef 24 API calls 4319->4320 4321 401498 4320->4321 4322 401f12 4323 402da6 17 API calls 4322->4323 4324 401f18 4323->4324 4325 402da6 17 API calls 4324->4325 4326 401f21 4325->4326 4327 402da6 17 API calls 4326->4327 4328 401f2a 4327->4328 4329 402da6 17 API calls 4328->4329 4330 401f33 4329->4330 4331 401423 24 API calls 4330->4331 4332 401f3a 4331->4332 4339 405cb3 ShellExecuteExW 4332->4339 4334 401f82 4335 406b05 5 API calls 4334->4335 4337 40292e 4334->4337 4336 401f9f CloseHandle 4335->4336 4336->4337 4339->4334 4340 402f93 4341 402fa5 SetTimer 4340->4341 4342 402fbe 4340->4342 4341->4342 4343 40300c 4342->4343 4344 403012 MulDiv 4342->4344 4345 402fcc wsprintfW SetWindowTextW SetDlgItemTextW 4344->4345 4345->4343 4347 404a93 4348 404aa3 4347->4348 4349 404ac9 4347->4349 4350 4045e9 18 API calls 4348->4350 4351 404650 8 API calls 4349->4351 4353 404ab0 SetDlgItemTextW 4350->4353 4352 404ad5 4351->4352 4353->4349 4354 401d17 
4355 402d84 17 API calls 4354->4355 4356 401d1d IsWindow 4355->4356 4357 401a20 4356->4357 3894 401b9b 3895 401ba8 3894->3895 3896 401bec 3894->3896 3897 401c31 3895->3897 3902 401bbf 3895->3902 3898 401bf1 3896->3898 3899 401c16 GlobalAlloc 3896->3899 3901 4066ca 17 API calls 3897->3901 3908 40239d 3897->3908 3898->3908 3913 40668d lstrcpynW 3898->3913 3900 4066ca 17 API calls 3899->3900 3900->3897 3903 402397 3901->3903 3914 40668d lstrcpynW 3902->3914 3909 405ced MessageBoxIndirectW 3903->3909 3906 401c03 GlobalFree 3906->3908 3907 401bce 3915 40668d lstrcpynW 3907->3915 3909->3908 3911 401bdd 3916 40668d lstrcpynW 3911->3916 3913->3906 3914->3907 3915->3911 3916->3908 4358 40261c 4359 402da6 17 API calls 4358->4359 4360 402623 4359->4360 4363 40617d GetFileAttributesW CreateFileW 4360->4363 4362 40262f 4363->4362 3930 40259e 3931 402de6 17 API calls 3930->3931 3932 4025a8 3931->3932 3933 402d84 17 API calls 3932->3933 3934 4025b1 3933->3934 3935 4025d9 RegEnumValueW 3934->3935 3936 4025cd RegEnumKeyW 3934->3936 3937 40292e 3934->3937 3938 4025f5 RegCloseKey 3935->3938 3939 4025ee 3935->3939 3936->3938 3938->3937 3939->3938 4364 40149e 4365 4014ac PostQuitMessage 4364->4365 4366 40239d 4364->4366 4365->4366 4367 40471f lstrcpynW lstrlenW 4368 4015a3 4369 402da6 17 API calls 4368->4369 4370 4015aa SetFileAttributesW 4369->4370 4371 4015bc 4370->4371 3204 401fa4 3205 402da6 17 API calls 3204->3205 3206 401faa 3205->3206 3207 4056ef 24 API calls 3206->3207 3208 401fb4 3207->3208 3217 405c70 CreateProcessW 3208->3217 3211 401fdd CloseHandle 3215 40292e 3211->3215 3214 401fcf 3214->3211 3225 4065d4 wsprintfW 3214->3225 3218 405ca3 CloseHandle 3217->3218 3219 401fba 3217->3219 3218->3219 3219->3211 3219->3215 3220 406b05 WaitForSingleObject 3219->3220 3221 406b1f 3220->3221 3222 406b31 GetExitCodeProcess 3221->3222 3226 406a96 3221->3226 3222->3214 3225->3211 3227 406ab3 PeekMessageW 3226->3227 3228 406ac3 WaitForSingleObject 3227->3228 3229 406aa9 DispatchMessageW 
3227->3229 3228->3221 3229->3227 3515 4047a8 3516 4047c0 3515->3516 3520 4048da 3515->3520 3546 4045e9 3516->3546 3517 404944 3518 404a0e 3517->3518 3519 40494e GetDlgItem 3517->3519 3558 404650 3518->3558 3525 404968 3519->3525 3526 4049cf 3519->3526 3520->3517 3520->3518 3522 404915 GetDlgItem SendMessageW 3520->3522 3551 40460b KiUserCallbackDispatcher 3522->3551 3523 404827 3528 4045e9 18 API calls 3523->3528 3525->3526 3530 40498e SendMessageW LoadCursorW SetCursor 3525->3530 3526->3518 3531 4049e1 3526->3531 3535 404834 CheckDlgButton 3528->3535 3529 404a09 3555 404a57 3530->3555 3532 4049f7 3531->3532 3533 4049e7 SendMessageW 3531->3533 3532->3529 3537 4049fd SendMessageW 3532->3537 3533->3532 3534 40493f 3552 404a33 3534->3552 3549 40460b KiUserCallbackDispatcher 3535->3549 3537->3529 3541 404852 GetDlgItem 3550 40461e SendMessageW 3541->3550 3543 404868 SendMessageW 3544 404885 GetSysColor 3543->3544 3545 40488e SendMessageW SendMessageW lstrlenW SendMessageW SendMessageW 3543->3545 3544->3545 3545->3529 3547 4066ca 17 API calls 3546->3547 3548 4045f4 SetDlgItemTextW 3547->3548 3548->3523 3549->3541 3550->3543 3551->3534 3553 404a41 3552->3553 3554 404a46 SendMessageW 3552->3554 3553->3554 3554->3517 3572 405cb3 ShellExecuteExW 3555->3572 3557 4049bd LoadCursorW SetCursor 3557->3526 3559 404713 3558->3559 3560 404668 GetWindowLongW 3558->3560 3559->3529 3560->3559 3561 40467d 3560->3561 3561->3559 3562 4046aa GetSysColor 3561->3562 3563 4046ad 3561->3563 3562->3563 3564 4046b3 SetTextColor 3563->3564 3565 4046bd SetBkMode 3563->3565 3564->3565 3566 4046d5 GetSysColor 3565->3566 3567 4046db 3565->3567 3566->3567 3568 4046e2 SetBkColor 3567->3568 3569 4046ec 3567->3569 3568->3569 3569->3559 3570 404706 CreateBrushIndirect 3569->3570 3571 4046ff DeleteObject 3569->3571 3570->3559 3571->3570 3572->3557 3690 4021aa 3691 402da6 17 API calls 3690->3691 3692 4021b1 3691->3692 3693 402da6 17 API calls 3692->3693 3694 4021bb 3693->3694 3695 402da6 17 API calls 
3694->3695 3696 4021c5 3695->3696 3697 402da6 17 API calls 3696->3697 3698 4021cf 3697->3698 3699 402da6 17 API calls 3698->3699 3700 4021d9 3699->3700 3701 402218 CoCreateInstance 3700->3701 3702 402da6 17 API calls 3700->3702 3705 402237 3701->3705 3702->3701 3703 401423 24 API calls 3704 4022f6 3703->3704 3705->3703 3705->3704 3706 40252a 3717 402de6 3706->3717 3709 402da6 17 API calls 3710 40253d 3709->3710 3711 402548 RegQueryValueExW 3710->3711 3716 40292e 3710->3716 3712 40256e RegCloseKey 3711->3712 3713 402568 3711->3713 3712->3716 3713->3712 3722 4065d4 wsprintfW 3713->3722 3718 402da6 17 API calls 3717->3718 3719 402dfd 3718->3719 3720 4064fa RegOpenKeyExW 3719->3720 3721 402534 3720->3721 3721->3709 3722->3712 4372 40202a 4373 402da6 17 API calls 4372->4373 4374 402031 4373->4374 4375 406a5a 5 API calls 4374->4375 4376 402040 4375->4376 4377 4020cc 4376->4377 4378 40205c GlobalAlloc 4376->4378 4378->4377 4379 402070 4378->4379 4380 406a5a 5 API calls 4379->4380 4381 402077 4380->4381 4382 406a5a 5 API calls 4381->4382 4383 402081 4382->4383 4383->4377 4387 4065d4 wsprintfW 4383->4387 4385 4020ba 4388 4065d4 wsprintfW 4385->4388 4387->4385 4388->4377 3733 40582e 3734 4059d8 3733->3734 3735 40584f GetDlgItem GetDlgItem GetDlgItem 3733->3735 3737 4059e1 GetDlgItem CreateThread CloseHandle 3734->3737 3738 405a09 3734->3738 3778 40461e SendMessageW 3735->3778 3737->3738 3781 4057c2 5 API calls 3737->3781 3740 405a34 3738->3740 3741 405a20 ShowWindow ShowWindow 3738->3741 3742 405a59 3738->3742 3739 4058bf 3744 4058c6 GetClientRect GetSystemMetrics SendMessageW SendMessageW 3739->3744 3743 405a94 3740->3743 3746 405a48 3740->3746 3747 405a6e ShowWindow 3740->3747 3780 40461e SendMessageW 3741->3780 3748 404650 8 API calls 3742->3748 3743->3742 3754 405aa2 SendMessageW 3743->3754 3752 405934 3744->3752 3753 405918 SendMessageW SendMessageW 3744->3753 3755 4045c2 SendMessageW 3746->3755 3750 405a80 3747->3750 3751 405a8e 3747->3751 3749 405a67 3748->3749 3756 
4056ef 24 API calls 3750->3756 3757 4045c2 SendMessageW 3751->3757 3758 405947 3752->3758 3759 405939 SendMessageW 3752->3759 3753->3752 3754->3749 3760 405abb CreatePopupMenu 3754->3760 3755->3742 3756->3751 3757->3743 3762 4045e9 18 API calls 3758->3762 3759->3758 3761 4066ca 17 API calls 3760->3761 3763 405acb AppendMenuW 3761->3763 3764 405957 3762->3764 3765 405ae8 GetWindowRect 3763->3765 3766 405afb TrackPopupMenu 3763->3766 3767 405960 ShowWindow 3764->3767 3768 405994 GetDlgItem SendMessageW 3764->3768 3765->3766 3766->3749 3770 405b16 3766->3770 3771 405976 ShowWindow 3767->3771 3772 405983 3767->3772 3768->3749 3769 4059bb SendMessageW SendMessageW 3768->3769 3769->3749 3773 405b32 SendMessageW 3770->3773 3771->3772 3779 40461e SendMessageW 3772->3779 3773->3773 3774 405b4f OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 3773->3774 3776 405b74 SendMessageW 3774->3776 3776->3776 3777 405b9d GlobalUnlock SetClipboardData CloseClipboard 3776->3777 3777->3749 3778->3739 3779->3768 3780->3740 4389 404e30 4390 404e40 4389->4390 4391 404e5c 4389->4391 4400 405cd1 GetDlgItemTextW 4390->4400 4392 404e62 SHGetPathFromIDListW 4391->4392 4393 404e8f 4391->4393 4395 404e79 SendMessageW 4392->4395 4396 404e72 4392->4396 4395->4393 4398 40140b 2 API calls 4396->4398 4397 404e4d SendMessageW 4397->4391 4398->4395 4400->4397 4401 401a30 4402 402da6 17 API calls 4401->4402 4403 401a39 ExpandEnvironmentStringsW 4402->4403 4404 401a4d 4403->4404 4406 401a60 4403->4406 4405 401a52 lstrcmpW 4404->4405 4404->4406 4405->4406 4412 4023b2 4413 4023c0 4412->4413 4414 4023ba 4412->4414 4416 402da6 17 API calls 4413->4416 4419 4023ce 4413->4419 4415 402da6 17 API calls 4414->4415 4415->4413 4416->4419 4417 402da6 17 API calls 4420 4023dc 4417->4420 4418 402da6 17 API calls 4421 4023e5 WritePrivateProfileStringW 4418->4421 4419->4417 4419->4420 4420->4418 3862 405cb3 ShellExecuteExW 4422 402434 4423 402467 4422->4423 4424 40243c 4422->4424 4426 402da6 17 API calls 4423->4426 4425 
402de6 17 API calls 4424->4425 4428 402443 4425->4428 4427 40246e 4426->4427 4433 402e64 4427->4433 4430 402da6 17 API calls 4428->4430 4431 40247b 4428->4431 4432 402454 RegDeleteValueW RegCloseKey 4430->4432 4432->4431 4434 402e71 4433->4434 4435 402e78 4433->4435 4434->4431 4435->4434 4437 402ea9 4435->4437 4438 4064fa RegOpenKeyExW 4437->4438 4439 402ed7 4438->4439 4440 402ee7 RegEnumValueW 4439->4440 4444 402f0a 4439->4444 4448 402f81 4439->4448 4441 402f71 RegCloseKey 4440->4441 4440->4444 4441->4448 4442 402f46 RegEnumKeyW 4443 402f4f RegCloseKey 4442->4443 4442->4444 4445 406a5a 5 API calls 4443->4445 4444->4441 4444->4442 4444->4443 4446 402ea9 6 API calls 4444->4446 4447 402f5f 4445->4447 4446->4444 4447->4448 4449 402f63 RegDeleteKeyW 4447->4449 4448->4434 4449->4448 4450 401735 4451 402da6 17 API calls 4450->4451 4452 40173c SearchPathW 4451->4452 4453 401757 4452->4453 4454 401d38 4455 402d84 17 API calls 4454->4455 4456 401d3f 4455->4456 4457 402d84 17 API calls 4456->4457 4458 401d4b GetDlgItem 4457->4458 4459 402638 4458->4459 4460 4014b8 4461 4014be 4460->4461 4462 401389 2 API calls 4461->4462 4463 4014c6 4462->4463 4464 40263e 4465 402652 4464->4465 4466 40266d 4464->4466 4467 402d84 17 API calls 4465->4467 4468 402672 4466->4468 4469 40269d 4466->4469 4478 402659 4467->4478 4471 402da6 17 API calls 4468->4471 4470 402da6 17 API calls 4469->4470 4472 4026a4 lstrlenW 4470->4472 4473 402679 4471->4473 4472->4478 4481 4066af WideCharToMultiByte 4473->4481 4475 40268d lstrlenA 4475->4478 4476 4026d1 4477 4026e7 4476->4477 4479 40622f WriteFile 4476->4479 4478->4476 4478->4477 4480 40625e 5 API calls 4478->4480 4479->4477 4480->4476 4481->4475

                                              Control-flow Graph
                                              Function at 403665 (nodes marked Executed / Not Executed)
                                              APIs
                                              • SetErrorMode.KERNELBASE(00008001), ref: 00403688
                                              • GetVersionExW.KERNEL32(?), ref: 004036B1
                                              • GetVersionExW.KERNEL32(0000011C), ref: 004036C8
                                              • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 0040375F
                                              • #17.COMCTL32(00000007,00000009,0000000B), ref: 0040379B
                                              • OleInitialize.OLE32(00000000), ref: 004037A2
                                              • SHGetFileInfoW.SHELL32(0042B268,00000000,?,000002B4,00000000), ref: 004037C0
                                              • GetCommandLineW.KERNEL32(00433F40,NSIS Error), ref: 004037D5
                                              • CharNextW.USER32(00000000,"C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe",00000020,"C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe",00000000), ref: 0040380E
                                              • GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,?), ref: 00403941
                                              • GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 00403952
                                              • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 0040395E
                                              • GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403972
                                              • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 0040397A
                                              • SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 0040398B
                                              • SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 00403993
                                              • DeleteFileW.KERNELBASE(1033), ref: 004039A7
                                              • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe",00000000,?), ref: 00403A8E
                                              • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A328,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe",00000000,?), ref: 00403A9D
                                                • Part of subcall function 00405C3B: CreateDirectoryW.KERNELBASE(?,00000000,00403658,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403948), ref: 00405C41
                                              • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe",00000000,?), ref: 00403AA8
                                              • lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe",00000000,?), ref: 00403AB4
                                              • SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 00403AD4
                                              • DeleteFileW.KERNEL32(0042AA68,0042AA68,?,2773,?), ref: 00403B33
                                              • CopyFileW.KERNEL32(C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe,0042AA68,00000001), ref: 00403B46
                                              • CloseHandle.KERNEL32(00000000,0042AA68,0042AA68,?,0042AA68,00000000), ref: 00403B73
                                              • ExitProcess.KERNEL32(?), ref: 00403B91
                                              • CoUninitialize.COMBASE(?), ref: 00403B96
                                              • ExitProcess.KERNEL32 ref: 00403BB0
                                              • GetCurrentProcess.KERNEL32(00000028,?), ref: 00403BC4
                                              • OpenProcessToken.ADVAPI32(00000000), ref: 00403BCB
                                              • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403BDF
                                              • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00403BFE
                                              • ExitWindowsEx.USER32(00000002,80040002), ref: 00403C23
                                              • ExitProcess.KERNEL32 ref: 00403C44
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2241681832.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2241666192.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2241698110.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2241712581.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2241712581.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2241712581.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2241712581.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2241712581.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2241712581.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2241712581.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2242475569.0000000000451000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2242475569.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: Processlstrcat$ExitFile$Directory$CurrentDeleteEnvironmentPathTempTokenVariableVersionWindows$AdjustCharCloseCommandCopyCreateErrorHandleInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesUninitializeValuelstrcmpilstrlen
                                              • String ID: "C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe"$.tmp$1033$2773$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor$C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor$C:\Users\user\Desktop$C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
                                              • API String ID: 2292928366-1448947515
                                              • Opcode ID: 4c55df234a1a169625c4d9510f8e78281ae4f2daef50c2ec046ef8ddf9a3fc35
                                              • Instruction ID: 7202d2b8b7838142eb81bebdbe26780666e8e28037d8cbf22de7a4751e5c1698
                                              • Opcode Fuzzy Hash: 4c55df234a1a169625c4d9510f8e78281ae4f2daef50c2ec046ef8ddf9a3fc35
                                              • Instruction Fuzzy Hash: 2AE12871A00210ABDB10AFB59D45BAF7AB8EB4470AF10847FF545B22D1DB7C8A41CB6D

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              APIs
                                              • GetDlgItem.USER32(?,00000403), ref: 0040588C
                                              • GetDlgItem.USER32(?,000003EE), ref: 0040589B
                                              • GetClientRect.USER32(?,?), ref: 004058D8
                                              • GetSystemMetrics.USER32(00000002), ref: 004058DF
                                              • SendMessageW.USER32(?,00001061,00000000,?), ref: 00405900
                                              • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 00405911
                                              • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00405924
                                              • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 00405932
                                              • SendMessageW.USER32(?,00001024,00000000,?), ref: 00405945
                                              • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405967
                                              • ShowWindow.USER32(?,00000008), ref: 0040597B
                                              • GetDlgItem.USER32(?,000003EC), ref: 0040599C
                                              • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 004059AC
                                              • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004059C5
                                              • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004059D1
                                              • GetDlgItem.USER32(?,000003F8), ref: 004058AA
                                                • Part of subcall function 0040461E: SendMessageW.USER32(00000028,?,00000001,00404449), ref: 0040462C
                                              • GetDlgItem.USER32(?,000003EC), ref: 004059EE
                                              • CreateThread.KERNELBASE(00000000,00000000,Function_000057C2,00000000), ref: 004059FC
                                              • CloseHandle.KERNELBASE(00000000), ref: 00405A03
                                              • ShowWindow.USER32(00000000), ref: 00405A27
                                              • ShowWindow.USER32(?,00000008), ref: 00405A2C
                                              • ShowWindow.USER32(00000008), ref: 00405A76
                                              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405AAA
                                              • CreatePopupMenu.USER32 ref: 00405ABB
                                              • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405ACF
                                              • GetWindowRect.USER32(?,?), ref: 00405AEF
                                              • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405B08
                                              • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405B40
                                              • OpenClipboard.USER32(00000000), ref: 00405B50
                                              • EmptyClipboard.USER32 ref: 00405B56
                                              • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405B62
                                              • GlobalLock.KERNEL32(00000000), ref: 00405B6C
                                              • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405B80
                                              • GlobalUnlock.KERNEL32(00000000), ref: 00405BA0
                                              • SetClipboardData.USER32(0000000D,00000000), ref: 00405BAB
                                              • CloseClipboard.USER32 ref: 00405BB1
                                              Strings
                                              Similarity
                                              • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                              • String ID: TQx${
                                              • API String ID: 590372296-350062123
                                              • Opcode ID: 594e09f59107cca7157d15a5a23896bf4c5370f9eabdd5831dabeea937b03c7e
                                              • Instruction ID: ad0e61e05fba8a1df39cdb997e21152ba8bbf2b4b8703c5d6f74bcbe2795bbf3
                                              • Opcode Fuzzy Hash: 594e09f59107cca7157d15a5a23896bf4c5370f9eabdd5831dabeea937b03c7e
                                              • Instruction Fuzzy Hash: 09B158B0900608FFDB119FA1DD899AE7BB9FB48315F00403AFA45BA1A0CB755E51DF68

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              APIs
                                              • DeleteFileW.KERNELBASE(?,?,76233420,76232EE0,00000000), ref: 00405DC2
                                              • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsqFF0.tmp\*.*,\*.*,C:\Users\user\AppData\Local\Temp\nsqFF0.tmp\*.*,?,?,76233420,76232EE0,00000000), ref: 00405E0A
                                              • lstrcatW.KERNEL32(?,0040A014,?,C:\Users\user\AppData\Local\Temp\nsqFF0.tmp\*.*,?,?,76233420,76232EE0,00000000), ref: 00405E2D
                                              • lstrlenW.KERNEL32(?,?,0040A014,?,C:\Users\user\AppData\Local\Temp\nsqFF0.tmp\*.*,?,?,76233420,76232EE0,00000000), ref: 00405E33
                                              • FindFirstFileW.KERNELBASE(C:\Users\user\AppData\Local\Temp\nsqFF0.tmp\*.*,?,?,?,0040A014,?,C:\Users\user\AppData\Local\Temp\nsqFF0.tmp\*.*,?,?,76233420,76232EE0,00000000), ref: 00405E43
                                              • FindNextFileW.KERNELBASE(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405EE3
                                              • FindClose.KERNEL32(00000000), ref: 00405EF2
                                              Strings
                                              Similarity
                                              • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                              • String ID: .$.$C:\Users\user\AppData\Local\Temp\nsqFF0.tmp\*.*$\*.*
                                              • API String ID: 2035342205-3518075476
                                              • Opcode ID: 252f33129f6abad13087e64fb92cbb60fd1a4d3dc83bffe141fc161afd94df17
                                              • Instruction ID: 3bf7406ac91ec4dd5ee52beca3a565466598d16321ce9fad4ed104e0e91c8342
                                              • Opcode Fuzzy Hash: 252f33129f6abad13087e64fb92cbb60fd1a4d3dc83bffe141fc161afd94df17
                                              • Instruction Fuzzy Hash: 7F41D130800A15AACB21AB61CC49BAF7678EF81718F24417FF945B11D1D77C4E86DEAE
                                              APIs
                                              • FindFirstFileW.KERNELBASE(?,004302F8,C:\,004060AD,C:\,C:\,00000000,C:\,C:\, 4#v.#v,?,76232EE0,00405DB9,?,76233420,76232EE0), ref: 004069CE
                                              • FindClose.KERNELBASE(00000000), ref: 004069DA
                                              Strings
                                              Similarity
                                              • API ID: Find$CloseFileFirst
                                              • String ID: C:\
                                              • API String ID: 2295610775-3404278061
                                              • Opcode ID: 3880175e769e76fa77aae8c7cfa12813b322c012e9387fc66468c7031057106f
                                              • Instruction ID: 3c057573fcaabf10d705fd9a8bc3d0837248d5ed29ac60a78c5b2b67310fc299
                                              • Opcode Fuzzy Hash: 3880175e769e76fa77aae8c7cfa12813b322c012e9387fc66468c7031057106f
                                              • Instruction Fuzzy Hash: 1CD012715481205FC34017386E0C85B7A989F163357218B37B4A6F15E0CB34CC3287AC
                                              APIs
                                              • CoCreateInstance.OLE32(004085F0,?,00000001,004085E0,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402229
                                              Strings
                                              • C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor, xrefs: 00402269
                                              Similarity
                                              • API ID: CreateInstance
                                              • String ID: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor
                                              • API String ID: 542301482-3506704879
                                              • Opcode ID: 70dc6ecbecee9357e60868247212f995677eb957e081adbb0ea1a54d331089b8
                                              • Instruction ID: 2d2e5bbc6e5ef502b098ca75eaee8a225efadfc65403042a85a9f29fa5c0db88
                                              • Opcode Fuzzy Hash: 70dc6ecbecee9357e60868247212f995677eb957e081adbb0ea1a54d331089b8
                                              • Instruction Fuzzy Hash: 37411571A00208EFCF40DFE4C989E9D7BB5BF49348B20456AF505EB2D1DB799981CB94
                                              APIs
                                              • FindFirstFileW.KERNELBASE(00000000,?,00000002), ref: 0040291A
                                              Similarity
                                              • API ID: FileFindFirst
                                              • String ID:
                                              • API String ID: 1974802433-0
                                              • Opcode ID: ba7edad31f9b469188afe4470049fe2ddcb16a652daf74fb1c246c9531100aa4
                                              • Instruction ID: 48794005611725ab24a66c32a3ce206bb79c4e5d10a9c3449c21b72c90bd16c7
                                              • Opcode Fuzzy Hash: ba7edad31f9b469188afe4470049fe2ddcb16a652daf74fb1c246c9531100aa4
                                              • Instruction Fuzzy Hash: CCF05E71904104AED701DBA4D949AAEB378FF14314F20467BE115F21D0E7B88E159B29

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              APIs
                                              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00404126
                                              • ShowWindow.USER32(?), ref: 00404146
                                              • GetWindowLongW.USER32(?,000000F0), ref: 00404158
                                              • ShowWindow.USER32(?,00000004), ref: 00404171
                                              • DestroyWindow.USER32 ref: 00404185
                                              • SetWindowLongW.USER32(?,00000000,00000000), ref: 0040419E
                                              • GetDlgItem.USER32(?,?), ref: 004041BD
                                              • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 004041D1
                                              • IsWindowEnabled.USER32(00000000), ref: 004041D8
                                              • GetDlgItem.USER32(?,00000001), ref: 00404283
                                              • GetDlgItem.USER32(?,00000002), ref: 0040428D
                                              • SetClassLongW.USER32(?,000000F2,?), ref: 004042A7
                                              • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 004042F8
                                              • GetDlgItem.USER32(?,00000003), ref: 0040439E
                                              • ShowWindow.USER32(00000000,?), ref: 004043BF
                                              • KiUserCallbackDispatcher.NTDLL(?,?), ref: 004043D1
                                              • KiUserCallbackDispatcher.NTDLL(?,?), ref: 004043EC
                                              • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00404402
                                              • EnableMenuItem.USER32(00000000), ref: 00404409
                                              • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00404421
                                              • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00404434
                                              • lstrlenW.KERNEL32(0042D2A8,?,0042D2A8,00000000), ref: 0040445E
                                              • SetWindowTextW.USER32(?,0042D2A8), ref: 00404472
                                              • ShowWindow.USER32(?,0000000A), ref: 004045A6
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2241681832.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: Window$Item$MessageSendShow$Long$CallbackDispatcherMenuUser$ClassDestroyEnableEnabledSystemTextlstrlen
                                              • String ID: TQx
                                              • API String ID: 3964124867-1770703461
                                              • Opcode ID: a909010d8c72ebaa78a2a8cb2f30679cc7e32d907dd9b02ea1346e9f086c6b13
                                              • Instruction ID: de9aa89a916c8b209ea0d52822f85574d94c23603a42d9a5d354d97988027e5a
                                              • Opcode Fuzzy Hash: a909010d8c72ebaa78a2a8cb2f30679cc7e32d907dd9b02ea1346e9f086c6b13
                                              • Instruction Fuzzy Hash: 28C1D0B1A00204FBDB21AF61EE45E2B3BB8EB85745B50053EFB41B11F1CB3998419B6D

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              APIs
                                                • Part of subcall function 00406A5A: GetModuleHandleA.KERNEL32(?,00000020,?,00403775,0000000B), ref: 00406A6C
                                                • Part of subcall function 00406A5A: GetProcAddress.KERNEL32(00000000,?), ref: 00406A87
                                              • lstrcatW.KERNEL32(1033,0042D2A8,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D2A8,00000000,00000002,76233420,C:\Users\user\AppData\Local\Temp\,?,00000000,?), ref: 00403DBD
                                              • lstrlenW.KERNEL32(Remove folder: ,?,?,?,Remove folder: ,00000000,C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor,1033,0042D2A8,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D2A8,00000000,00000002,76233420), ref: 00403E3D
                                              • lstrcmpiW.KERNEL32(?,.exe,Remove folder: ,?,?,?,Remove folder: ,00000000,C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor,1033,0042D2A8,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D2A8,00000000), ref: 00403E50
                                              • GetFileAttributesW.KERNEL32(Remove folder: ,?,00000000,?), ref: 00403E5B
                                              • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor), ref: 00403EA4
                                                • Part of subcall function 004065D4: wsprintfW.USER32 ref: 004065E1
                                              • RegisterClassW.USER32(00433EE0), ref: 00403EE1
                                              • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403EF9
                                              • CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403F2E
                                              • ShowWindow.USER32(00000005,00000000,?,00000000,?), ref: 00403F64
                                              • GetClassInfoW.USER32(00000000,RichEdit20W,00433EE0), ref: 00403F90
                                              • GetClassInfoW.USER32(00000000,RichEdit,00433EE0), ref: 00403F9D
                                              • RegisterClassW.USER32(00433EE0), ref: 00403FA6
                                              • DialogBoxParamW.USER32(?,00000000,004040EA,00000000), ref: 00403FC5
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2241681832.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                              • String ID: .DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor$Control Panel\Desktop\ResourceLocale$Remove folder: $RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb$>C
                                              • API String ID: 1975747703-4032131805
                                              • Opcode ID: 125b924c795658e2fb6f2b424cc5b2ba0af3e0ec064c37c13f72d94e5ebd84ad
                                              • Instruction ID: da25d123fd33bceb9cd954dc55613c71382b45676866b2bca109948a29669d0c
                                              • Opcode Fuzzy Hash: 125b924c795658e2fb6f2b424cc5b2ba0af3e0ec064c37c13f72d94e5ebd84ad
                                              • Instruction Fuzzy Hash: 7C61C970540300BFD620AF66AD46E2B3A7CEB8474AF50453FFA45B22E1CB7D99118A6D

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              APIs
                                              • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404846
                                              • GetDlgItem.USER32(?,000003E8), ref: 0040485A
                                              • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404877
                                              • GetSysColor.USER32(?), ref: 00404888
                                              • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00404896
                                              • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004048A4
                                              • lstrlenW.KERNEL32(?), ref: 004048A9
                                              • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004048B6
                                              • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004048CB
                                              • GetDlgItem.USER32(?,0000040A), ref: 00404924
                                              • SendMessageW.USER32(00000000), ref: 0040492B
                                              • GetDlgItem.USER32(?,000003E8), ref: 00404956
                                              • SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404999
                                              • LoadCursorW.USER32(00000000,00007F02), ref: 004049A7
                                              • SetCursor.USER32(00000000), ref: 004049AA
                                              • LoadCursorW.USER32(00000000,00007F00), ref: 004049C3
                                              • SetCursor.USER32(00000000), ref: 004049C6
                                              • SendMessageW.USER32(00000111,00000001,00000000), ref: 004049F5
                                              • SendMessageW.USER32(00000010,00000000,00000000), ref: 00404A07
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2241681832.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                                              • String ID: N$TQx$.C
                                              • API String ID: 3103080414-2588303462
                                              • Opcode ID: 2c2edbd67907794629cef93c5f20fe49d7483b4f1c50941cc9e49a96c5bda95e
                                              • Instruction ID: 04e69940b6acc2fd086222b6b6ea3ba721d9538463f901576bc41ccddba7bb55
                                              • Opcode Fuzzy Hash: 2c2edbd67907794629cef93c5f20fe49d7483b4f1c50941cc9e49a96c5bda95e
                                              • Instruction Fuzzy Hash: F86190B1A00209FFDF10AF60DD45A6A7B69FB84314F00853AFA01B62D0C778A951DF9C

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              APIs
                                              • GetTickCount.KERNEL32 ref: 004030E4
                                              • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe,00000400), ref: 00403100
                                                • Part of subcall function 0040617D: GetFileAttributesW.KERNELBASE(00000003,00403113,C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe,80000000,00000003), ref: 00406181
                                                • Part of subcall function 0040617D: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 004061A3
                                              • GetFileSize.KERNEL32(00000000,00000000,00444000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe,C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe,80000000,00000003), ref: 00403149
                                              • GlobalAlloc.KERNELBASE(00000040,?), ref: 0040328E
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2241681832.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                                              • String ID: @@$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
                                              • API String ID: 2803837635-3123266434
                                              • Opcode ID: bad2e3b01d9b3b13e63a1b39e6cc5da044d3535b7ab0fa3027879e4241c96e0e
                                              • Instruction ID: 364f6887d48bc7b951d8ae4203d579f58ecc863924d2f457b4153bb80ab2427c
                                              • Opcode Fuzzy Hash: bad2e3b01d9b3b13e63a1b39e6cc5da044d3535b7ab0fa3027879e4241c96e0e
                                              • Instruction Fuzzy Hash: 9871EF31900204AFDB20DFA5EE81B9E7FA8AB44315F20817FE915B62D1DB389E40CB5D

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              APIs
                                              • GetSystemDirectoryW.KERNEL32(Remove folder: ,00000400), ref: 004067E5
                                              • GetWindowsDirectoryW.KERNEL32(Remove folder: ,00000400,00000000,Remove folder: C:\Users\user\AppData\Local\Temp\nsqFF0.tmp\,?,00405726,Remove folder: C:\Users\user\AppData\Local\Temp\nsqFF0.tmp\,00000000,00000000,00000000,00000000), ref: 004067F8
                                              • lstrcatW.KERNEL32(Remove folder: ,\Microsoft\Internet Explorer\Quick Launch,?,?,?,?,?,?,?,?,?,004030A8,00000000,?), ref: 0040686F
                                              • lstrlenW.KERNEL32(Remove folder: ,00000000,Remove folder: C:\Users\user\AppData\Local\Temp\nsqFF0.tmp\,?,00405726,Remove folder: C:\Users\user\AppData\Local\Temp\nsqFF0.tmp\,00000000), ref: 004068C9
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2241681832.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: Directory$SystemWindowslstrcatlstrlen
                                              • String ID: &W@$2773$Remove folder: $Remove folder: C:\Users\user\AppData\Local\Temp\nsqFF0.tmp\$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                              • API String ID: 4260037668-1238364349
                                              • Opcode ID: 3e400c5343cfc33d28fc060edae60873890dd6f9eb032d48237974229c953048
                                              • Instruction ID: 222baa3488ebd17d4188baabad1ccaa5edf8f2b789f9d6ace106459298ebb4c1
                                              • Opcode Fuzzy Hash: 3e400c5343cfc33d28fc060edae60873890dd6f9eb032d48237974229c953048
                                              • Instruction Fuzzy Hash: A461EE72901205AADF10AF65CD40AAE37A5EF44318F22C13FE907B62D0DB7D99A1CB4D

                                              Control-flow Graph

                                              control_flow_graph 608 40176f-401794 call 402da6 call 405fd3 613 401796-40179c call 40668d 608->613 614 40179e-4017b0 call 40668d call 405f5c lstrcatW 608->614 619 4017b5-4017b6 call 406914 613->619 614->619 623 4017bb-4017bf 619->623 624 4017c1-4017cb call 4069c3 623->624 625 4017f2-4017f5 623->625 633 4017dd-4017ef 624->633 634 4017cd-4017db CompareFileTime 624->634 627 4017f7-4017f8 call 406158 625->627 628 4017fd-401819 call 40617d 625->628 627->628 635 40181b-40181e 628->635 636 40188d-4018b6 call 4056ef call 403396 628->636 633->625 634->633 637 401820-40185e call 40668d * 2 call 4066ca call 40668d call 405ced 635->637 638 40186f-401879 call 4056ef 635->638 650 4018b8-4018bc 636->650 651 4018be-4018ca SetFileTime 636->651 637->623 670 401864-401865 637->670 648 401882-401888 638->648 652 402c33 648->652 650->651 654 4018d0-4018db CloseHandle 650->654 651->654 657 402c35-402c39 652->657 655 4018e1-4018e4 654->655 656 402c2a-402c2d 654->656 659 4018e6-4018f7 call 4066ca lstrcatW 655->659 660 4018f9-4018fc call 4066ca 655->660 656->652 666 401901-4023a2 call 405ced 659->666 660->666 666->656 666->657 670->648 672 401867-401868 670->672 672->638
                                              APIs
                                              • lstrcatW.KERNEL32(00000000,00000000,open,C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor,?,?,00000031), ref: 004017B0
                                              • CompareFileTime.KERNEL32(-00000014,?,open,open,00000000,00000000,open,C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor,?,?,00000031), ref: 004017D5
                                                • Part of subcall function 0040668D: lstrcpynW.KERNEL32(?,?,00000400,004037D5,00433F40,NSIS Error), ref: 0040669A
                                                • Part of subcall function 004056EF: lstrlenW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsqFF0.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000,?), ref: 00405727
                                                • Part of subcall function 004056EF: lstrlenW.KERNEL32(004030A8,Remove folder: C:\Users\user\AppData\Local\Temp\nsqFF0.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000), ref: 00405737
                                                • Part of subcall function 004056EF: lstrcatW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsqFF0.tmp\,004030A8,004030A8,Remove folder: C:\Users\user\AppData\Local\Temp\nsqFF0.tmp\,00000000,00000000,00000000), ref: 0040574A
                                                • Part of subcall function 004056EF: SetWindowTextW.USER32(Remove folder: C:\Users\user\AppData\Local\Temp\nsqFF0.tmp\,Remove folder: C:\Users\user\AppData\Local\Temp\nsqFF0.tmp\), ref: 0040575C
                                                • Part of subcall function 004056EF: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405782
                                                • Part of subcall function 004056EF: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040579C
                                                • Part of subcall function 004056EF: SendMessageW.USER32(?,00001013,?,00000000), ref: 004057AA
                                              Similarity
                                              • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                              • String ID: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor$C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe$open$open C:\Windows\explorer.exe
                                              • API String ID: 1941528284-635122291
                                              • Opcode ID: 3eb7c47ae52ee09527a3e83c3e24da30cf40b2af24631dbd23c86e1c2bf12060
                                              • Instruction ID: 3917aaa0535afdaa8150d035ffb2f8f3de46a25fb5f3ebe939534b09b008d861
                                              • Opcode Fuzzy Hash: 3eb7c47ae52ee09527a3e83c3e24da30cf40b2af24631dbd23c86e1c2bf12060
                                              • Instruction Fuzzy Hash: 0C41AE31800108BACF11AFB5CD85DAE7A79EF45368B21473FF412B10E1DB3D89519A6E

                                              Control-flow Graph

                                              control_flow_graph 674 4056ef-405704 675 40570a-40571b 674->675 676 4057bb-4057bf 674->676 677 405726-405732 lstrlenW 675->677 678 40571d-405721 call 4066ca 675->678 680 405734-405744 lstrlenW 677->680 681 40574f-405753 677->681 678->677 680->676 682 405746-40574a lstrcatW 680->682 683 405762-405766 681->683 684 405755-40575c SetWindowTextW 681->684 682->681 685 405768-4057aa SendMessageW * 3 683->685 686 4057ac-4057ae 683->686 684->683 685->686 686->676 687 4057b0-4057b3 686->687 687->676
                                              APIs
                                              • lstrlenW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsqFF0.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000,?), ref: 00405727
                                              • lstrlenW.KERNEL32(004030A8,Remove folder: C:\Users\user\AppData\Local\Temp\nsqFF0.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000), ref: 00405737
                                              • lstrcatW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsqFF0.tmp\,004030A8,004030A8,Remove folder: C:\Users\user\AppData\Local\Temp\nsqFF0.tmp\,00000000,00000000,00000000), ref: 0040574A
                                              • SetWindowTextW.USER32(Remove folder: C:\Users\user\AppData\Local\Temp\nsqFF0.tmp\,Remove folder: C:\Users\user\AppData\Local\Temp\nsqFF0.tmp\), ref: 0040575C
                                              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405782
                                              • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040579C
                                              • SendMessageW.USER32(?,00001013,?,00000000), ref: 004057AA
                                                • Part of subcall function 004066CA: lstrcatW.KERNEL32(Remove folder: ,\Microsoft\Internet Explorer\Quick Launch,?,?,?,?,?,?,?,?,?,004030A8,00000000,?), ref: 0040686F
                                                • Part of subcall function 004066CA: lstrlenW.KERNEL32(Remove folder: ,00000000,Remove folder: C:\Users\user\AppData\Local\Temp\nsqFF0.tmp\,?,00405726,Remove folder: C:\Users\user\AppData\Local\Temp\nsqFF0.tmp\,00000000), ref: 004068C9
                                              Similarity
                                              • API ID: MessageSendlstrlen$lstrcat$TextWindow
                                              • String ID: Remove folder: C:\Users\user\AppData\Local\Temp\nsqFF0.tmp\
                                              • API String ID: 1495540970-1662825058
                                              • Opcode ID: 278353603dcbb75a668f8a71779c99bfd23b7d47d2199f18e2ce94613a8461f0
                                              • Instruction ID: 1b676207b4a0a1055a3a12a699133e47920e8c41e9ca1950a47408d5e63b7e6c
                                              • Opcode Fuzzy Hash: 278353603dcbb75a668f8a71779c99bfd23b7d47d2199f18e2ce94613a8461f0
                                              • Instruction Fuzzy Hash: 3E218975900518FACB119FA5DD84ACFBFB8EF49350F10803AF904B22A0C7798A519FA8

                                              Control-flow Graph

                                              control_flow_graph 688 4069ea-406a0a GetSystemDirectoryW 689 406a0c 688->689 690 406a0e-406a10 688->690 689->690 691 406a21-406a23 690->691 692 406a12-406a1b 690->692 694 406a24-406a57 wsprintfW LoadLibraryExW 691->694 692->691 693 406a1d-406a1f 692->693 693->694
                                              APIs
                                              • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406A01
                                              • wsprintfW.USER32 ref: 00406A3C
                                              • LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406A50
                                              Similarity
                                              • API ID: DirectoryLibraryLoadSystemwsprintf
                                              • String ID: %s%S.dll$UXTHEME$\
                                              • API String ID: 2200240437-1946221925
                                              • Opcode ID: 63130bafcb32548bd4340548baa3f8658423137b3882cd96386db367ad08b740
                                              • Instruction ID: dddb1bef5f3f5ee0ffb7d6c9f59c350f03ebda43387605203a83eddebe2ff1d2
                                              • Opcode Fuzzy Hash: 63130bafcb32548bd4340548baa3f8658423137b3882cd96386db367ad08b740
                                              • Instruction Fuzzy Hash: 47F09C7065011967DB14BB58DD0DFAB365CAB01705F11447AE646F10D0EB7CDA68CB98

                                              Control-flow Graph

                                              control_flow_graph 695 402950-402969 call 402da6 call 405fd3 700 402972-40298b call 406158 call 40617d 695->700 701 40296b-40296d call 402da6 695->701 707 402991-40299a 700->707 708 402a3b-402a40 700->708 701->700 709 4029a0-4029b7 GlobalAlloc 707->709 710 402a23-402a35 call 403396 CloseHandle 707->710 711 402a42-402a4e DeleteFileW 708->711 712 402a55 708->712 709->710 713 4029b9-4029d6 call 40361d call 403607 GlobalAlloc 709->713 710->708 711->712 720 4029d8-4029e0 call 403396 713->720 721 402a0c-402a1f call 40622f GlobalFree 713->721 725 4029e5 720->725 721->710 726 4029ff-402a01 725->726 727 402a03-402a06 GlobalFree 726->727 728 4029e7-4029fc call 406138 726->728 727->721 728->726
                                              APIs
                                              • GlobalAlloc.KERNELBASE(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004029B1
                                              • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029CD
                                              • GlobalFree.KERNEL32(?), ref: 00402A06
                                              • GlobalFree.KERNELBASE(00000000), ref: 00402A19
                                              • CloseHandle.KERNELBASE(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A35
                                              • DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A48
                                              Similarity
                                              • API ID: Global$AllocFree$CloseDeleteFileHandle
                                              • String ID:
                                              • API String ID: 2667972263-0
                                              • Opcode ID: c27a12bb1b371df456bad0cb2fc82cd344a309b2c83eb080518c5475c9ab4ebb
                                              • Instruction ID: 9452f222c2943755f981640e626c36c4c8fc1fb7f7789119dd72cb871a19e56f
                                              • Opcode Fuzzy Hash: c27a12bb1b371df456bad0cb2fc82cd344a309b2c83eb080518c5475c9ab4ebb
                                              • Instruction Fuzzy Hash: ED31C071D00124BBCF216FA9CE89DDEBE79AF49364F14023AF550762E1CB794C429B98

                                              Control-flow Graph

                                              control_flow_graph 731 40349e-4034c6 GetTickCount 732 4035f6-4035fe call 40302e 731->732 733 4034cc-4034f7 call 40361d SetFilePointer 731->733 738 403600-403604 732->738 739 4034fc-40350e 733->739 740 403510 739->740 741 403512-403520 call 403607 739->741 740->741 744 403526-403532 741->744 745 4035e8-4035eb 741->745 746 403538-40353e 744->746 745->738 747 403540-403546 746->747 748 403569-403585 call 406bb5 746->748 747->748 749 403548-403568 call 40302e 747->749 754 4035f1 748->754 755 403587-40358f 748->755 749->748 756 4035f3-4035f4 754->756 757 403591-403599 call 40622f 755->757 758 4035b2-4035b8 755->758 756->738 761 40359e-4035a0 757->761 758->754 760 4035ba-4035bc 758->760 760->754 762 4035be-4035d1 760->762 763 4035a2-4035ae 761->763 764 4035ed-4035ef 761->764 762->739 765 4035d7-4035e6 SetFilePointer 762->765 763->746 766 4035b0 763->766 764->756 765->732 766->762
                                              APIs
                                              • GetTickCount.KERNEL32 ref: 004034B2
                                                • Part of subcall function 0040361D: SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040331D,?), ref: 0040362B
                                              • SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,004033C8,00000004,00000000,00000000,?,?,00403344,000000FF,00000000,00000000,?,?), ref: 004034E5
                                              • SetFilePointer.KERNELBASE(002E680E,00000000,00000000,0040CE90,afii10065afii10066afii10067afii10068afii10069afii10070afii10072afii10073afii10074afii10075afii10076afii10077afii10078afii10079afii10080afii10081afii10082afii10083afii10084afii10085afii10086afii10087afii10088afii10089afii10090afii10091,00004000,?,00000000,004033C8,00000004,00000000,00000000,?,?,00403344,000000FF), ref: 004035E0
                                              Strings
                                              • afii10065afii10066afii10067afii10068afii10069afii10070afii10072afii10073afii10074afii10075afii10076afii10077afii10078afii10079afii10080afii10081afii10082afii10083afii10084afii10085afii10086afii10087afii10088afii10089afii10090afii10091, xrefs: 00403512, 00403518
                                              • PjA, xrefs: 004034F7
                                              Similarity
                                              • API ID: FilePointer$CountTick
                                              • String ID: afii10065afii10066afii10067afii10068afii10069afii10070afii10072afii10073afii10074afii10075afii10076afii10077afii10078afii10079afii10080afii10081afii10082afii10083afii10084afii10085afii10086afii10087afii10088afii10089afii10090afii10091$PjA
                                              • API String ID: 1092082344-2470023004
                                              • Opcode ID: 9ce1662b015069013aad91297686e64e48a83dbe4dcecd47c05504c3ad461c8e
                                              • Instruction ID: f9242c332a4440439c60d59a0742db288cd856b70a60ad5ac0c55a234a5691a7
                                              • Opcode Fuzzy Hash: 9ce1662b015069013aad91297686e64e48a83dbe4dcecd47c05504c3ad461c8e
                                              • Instruction Fuzzy Hash: F2317E72600201EFDB209F29EF819163BA8EB40356758023BF805B26F0C7799E55DB5E

                                              Control-flow Graph

                                              control_flow_graph 767 405bbe-405c09 CreateDirectoryW 768 405c0b-405c0d 767->768 769 405c0f-405c1c GetLastError 767->769 770 405c36-405c38 768->770 769->770 771 405c1e-405c32 SetFileSecurityW 769->771 771->768 772 405c34 GetLastError 771->772 772->770
                                              APIs
                                              • CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405C01
                                              • GetLastError.KERNEL32 ref: 00405C15
                                              • SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 00405C2A
                                              • GetLastError.KERNEL32 ref: 00405C34
                                              Strings
                                              • C:\Users\user\AppData\Local\Temp\, xrefs: 00405BE4
                                              Similarity
                                              • API ID: ErrorLast$CreateDirectoryFileSecurity
                                              • String ID: C:\Users\user\AppData\Local\Temp\
                                              • API String ID: 3449924974-3936084776
                                              • Opcode ID: 4d8c721838b8a92ea27708fe49d100345a2f80ebd1be40878b53e15a1b169c58
                                              • Instruction ID: 83cbdc828edc03ec969cff9db7e05ee4047ca164e5c91e20edd7243e9c57a5c6
                                              • Opcode Fuzzy Hash: 4d8c721838b8a92ea27708fe49d100345a2f80ebd1be40878b53e15a1b169c58
                                              • Instruction Fuzzy Hash: E90108B1D0421DEAEF109BA0C944BEFBBB8EF04314F00403AD545B6180E77896488B99

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 773 401d81-401d85 774 401d94-401d9a GetDlgItem 773->774 775 401d87-401d92 call 402d84 773->775 777 401da0-401dcc 774->777 775->777 778 401dd7 777->778 779 401dce-401dd5 call 402da6 777->779 782 401ddb-401e31 GetClientRect LoadImageW SendMessageW 778->782 779->782 784 401e33-401e36 782->784 785 401e3f-401e42 782->785 784->785 786 401e38-401e39 DeleteObject 784->786 787 401e48 785->787 788 402c2a-402c39 785->788 786->785 787->788
                                              APIs
                                              • GetDlgItem.USER32(?,?), ref: 00401D9A
                                              • GetClientRect.USER32(?,?), ref: 00401DE5
                                              • LoadImageW.USER32(?,?,?,?,?,?), ref: 00401E15
                                              • SendMessageW.USER32(?,00000172,?,00000000), ref: 00401E29
                                              • DeleteObject.GDI32(00000000), ref: 00401E39
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2241681832.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                              • String ID:
                                              • API String ID: 1849352358-0
                                              • Opcode ID: 3043d85d86b90f5b5396c33957a01327d121a2023d37ed61208decb0b3137206
                                              • Instruction ID: 2f6f3c36036cdbb9089b0383ba4f4cbfc48a317e9096f9b837de44549e037801
                                              • Opcode Fuzzy Hash: 3043d85d86b90f5b5396c33957a01327d121a2023d37ed61208decb0b3137206
                                              • Instruction Fuzzy Hash: 4321F672904119AFCB05DBA4DE45AEEBBB5FF08304F14003AF945F62A0DB389D51DB98
                                              APIs
                                              • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CB3
                                              • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CCB
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2241681832.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: MessageSend$Timeout
                                              • String ID: !
                                              • API String ID: 1777923405-2657877971
                                              • Opcode ID: 0df20d807e71c32f2e7a06027160097b2d0fc48425b0cade28e6ea958b081efc
                                              • Instruction ID: 370c909e2e73d1f6fe44a55a7d7bb6cb0e832c487cf9fbdb9b52faa9c3bc30de
                                              • Opcode Fuzzy Hash: 0df20d807e71c32f2e7a06027160097b2d0fc48425b0cade28e6ea958b081efc
                                              • Instruction Fuzzy Hash: 7C219C7190420AAFEF05AFA4D94AAAE7BB4FF84304F14453EF601B61D0D7B88941CB98
                                              APIs
                                              • GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 00402103
                                                • Part of subcall function 004056EF: lstrlenW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsqFF0.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000,?), ref: 00405727
                                                • Part of subcall function 004056EF: lstrlenW.KERNEL32(004030A8,Remove folder: C:\Users\user\AppData\Local\Temp\nsqFF0.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000), ref: 00405737
                                                • Part of subcall function 004056EF: lstrcatW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsqFF0.tmp\,004030A8,004030A8,Remove folder: C:\Users\user\AppData\Local\Temp\nsqFF0.tmp\,00000000,00000000,00000000), ref: 0040574A
                                                • Part of subcall function 004056EF: SetWindowTextW.USER32(Remove folder: C:\Users\user\AppData\Local\Temp\nsqFF0.tmp\,Remove folder: C:\Users\user\AppData\Local\Temp\nsqFF0.tmp\), ref: 0040575C
                                                • Part of subcall function 004056EF: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405782
                                                • Part of subcall function 004056EF: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040579C
                                                • Part of subcall function 004056EF: SendMessageW.USER32(?,00001013,?,00000000), ref: 004057AA
                                              • LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00402114
                                              • FreeLibrary.KERNELBASE(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 00402191
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2241681832.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
                                              • String ID: PO}
                                              • API String ID: 334405425-3400051177
                                              • Opcode ID: 0e1c26a5bf56fc850ad3554e1c335fc627687a4e605940a2150547e6b950aef5
                                              • Instruction ID: a321a58b122e5769608c0d537d44edacf3bc60c8a4d9086c5487ffa21be87ae2
                                              • Opcode Fuzzy Hash: 0e1c26a5bf56fc850ad3554e1c335fc627687a4e605940a2150547e6b950aef5
                                              • Instruction Fuzzy Hash: F921D431904104FADF11AFA5CF48A9E7A71BF48358F60413BF505B91E0DBBD8A829A5D
                                              APIs
                                              • lstrlenW.KERNEL32(C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe,00000023,00000011,00000002), ref: 004024D5
                                              • RegSetValueExW.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe,00000000,00000011,00000002), ref: 00402515
                                              • RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe,00000000,00000011,00000002), ref: 004025FD
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2241681832.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: CloseValuelstrlen
                                              • String ID: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe
                                              • API String ID: 2655323295-1561305280
                                              • Opcode ID: 907eb9ad1105a09e04069cca1f3e1d61c916a6a4e724c7a160cfa59f566c54f2
                                              • Instruction ID: 12e8642c4e4b4d640cc525bd6b04ad739d3cc6f192bf8d9ddfd4a5f785b5dc43
                                              • Opcode Fuzzy Hash: 907eb9ad1105a09e04069cca1f3e1d61c916a6a4e724c7a160cfa59f566c54f2
                                              • Instruction Fuzzy Hash: A0117C71E00118BEEF10AFA5DE49EAEBAB8FB44354F11443AF404F61C1D7B98D419A58
                                              APIs
                                                • Part of subcall function 0040668D: lstrcpynW.KERNEL32(?,?,00000400,004037D5,00433F40,NSIS Error), ref: 0040669A
                                                • Part of subcall function 00406007: CharNextW.USER32(?,?,C:\,?,0040607B,C:\,C:\, 4#v.#v,?,76232EE0,00405DB9,?,76233420,76232EE0,00000000), ref: 00406015
                                                • Part of subcall function 00406007: CharNextW.USER32(00000000), ref: 0040601A
                                                • Part of subcall function 00406007: CharNextW.USER32(00000000), ref: 00406032
                                              • lstrlenW.KERNEL32(C:\,00000000,C:\,C:\, 4#v.#v,?,76232EE0,00405DB9,?,76233420,76232EE0,00000000), ref: 004060BD
                                              • GetFileAttributesW.KERNELBASE(C:\,C:\,C:\,C:\,C:\,C:\,00000000,C:\,C:\, 4#v.#v,?,76232EE0,00405DB9,?,76233420,76232EE0), ref: 004060CD
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2241681832.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                              • String ID: 4#v.#v$C:\
                                              • API String ID: 3248276644-3425723832
                                              • Opcode ID: ceab7f6141c97bd95801e758521eaa2340c4166b8ffd449cb058fd8e326b7757
                                              • Instruction ID: 3d96d79a6bf6e9154c2ce5442b990e62448fd6ed276594ad5baef106ced42e1b
                                              • Opcode Fuzzy Hash: ceab7f6141c97bd95801e758521eaa2340c4166b8ffd449cb058fd8e326b7757
                                              • Instruction Fuzzy Hash: 3CF0F43614496219DA22F23A4C05AAF15448E82364B1B463BFC97B12C1CF3C8973847E
                                              APIs
                                              • GetTickCount.KERNEL32 ref: 004061CA
                                              • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,?,00403663,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403948), ref: 004061E5
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2241681832.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: CountFileNameTempTick
                                              • String ID: C:\Users\user\AppData\Local\Temp\$nsa
                                              • API String ID: 1716503409-1857211195
                                              • Opcode ID: 6315ab6e6f8253ba2c88c9b6803a176270f8621abb800126aa0f3c3b7b9ef66c
                                              • Instruction ID: fdeb3f6c26f57af455627ae7e74bc600c6faa16c265c20ecce0caf76aa503c20
                                              • Opcode Fuzzy Hash: 6315ab6e6f8253ba2c88c9b6803a176270f8621abb800126aa0f3c3b7b9ef66c
                                              • Instruction Fuzzy Hash: ABF09076700204BFDB008F59DD05E9BB7BCEBA5710F11803EEA05E7141E6B499659768
                                              APIs
                                              • GlobalFree.KERNELBASE(007D4F50), ref: 00401C0B
                                              • GlobalAlloc.KERNELBASE(00000040,00000804), ref: 00401C1D
                                                • Part of subcall function 004066CA: lstrcatW.KERNEL32(Remove folder: ,\Microsoft\Internet Explorer\Quick Launch,?,?,?,?,?,?,?,?,?,004030A8,00000000,?), ref: 0040686F
                                                • Part of subcall function 004066CA: lstrlenW.KERNEL32(Remove folder: ,00000000,Remove folder: C:\Users\user\AppData\Local\Temp\nsqFF0.tmp\,?,00405726,Remove folder: C:\Users\user\AppData\Local\Temp\nsqFF0.tmp\,00000000), ref: 004068C9
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2241681832.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: Global$AllocFreelstrcatlstrlen
                                              • String ID: PO}$open
                                              • API String ID: 3292104215-2223956572
                                              • Opcode ID: e44648b2847528073b7ea023ce46eb1f8e5f4ef5fcdd82f597a9323f2c2e4c3e
                                              • Instruction ID: 90824dc58898cdbd7663888cd0f434ed115bd306e5074048f8633ee4ba0fe65e
                                              • Opcode Fuzzy Hash: e44648b2847528073b7ea023ce46eb1f8e5f4ef5fcdd82f597a9323f2c2e4c3e
                                              • Instruction Fuzzy Hash: 57219672904210DBDB10AFA4DE84A6E72A4EB043147150A3BF956F72D0D7B99C498B9D
                                              APIs
                                              • CloseHandle.KERNEL32(FFFFFFFF,C:\Users\user\AppData\Local\Temp\,00403B96,?), ref: 00403C5C
                                              • CloseHandle.KERNEL32(FFFFFFFF,C:\Users\user\AppData\Local\Temp\,00403B96,?), ref: 00403C70
                                              Strings
                                              • C:\Users\user\AppData\Local\Temp\nsqFF0.tmp\, xrefs: 00403C80
                                              • C:\Users\user\AppData\Local\Temp\, xrefs: 00403C4F
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2241681832.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: CloseHandle
                                              • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsqFF0.tmp\
                                              • API String ID: 2962429428-2305721878
                                              • Opcode ID: 9571c11899c35297b6ebd84899c65c6a73d40b7c1d7f594ffb6386dbdd5b959e
                                              • Instruction ID: 7b84d4da0dc678c8153cc4de85347ab916e1b3437e0ab70bc8e42d0d677741ea
                                              • Opcode Fuzzy Hash: 9571c11899c35297b6ebd84899c65c6a73d40b7c1d7f594ffb6386dbdd5b959e
                                              • Instruction Fuzzy Hash: DCE0863240471496D120AF7CBE4D9853B185F413357204326F078F20F0C7389A574A9D
                                              APIs
                                              • SetFilePointer.KERNELBASE(?,00000000,00000000,00000000,00000000,?,?,00403344,000000FF,00000000,00000000,?,?), ref: 004033BB
                                              Strings
                                              • afii10065afii10066afii10067afii10068afii10069afii10070afii10072afii10073afii10074afii10075afii10076afii10077afii10078afii10079afii10080afii10081afii10082afii10083afii10084afii10085afii10086afii10087afii10088afii10089afii10090afii10091, xrefs: 00403410, 00403427, 0040343D
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2241681832.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Similarity
                                              • API ID: FilePointer
                                              • String ID: afii10065afii10066afii10067afii10068afii10069afii10070afii10072afii10073afii10074afii10075afii10076afii10077afii10078afii10079afii10080afii10081afii10082afii10083afii10084afii10085afii10086afii10087afii10088afii10089afii10090afii10091
                                              • API String ID: 973152223-3450027178
                                              APIs
                                                • Part of subcall function 00406007: CharNextW.USER32(?,?,C:\,?,0040607B,C:\,C:\, 4#v.#v,?,76232EE0,00405DB9,?,76233420,76232EE0,00000000), ref: 00406015
                                                • Part of subcall function 00406007: CharNextW.USER32(00000000), ref: 0040601A
                                                • Part of subcall function 00406007: CharNextW.USER32(00000000), ref: 00406032
                                              • GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A
                                                • Part of subcall function 00405BBE: CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405C01
                                              • SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor,?,00000000,000000F0), ref: 0040164D
                                              Strings
                                              • C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor, xrefs: 00401640
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2241681832.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Similarity
                                              • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                              • String ID: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor
                                              • API String ID: 1892508949-3506704879
                                              APIs
                                                • Part of subcall function 00405CB3: ShellExecuteExW.SHELL32(?), ref: 00405CC2
                                                • Part of subcall function 00406B05: WaitForSingleObject.KERNEL32(?,00000064), ref: 00406B16
                                                • Part of subcall function 00406B05: GetExitCodeProcess.KERNEL32(?,?), ref: 00406B38
                                              • CloseHandle.KERNELBASE(?,?,?,?,?,?), ref: 00401FEB
                                              Strings
                                              • C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor, xrefs: 00401F6A
                                              • @, xrefs: 00401F8A
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2241681832.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Similarity
                                              • API ID: CloseCodeExecuteExitHandleObjectProcessShellSingleWait
                                              • String ID: @$C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor
                                              • API String ID: 165873841-180413337
                                              APIs
                                              • RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 004025D1
                                              • RegEnumValueW.ADVAPI32(00000000,00000000,?,?), ref: 004025E4
                                              • RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe,00000000,00000011,00000002), ref: 004025FD
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2241681832.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Similarity
                                              • API ID: Enum$CloseValue
                                              • String ID:
                                              • API String ID: 397863658-0
                                              APIs
                                                • Part of subcall function 00406158: GetFileAttributesW.KERNELBASE(?,?,00405D5D,?,?,00000000,00405F33,?,?,?,?), ref: 0040615D
                                                • Part of subcall function 00406158: SetFileAttributesW.KERNELBASE(?,00000000), ref: 00406171
                                              • RemoveDirectoryW.KERNELBASE(?,?,?,00000000,00405F33), ref: 00405D6C
                                              • DeleteFileW.KERNELBASE(?,?,?,00000000,00405F33), ref: 00405D74
                                              • SetFileAttributesW.KERNEL32(?,00000000), ref: 00405D8C
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2241681832.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Similarity
                                              • API ID: File$Attributes$DeleteDirectoryRemove
                                              • String ID:
                                              • API String ID: 1655745494-0
                                              APIs
                                              • ReadFile.KERNELBASE(?,00000000,00000000,00000000,00000000,afii10065afii10066afii10067afii10068afii10069afii10070afii10072afii10073afii10074afii10075afii10076afii10077afii10078afii10079afii10080afii10081afii10082afii10083afii10084afii10085afii10086afii10087afii10088afii10089afii10090afii10091,00416A50,0040361A,?,?,0040351E,afii10065afii10066afii10067afii10068afii10069afii10070afii10072afii10073afii10074afii10075afii10076afii10077afii10078afii10079afii10080afii10081afii10082afii10083afii10084afii10085afii10086afii10087afii10088afii10089afii10090afii10091,00004000,?,00000000,004033C8), ref: 00406214
                                              Strings
                                              • afii10065afii10066afii10067afii10068afii10069afii10070afii10072afii10073afii10074afii10075afii10076afii10077afii10078afii10079afii10080afii10081afii10082afii10083afii10084afii10085afii10086afii10087afii10088afii10089afii10090afii10091, xrefs: 00406203
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2241681832.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Similarity
                                              • API ID: FileRead
                                              • String ID: afii10065afii10066afii10067afii10068afii10069afii10070afii10072afii10073afii10074afii10075afii10076afii10077afii10078afii10079afii10080afii10081afii10082afii10083afii10084afii10085afii10086afii10087afii10088afii10089afii10090afii10091
                                              • API String ID: 2738559852-3450027178
                                              APIs
                                              • RegQueryValueExW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,00000033), ref: 0040255B
                                              • RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe,00000000,00000011,00000002), ref: 004025FD
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2241681832.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Similarity
                                              • API ID: CloseQueryValue
                                              • String ID:
                                              • API String ID: 3356406503-0
                                              APIs
                                              • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                              • SendMessageW.USER32(?,00000402,00000000), ref: 004013F4
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2241681832.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Similarity
                                              • API ID: MessageSend
                                              • String ID:
                                              • API String ID: 3850602802-0
                                              APIs
                                              • OleInitialize.OLE32(00000000), ref: 004057D2
                                                • Part of subcall function 00404635: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404647
                                              • CoUninitialize.COMBASE(00000404,00000000,?,00000000,?), ref: 0040581E
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2241681832.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Similarity
                                              • API ID: InitializeMessageSendUninitialize
                                              • String ID:
                                              • API String ID: 2896919175-0
                                              • Opcode ID: fc1388026c54a09b95de14390a5393f9e9ed8c547e3e5077fba47ed0ae551c4e
                                              • Instruction ID: 97d44b5ca4adf0d0d7323f517b99f76dbd520b04f20c21dbe704a453cc6936e4
                                              • Opcode Fuzzy Hash: fc1388026c54a09b95de14390a5393f9e9ed8c547e3e5077fba47ed0ae551c4e
                                              • Instruction Fuzzy Hash: CAF090774006409AE3416754AD01B9773A8EBD4705F09D43FEF85632E0D7795C018B6D
                                              APIs
                                              • GetModuleHandleA.KERNEL32(?,00000020,?,00403775,0000000B), ref: 00406A6C
                                              • GetProcAddress.KERNEL32(00000000,?), ref: 00406A87
                                                • Part of subcall function 004069EA: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406A01
                                                • Part of subcall function 004069EA: wsprintfW.USER32 ref: 00406A3C
                                                • Part of subcall function 004069EA: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406A50
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2241681832.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                              • String ID:
                                              • API String ID: 2547128583-0
                                              • Opcode ID: a89557e88259ac32882439a66efe2bded2b7fe37332f597cb2162f61758b0433
                                              • Instruction ID: d56d102e99fd3101cdb8aec338c2f50177d10d048057f994065b24068ac66ad8
                                              • Opcode Fuzzy Hash: a89557e88259ac32882439a66efe2bded2b7fe37332f597cb2162f61758b0433
                                              • Instruction Fuzzy Hash: 28E086326042215BD210A6705D08D3773A89BD5740306853EF95AF2040DB38DC35AB7E
                                              APIs
                                              • FreeLibrary.KERNELBASE(?,76233420,00000000,76232EE0,00403C7E,C:\Users\user\AppData\Local\Temp\,00403B96,?), ref: 00403CC1
                                              • GlobalFree.KERNEL32(?), ref: 00403CC8
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2241681832.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: Free$GlobalLibrary
                                              • String ID:
                                              • API String ID: 1100898210-0
                                              • Opcode ID: 52bae1a00f641985f8d901fbc550cdcf9aca1cab1693d867321a06d4c530aff9
                                              • Instruction ID: 71155446bc0b73c9347c443766f8a52f6ca226953ad014e307e6a41b6b2137c9
                                              • Opcode Fuzzy Hash: 52bae1a00f641985f8d901fbc550cdcf9aca1cab1693d867321a06d4c530aff9
                                              • Instruction Fuzzy Hash: 8DE0123360A62097D6316F45FE0875EB76DAF44B22F05407BEC84BB26087745D428BE8
                                              APIs
                                              • GetFileAttributesW.KERNELBASE(00000003,00403113,C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe,80000000,00000003), ref: 00406181
                                              • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 004061A3
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2241681832.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: File$AttributesCreate
                                              • String ID:
                                              • API String ID: 415043291-0
                                              • Opcode ID: bc48b18717e6d0ecb647aea7fc0ab07bebcbb2e2e3a0bd9572a83b91cd6509df
                                              • Instruction ID: 0e1b57c135d9ed337dcee0f1630d7a3ffd6699826ab823f4ff8c6da5104765b0
                                              • Opcode Fuzzy Hash: bc48b18717e6d0ecb647aea7fc0ab07bebcbb2e2e3a0bd9572a83b91cd6509df
                                              • Instruction Fuzzy Hash: DCD09E71254201AFEF0D8F20DF16F2E7AA2EB94B04F11952CB682940E1DAB15C15AB19
                                              APIs
                                              • GetFileAttributesW.KERNELBASE(?,?,00405D5D,?,?,00000000,00405F33,?,?,?,?), ref: 0040615D
                                              • SetFileAttributesW.KERNELBASE(?,00000000), ref: 00406171
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2241681832.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: AttributesFile
                                              • String ID:
                                              • API String ID: 3188754299-0
                                              • Opcode ID: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
                                              • Instruction ID: 0723e86848f5330ec6f90e3c76412c46a8a36ecb04b7045f48d893429f4a9222
                                              • Opcode Fuzzy Hash: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
                                              • Instruction Fuzzy Hash: 05D012765041317FC2102728EF0C89BBFA5EF64371B014B35F9A5A62F0CB304C638A98
                                              APIs
                                              • CreateDirectoryW.KERNELBASE(?,00000000,00403658,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403948), ref: 00405C41
                                              • GetLastError.KERNEL32 ref: 00405C4F
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2241681832.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: CreateDirectoryErrorLast
                                              • String ID:
                                              • API String ID: 1375471231-0
                                              • Opcode ID: 3d774f31bfc7c5d70b6f8c035fc875d1b29c99f0800ffc9da4ab7b914865a185
                                              • Instruction ID: 04a9a840500a1faae1428a8721403a6602e48d21a4d0f4853d09d499ab864726
                                              • Opcode Fuzzy Hash: 3d774f31bfc7c5d70b6f8c035fc875d1b29c99f0800ffc9da4ab7b914865a185
                                              • Instruction Fuzzy Hash: 31C04C30208601AEEB505B609F08B177A949B50781F11443D6247E41A4DA788455DD2D
                                              APIs
                                              • SetFilePointer.KERNELBASE(00000000,?,00000000,?,?), ref: 004028AF
                                                • Part of subcall function 004065D4: wsprintfW.USER32 ref: 004065E1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2241681832.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: FilePointerwsprintf
                                              • String ID:
                                              • API String ID: 327478801-0
                                              • Opcode ID: 911f81caf7f6a85de1c8215937790c797343221fa9c872a56ab6e19d05cabded
                                              • Instruction ID: d3f61a6b652c36d323ffa4745d65a27fd9b4ce70cee92daaf366dae8ce959304
                                              • Opcode Fuzzy Hash: 911f81caf7f6a85de1c8215937790c797343221fa9c872a56ab6e19d05cabded
                                              • Instruction Fuzzy Hash: E7E01271904105BFDB01AFA5BE499AEB3B8EF44319B10493BF102F10D1DA794D519B2D
                                              APIs
                                              • FindNextFileW.KERNELBASE(00000000,?,?), ref: 004028F2
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2241681832.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: FileFindNext
                                              • String ID:
                                              • API String ID: 2029273394-0
                                              • Opcode ID: e3c1db33ff94f9492508707642f8a866c7dc6783fb47d8f406cf324d72a7e5ba
                                              • Instruction ID: d6b4e108d485a6d9ae59b3d82497b8fd92684bf00ab7ad0ed4119ffb0bf3b79c
                                              • Opcode Fuzzy Hash: e3c1db33ff94f9492508707642f8a866c7dc6783fb47d8f406cf324d72a7e5ba
                                              • Instruction Fuzzy Hash: 49E06D72A04105AFDB11DFA0EE88AAE73B4EF40308F20457BD102F20D0E7B89E55AB19
                                              APIs
                                              • RegCreateKeyExW.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402E57,00000000,?,?), ref: 00406551
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2241681832.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: Create
                                              • String ID:
                                              • API String ID: 2289755597-0
                                              • Opcode ID: f0170b29b94a961cdf0cc122a920c286c7e5b726b195fdee8f598fb45efbb6e4
                                              • Instruction ID: 9dc2e05faf14d98d07d01530fc29406d3e42f20afa7b541e6caf9ca19718b436
                                              • Opcode Fuzzy Hash: f0170b29b94a961cdf0cc122a920c286c7e5b726b195fdee8f598fb45efbb6e4
                                              • Instruction Fuzzy Hash: AAE0E6B2010109BEDF095F50EC0AD7B371DE704304F01452EF957D4051E6B5AD705634
                                              APIs
                                              • WriteFile.KERNELBASE(?,00000000,00000000,00000000,00000000,00419DBB,00416A50,0040359E,00416A50,00419DBB,0040CE90,afii10065afii10066afii10067afii10068afii10069afii10070afii10072afii10073afii10074afii10075afii10076afii10077afii10078afii10079afii10080afii10081afii10082afii10083afii10084afii10085afii10086afii10087afii10088afii10089afii10090afii10091,00004000,?,00000000,004033C8), ref: 00406243
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2241681832.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: FileWrite
                                              • String ID:
                                              • API String ID: 3934441357-0
                                              • Opcode ID: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
                                              • Instruction ID: 5b734f92b1dc7b123c5c272c0027e6cf43796c1bbbaf0e44fea3265e2477ecc1
                                              • Opcode Fuzzy Hash: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
                                              • Instruction Fuzzy Hash: DEE08C3224025AABCF20BE609C00BEB3B6DFB01360F01447AFA1AE3040D234E83087A4
                                              APIs
                                              • RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,?,?,?,?,?,00406588,?,00000000,?,?,Remove folder: ,?), ref: 0040651E
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2241681832.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: Open
                                              • String ID:
                                              • API String ID: 71445658-0
                                              • Opcode ID: 759d75b29ffd137612e455953a298f0698f5beae901813cd77d6ec234b014f3e
                                              • Instruction ID: b6e5496c941c17b2b5574e89bf7b365a59fee3d89c9ab4e4d75452d2b85434ad
                                              • Opcode Fuzzy Hash: 759d75b29ffd137612e455953a298f0698f5beae901813cd77d6ec234b014f3e
                                              • Instruction Fuzzy Hash: 3ED0123204020EBBDF115F90ED01FAB3B6DEB08314F014426FE06A4091D775D630AB69
                                              APIs
                                                • Part of subcall function 004066CA: lstrcatW.KERNEL32(Remove folder: ,\Microsoft\Internet Explorer\Quick Launch,?,?,?,?,?,?,?,?,?,004030A8,00000000,?), ref: 0040686F
                                                • Part of subcall function 004066CA: lstrlenW.KERNEL32(Remove folder: ,00000000,Remove folder: C:\Users\user\AppData\Local\Temp\nsqFF0.tmp\,?,00405726,Remove folder: C:\Users\user\AppData\Local\Temp\nsqFF0.tmp\,00000000), ref: 004068C9
                                              • SetDlgItemTextW.USER32(?,?,00000000), ref: 00404603
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2241681832.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: ItemTextlstrcatlstrlen
                                              • String ID:
                                              • API String ID: 281422827-0
                                              • Opcode ID: e3843e70eb5d9dcbb5370903225d5acf726ac4879fd88bc540f8ea1a0a7f924d
                                              • Instruction ID: d409525a4702a70ccaeefb4a9c4cd5b1d7f1f13d8284e09b1dfcac6adae530d2
                                              • Opcode Fuzzy Hash: e3843e70eb5d9dcbb5370903225d5acf726ac4879fd88bc540f8ea1a0a7f924d
                                              • Instruction Fuzzy Hash: 00C04C75158700BFE641A795CC42F1FB7A9EFA432AF40C92EB15DA11E1C63588249A2A
                                              APIs
                                              • SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404647
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2241681832.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: MessageSend
                                              • String ID:
                                              • API String ID: 3850602802-0
                                              • Opcode ID: 79349130b84a71d7d24d15bb86ebc2430f6dcd2e3aeaf46f87cddf0983e00a96
                                              • Instruction ID: f009f2a1c1a45d547a2a1c50361a24df8b21343da8ac70265c7cea7dbb18a530
                                              • Opcode Fuzzy Hash: 79349130b84a71d7d24d15bb86ebc2430f6dcd2e3aeaf46f87cddf0983e00a96
                                              • Instruction Fuzzy Hash: D3C04C71A44600BADE108B659E45F0677646790701F144429B651A60D0D679D410D61C
                                              APIs
                                              • SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040331D,?), ref: 0040362B
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2241681832.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: FilePointer
                                              • String ID:
                                              • API String ID: 973152223-0
                                              • Opcode ID: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
                                              • Instruction ID: 036c8468b6dd2e012b37e6e875261c5f60c7cf4634656b07e897873a541603b6
                                              • Opcode Fuzzy Hash: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
                                              • Instruction Fuzzy Hash: 1FB01231140304BFDA214F10DF09F067B21BB94700F20C034B384380F086711435EB0D
                                              APIs
                                              • SendMessageW.USER32(00000028,?,00000001,00404449), ref: 0040462C
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2241681832.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: MessageSend
                                              • String ID:
                                              • API String ID: 3850602802-0
                                              • Opcode ID: 4768057bedefbb6777ed1c67ba1ab4b6976a3bd61fd77b5d4e8e7cabab1a8cb3
                                              • Instruction ID: 1288f5754442609c71cc13eb59ca165896558465cf736fd1b329baf66f62a9e4
                                              • Opcode Fuzzy Hash: 4768057bedefbb6777ed1c67ba1ab4b6976a3bd61fd77b5d4e8e7cabab1a8cb3
                                              • Instruction Fuzzy Hash: CBB01239181A00FBDE518B00DE09F857E62F7A4701F158078F341250F0CEB200A4DB08
                                              APIs
                                              • ShellExecuteExW.SHELL32(?), ref: 00405CC2
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2241681832.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: ExecuteShell
                                              • String ID:
                                              • API String ID: 587946157-0
                                              • Opcode ID: 34af207f7f04f37b2a6a243a8c8041682423b78b35e6f682d2e1a111f695392f
                                              • Instruction ID: 155326c85e208380d9db810c36285a9e1b4200be200639c8195ffcf147e959ee
                                              • Opcode Fuzzy Hash: 34af207f7f04f37b2a6a243a8c8041682423b78b35e6f682d2e1a111f695392f
                                              • Instruction Fuzzy Hash: BEC092B2000200EFE301CF80CB09F067BE8AF54306F028068E185DA060C7788840CB29
                                              APIs
                                              • KiUserCallbackDispatcher.NTDLL(?,004043E2), ref: 00404615
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2241681832.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: CallbackDispatcherUser
                                              • String ID:
                                              • API String ID: 2492992576-0
                                              • Opcode ID: ab55b9bd48f224c8aa1db7185d130912a98e56434272dcc4edc3d698b70dace1
                                              • Instruction ID: bb054eceab77ac383eef7cace4fb2d685cb9460f7e53505dec8a849b25ea0a96
                                              • Opcode Fuzzy Hash: ab55b9bd48f224c8aa1db7185d130912a98e56434272dcc4edc3d698b70dace1
                                              • Instruction Fuzzy Hash: 83A00275505501DFDE115B51DF09D057B75EB547017414579A54554034C6318461EB1D
                                              APIs
                                                • Part of subcall function 004056EF: lstrlenW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsqFF0.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000,?), ref: 00405727
                                                • Part of subcall function 004056EF: lstrlenW.KERNEL32(004030A8,Remove folder: C:\Users\user\AppData\Local\Temp\nsqFF0.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000), ref: 00405737
                                                • Part of subcall function 004056EF: lstrcatW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsqFF0.tmp\,004030A8,004030A8,Remove folder: C:\Users\user\AppData\Local\Temp\nsqFF0.tmp\,00000000,00000000,00000000), ref: 0040574A
                                                • Part of subcall function 004056EF: SetWindowTextW.USER32(Remove folder: C:\Users\user\AppData\Local\Temp\nsqFF0.tmp\,Remove folder: C:\Users\user\AppData\Local\Temp\nsqFF0.tmp\), ref: 0040575C
                                                • Part of subcall function 004056EF: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405782
                                                • Part of subcall function 004056EF: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040579C
                                                • Part of subcall function 004056EF: SendMessageW.USER32(?,00001013,?,00000000), ref: 004057AA
                                                • Part of subcall function 00405C70: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,004302B0,00000000,00000000), ref: 00405C99
                                                • Part of subcall function 00405C70: CloseHandle.KERNEL32(?), ref: 00405CA6
                                              • CloseHandle.KERNELBASE(?,?,?,?,?,?), ref: 00401FEB
                                                • Part of subcall function 00406B05: WaitForSingleObject.KERNEL32(?,00000064), ref: 00406B16
                                                • Part of subcall function 00406B05: GetExitCodeProcess.KERNEL32(?,?), ref: 00406B38
                                                • Part of subcall function 004065D4: wsprintfW.USER32 ref: 004065E1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2241681832.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
                                              • String ID:
                                              • API String ID: 2972824698-0
                                              • Opcode ID: d908a64bc98e64b5c753e16f2107be5d0a72c37192d028a9905f96d597801fd4
                                              • Instruction ID: c052c412f22659a8f46e6200f408dd4d6040b692da9eb56a480fef8ace216da0
                                              • Opcode Fuzzy Hash: d908a64bc98e64b5c753e16f2107be5d0a72c37192d028a9905f96d597801fd4
                                              • Instruction Fuzzy Hash: E6F0B472905122EBDB21BBA59A84DDE76F4DF01319F25453BE102B21E0D77C4E428B5E
                                              APIs
                                              • Sleep.KERNELBASE(00000000), ref: 004014EA
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2241681832.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: Sleep
                                              • String ID:
                                              • API String ID: 3472027048-0
                                              • Opcode ID: ac6988d6737da0f8f374dd9beb112762d7b6513219a14d0013161243766bad8c
                                              • Instruction ID: dfa9e5455b4c4888305db9676ff2fb7d432735461a62d31c9e3fa16f187ead4d
                                              • Opcode Fuzzy Hash: ac6988d6737da0f8f374dd9beb112762d7b6513219a14d0013161243766bad8c
                                              • Instruction Fuzzy Hash: 79D05E73A141018BD704EBB8BE8545E73A8EB503193208837D402E10D1E67888464618
                                              APIs
                                              • GetDlgItem.USER32(?,000003FB), ref: 00404B29
                                              • SetWindowTextW.USER32(00000000,?), ref: 00404B53
                                              • SHBrowseForFolderW.SHELL32(?), ref: 00404C04
                                              • CoTaskMemFree.OLE32(00000000), ref: 00404C0F
                                              • lstrcmpiW.KERNEL32(Remove folder: ,0042D2A8,00000000,?,?), ref: 00404C41
                                              • lstrcatW.KERNEL32(?,Remove folder: ), ref: 00404C4D
                                              • SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404C5F
                                                • Part of subcall function 00405CD1: GetDlgItemTextW.USER32(?,?,00000400,00404C96), ref: 00405CE4
                                                • Part of subcall function 00406914: CharNextW.USER32(?,*?|<>/":,00000000,00000000,76233420,C:\Users\user\AppData\Local\Temp\,?,00403640,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403948), ref: 00406977
                                                • Part of subcall function 00406914: CharNextW.USER32(?,?,?,00000000,?,00403640,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403948), ref: 00406986
                                                • Part of subcall function 00406914: CharNextW.USER32(?,00000000,76233420,C:\Users\user\AppData\Local\Temp\,?,00403640,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403948), ref: 0040698B
                                                • Part of subcall function 00406914: CharPrevW.USER32(?,?,76233420,C:\Users\user\AppData\Local\Temp\,?,00403640,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403948), ref: 0040699E
                                              • GetDiskFreeSpaceW.KERNEL32(0042B278,?,?,0000040F,?,0042B278,0042B278,?,00000001,0042B278,?,?,000003FB,?), ref: 00404D22
                                              • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404D3D
                                                • Part of subcall function 00404E96: lstrlenW.KERNEL32(0042D2A8,0042D2A8,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404F37
                                                • Part of subcall function 00404E96: wsprintfW.USER32 ref: 00404F40
                                                • Part of subcall function 00404E96: SetDlgItemTextW.USER32(?,0042D2A8), ref: 00404F53
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2241681832.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2241666192.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2241698110.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2241712581.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2241712581.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2241712581.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2241712581.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2241712581.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2241712581.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2241712581.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2242475569.0000000000451000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2242475569.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                              • String ID: 2773$A$C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor$Remove folder: $TQx
                                              • API String ID: 2624150263-3095640471
                                              • Opcode ID: f9501cdbfdd5d593f78db5f5bbadcc5a3fe73e371e435490aaee45e8f5b25fe8
                                              • Instruction ID: 8de460b93a94d9638e4c8340bf91bde38678985932417c8a19f49581c71f127f
                                              • Opcode Fuzzy Hash: f9501cdbfdd5d593f78db5f5bbadcc5a3fe73e371e435490aaee45e8f5b25fe8
                                              • Instruction Fuzzy Hash: E2A18FB1900209ABDB11AFA5CD45AEFB7B8EF84314F11843BF601B62D1DB7C99418B6D
                                              APIs
                                              • GetDlgItem.USER32(?,000003F9), ref: 0040506E
                                              • GetDlgItem.USER32(?,00000408), ref: 00405079
                                              • GlobalAlloc.KERNEL32(00000040,?), ref: 004050C3
                                              • LoadImageW.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 004050DA
                                              • SetWindowLongW.USER32(?,000000FC,00405663), ref: 004050F3
                                              • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00405107
                                              • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00405119
                                              • SendMessageW.USER32(?,00001109,00000002), ref: 0040512F
                                              • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 0040513B
                                              • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 0040514D
                                              • DeleteObject.GDI32(00000000), ref: 00405150
                                              • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 0040517B
                                              • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00405187
                                              • SendMessageW.USER32(?,00001132,00000000,?), ref: 00405222
                                              • SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00405252
                                                • Part of subcall function 0040461E: SendMessageW.USER32(00000028,?,00000001,00404449), ref: 0040462C
                                              • SendMessageW.USER32(?,00001132,00000000,?), ref: 00405266
                                              • GetWindowLongW.USER32(?,000000F0), ref: 00405294
                                              • SetWindowLongW.USER32(?,000000F0,00000000), ref: 004052A2
                                              • ShowWindow.USER32(?,00000005), ref: 004052B2
                                              • SendMessageW.USER32(?,00000419,00000000,?), ref: 004053AD
                                              • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00405412
                                              • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00405427
                                              • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 0040544B
                                              • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 0040546B
                                              • ImageList_Destroy.COMCTL32(?), ref: 00405480
                                              • GlobalFree.KERNEL32(?), ref: 00405490
                                              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405509
                                              • SendMessageW.USER32(?,00001102,?,?), ref: 004055B2
                                              • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 004055C1
                                              • InvalidateRect.USER32(?,00000000,00000001), ref: 004055EC
                                              • ShowWindow.USER32(?,00000000), ref: 0040563A
                                              • GetDlgItem.USER32(?,000003FE), ref: 00405645
                                              • ShowWindow.USER32(00000000), ref: 0040564C
                                              Strings
                                              Similarity
                                              • API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                              • String ID: $M$N
                                              • API String ID: 2564846305-813528018
                                              • Opcode ID: a9908f137ce661955d3d445f73b9b734142551124249dbd1ac239f916e43fbdf
                                              • Instruction ID: 802e29ad9049053b1e5f0954b56f66994214d628c42b5479e99464951c8be7a9
                                              • Opcode Fuzzy Hash: a9908f137ce661955d3d445f73b9b734142551124249dbd1ac239f916e43fbdf
                                              • Instruction Fuzzy Hash: 4B028A70900608EFDB20DFA5DD85AAF7BB5FB84314F10857AEA10BA2E1D7799941CF18
                                              APIs
                                              • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                              • BeginPaint.USER32(?,?), ref: 00401047
                                              • GetClientRect.USER32(?,?), ref: 0040105B
                                              • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                              • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                              • DeleteObject.GDI32(?), ref: 004010ED
                                              • CreateFontIndirectW.GDI32(?), ref: 00401105
                                              • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                              • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                              • SelectObject.GDI32(00000000,?), ref: 00401140
                                              • DrawTextW.USER32(00000000,00433F40,000000FF,00000010,00000820), ref: 00401156
                                              • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                              • DeleteObject.GDI32(?), ref: 00401165
                                              • EndPaint.USER32(?,?), ref: 0040116E
                                              Strings
                                              Similarity
                                              • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                              • String ID: F
                                              • API String ID: 941294808-1304234792
                                              • Opcode ID: 2f1e5daefa1e974f7702a4f04cca372f11bc15e8f7964d7cb9a588415a687d31
                                              • Instruction ID: 51bbb84c6bc3822f31e30dcd4a70f84438cd96ed0ad77071a061e55a22a78342
                                              • Opcode Fuzzy Hash: 2f1e5daefa1e974f7702a4f04cca372f11bc15e8f7964d7cb9a588415a687d31
                                              • Instruction Fuzzy Hash: 48418C71800209AFCF058F95DE459AF7BB9FF44315F04802AF991AA1A0CB34EA55DFA4
                                              APIs
                                              • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,0040646E,?,?), ref: 0040630E
                                              • GetShortPathNameW.KERNEL32(?,00430948,00000400), ref: 00406317
                                                • Part of subcall function 004060E2: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004063C7,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060F2
                                                • Part of subcall function 004060E2: lstrlenA.KERNEL32(00000000,?,00000000,004063C7,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406124
                                              • GetShortPathNameW.KERNEL32(?,00431148,00000400), ref: 00406334
                                              • wsprintfA.USER32 ref: 00406352
                                              • GetFileSize.KERNEL32(00000000,00000000,00431148,C0000000,00000004,00431148,?,?,?,?,?), ref: 0040638D
                                              • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 0040639C
                                              • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004063D4
                                              • SetFilePointer.KERNEL32(0040A5B0,00000000,00000000,00000000,00000000,00430548,00000000,-0000000A,0040A5B0,00000000,[Rename],00000000,00000000,00000000), ref: 0040642A
                                              • GlobalFree.KERNEL32(00000000), ref: 0040643B
                                              • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00406442
                                                • Part of subcall function 0040617D: GetFileAttributesW.KERNELBASE(00000003,00403113,C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe,80000000,00000003), ref: 00406181
                                                • Part of subcall function 0040617D: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 004061A3
                                              Strings
                                              Similarity
                                              • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                                              • String ID: %ls=%ls$HC$[Rename]
                                              • API String ID: 2171350718-751199019
                                              • Opcode ID: 02b6072bb31f1d68e91523ae5e330492c5079dd9865bc02a0e86606110766321
                                              • Instruction ID: 74bdd788cb8b4ee040e55f76e0ef7417015a071b3de06053f844a7372032ebef
                                              • Opcode Fuzzy Hash: 02b6072bb31f1d68e91523ae5e330492c5079dd9865bc02a0e86606110766321
                                              • Instruction Fuzzy Hash: D7312470100325BFD2206B659D49F6B3A6CEF45758F26003AFD46F62D2DA7CD82186BD
                                              APIs
                                              • GetWindowLongW.USER32(?,000000EB), ref: 0040466D
                                              • GetSysColor.USER32(00000000), ref: 004046AB
                                              • SetTextColor.GDI32(?,00000000), ref: 004046B7
                                              • SetBkMode.GDI32(?,?), ref: 004046C3
                                              • GetSysColor.USER32(?), ref: 004046D6
                                              • SetBkColor.GDI32(?,?), ref: 004046E6
                                              • DeleteObject.GDI32(?), ref: 00404700
                                              • CreateBrushIndirect.GDI32(?), ref: 0040470A
                                              Similarity
                                              • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                              • String ID:
                                              • API String ID: 2320649405-0
                                              • Opcode ID: f4fe220c79686689299554ac50abea47664d32920eac269e7a43003585d3568b
                                              • Instruction ID: 6121d008a9b7ecf76a81997280e59ba99a2e493cbb0db5da31d436609754e44e
                                              • Opcode Fuzzy Hash: f4fe220c79686689299554ac50abea47664d32920eac269e7a43003585d3568b
                                              • Instruction Fuzzy Hash: 0F2177715007059FC7309F68D948B5BBBF8AF82714B05892EE992B36E1D738D904CB59
                                              APIs
                                              • ReadFile.KERNEL32(?,?,?,?), ref: 00402758
                                              • MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402793
                                              • SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004027B6
                                              • MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004027CC
                                                • Part of subcall function 0040625E: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00406274
                                              • SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 00402878
                                              Strings
                                              Similarity
                                              • API ID: File$Pointer$ByteCharMultiWide$Read
                                              • String ID: 9
                                              • API String ID: 163830602-2366072709
                                              • Opcode ID: 67c81ffb95277c01c66448ee03bc1d149d7ee8f033b4707ba9551d335eed2048
                                              • Instruction ID: 166ceabb3e2238d138e74452bf92276f4d80c89d812dfbd6cc667926565fca09
                                              • Opcode Fuzzy Hash: 67c81ffb95277c01c66448ee03bc1d149d7ee8f033b4707ba9551d335eed2048
                                              • Instruction Fuzzy Hash: 9651F975D00219ABDF20EF95CA88AAEBB79FF04304F10817BE541B62D4D7B49D82CB58
                                              APIs
                                              • CharNextW.USER32(?,*?|<>/":,00000000,00000000,76233420,C:\Users\user\AppData\Local\Temp\,?,00403640,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403948), ref: 00406977
                                              • CharNextW.USER32(?,?,?,00000000,?,00403640,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403948), ref: 00406986
                                              • CharNextW.USER32(?,00000000,76233420,C:\Users\user\AppData\Local\Temp\,?,00403640,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403948), ref: 0040698B
                                              • CharPrevW.USER32(?,?,76233420,C:\Users\user\AppData\Local\Temp\,?,00403640,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403948), ref: 0040699E
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2241681832.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Similarity
                                              • API ID: Char$Next$Prev
                                              • String ID: *?|<>/":$C:\Users\user\AppData\Local\Temp\
                                              • API String ID: 589700163-826357637
                                              • Opcode ID: 4a25a2118415850d7bb15acf585ec7f7b5de772317bec8c7d00468289de3f440
                                              • Instruction ID: e7b68e4bab7b21d1a9feacd00843ba5077d54604f9afa7ebb0505ef274780ca8
                                              • Opcode Fuzzy Hash: 4a25a2118415850d7bb15acf585ec7f7b5de772317bec8c7d00468289de3f440
                                              • Instruction Fuzzy Hash: 2A11E69580071299D7303B188C40B77A2E8AF54760F52443FED8A736C1E7BC4C9286BD
                                              APIs
                                              • DestroyWindow.USER32(00000000,00000000), ref: 00403049
                                              • GetTickCount.KERNEL32 ref: 00403067
                                              • wsprintfW.USER32 ref: 00403095
                                                • Part of subcall function 004056EF: lstrlenW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsqFF0.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000,?), ref: 00405727
                                                • Part of subcall function 004056EF: lstrlenW.KERNEL32(004030A8,Remove folder: C:\Users\user\AppData\Local\Temp\nsqFF0.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000), ref: 00405737
                                                • Part of subcall function 004056EF: lstrcatW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsqFF0.tmp\,004030A8,004030A8,Remove folder: C:\Users\user\AppData\Local\Temp\nsqFF0.tmp\,00000000,00000000,00000000), ref: 0040574A
                                                • Part of subcall function 004056EF: SetWindowTextW.USER32(Remove folder: C:\Users\user\AppData\Local\Temp\nsqFF0.tmp\,Remove folder: C:\Users\user\AppData\Local\Temp\nsqFF0.tmp\), ref: 0040575C
                                                • Part of subcall function 004056EF: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405782
                                                • Part of subcall function 004056EF: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040579C
                                                • Part of subcall function 004056EF: SendMessageW.USER32(?,00001013,?,00000000), ref: 004057AA
                                              • CreateDialogParamW.USER32(0000006F,00000000,00402F93,00000000), ref: 004030B9
                                              • ShowWindow.USER32(00000000,00000005), ref: 004030C7
                                                • Part of subcall function 00403012: MulDiv.KERNEL32(00000000,00000064,0000336B), ref: 00403027
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2241681832.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Similarity
                                              • API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
                                              • String ID: ... %d%%
                                              • API String ID: 722711167-2449383134
                                              • Opcode ID: b5cbcf955adf1b998350fb665a9b45eb4fb8a209939906c4e4281ae41dacce0d
                                              • Instruction ID: f5c9a828d9b77ec8a4b8d889384ec28a22608ac642f349807ce7d694f809b17b
                                              • Opcode Fuzzy Hash: b5cbcf955adf1b998350fb665a9b45eb4fb8a209939906c4e4281ae41dacce0d
                                              • Instruction Fuzzy Hash: B701AD70913610ABC721BF60AE08A9A7F6CAB00B06F14403BF841B21E9DA385644CB9E
                                              APIs
                                              • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404FBF
                                              • GetMessagePos.USER32 ref: 00404FC7
                                              • ScreenToClient.USER32(?,?), ref: 00404FE1
                                              • SendMessageW.USER32(?,00001111,00000000,?), ref: 00404FF3
                                              • SendMessageW.USER32(?,0000113E,00000000,?), ref: 00405019
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2241681832.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Similarity
                                              • API ID: Message$Send$ClientScreen
                                              • String ID: f
                                              • API String ID: 41195575-1993550816
                                              • Opcode ID: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
                                              • Instruction ID: 854ec97d9aec7fbf1761168e703054b56d1c17fff8591377de73e048a42af4f7
                                              • Opcode Fuzzy Hash: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
                                              • Instruction Fuzzy Hash: F8014C31900619BADB00DBA4DD85BFFBBBCAB54B15F10012BBA50B61C0D6B49A058BA5
                                              APIs
                                              • GetDC.USER32(?), ref: 00401E51
                                              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E6B
                                              • MulDiv.KERNEL32(00000000,00000000), ref: 00401E73
                                              • ReleaseDC.USER32(?,00000000), ref: 00401E84
                                                • Part of subcall function 004066CA: lstrcatW.KERNEL32(Remove folder: ,\Microsoft\Internet Explorer\Quick Launch,?,?,?,?,?,?,?,?,?,004030A8,00000000,?), ref: 0040686F
                                                • Part of subcall function 004066CA: lstrlenW.KERNEL32(Remove folder: ,00000000,Remove folder: C:\Users\user\AppData\Local\Temp\nsqFF0.tmp\,?,00405726,Remove folder: C:\Users\user\AppData\Local\Temp\nsqFF0.tmp\,00000000), ref: 004068C9
                                              • CreateFontIndirectW.GDI32(0040CE20), ref: 00401ED3
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2241681832.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Similarity
                                              • API ID: CapsCreateDeviceFontIndirectReleaselstrcatlstrlen
                                              • String ID: MS Shell Dlg
                                              • API String ID: 2584051700-76309092
                                              • Opcode ID: 92f01be67c811d73aea03585c7e288fe3df1721f994b097e0014ee00e04dbc5a
                                              • Instruction ID: 7c51e5a73a22c87430a112b3afc2fa3cc1ee70618efc563a88b6ad89211de1e7
                                              • Opcode Fuzzy Hash: 92f01be67c811d73aea03585c7e288fe3df1721f994b097e0014ee00e04dbc5a
                                              • Instruction Fuzzy Hash: C6017571905641EFEB005BB4EE8DB9A3FB4BB16305F104A79F545B61E2C7B904058BAC
                                              APIs
                                              • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402FB1
                                              • wsprintfW.USER32 ref: 00402FE5
                                              • SetWindowTextW.USER32(?,?), ref: 00402FF5
                                              • SetDlgItemTextW.USER32(?,00000406,?), ref: 00403007
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2241681832.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Similarity
                                              • API ID: Text$ItemTimerWindowwsprintf
                                              • String ID: unpacking data: %d%%$verifying installer: %d%%
                                              • API String ID: 1451636040-1158693248
                                              • Opcode ID: 1544cb4517f93d8949c53ea1ad77390297e2a2b2a304bbe75cac4b66005c9a0b
                                              • Instruction ID: d2bb70d987cc30a978c8a103495d1f2f68561e9b24ca436dc3171362fb91f73a
                                              • Opcode Fuzzy Hash: 1544cb4517f93d8949c53ea1ad77390297e2a2b2a304bbe75cac4b66005c9a0b
                                              • Instruction Fuzzy Hash: FFF0367050020DABEF206F50DD4ABEA3B69EB00309F00813AF615B51D0DBB999559F59
                                              APIs
                                              • RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402EFD
                                              • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402F49
                                              • RegCloseKey.ADVAPI32(?,?,?), ref: 00402F52
                                              • RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F69
                                              • RegCloseKey.ADVAPI32(?,?,?), ref: 00402F74
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2241681832.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Similarity
                                              • API ID: CloseEnum$DeleteValue
                                              • String ID:
                                              • API String ID: 1354259210-0
                                              • Opcode ID: 1bc60eb0e66f615d2d3d061c5866a638354d38a2b8b306f581c9a959db7e233a
                                              • Instruction ID: 6b95dc3500511dce4e5de31b38d7436f6fd5a8a345ad3081b8d117c02f9ef813
                                              • Opcode Fuzzy Hash: 1bc60eb0e66f615d2d3d061c5866a638354d38a2b8b306f581c9a959db7e233a
                                              • Instruction Fuzzy Hash: EB212A7150010ABFDF11AF90CE89EEF7B7DEB54384F110076F909B21A0D7B59E54AA68
                                              APIs
                                              • lstrlenW.KERNEL32(0042D2A8,0042D2A8,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404F37
                                              • wsprintfW.USER32 ref: 00404F40
                                              • SetDlgItemTextW.USER32(?,0042D2A8), ref: 00404F53
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2241681832.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Similarity
                                              • API ID: ItemTextlstrlenwsprintf
                                              • String ID: %u.%u%s%s
                                              • API String ID: 3540041739-3551169577
                                              • Opcode ID: 397c4eefef7c4fd46db2786e05f81ea67758746fc016b33e0f79fd620f39338b
                                              • Instruction ID: 95f330d89eb615a081aaf18d4b62896d2d727392bfc7759752ebdb1328b7b6c0
                                              • Opcode Fuzzy Hash: 397c4eefef7c4fd46db2786e05f81ea67758746fc016b33e0f79fd620f39338b
                                              • Instruction Fuzzy Hash: 5211D87390412837DB0065ADDC41EAF3298EB81339F150637FA26F21D1D979C82642E8
                                              APIs
                                              • CharNextW.USER32(?,?,C:\,?,0040607B,C:\,C:\, 4#v.#v,?,76232EE0,00405DB9,?,76233420,76232EE0,00000000), ref: 00406015
                                              • CharNextW.USER32(00000000), ref: 0040601A
                                              • CharNextW.USER32(00000000), ref: 00406032
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2241681832.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Similarity
                                              • API ID: CharNext
                                              • String ID: C:\
                                              • API String ID: 3213498283-3404278061
                                              • Opcode ID: 57a0f749dedf01e66309fd0a2db08218b059d7c159d1474e7fdd1c0f95484055
                                              • Instruction ID: 128a25df78dd06359cb7b9c1fd5de48d27faf8bc0378c0985d39fa9dfcfcc245
                                              • Opcode Fuzzy Hash: 57a0f749dedf01e66309fd0a2db08218b059d7c159d1474e7fdd1c0f95484055
                                              • Instruction Fuzzy Hash: 73F0F62199072195DF31F6584C54A7756BCEB55391B02803FD642B71C1D3F94CA082DA
                                              APIs
                                              • lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403652,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403948), ref: 00405F62
                                              • CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403652,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403948), ref: 00405F6C
                                              • lstrcatW.KERNEL32(?,0040A014), ref: 00405F7E
                                              Strings
                                              • C:\Users\user\AppData\Local\Temp\, xrefs: 00405F5C
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2241681832.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: CharPrevlstrcatlstrlen
                                              • String ID: C:\Users\user\AppData\Local\Temp\
                                              • API String ID: 2659869361-3936084776
                                              • Opcode ID: 7317fb0b60a0da6156192e69c80d181f5022b3d5f83b8f009beaa75eacd33bdb
                                              • Instruction ID: f916046b62cc2aa89770169b94aadace9c2e82a4a7df0b7432f73ae3ee9d266f
                                              • Opcode Fuzzy Hash: 7317fb0b60a0da6156192e69c80d181f5022b3d5f83b8f009beaa75eacd33bdb
                                              • Instruction Fuzzy Hash: 4AD0A731111930ABC1116B459C04CDF629CAE85300341083BF501B31E0C77D1D628BFD
                                              APIs
                                              • lstrlenA.KERNEL32(open C:\Windows\explorer.exe), ref: 00402695
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2241681832.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: lstrlen
                                              • String ID: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe$open C:\Windows\explorer.exe
                                              • API String ID: 1659193697-3843435200
                                              • Opcode ID: 339cda3b6240c2b4372ebba86d340f3574c2dbc1eb9f31013044c8f79a9c9593
                                              • Instruction ID: 62d20b05a3357d934ec4866fba63d5b78b50cde32abaa7e104bc331bec961829
                                              • Opcode Fuzzy Hash: 339cda3b6240c2b4372ebba86d340f3574c2dbc1eb9f31013044c8f79a9c9593
                                              • Instruction Fuzzy Hash: D211E772E40204AACF10BFB18E4AA9E7670AF44758F21483FE002B61C1D6FD8D51479E
                                              APIs
                                              • IsWindowVisible.USER32(?), ref: 00405692
                                              • CallWindowProcW.USER32(?,?,?,?), ref: 004056E3
                                                • Part of subcall function 00404635: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404647
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2241681832.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: Window$CallMessageProcSendVisible
                                              • String ID:
                                              • API String ID: 3748168415-3916222277
                                              • Opcode ID: 14138667baaff432bd57aba462d359ac5a3867fb529480fe1940324c389a3283
                                              • Instruction ID: 49dc673acd963005c08682070ecd0f599ab8459687fb68577aa77c07b07ccbf5
                                              • Opcode Fuzzy Hash: 14138667baaff432bd57aba462d359ac5a3867fb529480fe1940324c389a3283
                                              • Instruction Fuzzy Hash: 27017131500609AFEF205F11ED91A9B3765EB84354FA04837FA09762D0D77B8CA29E6D
                                              APIs
                                              • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000800,00000000,?,00000000,?,?,Remove folder: ,?,?,004067C2,80000002), ref: 004065A1
                                              • RegCloseKey.ADVAPI32(?,?,004067C2,80000002,Software\Microsoft\Windows\CurrentVersion,Remove folder: ,Remove folder: ,Remove folder: ,00000000,Remove folder: C:\Users\user\AppData\Local\Temp\nsqFF0.tmp\), ref: 004065AC
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2241681832.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: CloseQueryValue
                                              • String ID: Remove folder:
                                              • API String ID: 3356406503-1958208860
                                              • Opcode ID: c51c7f91b14884c04d5a49d2292e28a4eee82ba6fe5fe9d4b8ccfb8c6b524185
                                              • Instruction ID: e4ac7359a1b659a9f59a634dbd82e0f580ad783f88516533abd6ea308344e3a8
                                              • Opcode Fuzzy Hash: c51c7f91b14884c04d5a49d2292e28a4eee82ba6fe5fe9d4b8ccfb8c6b524185
                                              • Instruction Fuzzy Hash: 1A019E72510209BECF218F54DC05EDB3BA8EF54364F018039FD1A92190D738D968DB94
                                              APIs
                                              • lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,0040313C,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe,C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe,80000000,00000003), ref: 00405FAE
                                              • CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,0040313C,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe,C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe,80000000,00000003), ref: 00405FBE
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2241681832.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: CharPrevlstrlen
                                              • String ID: C:\Users\user\Desktop
                                              • API String ID: 2709904686-3125694417
                                              • Opcode ID: 176def5b2db9ef34a9f22db2929791273b03e08e07d7b66f37effa829582f156
                                              • Instruction ID: 535f5ccac895b1779bb0ecd95b90d1ca11060359cda8f514803827ef2a973a34
                                              • Opcode Fuzzy Hash: 176def5b2db9ef34a9f22db2929791273b03e08e07d7b66f37effa829582f156
                                              • Instruction Fuzzy Hash: B6D05EB34119209AD712A704DD0099F67A8EF5130074A442AE441E61A1D77C5C918AA9
                                              APIs
                                              • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004063C7,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060F2
                                              • lstrcmpiA.KERNEL32(00000000,00000000), ref: 0040610A
                                              • CharNextA.USER32(00000000,?,00000000,004063C7,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 0040611B
                                              • lstrlenA.KERNEL32(00000000,?,00000000,004063C7,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406124
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2241681832.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: lstrlen$CharNextlstrcmpi
                                              • String ID:
                                              • API String ID: 190613189-0
                                              • Opcode ID: 4f145c51a58837bd7eda372618efc6ab74ada67201017ca859b4805a40dfc06b
                                              • Instruction ID: 08f1e04cea81bf1613d6e43d8f1348f64120c3bc5a4528e71377fff87bf4f4b2
                                              • Opcode Fuzzy Hash: 4f145c51a58837bd7eda372618efc6ab74ada67201017ca859b4805a40dfc06b
                                              • Instruction Fuzzy Hash: 19F0C231604018EFC7029FA8DD0099EBFA8DF06250B2640BAE841FB211D674DE11A798

                                              Execution Graph

                                              Execution Coverage:13.7%
                                              Dynamic/Decrypted Code Coverage:90.7%
                                              Signature Coverage:2.1%
                                              Total number of Nodes:483
                                              Total number of Limit Nodes:50
9578f7e 78666->78667 78683 9db5299 78666->78683 78687 9db52a0 78666->78687 78667->78649 78668 9578f79 78668->78649 78672 9578f2f 78671->78672 78673 9578f7e 78672->78673 78675 9db5299 SetWindowTextW 78672->78675 78676 9db52a0 SetWindowTextW 78672->78676 78673->78649 78674 9578f79 78674->78649 78675->78674 78676->78674 78678 9578f4b 78677->78678 78680 9578faf 78678->78680 78681 9db5299 SetWindowTextW 78678->78681 78682 9db52a0 SetWindowTextW 78678->78682 78679 9578f79 78679->78649 78680->78649 78681->78679 78682->78679 78684 9db52a3 SetWindowTextW 78683->78684 78686 9db5319 78684->78686 78686->78668 78688 9db52e8 SetWindowTextW 78687->78688 78689 9db52e2 78687->78689 78690 9db5319 78688->78690 78689->78688 78690->78668 78304 b270738 78308 b270750 78304->78308 78312 b270760 78304->78312 78305 b27074c 78309 b270760 78308->78309 78315 b27083a 78309->78315 78314 b27083a 2 API calls 78312->78314 78313 b27079e 78313->78305 78314->78313 78317 b270864 78315->78317 78316 b27079e 78316->78305 78320 95701f8 78317->78320 78325 95701e7 78317->78325 78322 95701e7 2 API calls 78320->78322 78337 9570218 78320->78337 78344 9570228 78320->78344 78321 957020f 78321->78316 78322->78321 78326 95701f2 78325->78326 78328 9570227 78325->78328 78334 95701e7 2 API calls 78326->78334 78335 9570218 2 API calls 78326->78335 78336 9570228 2 API calls 78326->78336 78327 957020f 78327->78316 78329 9570292 78328->78329 78330 9570c57 KiUserCallbackDispatcher 78328->78330 78331 95774c0 KiUserCallbackDispatcher 78328->78331 78332 95774b0 KiUserCallbackDispatcher 78328->78332 78333 9570c68 KiUserCallbackDispatcher 78328->78333 78329->78316 78330->78329 78331->78329 78332->78329 78333->78329 78334->78327 78335->78327 78336->78327 78338 9570228 78337->78338 78339 9570292 78338->78339 78351 95774c0 78338->78351 78356 95774b0 78338->78356 78361 9570c68 78338->78361 78365 9570c57 78338->78365 78339->78321 78345 9570241 78344->78345 78346 9570292 78345->78346 78347 9570c57 KiUserCallbackDispatcher 
78345->78347 78348 95774c0 KiUserCallbackDispatcher 78345->78348 78349 95774b0 KiUserCallbackDispatcher 78345->78349 78350 9570c68 KiUserCallbackDispatcher 78345->78350 78346->78321 78347->78346 78348->78346 78349->78346 78350->78346 78352 95774d9 78351->78352 78369 95774f8 78352->78369 78373 9577508 78352->78373 78353 95774ef 78353->78339 78357 95774c0 78356->78357 78359 9577508 KiUserCallbackDispatcher 78357->78359 78360 95774f8 KiUserCallbackDispatcher 78357->78360 78358 95774ef 78358->78339 78359->78358 78360->78358 78362 9570c97 78361->78362 78363 9570d1e 78362->78363 78364 9570da9 KiUserCallbackDispatcher 78362->78364 78364->78363 78366 9570c68 78365->78366 78367 9570d1e 78366->78367 78368 9570da9 KiUserCallbackDispatcher 78366->78368 78368->78367 78370 9577508 78369->78370 78371 9570c68 KiUserCallbackDispatcher 78370->78371 78372 9577581 78371->78372 78372->78353 78374 9577528 78373->78374 78375 9570c68 KiUserCallbackDispatcher 78374->78375 78376 9577581 78375->78376 78376->78353

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4659548294.000000000BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BC40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_bc40000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: fff?
                                              • API String ID: 0-4136771917
                                              • Opcode ID: 3537949ed50be93a6945fadb95e3d92d7e23fa5b9f474823fb7202436cece733
                                              • Instruction ID: 931e4f961e792483430b3ab4dcb5897d2144d8b403bf01c2d58fc384467593eb
                                              • Opcode Fuzzy Hash: 3537949ed50be93a6945fadb95e3d92d7e23fa5b9f474823fb7202436cece733
                                              • Instruction Fuzzy Hash: DE62183681061ADFCF15DF50C884BD9B7B2FF99304F158695E9086B221EBB1AAD5CF80

                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4659514512.000000000BC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BC30000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_bc30000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID: DispatchMessage
                                              • String ID:
                                              • API String ID: 2061451462-0
                                              • Opcode ID: ac74a2c935650cb8a23c0f8caff8b94d962e3f513f3e0e0b96024a9b36ad701f
                                              • Instruction ID: fde0505d1be87c48d7f5f83e07a941ed03e114d9890b5e917f90d722d8bb7f9f
                                              • Opcode Fuzzy Hash: ac74a2c935650cb8a23c0f8caff8b94d962e3f513f3e0e0b96024a9b36ad701f
                                              • Instruction Fuzzy Hash: 6CF15D70A10309CFEB14DFA9C889B9DBBF2FF48B14F558168E415AB291DB70A945CF50
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4658285729.0000000009DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09DB0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_9db0000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID:
                                              • API String ID: 2994545307-0
                                              • Opcode ID: 9fac10e31c0a6aaa989734456d2a120643b9145498511364455abd5265c6b692
                                              • Instruction ID: 7e190923ad4128c9fed9fc82e0ebf93cc2adfe132e76dcbe13bb56bcfe987477
                                              • Opcode Fuzzy Hash: 9fac10e31c0a6aaa989734456d2a120643b9145498511364455abd5265c6b692
                                              • Instruction Fuzzy Hash: C3D0A7301062408FC305DF20C4A19853FE49F4720130A40EAC009CF267C721A807CB00
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4659548294.000000000BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BC40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_bc40000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 71afd0c621c6801bd2db0fbf463220535c71def987f7785f776f24b0b04b7e4a
                                              • Instruction ID: d33fd2596fa435557959b08a3c3bd1c0d95519777f9146b879dbd80e12177896
                                              • Opcode Fuzzy Hash: 71afd0c621c6801bd2db0fbf463220535c71def987f7785f776f24b0b04b7e4a
                                              • Instruction Fuzzy Hash: 9F524935921659CFCB21DF65C844AE9B7B1FF89300F1485E9E859AB261EB31EB81CF40
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4659548294.000000000BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BC40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_bc40000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 23360183511cc8548df000fe0a8c534b6fa901dcca5d4310b0c8171f1a3883e7
                                              • Instruction ID: bac3dc48b1475fe7dc523c70dfe18e39ee69e15cc2e773f641fddea222fc5ff3
                                              • Opcode Fuzzy Hash: 23360183511cc8548df000fe0a8c534b6fa901dcca5d4310b0c8171f1a3883e7
                                              • Instruction Fuzzy Hash: 0C321635A10619CFDB21DF65C944BD9B7B2FF89300F1485EAE409AB261EB71AE85CF40

                                              APIs
                                              • SHILCreateFromPath.SHELL32(00000000,?,?), ref: 11FAB82F
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4661771675.0000000011FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 11FA0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_11fa0000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID: CreateFromPath
                                              • String ID: Q-H3
                                              • API String ID: 2014392061-1700438896
                                              • Opcode ID: 9a19e32975ba86248a6e65a8742c520821e08c96943e48a10413c07d05b8c10e
                                              • Instruction ID: 1d71ed6651602695a35f41ef0f32f1fb3263bb63fd6c8aea1f8cde4be6d489d8
                                              • Opcode Fuzzy Hash: 9a19e32975ba86248a6e65a8742c520821e08c96943e48a10413c07d05b8c10e
                                              • Instruction Fuzzy Hash: 5E21E2B5C01209DFDB10CF9AD584A9EFBF4FB48310F20846EE919A7200D3756945CBA5

                                              APIs
                                              • GetActiveWindow.USER32 ref: 11FA9781
                                              • GetProcessWindowStation.USER32 ref: 11FA9ABD
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4661771675.0000000011FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 11FA0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_11fa0000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID: Window$ActiveProcessStation
                                              • String ID:
                                              • API String ID: 2153864693-0
                                              • Opcode ID: e838db16f3b0d865a82b32d06634cc4ff8118b2fe23c7ddf9616495f082a7ea3
                                              • Instruction ID: 30bebc32acf30f3f331eaaf040b92595722a5c0e0ceb84e77cc457f396505bb8
                                              • Opcode Fuzzy Hash: e838db16f3b0d865a82b32d06634cc4ff8118b2fe23c7ddf9616495f082a7ea3
                                              • Instruction Fuzzy Hash: 61A19BB4E00349CFEB04DFA9D45469EBBF5BF88310F14852ED816AB350EB799844CBA1

                                              APIs
                                              • KiUserCallbackDispatcher.NTDLL(00000014,?,?,06818858,0561BDB8,?,00000000), ref: 09570DC6
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4657982477.0000000009570000.00000040.00000800.00020000.00000000.sdmp, Offset: 09570000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_9570000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID: CallbackDispatcherUser
                                              • String ID:
                                              • API String ID: 2492992576-0
                                              • Opcode ID: 49c84416b53681656cf52e1c375a716330f34a38ed28edb08af9925b9452ee66
                                              • Instruction ID: 136dca1d5e99e703b399151b2d937ffbad5c32c7a5ecd9137d728b667fe1caaf
                                              • Opcode Fuzzy Hash: 49c84416b53681656cf52e1c375a716330f34a38ed28edb08af9925b9452ee66
                                              • Instruction Fuzzy Hash: 49718F74A01208EFCB15DF69E884DAEBBB6BF48714F114499F901AB361DB31ED81CB50

                                              APIs
                                              • GetActiveWindow.USER32 ref: 11FA9781
                                              • GetProcessWindowStation.USER32 ref: 11FA9ABD
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4661771675.0000000011FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 11FA0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_11fa0000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID: Window$ActiveProcessStation
                                              • String ID:
                                              • API String ID: 2153864693-0
                                              • Opcode ID: 91494ef8e6c2d06188dd2b5eb74911919a997c21d2a104697ed8660a0bccdb76
                                              • Instruction ID: ab3dc2c2d89b746e385ee403904d6fdece4bc34f43be19ddf142c24b4a2b9c35
                                              • Opcode Fuzzy Hash: 91494ef8e6c2d06188dd2b5eb74911919a997c21d2a104697ed8660a0bccdb76
                                              • Instruction Fuzzy Hash: 085189B8E00348CFDB05DFA9D454A9DBBB6BF88710F108529D806AB354EB399845CFA0

                                              APIs
                                              • CreateActCtxA.KERNEL32(?), ref: 051F8F11
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4651125429.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_51f0000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID: Create
                                              • String ID:
                                              • API String ID: 2289755597-0
                                              • Opcode ID: 7aa4057399c541266b59bad3310f9b7f2c0588fab213c5f8cc5971981aad98af
                                              • Instruction ID: 2e431434fff73776a74755d338f1dcea7402bf43fbd6f154c64b002ff2759906
                                              • Opcode Fuzzy Hash: 7aa4057399c541266b59bad3310f9b7f2c0588fab213c5f8cc5971981aad98af
                                              • Instruction Fuzzy Hash: B8510FB1C00619DFEB24CFA9C8447DEBBF1AF89304F20816AD508AB251D779694ACF91

                                              APIs
                                              • CreateActCtxA.KERNEL32(?), ref: 051F8F11
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4651125429.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_51f0000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID: Create
                                              • String ID:
                                              • API String ID: 2289755597-0
                                              • Opcode ID: 1786751e39eac140fba1318464acb351693d1f5119dfeabcc2b7b4c6d4f8dc6f
                                              • Instruction ID: 757327db60ed1d984c9d5dde8afdd35f42a392e58d3e382b8aa2d162a293ad3b
                                              • Opcode Fuzzy Hash: 1786751e39eac140fba1318464acb351693d1f5119dfeabcc2b7b4c6d4f8dc6f
                                              • Instruction Fuzzy Hash: FA41E0B0C0071DDFEB24CFA9C844B9DBBB6BF89304F20816AD508AB255D7756945CF91
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4651125429.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_51f0000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID: CreateFromIconResource
                                              • String ID:
                                              • API String ID: 3668623891-0
                                              APIs
                                              • DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,0957A64D,?,?), ref: 0957A6FF
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4657982477.0000000009570000.00000040.00000800.00020000.00000000.sdmp, Offset: 09570000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_9570000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID: DrawText
                                              • String ID:
                                              • API String ID: 2175133113-0
                                              APIs
                                              • DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,0957A64D,?,?), ref: 0957A6FF
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4657982477.0000000009570000.00000040.00000800.00020000.00000000.sdmp, Offset: 09570000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_9570000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID: DrawText
                                              • String ID:
                                              • API String ID: 2175133113-0
                                              APIs
                                              • SHCreateShellItem.SHELL32(00000000,00000000,?,11FAB737), ref: 11FAB8E9
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4661771675.0000000011FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 11FA0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_11fa0000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID: CreateItemShell
                                              • String ID:
                                              • API String ID: 2884959600-0
                                              APIs
                                              • SHCreateShellItem.SHELL32(00000000,00000000,?,11FAB737), ref: 11FAB8E9
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4661771675.0000000011FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 11FA0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_11fa0000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID: CreateItemShell
                                              • String ID:
                                              • API String ID: 2884959600-0
                                              APIs
                                              • GetClassInfoW.USER32(?,00000000), ref: 09DB7F94
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4658285729.0000000009DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09DB0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_9db0000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID: ClassInfo
                                              • String ID:
                                              • API String ID: 3534257612-0
                                              APIs
                                              • OleInitialize.OLE32(00000000), ref: 0BC337F5
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4659514512.000000000BC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BC30000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_bc30000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID: Initialize
                                              • String ID:
                                              • API String ID: 2538663250-0
                                              APIs
                                              • KiUserExceptionDispatcher.NTDLL ref: 09DB06EE
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4658285729.0000000009DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09DB0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_9db0000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID: DispatcherExceptionUser
                                              • String ID:
                                              • API String ID: 6842923-0
                                              APIs
                                              • RegisterDragDrop.OLE32(?,?), ref: 0BC33933
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4659514512.000000000BC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BC30000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_bc30000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID: DragDropRegister
                                              • String ID:
                                              • API String ID: 1555377906-0
                                              APIs
                                              • GetClassInfoW.USER32(?,00000000), ref: 09DB7F94
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4658285729.0000000009DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09DB0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_9db0000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID: ClassInfo
                                              • String ID:
                                              • API String ID: 3534257612-0
                                              APIs
                                              • EnumThreadWindows.USER32(?,00000000,?), ref: 11FAA121
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4661771675.0000000011FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 11FA0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_11fa0000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID: EnumThreadWindows
                                              • String ID:
                                              • API String ID: 2941952884-0
                                              APIs
                                              • RegisterDragDrop.OLE32(?,?), ref: 0BC33933
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4659514512.000000000BC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BC30000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_bc30000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID: DragDropRegister
                                              • String ID:
                                              • API String ID: 1555377906-0
                                              APIs
                                              • EnumThreadWindows.USER32(?,00000000,?), ref: 11FAA121
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4661771675.0000000011FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 11FA0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_11fa0000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID: EnumThreadWindows
                                              • String ID:
                                              • API String ID: 2941952884-0
                                              APIs
                                              • SHILCreateFromPath.SHELL32(00000000,?,?), ref: 11FAB82F
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4661771675.0000000011FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 11FA0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_11fa0000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID: CreateFromPath
                                              • String ID:
                                              • API String ID: 2014392061-0
                                              APIs
                                              • CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,051FCD32,?,?,?,?,?), ref: 051FCDD7
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4651125429.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_51f0000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID: CreateFromIconResource
                                              • String ID:
                                              • API String ID: 3668623891-0
                                              APIs
                                              • PeekMessageW.USER32(?,?,00000000,00000000,00000000,?,?,?,?,0BC3E02A,00000000,00000000,06818858,0561BDB8), ref: 0BC3E478
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4659514512.000000000BC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BC30000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_bc30000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID: MessagePeek
                                              • String ID:
                                              • API String ID: 2222842502-0
                                              APIs
                                              • KiUserExceptionDispatcher.NTDLL ref: 09DB06EE
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4658285729.0000000009DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09DB0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_9db0000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID: DispatcherExceptionUser
                                              • String ID:
                                              • API String ID: 6842923-0
                                              APIs
                                              • KiUserCallbackDispatcher.NTDLL(?,?,00000000,00000000,?,?,?,0BC3E0B7,00000000,06818858,0561BDB8,00000000,?), ref: 0BC3E69D
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4659514512.000000000BC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BC30000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_bc30000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID: CallbackDispatcherUser
                                              • String ID:
                                              • API String ID: 2492992576-0
                                              APIs
                                              • PeekMessageW.USER32(?,?,00000000,00000000,00000000,?,?,?,?,0BC3E02A,00000000,00000000,06818858,0561BDB8), ref: 0BC3E478
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4659514512.000000000BC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BC30000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_bc30000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID: MessagePeek
                                              • String ID:
                                              • API String ID: 2222842502-0
                                              APIs
                                              • SetWindowTextW.USER32(?,00000000), ref: 09DB530A
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4658285729.0000000009DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09DB0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_9db0000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID: TextWindow
                                              • String ID:
                                              • API String ID: 530164218-0
                                              APIs
                                              • SetWindowTextW.USER32(?,00000000), ref: 09DB530A
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4658285729.0000000009DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09DB0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_9db0000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID: TextWindow
                                              • String ID:
                                              • API String ID: 530164218-0
                                              APIs
                                              • KiUserCallbackDispatcher.NTDLL(?,?), ref: 0BC317FF
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4659514512.000000000BC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BC30000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_bc30000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID: CallbackDispatcherUser
                                              • String ID:
                                              • API String ID: 2492992576-0
                                              APIs
                                              • KiUserCallbackDispatcher.NTDLL(?,?,00000000,00000000,?,?,?,0BC3E0B7,00000000,06818858,0561BDB8,00000000,?), ref: 0BC3E69D
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4659514512.000000000BC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BC30000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_bc30000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID: CallbackDispatcherUser
                                              • String ID:
                                              • API String ID: 2492992576-0
                                              APIs
                                              • KiUserCallbackDispatcher.NTDLL(?,?), ref: 0BC317FF
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4659514512.000000000BC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BC30000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_bc30000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID: CallbackDispatcherUser
                                              • String ID:
                                              • API String ID: 2492992576-0
                                              APIs
                                              • PostMessageW.USER32(?,?,?,?), ref: 0BC34F65
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4659514512.000000000BC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BC30000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_bc30000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID: MessagePost
                                              • String ID:
                                              • API String ID: 410705778-0
                                              APIs
                                              • PostMessageW.USER32(?,?,?,?), ref: 0BC34F65
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4659514512.000000000BC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BC30000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_bc30000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID: MessagePost
                                              • String ID:
                                              • API String ID: 410705778-0
                                              APIs
                                              • SendMessageW.USER32(?,?,?,?), ref: 09DB5B45
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4658285729.0000000009DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09DB0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_9db0000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID: MessageSend
                                              • String ID:
                                              • API String ID: 3850602802-0
                                              APIs
                                              • SetTimer.USER32(?,076EF598,?,?,?,?,?,?,0BC342A8,00000000,00000000,?), ref: 0BC3484D
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4659514512.000000000BC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BC30000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_bc30000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID: Timer
                                              • String ID:
                                              • API String ID: 2870079774-0
                                              APIs
                                              • DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,0BC3E16F), ref: 0BC3EB65
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4659514512.000000000BC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BC30000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_bc30000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID: DispatchMessage
                                              • String ID:
                                              • API String ID: 2061451462-0
                                              APIs
                                              • DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,0BC3E16F), ref: 0BC3EB65
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4659514512.000000000BC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BC30000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_bc30000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID: DispatchMessage
                                              • String ID:
                                              • API String ID: 2061451462-0
                                              APIs
                                              • OleInitialize.OLE32(00000000), ref: 0BC337F5
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4659514512.000000000BC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BC30000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_bc30000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID: Initialize
                                              • String ID:
                                              • API String ID: 2538663250-0
                                              APIs
                                              • SetTimer.USER32(?,076EF598,?,?,?,?,?,?,0BC342A8,00000000,00000000,?), ref: 0BC3484D
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4659514512.000000000BC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BC30000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_bc30000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID: Timer
                                              • String ID:
                                              • API String ID: 2870079774-0
                                              APIs
                                              • SendMessageW.USER32(?,?,?,?), ref: 09DB5B45
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4658285729.0000000009DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09DB0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_9db0000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID: MessageSend
                                              • String ID:
                                              • API String ID: 3850602802-0
                                              APIs
                                              • SetTimer.USER32(?,076EF598,?,?,?,?,?,?,0BC342A8,00000000,00000000,?), ref: 0BC3484D
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4659514512.000000000BC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BC30000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_bc30000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID: Timer
                                              • String ID:
                                              • API String ID: 2870079774-0
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4658285729.0000000009DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09DB0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_9db0000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID:
                                              • API String ID: 2994545307-0
                                              APIs
                                              • KiUserExceptionDispatcher.NTDLL ref: 09DB06EE
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4658285729.0000000009DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09DB0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_9db0000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID: DispatcherExceptionUser
                                              • String ID:
                                              • API String ID: 6842923-0
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4659548294.000000000BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BC40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_bc40000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: @
                                              • API String ID: 0-2766056989
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4659548294.000000000BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BC40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_bc40000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID: 0-3916222277
                                              • Opcode ID: 6fd988826c290129c94efa5750a7d03c721af45567ff2ed2819bec5336845dfd
                                              • Instruction ID: 2d11f87d1033201bca010ddc06ee1310a7c07fa57a9fcaf94ed9add12ea7fac4
                                              • Opcode Fuzzy Hash: 6fd988826c290129c94efa5750a7d03c721af45567ff2ed2819bec5336845dfd
                                              • Instruction Fuzzy Hash: 11A13875E11218DFDF04DFA9D884AEEBBB1FF88310F148429E816A7350DB70AA55CB91
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4659548294.000000000BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BC40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_bc40000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID: 0-3916222277
                                              • Opcode ID: a75674791b122437bffd605997fadab61a459ea987021e6927418f78d7698461
                                              • Instruction ID: f6920b801d91b696d8139484e0041ada0ec55455ac3a86aa4f744b2b580afb89
                                              • Opcode Fuzzy Hash: a75674791b122437bffd605997fadab61a459ea987021e6927418f78d7698461
                                              • Instruction Fuzzy Hash: AA81B071F112089FDB18DFA9C854AAFBBF6EF88310F10852DE515EB250DB349A05CBA1
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4659548294.000000000BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BC40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_bc40000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID: 0-3916222277
                                              • Opcode ID: 89e6741ef0c9236cf9e4d1058cdcd5e33a122fc60313d243e394031e4d843d3f
                                              • Instruction ID: aed85b14fe6860953166fffb2ae68a9eabb3f032bf3073c6ed96978cb5847f8e
                                              • Opcode Fuzzy Hash: 89e6741ef0c9236cf9e4d1058cdcd5e33a122fc60313d243e394031e4d843d3f
                                              • Instruction Fuzzy Hash: 5AA1FA3591020ACFCF05DFA8C5948DDB7B1FF98314B208755E816AB259DB74AA96CFC0
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4659548294.000000000BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BC40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_bc40000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID: 0-3916222277
                                              • Opcode ID: d56bf624b02ae3ab78f01ede21c8ce6425c08466148066ea4af8125e51550d2c
                                              • Instruction ID: 69cb4b9083680968cbcb9b7e752148241e27b845b90e99f26e4d3d7eb04a81a9
                                              • Opcode Fuzzy Hash: d56bf624b02ae3ab78f01ede21c8ce6425c08466148066ea4af8125e51550d2c
                                              • Instruction Fuzzy Hash: 5391F83591060ACFCF05CFA8C5948DDB7B1FF98314B208655E816AB219DB74AA9ACFC0
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4659548294.000000000BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BC40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_bc40000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID: 0-3916222277
                                              • Opcode ID: b92073b3e8586c31ccf1c5d1ea96a40ec7506b0b1cbd2a2ee40c30c9821ada08
                                              • Instruction ID: febc4b522ed15b1011ec2ccbb7f7d480c365aa7a8a241ec820fb0d8da365c636
                                              • Opcode Fuzzy Hash: b92073b3e8586c31ccf1c5d1ea96a40ec7506b0b1cbd2a2ee40c30c9821ada08
                                              • Instruction Fuzzy Hash: 6431CEB5D10209DFCB14CF9AD884ADEBBF5FB48320F14802AE919A7310D375AA01CFA0
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4659548294.000000000BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BC40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_bc40000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 1a0fb6d6971bbed75b3611d8898875cde1b942d12f4bc2f3c7bb5a61ac372a2b
                                              • Instruction ID: cebf3b55f9d1333028afd3641d15e402b2f2c1cb66b84974815cf60d680e83c6
                                              • Opcode Fuzzy Hash: 1a0fb6d6971bbed75b3611d8898875cde1b942d12f4bc2f3c7bb5a61ac372a2b
                                              • Instruction Fuzzy Hash: B662DA30A24619CFDB15EF64C855AEDB7B1FF49300F5085E9E549AB260EB709E85CF40
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4659548294.000000000BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BC40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_bc40000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d2221194bdbfa77cb1ee6816bd6c3e6651a64d263fdcb0ae394bb743a1493b50
                                              • Instruction ID: 69101f66ac85b8779fca523246f3e55e24281666e386b51f03688f891fc2b9ee
                                              • Opcode Fuzzy Hash: d2221194bdbfa77cb1ee6816bd6c3e6651a64d263fdcb0ae394bb743a1493b50
                                              • Instruction Fuzzy Hash: A5620931910609CFCF14EF68C8956ADB7B1FF95301F0182A9D54AAB265EF70AAC5CF81
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4659548294.000000000BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BC40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_bc40000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9af69e6cfcc31350be4b21e6898f1654a9d2b5753f458335f0c7a3057e77e6e5
                                              • Instruction ID: ecd5388ff1570ce15333298d4fa31192b217af745cf753996dd656625e5fe777
                                              • Opcode Fuzzy Hash: 9af69e6cfcc31350be4b21e6898f1654a9d2b5753f458335f0c7a3057e77e6e5
                                              • Instruction Fuzzy Hash: B0324D31A102198FCF18DF28C89969DB7B1FF85305F0582A9D54AAB265EF709EC5CF81
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4659548294.000000000BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BC40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_bc40000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 927c3db6beceb498277b9b32e9f085be2ea872536345b365a92efaf8436252d2
                                              • Instruction ID: 24778eaf664eb9d5e31827de34d629db0e5309c6fe804d7884e925607343de55
                                              • Opcode Fuzzy Hash: 927c3db6beceb498277b9b32e9f085be2ea872536345b365a92efaf8436252d2
                                              • Instruction Fuzzy Hash: FB221635A11619DFDB11EF64C894ADAB7B2FF49304F0581E9E609AB231DB31AE85CF40
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4659548294.000000000BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BC40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_bc40000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 8d128ca400ff9a1e599d40d57e14ba395312160df2594675ead5c15a2ba612cc
                                              • Instruction ID: 80ab701e7264c6274a61c7d72d899ad661790f807fda87adbe302d7d9f5519b4
                                              • Opcode Fuzzy Hash: 8d128ca400ff9a1e599d40d57e14ba395312160df2594675ead5c15a2ba612cc
                                              • Instruction Fuzzy Hash: 16124935910218DFDB50DFA8C884AAABBF2FF49310F1485A9E51ADB261DB71DE81CF50
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4659548294.000000000BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BC40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_bc40000_BlackBerryBackupExtractor.jbxd
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4651562757.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_5540000_BlackBerryBackupExtractor.jbxd
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4650471438.000000000515D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0515D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_515d000_BlackBerryBackupExtractor.jbxd
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4650535294.000000000516D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0516D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_516d000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b32b27e0e50401d962676135d508084dd2964afd70977c430ba4813fe2b69fea
                                              • Instruction ID: 7fabd5462f71e76cd7840759eaaa80ca8473d7951eeda4b752f374cd79116b7c
                                              • Opcode Fuzzy Hash: b32b27e0e50401d962676135d508084dd2964afd70977c430ba4813fe2b69fea
                                              • Instruction Fuzzy Hash: E321D471604244EFDB15DF24E9C0F26BBA6FB88314F24C56DE9094B252C376D86ACA62
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4650535294.000000000516D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0516D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_516d000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 4ac40de4929355865176bee4542c6ca8b59afaea7d1d40195c4774d09f720807
                                              • Instruction ID: 34bcd2ac2a4722a5a43ed83ec8ac74f805a4fab5f9a317f6c27d49e57418234f
                                              • Opcode Fuzzy Hash: 4ac40de4929355865176bee4542c6ca8b59afaea7d1d40195c4774d09f720807
                                              • Instruction Fuzzy Hash: 3B21F575604344EFDB14DF24E5C0F26BB66FB84314F64C56DD9094B246C336D457CA61
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4651562757.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_5540000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b35c23673d1376ee738f502ea987de0e92b7c4c3ae9018d2e0ab2fc8705cf17e
                                              • Instruction ID: 3eaf72ee75dcb00f42cae52fd5ba551361d504cc4819a07d1a50087c8e9beaa6
                                              • Opcode Fuzzy Hash: b35c23673d1376ee738f502ea987de0e92b7c4c3ae9018d2e0ab2fc8705cf17e
                                              • Instruction Fuzzy Hash: 85214C6250E3C04FD7179F29C8A1A927FB1AF97204B1A45EBD4C4CB1A7C5288C1DCBA6
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4659548294.000000000BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BC40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_bc40000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b528ee426dc9b3d049860266025a4c718c72ee8762c413e49536c43ecb4c921c
                                              • Instruction ID: 0d3b57d81f6ac9b28970b3fde00bbb3d73ac9a1de548d3f205d44945c941b4dc
                                              • Opcode Fuzzy Hash: b528ee426dc9b3d049860266025a4c718c72ee8762c413e49536c43ecb4c921c
                                              • Instruction Fuzzy Hash: C731C0B5D01249DFDB14CFA9D880ADEBBF4FB48314F14846AE918A7210D335AA14CFA5
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4659548294.000000000BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BC40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_bc40000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c42ec9adf8288e51617ce0936f089815999523c2fad64a366b1382eece9b2460
                                              • Instruction ID: 212b14ef49be5c95a9cd4babe51c8e937238df1d11c7e56410922fdd6282215f
                                              • Opcode Fuzzy Hash: c42ec9adf8288e51617ce0936f089815999523c2fad64a366b1382eece9b2460
                                              • Instruction Fuzzy Hash: D531CEB5D01209DFDB14CFAAD884ADEBBF4FB48310F14842AE918A3210D374AA04CFA4
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4659548294.000000000BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BC40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_bc40000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9729249384b22aa2f5943fba2100e2d440bb1c26280d3f7e83807582082dfcec
                                              • Instruction ID: d2554c4115aea3326d975dc78e6df7ae8b8bc91fc8cfa2ca7bd90148f7066c1b
                                              • Opcode Fuzzy Hash: 9729249384b22aa2f5943fba2100e2d440bb1c26280d3f7e83807582082dfcec
                                              • Instruction Fuzzy Hash: 2E21A1319102089FCF14AFB9C4549EEBBB6EF8C320F04C65AE925A72A0DF719D41CB90
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4659548294.000000000BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BC40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_bc40000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: db32771b6c2d8a4f7cf8ffc86cd3c91c727678303890ce90ee00242fbf7172d5
                                              • Instruction ID: 512ba66b55567182e41e39d7e4069f89df6ad507b5a72ff8e910191a931ec825
                                              • Opcode Fuzzy Hash: db32771b6c2d8a4f7cf8ffc86cd3c91c727678303890ce90ee00242fbf7172d5
                                              • Instruction Fuzzy Hash: F1216A75900348DFDB10DFAAD845ADEBFF4AF88320F14885AD954A7250C375A544CFA1
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4659548294.000000000BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BC40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_bc40000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 687c2b8af53042d2de0c352305a3407cccbe6f7b8e00c28ebb2686bfbac9e88a
                                              • Instruction ID: 62eaa1c3987b2872bc65831b26499839bb25782e6be2a6d036c304650de77e6c
                                              • Opcode Fuzzy Hash: 687c2b8af53042d2de0c352305a3407cccbe6f7b8e00c28ebb2686bfbac9e88a
                                              • Instruction Fuzzy Hash: E1112671B142586FDB069B688C209AF7BB6EFC6200B14456AD414D7391DA309C05C7E2
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4659548294.000000000BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BC40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_bc40000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a429f653b79124a5d2a8f94b80850da98a7c740038dc8ed22154b86d541a6c72
                                              • Instruction ID: 38f2dcfcabcb7167547eb80fac6825ed9cc9b240e4ab1fe700f1d0496ae6817b
                                              • Opcode Fuzzy Hash: a429f653b79124a5d2a8f94b80850da98a7c740038dc8ed22154b86d541a6c72
                                              • Instruction Fuzzy Hash: D2212F31A24228CFCB25EB34D8556DDB772BF88320F4046EAD55D67290DF71AE81CB80
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4650535294.000000000516D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0516D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_516d000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 881632fe5cbd34c0d058aa4364d4148d78ad10ff7eda87fad44bb88efb9f3c28
                                              • Instruction ID: 2e7e240da2f77feae5d93c6b37179a5610bdc1af201cb86b6076037e8f0315a6
                                              • Opcode Fuzzy Hash: 881632fe5cbd34c0d058aa4364d4148d78ad10ff7eda87fad44bb88efb9f3c28
                                              • Instruction Fuzzy Hash: C4215E755083849FCB06CF14E994B15BF71FB46314F28C5AAD8498B266C33AD85ACB62
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4659548294.000000000BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BC40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_bc40000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 054d16912de80f1d33114d75d2e3a7eca82b9081a2be5e2e2872fff9211af361
                                              • Instruction ID: f0f63701000648d1b55c23b2f1c29e6edc60cef253ae5e17dd6ca99cd5fb7a9a
                                              • Opcode Fuzzy Hash: 054d16912de80f1d33114d75d2e3a7eca82b9081a2be5e2e2872fff9211af361
                                              • Instruction Fuzzy Hash: 0911023A7142509FC7116B68D85842E3BB6EFC6264B15406BE54ACB3B2DF218C06C7A5
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4651562757.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_5540000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 997f0caea1ec176a84ea6385fb84771e546d2d7bde588e467130561f1d04c718
                                              • Instruction ID: 241f7e7971d8399d45894aa17bc6cc21d7f4a4c53d58c49c6b53ec9a49ee6331
                                              • Opcode Fuzzy Hash: 997f0caea1ec176a84ea6385fb84771e546d2d7bde588e467130561f1d04c718
                                              • Instruction Fuzzy Hash: 3B1193B2C093959FC702DFB898015EEBFB0AF96301F1942A7D144EB242D6744985CBA1
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4650471438.000000000515D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0515D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_515d000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 88006435cbfec6173a139847be1f79da02b565ee6a2dfb1325d91d168b1309d1
                                              • Instruction ID: b7a4af5f5e6f11b3330869a5bf9ff9c1052c32aaed4bdd84271a83802028e2d6
                                              • Opcode Fuzzy Hash: 88006435cbfec6173a139847be1f79da02b565ee6a2dfb1325d91d168b1309d1
                                              • Instruction Fuzzy Hash: CE21A276504240DFCB06CF10D9C4B26BF62FB84324F24C1A9DD090F656C33AE95ACB92
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4659548294.000000000BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BC40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_bc40000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 078b3a659343c971698afe07c7b05d63f87075a0d1274262ead32f1083aa143e
                                              • Instruction ID: f62620297c7236025343a78c8f8facc0304ffa47faecfc3605704d6436cd6d1b
                                              • Opcode Fuzzy Hash: 078b3a659343c971698afe07c7b05d63f87075a0d1274262ead32f1083aa143e
                                              • Instruction Fuzzy Hash: 34211935A11209EFCB04EFA4E494D9DBBB2FF85314F548568E5056B321DB30AD85CF80
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4659548294.000000000BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BC40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_bc40000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: de3379dc1ea3f531f480c9b530aa3e6d68d590b9534dcc8a0ddbb4fccb789b42
                                              • Instruction ID: ee149015f19fe1ae13178b085154493e7b8ba6926b6c442a7febc33b4abf9b83
                                              • Opcode Fuzzy Hash: de3379dc1ea3f531f480c9b530aa3e6d68d590b9534dcc8a0ddbb4fccb789b42
                                              • Instruction Fuzzy Hash: 7211FCB5C10249DFDB10CFAAD885ADEBBF4EB48320F10851AE925A7350D378A945CFA1
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4650535294.000000000516D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0516D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_516d000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: eca907121eadd3cdc79724c298a1e441e783e3722d5b4ef56e8cf61f00b8ed16
                                              • Instruction ID: e3fd81167ca8ddf12ff073be4912860ebd78f1f7f7165db0bd113c36baa9d04a
                                              • Opcode Fuzzy Hash: eca907121eadd3cdc79724c298a1e441e783e3722d5b4ef56e8cf61f00b8ed16
                                              • Instruction Fuzzy Hash: AD118B75A04284DFCB15CF10D5C4B25FBA2FB84314F28C6AEDC494B656C33AD45ACB62
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4659548294.000000000BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BC40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_bc40000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5a23ed027e29f8b3f1d35e1874d60e10441580bfefac405ee0b81d0618a9a615
                                              • Instruction ID: 2ed367d951ca5a98b154538893f968f87a0a9f9385231d8624e95a5a5b918d0c
                                              • Opcode Fuzzy Hash: 5a23ed027e29f8b3f1d35e1874d60e10441580bfefac405ee0b81d0618a9a615
                                              • Instruction Fuzzy Hash: 3F015631B305248FCF35EBA9D05267D73E2ABC8601F544419D056DB340DB75DB429B55
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4651562757.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_5540000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b5ca97aaa5c4a4fcf6356bc8d95095c22f2ea502fbf42f1f48daeaf635ecabaf
                                              • Instruction ID: a00fd172e37a7f3ffbca2d974376c845e901a764eb22f5343256e70241a2ac6e
                                              • Opcode Fuzzy Hash: b5ca97aaa5c4a4fcf6356bc8d95095c22f2ea502fbf42f1f48daeaf635ecabaf
                                              • Instruction Fuzzy Hash: 5311E135609380AFC3128B64C800A9DBFB1EF42210F1A81E7E488CB292D670A841CBA5
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4659548294.000000000BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BC40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_bc40000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ba36abc6597530e29f5ed77cda490de86a6cec20d4d448be30bb31d425ee1460
                                              • Instruction ID: 02e29c66164257c32ee2cdb3a69c3404798bf37b0cff1b8c7b41ed8ec6f71ab0
                                              • Opcode Fuzzy Hash: ba36abc6597530e29f5ed77cda490de86a6cec20d4d448be30bb31d425ee1460
                                              • Instruction Fuzzy Hash: F411D7B5C10249DFDB10CF9AD845ADEFBF8EB48310F10841AE915A7310D378AA44CFA1
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4651562757.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_5540000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: be05308c3668d87173d33ecc56141e85d55258ccb9de002f953f5d34ead6f069
                                              • Instruction ID: f0488ee489375c113894af75d11128e7bcc6e87965345ca3f23cee65069355d4
                                              • Opcode Fuzzy Hash: be05308c3668d87173d33ecc56141e85d55258ccb9de002f953f5d34ead6f069
                                              • Instruction Fuzzy Hash: CB018B2260E3E04FD7139B78A8552857FB1AF43219B0E05EBC1C0CF1A3D255588AD7A2
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4651562757.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_5540000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9cb9a0e09b3f76b1a20f2382446e5b851cff2221fc264c654cc52125c016475a
                                              • Instruction ID: 3b7aa751c8d90607bc59e9577360348a9fb7cfd2ef109fb6e0cdb7c627eb669f
                                              • Opcode Fuzzy Hash: 9cb9a0e09b3f76b1a20f2382446e5b851cff2221fc264c654cc52125c016475a
                                              • Instruction Fuzzy Hash: AC01AA7614E7C09FC3438B34D966A503FB0AE53225B1E00D7E484CF2B3D2299918CB22
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4659548294.000000000BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BC40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_bc40000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 7b4d15be49cf2ac8028bc987aef89523a7231e0267ea502bb26d1f4a9726d7c1
                                              • Instruction ID: 84358ebb57bbcdb8f4fa9bee691ea41ec97ae49636fc506c28b92bb7afb0e4c3
                                              • Opcode Fuzzy Hash: 7b4d15be49cf2ac8028bc987aef89523a7231e0267ea502bb26d1f4a9726d7c1
                                              • Instruction Fuzzy Hash: 7A01D4B1B20119AF8F00DF58DC449BFBBFAEFC8600B10452EE81497261DB719D1197A1
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4659548294.000000000BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BC40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_bc40000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a09845e34dc222c5b63ea292f720d4aee3fda2eece567a53145d03175a6e6fd0
                                              • Instruction ID: 64243ac66b851984bd42435e62903af5ea09936412d32dda8a23e2d9a8d277f6
                                              • Opcode Fuzzy Hash: a09845e34dc222c5b63ea292f720d4aee3fda2eece567a53145d03175a6e6fd0
                                              • Instruction Fuzzy Hash: 35017135B01205DFCF10DBA9E8408AEB7BAEB8A320B10456DE66997750D771AD118BA1
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4659548294.000000000BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BC40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_bc40000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d9f2cd4fcd30d02f7a92e8f0975bb4aa8da057234e31702daa32b3a8fb25c8d5
                                              • Instruction ID: 9f6faa43a8d6098693fbe69f70ee772c079a0110fe331cd01643284fa4f6ef4f
                                              • Opcode Fuzzy Hash: d9f2cd4fcd30d02f7a92e8f0975bb4aa8da057234e31702daa32b3a8fb25c8d5
                                              • Instruction Fuzzy Hash: C401D671E101185BDB24DB69D841AEEBBB5EFC8730F048169EC15B7380CB719E95CBA1
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4651562757.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_5540000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 3919fca6b80d5571c50438659649612e17e7915edac232a9154c36fc9a172e05
                                              • Instruction ID: 112a50f96943055c9c260288ce6c442bdf35fb410ff1a7275dceb5f74a4ebed2
                                              • Opcode Fuzzy Hash: 3919fca6b80d5571c50438659649612e17e7915edac232a9154c36fc9a172e05
                                              • Instruction Fuzzy Hash: 10018F7210E7C44FC3038B74D854A443F749F57624B0A01DBD089CF2B3D2299C4ACB12
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4659548294.000000000BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BC40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_bc40000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 6e92282dad08332f1e0e99441e833058789ff8ade55917fef7b248b9b4859508
                                              • Instruction ID: 700e7254edf80f13cc675e069019567cca20e7fe67e838bcbb7122f18ec6b6de
                                              • Opcode Fuzzy Hash: 6e92282dad08332f1e0e99441e833058789ff8ade55917fef7b248b9b4859508
                                              • Instruction Fuzzy Hash: C4012132A14B099AC700BF7CD4549AAB7B5EEC5350B04C76FE54AA7121EF70D6C0D791
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4651562757.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_5540000_BlackBerryBackupExtractor.jbxd
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4659548294.000000000BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BC40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_bc40000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 523f20daac6bf580574978ed80d08135dbe04df7019209b913ac41612609f30f
                                              • Instruction ID: 5503fcf386c9bf7aae7920a01f9caa637c490edaf8d2b3e2a69164bf144747f6
                                              • Opcode Fuzzy Hash: 523f20daac6bf580574978ed80d08135dbe04df7019209b913ac41612609f30f
                                              • Instruction Fuzzy Hash: 40E02635301211CFD7182FB0E0185D93B69DF8220134000AED0028F640DFB0CE41C7E1
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4659548294.000000000BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BC40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_bc40000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0a1557233c6e56fbed8f35dad0eb29493019780236de00abf08cf4420c080ea0
                                              • Instruction ID: ed49cc4a9756cd6622adb8aecd619e81b95d7b2c1c0b221a7b9d6477445b67f5
                                              • Opcode Fuzzy Hash: 0a1557233c6e56fbed8f35dad0eb29493019780236de00abf08cf4420c080ea0
                                              • Instruction Fuzzy Hash: 95E0C2313012118BCB182EB4B4041D93B9DDF8166270000AAD50AC6A40DFB5DE40C7D0
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4651562757.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_5540000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 1dcde6e8dd1efaffafc4e262b7a8850348aa580562f15dcd7122d0c390f880d5
                                              • Instruction ID: 56a5e48158093ff45b13f10b89e4a0aa9bb08059718b963b57d1dd31384c3c60
                                              • Opcode Fuzzy Hash: 1dcde6e8dd1efaffafc4e262b7a8850348aa580562f15dcd7122d0c390f880d5
                                              • Instruction Fuzzy Hash: C5E0E29A20E7D11ECB5766B8AC212963F754F83114B0F00E3D480CE293D9088D89C3A7
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4651562757.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_5540000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 265522f9d21cce1a884663c58d77dbe29055fe307ad6724e6680eb16b6bca266
                                              • Instruction ID: e3094d53d149ead070e7b44eb98d96f95956ca1db8c24e52b736c618a86a6874
                                              • Opcode Fuzzy Hash: 265522f9d21cce1a884663c58d77dbe29055fe307ad6724e6680eb16b6bca266
                                              • Instruction Fuzzy Hash: FAE0927655E7C44FD3134B34E869A923F699F13619B0A00E3D580CFAA3E124A808CB67
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4651562757.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_5540000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 2dba5eeed20461af6a2c6f2b18f00dcffeaa6907e4fedf5940a182d4d5b8f267
                                              • Instruction ID: 60702c7ce0799c0a7308f57dfef19588b67b59069d36ab5be51ff3e9cdedff0e
                                              • Opcode Fuzzy Hash: 2dba5eeed20461af6a2c6f2b18f00dcffeaa6907e4fedf5940a182d4d5b8f267
                                              • Instruction Fuzzy Hash: F9E0B62550E3E54FC7436BB858B11853F709E5356435E04E7C4D5CF2A7D51C9C0E87A6
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4651562757.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_5540000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 1ab089681ae39ad00d6548a7ded55513ad694b8c7977b730fd35f56e22218516
                                              • Instruction ID: 7947dbf28ea58855d2b7394c211e87d657d3c4397404283e3f2b76e68858b4a8
                                              • Opcode Fuzzy Hash: 1ab089681ae39ad00d6548a7ded55513ad694b8c7977b730fd35f56e22218516
                                              • Instruction Fuzzy Hash: 5AD0926545F3D44FC70B5B7048755603F315D1320479E44E7C480CE1A3C66D8C19C367
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4651562757.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_5540000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 464447dd142eb14268f6af31a68ef574bd21c1d1ab97afc558e12dbaf9f533f9
                                              • Instruction ID: 28078e7be3eab077a5833e78f1631653279c1eff921befd89ee2cff1adae7f87
                                              • Opcode Fuzzy Hash: 464447dd142eb14268f6af31a68ef574bd21c1d1ab97afc558e12dbaf9f533f9
                                              • Instruction Fuzzy Hash: BFD0C9AA11E3C41FE3075E34AD167823F60AB53A08F0A00DAD0D0CB2A3E5946509CBA5
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4651562757.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_5540000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 6a15e8d6bebe12cf40167d5edce322b9ec28b68a14bcc7f9c6925dadd668e112
                                              • Instruction ID: 4bf426d2aba8f76771730077268eef07a38b3613dbc80db8b656de9ac59efc70
                                              • Opcode Fuzzy Hash: 6a15e8d6bebe12cf40167d5edce322b9ec28b68a14bcc7f9c6925dadd668e112
                                              • Instruction Fuzzy Hash: C0E09A7681EBC08EC3136B78D8116457F746F53215B0A45EFC0D4CE1A3E6259899C763
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4651562757.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_5540000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: fabfebea06fe111ebd635200829ceb644f0b510fe4387f16f496e7cc28d9612e
                                              • Instruction ID: 53bb8a917af30f0e9c5d4c6424e4afd4f1083afa1a71b2324b55056c6b1761f5
                                              • Opcode Fuzzy Hash: fabfebea06fe111ebd635200829ceb644f0b510fe4387f16f496e7cc28d9612e
                                              • Instruction Fuzzy Hash: F4E0E28A60E7E11FCB075278AC213957F758F43215F0B00D7C580CE293DA088C4983B3
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4651562757.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_5540000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ccc24baea9be40bba27aacbb93550fc1ce4f7ac5522fcd1aa856ba5228a03363
                                              • Instruction ID: e37bba42ecfb728aabdbf6abac3cf26179f2255201d01098dcbb8d74e5f88312
                                              • Opcode Fuzzy Hash: ccc24baea9be40bba27aacbb93550fc1ce4f7ac5522fcd1aa856ba5228a03363
                                              • Instruction Fuzzy Hash: BDE0C23A904215BEDB228AA19C00BAC7B31EB08234F208796FD31D91E0D6710A519A50
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4651562757.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_5540000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 14b61395aedd4be1ac0ca876b33312c614f6c074726eacc1be323360d8d83abc
                                              • Instruction ID: b81c8189d7010129c82cde933d745da8959ad2c097052acc49dd16c9d14bfa5c
                                              • Opcode Fuzzy Hash: 14b61395aedd4be1ac0ca876b33312c614f6c074726eacc1be323360d8d83abc
                                              • Instruction Fuzzy Hash: D1E0173904E3C04FC3075B34AC709903F749E0320930A00D3E1A0CF2B3E2499C09CB22
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4651562757.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_5540000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d87015dcf9b3c024b70d00ee7df71b091d6954b96bc037fbc0d4bee4cbee032d
                                              • Instruction ID: 53dc3160d82953ef5358a143f5a8bbc748fa1d9ef84f309ed4efc940de427165
                                              • Opcode Fuzzy Hash: d87015dcf9b3c024b70d00ee7df71b091d6954b96bc037fbc0d4bee4cbee032d
                                              • Instruction Fuzzy Hash: 71E0463A20D280AFC7038B60C825A803FB0AF16310B1A80E7E084CF2B3C23A8855CF12
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4651562757.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_5540000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 2737ce281e126e4345f21352a6126d30d89a7044099f744eeb709f8e61b20e80
                                              • Instruction ID: 4b09f984d42f976bd103fa7f19733cc99dd6617cf0043cdeb1d7f89f04233ce8
                                              • Opcode Fuzzy Hash: 2737ce281e126e4345f21352a6126d30d89a7044099f744eeb709f8e61b20e80
                                              • Instruction Fuzzy Hash: B1E0B66500E7C04FC3138734D869A423F749F47608B0A00DBE085CF2B3D2949C08C726
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4651562757.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_5540000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b770c73279e545ff77e2493340918fba837d8d40429206f9b2f52580c7f4c4cb
                                              • Instruction ID: a39a726a9a570ac9d17e624bb9b2e2614c6dbfceb8f6606f37114f793613e1d1
                                              • Opcode Fuzzy Hash: b770c73279e545ff77e2493340918fba837d8d40429206f9b2f52580c7f4c4cb
                                              • Instruction Fuzzy Hash: CDE0BDA651E7C05EE30353208C21A692F308B23202B0E00E3A180CF1E3D5588989C722
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4651562757.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_5540000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e9a5277769113abf1d79442c6adabb67ba541f952fc91d27e2e870e6b3136894
                                              • Instruction ID: 9b43bb4ce429e23d2812ce92bcae9933d06cf868ef6de36c6f209447bad361f0
                                              • Opcode Fuzzy Hash: e9a5277769113abf1d79442c6adabb67ba541f952fc91d27e2e870e6b3136894
                                              • Instruction Fuzzy Hash: A5D02B74D45309BED711DAA14800B29BBB6FB44204F1080D5FC04CB101E571CE004784
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4659548294.000000000BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BC40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_bc40000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 20f066f29b776ef201d7e15c03381722e5da1c85283a19ce18d9cd5ab48cf14a
                                              • Instruction ID: 5488711d8fe8df6c01e308d7e11deffd7743258540df33628929fa3339238af1
                                              • Opcode Fuzzy Hash: 20f066f29b776ef201d7e15c03381722e5da1c85283a19ce18d9cd5ab48cf14a
                                              • Instruction Fuzzy Hash: 5EE04F31A151ABCADF14CFD1D6147BDBEB07B04600F154419C451F6581CB348B00CB61
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4651562757.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_5540000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 4d9b9c1899488661fbc82f612ebc8ba59ba43539b577ec4fa8b95c931e023744
                                              • Instruction ID: d7a2288764ea3a27ed70ffac301fc54352c8a0a389fce675ed5cbcd3d87855c3
                                              • Opcode Fuzzy Hash: 4d9b9c1899488661fbc82f612ebc8ba59ba43539b577ec4fa8b95c931e023744
                                              • Instruction Fuzzy Hash: 83D0922840F7C05FDB4B5B609D255543F70AD8720478E45D7C894CB1E3D24C484CCB27
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4651562757.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_5540000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b35f326fc09a81392da6afd66575dac33359993780a1478824d0fae1ca1f7cfa
                                              • Instruction ID: c5b5510603eaa6e558053c03e5a92dc35c31b6a8afb5c721b2f0ddb15d88aa73
                                              • Opcode Fuzzy Hash: b35f326fc09a81392da6afd66575dac33359993780a1478824d0fae1ca1f7cfa
                                              • Instruction Fuzzy Hash: 94E0E82210EBD86FC7030B78AD399403F34AA13201B0A01E7E081CA0E3C6A84928DB22
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4651562757.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_5540000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 6aa2f89d39e56936a3f59c5d815e748ecd4e76e87131993dd83bfb26a40282f2
                                              • Instruction ID: a3e23a2516066f0babb1728c047e49248ee6176a4f9d45cf116899dcb6fb5a33
                                              • Opcode Fuzzy Hash: 6aa2f89d39e56936a3f59c5d815e748ecd4e76e87131993dd83bfb26a40282f2
                                              • Instruction Fuzzy Hash: 2AD017724197958FCB028A68D861B417FB49F06704B0B00E2E049EB273D660EC05C612
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4651562757.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_5540000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 036e9ecbc14b6c5bd5b4d745e05716713b01a4c68d7301f5a7d8cbb5210dfd8d
                                              • Instruction ID: 4e990e4738ce39a68b8fe5215070c62615959069b67dae2479f42064b7f1906f
                                              • Opcode Fuzzy Hash: 036e9ecbc14b6c5bd5b4d745e05716713b01a4c68d7301f5a7d8cbb5210dfd8d
                                              • Instruction Fuzzy Hash: EDE048A212F3C49FD7078B209C255943FB16E53618B0E42DBD085CB5B3C618A91ACB62
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4659548294.000000000BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BC40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_bc40000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 82d6cb3332cb154d98cc745d7bc761cc56ed0f5678c348c6a0150f665d3cf2a9
                                              • Instruction ID: c115c3dfce3c688bfb309ff86d1ebaa19ea455fccf6a78cbecbc2846fb9b8a59
                                              • Opcode Fuzzy Hash: 82d6cb3332cb154d98cc745d7bc761cc56ed0f5678c348c6a0150f665d3cf2a9
                                              • Instruction Fuzzy Hash: FED05E3600838CBFCF035FA5EC418D93F65AF46270B444952F9608A4F2C6B689A0EB65
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4651562757.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_5540000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e3f244ed879263e62f346a68d7b532679ebebd28de8eaf85390532cf2fcbd9cd
                                              • Instruction ID: 2ece1c576244343f6494ce8a4d711d784a075cc9388cf8f59cfc43a641f2a7d1
                                              • Opcode Fuzzy Hash: e3f244ed879263e62f346a68d7b532679ebebd28de8eaf85390532cf2fcbd9cd
                                              • Instruction Fuzzy Hash: DBD0926A11A6C08FC3028B20DA99B813F65DB56209B0E04DBE188CB673E265D828CB21
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4651562757.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_5540000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: aed082f20824bd7801ad084e1097c03051acd1b9531c1226d7f097e7c2f88248
                                              • Instruction ID: 0eb4b0f9d653acb1a33f9b5fb2d54499ee1aa39b3cd5ff4ecc39bfb16b61c255
                                              • Opcode Fuzzy Hash: aed082f20824bd7801ad084e1097c03051acd1b9531c1226d7f097e7c2f88248
                                              • Instruction Fuzzy Hash: 45D0C54945F3C40ECB0757784C696546FB55D5315878F81D380C8CB1B7C64C885EC7A7
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4659548294.000000000BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BC40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_bc40000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              APIs
                                              • GetKeyState.USER32(00000001), ref: 11FA64FD
                                              • GetKeyState.USER32(00000002), ref: 11FA6542
                                              • GetKeyState.USER32(00000004), ref: 11FA6587
                                              • GetKeyState.USER32(00000005), ref: 11FA65CC
                                              • GetKeyState.USER32(00000006), ref: 11FA6611
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.4661771675.0000000011FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 11FA0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_11fa0000_BlackBerryBackupExtractor.jbxd
                                              Similarity
                                              • API ID: State
                                              • String ID:
                                              • API String ID: 1649606143-0
                                              • Opcode ID: e85506ce236fc69b2b6c81b9da02d64a717b890b400324891534655640f9370b
                                              • Instruction ID: 58f204eccfda3b277c560b70c33046ce0d19dd657c66a80feb81b541f20a4223
                                              • Opcode Fuzzy Hash: e85506ce236fc69b2b6c81b9da02d64a717b890b400324891534655640f9370b
                                              • Instruction Fuzzy Hash: 54417FB0C0174ACEEB12CF69D5093AFBFF4AB84314F20841DD189A7240C7BE9545CBA2