Windows Analysis Report
SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe

Overview

General Information

Sample name: SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe
Analysis ID: 1510318
MD5: 7268329d169f985be48d34007c4fd957
SHA1: c44b9bbb1a384b146e758316532164df963bdb50
SHA256: f1ce6d3956c9ec05c7fdc5cc58828b62e698d9a9b27733b2df03166f9242f2a3
Tags: exe
Infos:

Detection

Score: 42
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Compliance

Score: 36
Range: 0 - 100

Signatures

Detected unpacking (changes PE section rights)
AI detected suspicious sample
Hides threads from debuggers
PE file contains section with special chars
Performs DNS TXT record lookups
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for read data from the clipboard
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
EXE planting / hijacking vulnerabilities found
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Searches for user specific document files
Sigma detected: Explorer Process Tree Break
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes

Classification

  • System is w10x64
  • SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe (PID: 6568 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe" MD5: 7268329D169F985BE48D34007C4FD957)
    • cmd.exe (PID: 6836 cmdline: "cmd.exe" /c taskkill /f /im "BlackBerryBackupExtractor.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • taskkill.exe (PID: 7000 cmdline: taskkill /f /im "BlackBerryBackupExtractor.exe" MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
    • explorer.exe (PID: 3848 cmdline: "C:\Windows\explorer.exe" C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe MD5: 662F4F92FDE3557E86D110526BB578D5)
  • explorer.exe (PID: 6988 cmdline: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding MD5: 662F4F92FDE3557E86D110526BB578D5)
    • BlackBerryBackupExtractor.exe (PID: 4124 cmdline: "C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe" MD5: 8CD8B27DAB255BA25B5283FB4496709D)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started, Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), @gott_cyber: Data: Command: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding, CommandLine: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding, CommandLine|base64offset|contains: Iyb, Image: C:\Windows\explorer.exe, NewProcessName: C:\Windows\explorer.exe, OriginalFileName: C:\Windows\explorer.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 752, ProcessCommandLine: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding, ProcessId: 6988, ProcessName: explorer.exe
No Suricata rule has matched

AV Detection

Source: Submitted Sample, Integrated Neural Analysis Model: Matched 97.5% probability
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe, EXE: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe, EXE: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor-uninstaller.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe, EXE: cmd.exe

Compliance

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe, EXE: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe, EXE: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor-uninstaller.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe, EXE: cmd.exe
Source: SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe, Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exeWindow detected: I &AgreeCancelNullsoft Install System v3.08 Nullsoft Install System v3.08License AgreementPlease review the license terms before installing BlackBerry Backup Extractor.Press Page Down to see the rest of the agreement.License Contents A. Reincubate Software Ltd Terms & Conditions B. Droid Font Family Copyright Notice C. LED Icon Set Copyright NoticeA. Reincubate Software Ltd Terms & ConditionsThank you for choosing a Reincubate product or service. Please read the following terms & conditions carefully as they govern your use of our products services and our websites. Occasionally a particular product or service will require its own specific terms & conditions. If this is the case please read those in addition to these terms.TermsIn these terms & conditions the following definitions apply:"We" "us" "our" and "Reincubate" refer to Reincubate Software Ltd a company registered in England number 5189175."You" refers to the person or company currently reading these terms & conditions."Product" or "application" refers to any product developed and sold by Reincubate."service" refers to any online service provided by Reincubate whether free or subscription."website" refers to any Reincubate website including (but not limited to) www.reincubate.com www.iphonebackupextractor.com www.blackberryconverter.com www.awdit.com and www.keepcalm-o-matic.co.uk.1. Copyright and trademarkAll Reincubate products and services are copyright (c) 2023 Reincubate Software Ltd. You may not copy disassemble decompile modify or in any other way alter or duplicate any of our products or services without our explicit permission. 
There are two exceptions to this:- Where we make available a demonstration version of a product or service you may distribute this freely provided you acknowledge us as the copyright holder and link back to our website.- Where you have purchased a Reincubate product or service you may make one copy for backup or archival purposes provided the backup copy is not used at the same time as the original.Reincubate is a registered trademark of Reincubate Software Ltd. Other trademarks used in Reincubate products and services are held by their respective owners.2. Use of Reincubate products services and websitesWhen you purchase a Reincubate product you are permitted a single non-exclusive worldwide perpetual license to use the product. By using the product you agree to be bound by these terms. Services may be purchased on a time-limited basis in which case any such license expires at the end of the term set out when the service was originally purchased. You may not reverse engineer or decompile our products or services or take any action that may assist others to do so. You may not incorporate any part of our products or services into any third party website application or service without our express written permission. You may not copy sell lend give away or otherwise distribute the registered version of any of our products without express written perm
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe, Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BlackBerry Backup Extractor
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe, File created: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\License.txt
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe, File created: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\README.txt
Source: SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe, Static PE information: certificate valid
Source: unknown, HTTPS traffic detected: 172.67.75.19:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: c:\Users\dbdkm\work\bbbe-app\tmp\BlackBerryBackupExtractor-merged.pdbBSJB source: BlackBerryBackupExtractor.exe, 00000008.00000003.1756404577.00000000051B0000.00000004.00001000.00020000.00000000.sdmp, BlackBerryBackupExtractor.exe, 00000008.00000002.3545315465.0000000000852000.00000040.00000001.01000000.0000000C.sdmp
Source: Binary string: c:\Users\dbdkm\work\bbbe-app\tmp\BlackBerryBackupExtractor-merged.pdb source: BlackBerryBackupExtractor.exe, 00000008.00000003.1756404577.00000000051B0000.00000004.00001000.00020000.00000000.sdmp, BlackBerryBackupExtractor.exe, 00000008.00000002.3545315465.0000000000852000.00000040.00000001.01000000.0000000C.sdmp
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe, Code function: 0_2_0040290B FindFirstFileW, 0_2_0040290B
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe, Code function: 0_2_004069C3 FindFirstFileW, FindClose, 0_2_004069C3
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe, Code function: 0_2_00405D99 CloseHandle, GetTempPathW, DeleteFileW, lstrcatW, lstrcatW, lstrlenW, FindFirstFileW, FindNextFileW, FindClose, 0_2_00405D99
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe, File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe, File opened: C:\Users\user
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe, File opened: C:\Users\user\AppData\Roaming\Reincubate
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe, File opened: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe, File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe, File opened: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor
Source: Joe Sandbox View, ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View, JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic, HTTP traffic detected: GET /latest-version/F6E219C772F2D0D47416/ HTTP/1.1 User-Agent: bbbe-2.0.8.5-1-1 Host: uds.reincubate.com Connection: Close
Source: global traffic, DNS traffic detected: DNS query: uds.reincubate.com
Source: BlackBerryBackupExtractor.exe, 00000008.00000003.1798843509.00000000084BE000.00000004.00000020.00020000.00000000.sdmp, BlackBerryBackupExtractor.exe, 00000008.00000003.1799175652.00000000084BD000.00000004.00000020.00020000.00000000.sdmp, BlackBerryBackupExtractor.exe, 00000008.00000003.1799033759.00000000084BD000.00000004.00000020.00020000.00000000.sdmp, BlackBerryBackupExtractor.exe, 00000008.00000003.1798526235.00000000084BD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
Source: BlackBerryBackupExtractor.exe, 00000008.00000003.1798843509.00000000084BE000.00000004.00000020.00020000.00000000.sdmp, BlackBerryBackupExtractor.exe, 00000008.00000003.1798526235.00000000084BD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/bt
Source: BlackBerryBackupExtractor.exe, 00000008.00000003.1797516155.00000000084BB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: BlackBerryBackupExtractor.exe, 00000008.00000003.1798526235.00000000084BD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/sN
Source: BlackBerryBackupExtractor.exe, 00000008.00000003.1804015499.00000000084C1000.00000004.00000020.00020000.00000000.sdmp, BlackBerryBackupExtractor.exe, 00000008.00000003.1809135905.00000000084BB000.00000004.00000020.00020000.00000000.sdmp, BlackBerryBackupExtractor.exe, 00000008.00000002.3551601220.00000000084B0000.00000004.00000020.00020000.00000000.sdmp, BlackBerryBackupExtractor.exe, 00000008.00000003.1806178860.00000000084BD000.00000004.00000020.00020000.00000000.sdmp, BlackBerryBackupExtractor.exe, 00000008.00000003.1806438396.00000000084BD000.00000004.00000020.00020000.00000000.sdmp, BlackBerryBackupExtractor.exe, 00000008.00000003.1803606889.00000000084C0000.00000004.00000020.00020000.00000000.sdmp, BlackBerryBackupExtractor.exe, 00000008.00000003.1809184367.00000000084C0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.monotype.sadem
Source: BlackBerryBackupExtractor.exe, BlackBerryBackupExtractor.exe, 00000008.00000002.3545579079.0000000000A5E000.00000040.00000001.01000000.0000000C.sdmpString found in binary or memory: http://www.oreans.com
Source: BlackBerryBackupExtractor.exe, 00000008.00000002.3545579079.0000000000A5E000.00000040.00000001.01000000.0000000C.sdmpString found in binary or memory: http://www.oreans.comP
Source: BlackBerryBackupExtractor.exe, 00000008.00000002.3551811836.00000000095C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
Source: BlackBerryBackupExtractor.exe, 00000008.00000002.3551811836.00000000095C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
Source: BlackBerryBackupExtractor.exe, 00000008.00000002.3551811836.00000000095C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
Source: BlackBerryBackupExtractor.exe, 00000008.00000002.3551811836.00000000095C2000.00000004.00000800.00020000.00000000.sdmp, BlackBerryBackupExtractor.exe, 00000008.00000003.1781544340.00000000084CC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
Source: BlackBerryBackupExtractor.exe, 00000008.00000002.3551811836.00000000095C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
Source: BlackBerryBackupExtractor.exe, 00000008.00000002.3551811836.00000000095C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
Source: BlackBerryBackupExtractor.exe, 00000008.00000003.1790285833.00000000084BF000.00000004.00000020.00020000.00000000.sdmp, BlackBerryBackupExtractor.exe, 00000008.00000002.3551811836.00000000095C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
Source: BlackBerryBackupExtractor.exe, 00000008.00000003.1790285833.00000000084BF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cnto
Source: BlackBerryBackupExtractor.exe, 00000008.00000002.3549020703.000000000565A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://appexceptions.reincubate.com/error-report/F6E219C772F2D0D47416/
Source: BlackBerryBackupExtractor.exe, 00000008.00000002.3549020703.0000000005762000.00000004.00000800.00020000.00000000.sdmp, BlackBerryBackupExtractor.exe, 00000008.00000002.3549020703.000000000576B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reincubate.com/res/labs/bbbe/bbbe-latest.exe
Source: SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe, BlackBerryBackupExtractor.exe.0.dr, nse5967.tmp.0.drString found in binary or memory: https://sectigo.com/CPS0
Source: BlackBerryBackupExtractor.exe, 00000008.00000002.3549020703.00000000056EF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://uds.reincubate.com
Source: BlackBerryBackupExtractor.exe, 00000008.00000002.3549020703.0000000005527000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://uds.reincubate.com/client-auth-reset/
Source: BlackBerryBackupExtractor.exe, 00000008.00000002.3549020703.0000000005527000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://uds.reincubate.com/client-auth/
Source: BlackBerryBackupExtractor.exe, 00000008.00000002.3549020703.0000000005527000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://uds.reincubate.com/client-status/
Source: BlackBerryBackupExtractor.exe, 00000008.00000002.3549020703.000000000565A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://uds.reincubate.com/latest-version/F6E219C772F2D0D47416/
Source: BlackBerryBackupExtractor.exe, 00000008.00000002.3549020703.000000000576B000.00000004.00000800.00020000.00000000.sdmp, BlackBerryBackupExtractor.exe, 00000008.00000002.3549020703.000000000575E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.reincubate.com/support/ipbe/what-iphone-backup-extractor-does/#compatibility
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49740
Source: unknownNetwork traffic detected: HTTP traffic on port 49740 -> 443
Source: unknownHTTPS traffic detected: 172.67.75.19:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exeCode function: 0_2_0040582E GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_0040582E
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeCode function: 8_2_12095DC8 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,8_2_12095DC8

System Summary

Source: BlackBerryBackupExtractor.exe.0.drStatic PE information: section name:
Source: BlackBerryBackupExtractor.exe.0.drStatic PE information: section name: .idata
Source: BlackBerryBackupExtractor.exe.0.drStatic PE information: section name:
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeProcess Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exeCode function: 0_2_00403665 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,CoUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_00403665
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exeFile created: C:\Windows\Fonts\DroidSans.ttfJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exeFile created: C:\Windows\Fonts\DroidSans-Bold.ttfJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exeCode function: 0_2_00406ED50_2_00406ED5
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exeCode function: 0_2_004076AC0_2_004076AC
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeCode function: 8_2_052EB2448_2_052EB244
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeCode function: 8_2_052EB23C8_2_052EB23C
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeCode function: 8_2_052EBA3F8_2_052EBA3F
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeCode function: 8_2_07EEABB88_2_07EEABB8
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeCode function: 8_2_07EEABA88_2_07EEABA8
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeCode function: 8_2_0B85DDA18_2_0B85DDA1
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeCode function: 8_2_0B8C3AE88_2_0B8C3AE8
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeCode function: 8_2_0B8C2A788_2_0B8C2A78
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeCode function: 8_2_0B8C6C808_2_0B8C6C80
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeCode function: 8_2_0B8C04288_2_0B8C0428
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeCode function: 8_2_0B8C47A88_2_0B8C47A8
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeCode function: 8_2_0B8C4D008_2_0B8C4D00
Source: SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe, 00000000.00000003.1736323482.000000000055C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameEXPLORER.EXE.MUIj% vs SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe
Source: SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe, 00000000.00000003.1733596221.000000000055C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameEXPLORER.EXE.MUIj% vs SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe
Source: SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe, 00000000.00000002.1738078217.000000000055C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameEXPLORER.EXE.MUIj% vs SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe
Source: SecuriteInfo.com.W32.PossibleThreat.20282.14864.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: BlackBerryBackupExtractor.exe.0.drStatic PE information: Section: ZLIB complexity 0.9924017252753556
Source: BlackBerryBackupExtractor.exe.0.drStatic PE information: Section: .rsrc ZLIB complexity 0.994140625
Source: BlackBerryBackupExtractor.exe.0.drStatic PE information: Section: ebblbqjy ZLIB complexity 0.9896841476212687
Source: BlackBerryBackupExtractor.exe.0.drStatic PE information: Section: jwuvegyw ZLIB complexity 1.021484375
Source: BlackBerryBackupExtractor.exe, 00000008.00000003.1807786595.00000000084D1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: DITC Blackadder is a Trademark of International Typeface Corporation.slntAA
Source: classification engineClassification label: mal42.evad.winEXE@11/15@2/1
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exeCode function: 0_2_00404ADA GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,0_2_00404ADA
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exeCode function: 0_2_004021AA CoCreateInstance,0_2_004021AA
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exeFile created: C:\Users\user\AppData\Roaming\ReincubateJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeMutant created: NULL
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6860:120:WilError_03
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exeFile created: C:\Users\user\AppData\Local\Temp\nsz5947.tmpJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exeProcess created: C:\Windows\explorer.exe
Source: unknownProcess created: C:\Windows\explorer.exe
Source: SecuriteInfo.com.W32.PossibleThreat.20282.14864.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\taskkill.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "BlackBerryBackupExtractor.exe")
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exeFile read: C:\Users\desktop.iniJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: BlackBerryBackupExtractor.exeString found in binary or memory: 3The file %s is missing. Please, re-install this application
Source: BlackBerryBackupExtractor.exeString found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exeFile read: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exeJump to behavior
Source: unknownProcess created: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c taskkill /f /im "BlackBerryBackupExtractor.exe"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im "BlackBerryBackupExtractor.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exeProcess created: C:\Windows\explorer.exe "C:\Windows\explorer.exe" C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe
Source: unknownProcess created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe "C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exeSection loaded: userenv.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exeSection loaded: propsys.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exeSection loaded: dwmapi.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exeSection loaded: oleacc.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exeSection loaded: version.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exeSection loaded: shfolder.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exeSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exeSection loaded: riched20.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exeSection loaded: usp10.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exeSection loaded: msls31.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exeSection loaded: textinputframework.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exeSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exeSection loaded: textshaping.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exeSection loaded: profapi.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exeSection loaded: linkinfo.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exeSection loaded: ntshrui.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exeSection loaded: cscapi.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exeSection loaded: dwrite.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exeSection loaded: edputil.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exeSection loaded: netutils.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exeSection loaded: windows.staterepositoryps.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exeSection loaded: appresolver.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exeSection loaded: bcp47langs.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exeSection loaded: slc.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exeSection loaded: sppc.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: framedynos.dllJump to behavior
Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: dbghelp.dllJump to behavior
Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: winsta.dllJump to behavior
Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: aepic.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: twinapi.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: dxgi.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: wtsapi32.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: wininet.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: dwmapi.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: twinapi.appcore.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: ninput.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: explorerframe.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: actxprxy.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: windows.staterepositoryps.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: edputil.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: smartscreenps.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: policymanager.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: msvcp110_win.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: appresolver.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: bcp47langs.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: slc.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: sppc.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: pcacli.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: sfc_os.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe | Section loaded: apphelp.dll, winmm.dll, windows.storage.dll, wldp.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, amsi.dll, userenv.dll, profapi.dll, msasn1.dll, gpapi.dll, dwrite.dll, textshaping.dll, windowscodecs.dll, wbemcomn.dll, mswsock.dll, dnsapi.dll, iphlpapi.dll, rasadhlp.dll, fwpuclnt.dll, dhcpcsvc6.dll, dhcpcsvc.dll, winnsi.dll, dataexchange.dll, d3d11.dll, dcomp.dll, dxgi.dll, twinapi.appcore.dll, rasapi32.dll, rasman.dll, rtutils.dll, winhttp.dll, ondemandconnroutehelper.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, ntmarta.dll, wintypes.dll, secur32.dll, sspicli.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, ncrypt.dll, ncryptsslp.dll, propsys.dll, xmllite.dll, windows.fileexplorer.common.dll, linkinfo.dll, dui70.dll, duser.dll, dwmapi.dll, edputil.dll, explorerframe.dll, thumbcache.dll, policymanager.dll, msvcp110_win.dll, windows.ui.fileexplorer.dll, oleacc.dll, structuredquery.dll, atlthunk.dll, iertutil.dll, windows.storage.search.dll, iconcodecservice.dll, twinapi.dll, ntshrui.dll, srvcli.dll, cscapi.dll, windows.staterepositoryps.dll, actxprxy.dll, networkexplorer.dll, mrmcorer.dll, windows.staterepositorycore.dll, appxdeploymentclient.dll, bcp47mrm.dll, windows.ui.dll, windowmanagementapi.dll, inputhost.dll, wkscli.dll, netutils.dll, provsvc.dll, onecoreuapcommonproxystub.dll, mfsrcsnk.dll, mfplat.dll, rtworkq.dll, vcruntime140.dll, msvcp140.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: Uninstall.lnk.0.dr | LNK file: ..\..\..\..\..\..\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor-uninstaller.exe
Source: BlackBerry Backup Extractor.lnk.0.dr | LNK file: ..\..\..\..\..\..\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe
Source: BlackBerry Backup Extractor.lnk0.0.dr | LNK file: ..\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe | Window detected:
I &Agree
Cancel
Nullsoft Install System v3.08
Nullsoft Install System v3.08
License Agreement
Please review the license terms before installing BlackBerry Backup Extractor.
Press Page Down to see the rest of the agreement.
License Contents A. Reincubate Software Ltd Terms & Conditions B. Droid Font Family Copyright Notice C. LED Icon Set Copyright Notice
A. Reincubate Software Ltd Terms & Conditions
Thank you for choosing a Reincubate product or service. Please read the following terms & conditions carefully as they govern your use of our products services and our websites. Occasionally a particular product or service will require its own specific terms & conditions. If this is the case please read those in addition to these terms.
Terms
In these terms & conditions the following definitions apply:
"We" "us" "our" and "Reincubate" refer to Reincubate Software Ltd a company registered in England number 5189175.
"You" refers to the person or company currently reading these terms & conditions.
"Product" or "application" refers to any product developed and sold by Reincubate.
"service" refers to any online service provided by Reincubate whether free or subscription.
"website" refers to any Reincubate website including (but not limited to) www.reincubate.com www.iphonebackupextractor.com www.blackberryconverter.com www.awdit.com and www.keepcalm-o-matic.co.uk.
1. Copyright and trademark
All Reincubate products and services are copyright (c) 2023 Reincubate Software Ltd. You may not copy disassemble decompile modify or in any other way alter or duplicate any of our products or services without our explicit permission. There are two exceptions to this:
- Where we make available a demonstration version of a product or service you may distribute this freely provided you acknowledge us as the copyright holder and link back to our website.
- Where you have purchased a Reincubate product or service you may make one copy for backup or archival purposes provided the backup copy is not used at the same time as the original.
Reincubate is a registered trademark of Reincubate Software Ltd. Other trademarks used in Reincubate products and services are held by their respective owners.
2. Use of Reincubate products services and websites
When you purchase a Reincubate product you are permitted a single non-exclusive worldwide perpetual license to use the product. By using the product you agree to be bound by these terms. Services may be purchased on a time-limited basis in which case any such license expires at the end of the term set out when the service was originally purchased. You may not reverse engineer or decompile our products or services or take any action that may assist others to do so. You may not incorporate any part of our products or services into any third party website application or service without our express written permission. You may not copy sell lend give away or otherwise distribute the registered version of any of our products without express written perm
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe | Window detected: Number of UI elements: 13
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe | Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BlackBerry Backup Extractor
Source: SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe | Static PE information: certificate valid
Source: SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe | Static file information: File size 3046224 > 1048576
Source: SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: c:\Users\dbdkm\work\bbbe-app\tmp\BlackBerryBackupExtractor-merged.pdbBSJB source: BlackBerryBackupExtractor.exe, 00000008.00000003.1756404577.00000000051B0000.00000004.00001000.00020000.00000000.sdmp, BlackBerryBackupExtractor.exe, 00000008.00000002.3545315465.0000000000852000.00000040.00000001.01000000.0000000C.sdmp
Source: Binary string: c:\Users\dbdkm\work\bbbe-app\tmp\BlackBerryBackupExtractor-merged.pdb source: BlackBerryBackupExtractor.exe, 00000008.00000003.1756404577.00000000051B0000.00000004.00001000.00020000.00000000.sdmp, BlackBerryBackupExtractor.exe, 00000008.00000002.3545315465.0000000000852000.00000040.00000001.01000000.0000000C.sdmp

Data Obfuscation

Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe | Unpacked PE file: 8.2.BlackBerryBackupExtractor.exe.850000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ebblbqjy:EW;jwuvegyw:EW; vs :ER;.rsrc:W;
Source: initial sample | Static PE information: section where entry point is pointing to: jwuvegyw
Source: nsExec.dll.0.dr | Static PE information: real checksum: 0x0 should be: 0xde0c
Source: LangDLL.dll.0.dr | Static PE information: real checksum: 0x0 should be: 0x91a8
Source: System.dll.0.dr | Static PE information: real checksum: 0x0 should be: 0x3d68
Source: BlackBerryBackupExtractor-uninstaller.exe.0.dr | Static PE information: real checksum: 0x2ea28f should be: 0x36d63
Source: BlackBerryBackupExtractor.exe.0.dr | Static PE information: section name:
Source: BlackBerryBackupExtractor.exe.0.dr | Static PE information: section name: .idata
Source: BlackBerryBackupExtractor.exe.0.dr | Static PE information: section name:
Source: BlackBerryBackupExtractor.exe.0.dr | Static PE information: section name: ebblbqjy
Source: BlackBerryBackupExtractor.exe.0.dr | Static PE information: section name: jwuvegyw
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe | Code function: 8_2_052E2468 pushad ; iretd 8_2_052E2469
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe | Code function: 8_2_07672590 push FFFFFFC3h; ret 8_2_07672647
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe | Code function: 8_2_07EEB7EB push ecx; ret 8_2_07EEB7F6
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe | Code function: 8_2_07EEB7DF push ecx; ret 8_2_07EEB7EA
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe | Code function: 8_2_07EEB7D5 push ecx; ret 8_2_07EEB7DE
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe | Code function: 8_2_07EEB56F push esp; ret 8_2_07EEB57A
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe | Code function: 8_2_07EEB563 push esp; ret 8_2_07EEB56E
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe | Code function: 8_2_07EEB57B push esp; ret 8_2_07EEB586
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe | Code function: 8_2_07EEB54B push esp; ret 8_2_07EEB556
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe | Code function: 8_2_07EEB557 push esp; ret 8_2_07EEB562
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe | Code function: 8_2_07EEB527 push esp; ret 8_2_07EEB53E
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe | Code function: 8_2_07EEB53F push esp; ret 8_2_07EEB54A
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe | Code function: 8_2_07EE9BC8 push FFFFFF8Bh; iretd 8_2_07EE9BCA
Source: BlackBerryBackupExtractor.exe.0.dr | Static PE information: section name: entropy: 7.963639992526216
Source: BlackBerryBackupExtractor.exe.0.dr | Static PE information: section name: ebblbqjy entropy: 7.947437869566587
Source: BlackBerryBackupExtractor.exe.0.dr | Static PE information: section name: jwuvegyw entropy: 7.334086978180639
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe | File created: C:\Users\user\AppData\Local\Temp\nsu5978.tmp\nsExec.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe | File created: C:\Users\user\AppData\Local\Temp\nsu5978.tmp\System.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe | File created: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe | File created: C:\Users\user\AppData\Local\Temp\nsu5978.tmp\LangDLL.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe | File created: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor-uninstaller.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe | File created: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\License.txt
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe | File created: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\README.txt

Boot Survival

Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe | Window searched: window name: Filemonclass
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Reincubate
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Reincubate\BlackBerry Backup Extractor
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Reincubate\BlackBerry Backup Extractor\Uninstall.lnk
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Reincubate\BlackBerry Backup Extractor\BlackBerry Backup Extractor.lnk
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\taskkill.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: B463E8 second address: B463EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: B46561 second address: B46579 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD828C22D81h 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: B46579 second address: B46598 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FD82896C4DAh 0x0000000e je 00007FD82896C4DCh 0x00000014 jng 00007FD82896C4D6h 0x0000001a rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: B46598 second address: B465A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD828C22D7Ch 0x00000009 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: B46835 second address: B46851 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jng 00007FD82896C4D6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 jmp 00007FD82896C4DCh 0x00000015 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: B46851 second address: B46857 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: B46857 second address: B4685D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: B46E42 second address: B46E4C instructions: 0x00000000 rdtsc 0x00000002 jno 00007FD828C22D93h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: B46FDC second address: B46FE8 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FD82896C4D6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: B3F20E second address: B3F245 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD828C22D7Fh 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c jmp 00007FD828C22D85h 0x00000011 jnc 00007FD828C22D78h 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: B3F245 second address: B3F24F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FD82896C4D6h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: B3F24F second address: B3F280 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD828C22D86h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a jo 00007FD828C22D96h 0x00000010 jne 00007FD828C22D7Ch 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: B3F280 second address: B3F284 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: B3F284 second address: B3F28A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: B1F486 second address: B1F4A3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD82896C4E7h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: B47162 second address: B4717E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FD828C22D84h 0x0000000d rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: B4717E second address: B47183 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: B4772E second address: B47732 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: B47732 second address: B47774 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 pushad 0x0000000a popad 0x0000000b jnc 00007FD82896C4D6h 0x00000011 pop edi 0x00000012 jmp 00007FD82896C4E6h 0x00000017 popad 0x00000018 push edi 0x00000019 pushad 0x0000001a jmp 00007FD82896C4E5h 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: B47774 second address: B47790 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD828C22D81h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e push edi 0x0000000f pop edi 0x00000010 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: B47790 second address: B47796 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: B47BF3 second address: B47C03 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push esi 0x00000004 pop esi 0x00000005 jp 00007FD828C22D76h 0x0000000b pop edi 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: B47C03 second address: B47C0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FD82896C4D6h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: B3F278 second address: B3F280 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: B4A497 second address: B4A49B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: B4A7B6 second address: B4A7BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: B1C98D second address: B1C9ED instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007FD82896C4E4h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop ecx 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e jg 00007FD82896C4EFh 0x00000014 pushad 0x00000015 jne 00007FD82896C4D6h 0x0000001b jmp 00007FD82896C4E7h 0x00000020 push ebx 0x00000021 pop ebx 0x00000022 popad 0x00000023 pushad 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: B51DAA second address: B51DAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: B51DAE second address: B51DB2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: B51DB2 second address: B51DCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FD828C22D76h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007FD828C22D7Dh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: B5242D second address: B52450 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD82896C4E9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: B52450 second address: B52456 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: B52456 second address: B5245A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: B5245A second address: B52460 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: B525CE second address: B525D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: B525D4 second address: B525EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FD828C22D80h 0x0000000c rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: B525EB second address: B5262C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD82896C4E8h 0x00000007 jmp 00007FD82896C4E0h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FD82896C4E3h 0x00000015 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: B55340 second address: B55348 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: B553C3 second address: B553DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 jc 00007FD82896C4D6h 0x0000000c pop edi 0x0000000d popad 0x0000000e push eax 0x0000000f jl 00007FD82896C4DEh 0x00000015 push ecx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: B553DB second address: B553EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 mov eax, dword ptr [esp+04h] 0x00000009 push eax 0x0000000a push edx 0x0000000b je 00007FD828C22D78h 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: B553EE second address: B553F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: B553F4 second address: B55413 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FD828C22D76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [eax] 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FD828C22D7Fh 0x00000015 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: B55413 second address: B5543C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD82896C4E0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d pushad 0x0000000e jmp 00007FD82896C4DDh 0x00000013 push esi 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: B5543C second address: B55453 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 pop eax 0x00000007 mov edi, dword ptr [ebp+12642BADh] 0x0000000d push 141A5ED8h 0x00000012 push eax 0x00000013 push edx 0x00000014 push edi 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: B55453 second address: B55458 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: B558E6 second address: B558EC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: B558EC second address: B558F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: B558F2 second address: B55909 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FD828C22D76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jnp 00007FD828C22D84h 0x00000013 push eax 0x00000014 push edx 0x00000015 push edi 0x00000016 pop edi 0x00000017 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: B56441 second address: B56449 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: B56449 second address: B56473 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD828C22D86h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FD828C22D7Ch 0x00000012 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: B568C5 second address: B568F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jng 00007FD82896C4DCh 0x0000000b jng 00007FD82896C4D6h 0x00000011 popad 0x00000012 push eax 0x00000013 pushad 0x00000014 jmp 00007FD82896C4E6h 0x00000019 push eax 0x0000001a push edx 0x0000001b push esi 0x0000001c pop esi 0x0000001d rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: B578F5 second address: B578F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: B578F9 second address: B57977 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 mov esi, dword ptr [ebp+12642DDDh] 0x0000000f push 00000000h 0x00000011 mov si, 0CE7h 0x00000015 push 00000000h 0x00000017 push 00000000h 0x00000019 push edi 0x0000001a call 00007FD82896C4D8h 0x0000001f pop edi 0x00000020 mov dword ptr [esp+04h], edi 0x00000024 add dword ptr [esp+04h], 00000016h 0x0000002c inc edi 0x0000002d push edi 0x0000002e ret 0x0000002f pop edi 0x00000030 ret 0x00000031 xchg eax, ebx 0x00000032 push ecx 0x00000033 pushad 0x00000034 jmp 00007FD82896C4E6h 0x00000039 jmp 00007FD82896C4E4h 0x0000003e popad 0x0000003f pop ecx 0x00000040 push eax 0x00000041 push eax 0x00000042 push edx 0x00000043 push edi 0x00000044 jmp 00007FD82896C4E5h 0x00000049 pop edi 0x0000004a rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: B57747 second address: B57765 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD828C22D89h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: B57977 second address: B5797C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: B57765 second address: B57790 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FD828C22D78h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d jmp 00007FD828C22D7Fh 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FD828C22D7Ah 0x0000001a rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: B581F0 second address: B58202 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jnc 00007FD82896C4D6h 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: B58202 second address: B58207 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: B5944B second address: B5945B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jo 00007FD82896C4D8h 0x0000000e push edx 0x0000000f pop edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: B5945B second address: B59461 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: B5A8A6 second address: B5A8AB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: B5A8AB second address: B5A901 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push eax 0x0000000f call 00007FD828C22D78h 0x00000014 pop eax 0x00000015 mov dword ptr [esp+04h], eax 0x00000019 add dword ptr [esp+04h], 00000015h 0x00000021 inc eax 0x00000022 push eax 0x00000023 ret 0x00000024 pop eax 0x00000025 ret 0x00000026 push 00000000h 0x00000028 adc si, 9991h 0x0000002d push 00000000h 0x0000002f sub dword ptr [ebp+12641BDAh], edi 0x00000035 xchg eax, ebx 0x00000036 pushad 0x00000037 push edx 0x00000038 push esi 0x00000039 pop esi 0x0000003a pop edx 0x0000003b jne 00007FD828C22D7Ch 0x00000041 popad 0x00000042 push eax 0x00000043 jl 00007FD828C22D84h 0x00000049 push eax 0x0000004a push edx 0x0000004b pushad 0x0000004c popad 0x0000004d rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: B5A901 second address: B5A905 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: B5B37F second address: B5B384 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: B5A655 second address: B5A659 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: B5BE32 second address: B5BE36 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: B5BE36 second address: B5BE3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: B5BE3C second address: B5BE42 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: B5BE42 second address: B5BE46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: B5BE46 second address: B5BE4A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: B5D9B7 second address: B5DA45 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD82896C4E4h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d nop 0x0000000e push 00000000h 0x00000010 push ebx 0x00000011 call 00007FD82896C4D8h 0x00000016 pop ebx 0x00000017 mov dword ptr [esp+04h], ebx 0x0000001b add dword ptr [esp+04h], 0000001Dh 0x00000023 inc ebx 0x00000024 push ebx 0x00000025 ret 0x00000026 pop ebx 0x00000027 ret 0x00000028 mov ebx, dword ptr [ebp+12642CE9h] 0x0000002e mov dword ptr [ebp+1264233Fh], edx 0x00000034 push 00000000h 0x00000036 jnl 00007FD82896C4DAh 0x0000003c push 00000000h 0x0000003e push 00000000h 0x00000040 push ebx 0x00000041 call 00007FD82896C4D8h 0x00000046 pop ebx 0x00000047 mov dword ptr [esp+04h], ebx 0x0000004b add dword ptr [esp+04h], 0000001Dh 0x00000053 inc ebx 0x00000054 push ebx 0x00000055 ret 0x00000056 pop ebx 0x00000057 ret 0x00000058 sub dword ptr [ebp+12641A99h], ebx 0x0000005e push eax 0x0000005f push eax 0x00000060 push edx 0x00000061 push edi 0x00000062 pushad 0x00000063 popad 0x00000064 pop edi 0x00000065 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: B54F42 second address: B54F47 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: B98EBD second address: B98EC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: B98EC3 second address: B98EFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD828C22D81h 0x00000009 jmp 00007FD828C22D88h 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 jp 00007FD828C22D76h 0x00000017 push ecx 0x00000018 pop ecx 0x00000019 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: B98EFB second address: B98F05 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FD82896C4D6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: B9962A second address: B9963F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FD828C22D76h 0x0000000a popad 0x0000000b jc 00007FD828C22D9Dh 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: B9992F second address: B99935 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: B9E9A8 second address: B9E9AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: B9E9AD second address: B9E9CB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD82896C4DCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jbe 00007FD82896C4F9h 0x0000000f push eax 0x00000010 push edx 0x00000011 jc 00007FD82896C4D6h 0x00000017 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: B9D593 second address: B9D599 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: B9D810 second address: B9D816 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: B9D961 second address: B9D965 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: B9D965 second address: B9D96B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: B9D96B second address: B9D97B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jl 00007FD828C22D76h 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: B9D97B second address: B9D987 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jnp 00007FD82896C4D6h 0x0000000c rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: B9DAD8 second address: B9DADE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: B9DC26 second address: B9DC2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: B9DC2C second address: B9DC30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: B9DC30 second address: B9DC34 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: B9DC34 second address: B9DC6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jnl 00007FD828C22D76h 0x0000000d jmp 00007FD828C22D85h 0x00000012 jnl 00007FD828C22D76h 0x00000018 popad 0x00000019 pushad 0x0000001a jmp 00007FD828C22D7Ch 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: B9DDB1 second address: B9DDB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: B9DDB5 second address: B9DDD9 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FD828C22D76h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007FD828C22D88h 0x00000011 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: B9DF1B second address: B9DF27 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FD82896C4DEh 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: B9DF27 second address: B9DF2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: B9E0BA second address: B9E0D4 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 jo 00007FD82896C4DEh 0x00000016 pushad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: B9E827 second address: B9E82D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: B9E82D second address: B9E86E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FD82896C4E0h 0x0000000a jmp 00007FD82896C4DEh 0x0000000f popad 0x00000010 pushad 0x00000011 jmp 00007FD82896C4E9h 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: B9E86E second address: B9E876 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: B9D100 second address: B9D11E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD82896C4E4h 0x00000009 popad 0x0000000a pushad 0x0000000b push esi 0x0000000c pop esi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: BA27E5 second address: BA27F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: BA27F0 second address: BA27F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: BA27F4 second address: BA27FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: BA27FA second address: BA2800 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: BA46A2 second address: BA46C3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD828C22D84h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jo 00007FD828C22D7Eh 0x0000000f push ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: B11CA3 second address: B11CA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: B11CA9 second address: B11CC7 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FD828C22D76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jne 00007FD828C22D7Ah 0x00000010 push eax 0x00000011 push edx 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 je 00007FD828C22D76h 0x0000001a rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: B11CC7 second address: B11CEE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD82896C4E4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jg 00007FD82896C4DCh 0x00000012 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: BA8376 second address: BA838C instructions: 0x00000000 rdtsc 0x00000002 js 00007FD828C22D76h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d je 00007FD828C22D76h 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: BACBC3 second address: BACBD7 instructions: 0x00000000 rdtsc 0x00000002 js 00007FD82896C4D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jl 00007FD82896C4D6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: BACBD7 second address: BACBDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: BAC663 second address: BAC66A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: BAE3A8 second address: BAE3B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: BAE3B0 second address: BAE3B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: BAE3B8 second address: BAE3C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: BAE3C3 second address: BAE3C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: BAE3C9 second address: BAE3D5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: BB18CA second address: BB18CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: BB18CE second address: BB18D3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: BB0DC4 second address: BB0DCA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: BB0DCA second address: BB0DD1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: BB10D1 second address: BB10E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FD82896C4D6h 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: BB4FA0 second address: BB4FAA instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: BB4FAA second address: BB4FAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: BB523E second address: BB5256 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD828C22D83h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: BB5256 second address: BB5277 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD82896C4DFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 js 00007FD82896C4F0h 0x0000000f push eax 0x00000010 push edx 0x00000011 jbe 00007FD82896C4D6h 0x00000017 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: BB53BB second address: BB53D4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD828C22D85h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: BB53D4 second address: BB53ED instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD82896C4E4h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: BB53ED second address: BB53FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD828C22D7Ch 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: BB53FF second address: BB5413 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push edx 0x00000008 jg 00007FD82896C4D8h 0x0000000e push eax 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: B549C2 second address: B549C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: B549C8 second address: B549E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD82896C4E5h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: B549E1 second address: B54A18 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b sub dl, FFFFFFA5h 0x0000000e mov ebx, dword ptr [ebp+12735B10h] 0x00000014 adc dx, B390h 0x00000019 add eax, ebx 0x0000001b sub dword ptr [ebp+1271BFCDh], edi 0x00000021 nop 0x00000022 push edx 0x00000023 pushad 0x00000024 pushad 0x00000025 popad 0x00000026 pushad 0x00000027 popad 0x00000028 popad 0x00000029 pop edx 0x0000002a push eax 0x0000002b push eax 0x0000002c push edx 0x0000002d pushad 0x0000002e pushad 0x0000002f popad 0x00000030 jo 00007FD828C22D76h 0x00000036 popad 0x00000037 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: B54A18 second address: B54A52 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FD82896C4D8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b mov ecx, dword ptr [ebp+12641B46h] 0x00000011 push 00000004h 0x00000013 sub dword ptr [ebp+126438CBh], ebx 0x00000019 mov ecx, dword ptr [ebp+12642AB5h] 0x0000001f nop 0x00000020 jbe 00007FD82896C4DEh 0x00000026 push ecx 0x00000027 jo 00007FD82896C4D6h 0x0000002d pop ecx 0x0000002e push eax 0x0000002f pushad 0x00000030 push eax 0x00000031 push edx 0x00000032 jne 00007FD82896C4D6h 0x00000038 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: BBD495 second address: BBD4E8 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FD828C22D76h 0x00000008 jno 00007FD828C22D76h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jmp 00007FD828C22D85h 0x00000015 pushad 0x00000016 jmp 00007FD828C22D83h 0x0000001b jmp 00007FD828C22D81h 0x00000020 push esi 0x00000021 pop esi 0x00000022 popad 0x00000023 popad 0x00000024 push eax 0x00000025 push edx 0x00000026 push ecx 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: BBD4E8 second address: BBD4ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: BBD4ED second address: BBD4FC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 jbe 00007FD828C22D76h 0x0000000b popad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: BBB6AD second address: BBB6C8 instructions: 0x00000000 rdtsc 0x00000002 je 00007FD82896C4D6h 0x00000008 jl 00007FD82896C4D6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 jne 00007FD82896C4D6h 0x00000017 pushad 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: BBB6C8 second address: BBB6D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: BBBB15 second address: BBBB3F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FD82896C4E1h 0x0000000f jmp 00007FD82896C4DFh 0x00000014 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: BBBB3F second address: BBBB43 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: BBBDD1 second address: BBBDD9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: BBBDD9 second address: BBBDDD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: BBBDDD second address: BBBDED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jnp 00007FD82896C4E2h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: BBBDED second address: BBBDFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FD828C22D76h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: BBBDFE second address: BBBE02 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: BBBE02 second address: BBBE34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FD828C22D80h 0x0000000b push eax 0x0000000c push edx 0x0000000d ja 00007FD828C22D76h 0x00000013 jmp 00007FD828C22D84h 0x00000018 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: C2C9D0 second address: C2C9DA instructions: 0x00000000 rdtsc 0x00000002 jne 00007FD828C22D76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: C2BD4F second address: C2BD5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FD82896C4D6h 0x0000000a push eax 0x0000000b pop eax 0x0000000c popad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: C2BD5F second address: C2BD65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: C2BD65 second address: C2BD6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: C2BD6B second address: C2BD70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: C2BD70 second address: C2BD76 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: C2BD76 second address: C2BD7C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: C349B6 second address: C349C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007FD82896C4D6h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: C38A44 second address: C38A4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: C38A4A second address: C38A62 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD82896C4E4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: C38A62 second address: C38A88 instructions: 0x00000000 rdtsc 0x00000002 js 00007FD828C22D8Fh 0x00000008 jmp 00007FD828C22D89h 0x0000000d push esi 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: C38A88 second address: C38A9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a jo 00007FD82896C4D6h 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: C38A9A second address: C38A9E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: C3A89C second address: C3A8B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD82896C4E3h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: C30822 second address: C30852 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD828C22D82h 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FD828C22D87h 0x00000011 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: C2F470 second address: C2F476 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: C2F476 second address: C2F48C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD828C22D82h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: C2F48C second address: C2F490 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: C2F5DB second address: C2F5DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: C2F5DF second address: C2F5ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: C2F5ED second address: C2F5F3 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: C2F5F3 second address: C2F5F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeRDTSC instruction interceptor: First address: C306E8 second address: C306F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Special instruction interceptor: First address: B4A510 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Special instruction interceptor: First address: B48CA4 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Special instruction interceptor: First address: A5F332 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Special instruction interceptor: First address: B7193C instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Special instruction interceptor: First address: BD374A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Memory allocated: 52E0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Memory allocated: 5500000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Memory allocated: 5340000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Memory allocated: BE10000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Memory allocated: 10E10000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Window / User API: threadDelayed 1658
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Window / User API: threadDelayed 376
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Window / User API: threadDelayed 405
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Window / User API: threadDelayed 1531
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Window / User API: threadDelayed 1554
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Window / User API: threadDelayed 1621
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Window / User API: threadDelayed 1607
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Window / User API: foregroundWindowGot 362
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsu5978.tmp\nsExec.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsu5978.tmp\System.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsu5978.tmp\LangDLL.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor-uninstaller.exe
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe TID: 7080 Thread sleep time: -146073s >= -30000s
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe TID: 7136 Thread sleep time: -130065s >= -30000s
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe TID: 2148 Thread sleep time: -3317658s >= -30000s
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe TID: 7004 Thread sleep time: -56000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe TID: 7132 Thread sleep time: -148074s >= -30000s
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe TID: 5356 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe TID: 2136 Thread sleep time: -3063531s >= -30000s
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe TID: 1848 Thread sleep time: -3109554s >= -30000s
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe TID: 6984 Thread sleep time: -3243621s >= -30000s
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe TID: 7016 Thread sleep time: -3215607s >= -30000s
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe TID: 5356 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe Code function: 0_2_0040290B FindFirstFileW,0_2_0040290B
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe Code function: 0_2_004069C3 FindFirstFileW,FindClose,0_2_004069C3
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe Code function: 0_2_00405D99 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_00405D99
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe File opened: C:\Users\user
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe File opened: C:\Users\user\AppData\Roaming\Reincubate
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe File opened: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe File opened: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor
Source: BlackBerryBackupExtractor.exe, BlackBerryBackupExtractor.exe, 00000008.00000002.3545579079.0000000000B2C000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: BlackBerryBackupExtractor.exe, 00000008.00000002.3550823162.0000000007A19000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:4Insta
Source: BlackBerryBackupExtractor.exe, 00000008.00000002.3545579079.0000000000B2C000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: BlackBerryBackupExtractor.exe, 00000008.00000002.3550823162.0000000007A6B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe API call chain: ExitProcess graph end node graph_0-3424
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe System information queried: ModuleInformation
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe File opened: NTICE
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe File opened: SICE
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe File opened: SIWVID
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: Traffic DNS traffic detected: queries for: uds.reincubate.com
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c taskkill /f /im "BlackBerryBackupExtractor.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe Process created: C:\Windows\explorer.exe "C:\Windows\explorer.exe" C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im "BlackBerryBackupExtractor.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im "BlackBerryBackupExtractor.exe"
Source: BlackBerryBackupExtractor.exe, BlackBerryBackupExtractor.exe, 00000008.00000002.3545579079.0000000000B2C000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: 'Program Manager
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\OFFSYM.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\OFFSYMSL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\OFFSYMSB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\OFFSYMXL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\DroidSans.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exeQueries volume information: C:\Windows\Fonts\DroidSans-Bold.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe
Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe
Code function: 0_2_00403665 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,CoUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_00403665
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe
Directory queried: C:\Users\user\Documents
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
--- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 21 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 11 Disable or Modify Tools | 1 Input Capture | 13 File and Directory Discovery | Remote Services | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | 1 DLL Search Order Hijacking | 1 DLL Search Order Hijacking | 2 Obfuscated Files or Information | LSASS Memory | 226 System Information Discovery | Remote Desktop Protocol | 1 Data from Local System | 11 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | 1 Windows Service | 1 Access Token Manipulation | 12 Software Packing | Security Account Manager | 1 Query Registry | SMB/Windows Admin Shares | 1 Input Capture | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | 1 Registry Run Keys / Startup Folder | 1 Windows Service | 1 DLL Side-Loading | NTDS | 641 Security Software Discovery | Distributed Component Object Model | 1 Clipboard Data | 3 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 12 Process Injection | 1 DLL Search Order Hijacking | LSA Secrets | 2 Process Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 1 Registry Run Keys / Startup Folder | 11 Masquerading | Cached Domain Credentials | 271 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 271 Virtualization/Sandbox Evasion | DCSync | 1 Application Window Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Access Token Manipulation | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 12 Process Injection | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
Behavior Graph (ID: 1510318; Sample: SecuriteInfo.com.W32.Possib...; Startdate: 12/09/2024; Architecture: WINDOWS; Score: 42)

  • Sample: DNS/IP uds.reincubate.com; signatures: Detected unpacking (changes PE section rights); Performs DNS TXT record lookups; Tries to detect sandboxes and other dynamic analysis tools (window names); 4 other signatures
  • SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe (started): dropped C:\Users\...\BlackBerryBackupExtractor.exe (PE32), BlackBerryBackupEx...tor-uninstaller.exe (PE32), C:\Users\user\AppData\Local\...\nsExec.dll (PE32) and 2 other files (none is malicious); started cmd.exe and explorer.exe
  • cmd.exe: started taskkill.exe and conhost.exe
  • explorer.exe (started): started BlackBerryBackupExtractor.exe
  • BlackBerryBackupExtractor.exe: DNS/IP uds.reincubate.com (172.67.75.19, 443, 49740, CLOUDFLARENETUS, United States); signatures: Hides threads from debuggers; Tries to detect sandboxes / dynamic malware analysis system (registry check); Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
  • uds.reincubate.com: signature: Performs DNS TXT record lookups

Source | Detection | Scanner | Label | Link
--- | --- | --- | --- | ---
SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe | 3% | ReversingLabs | |

Source | Detection | Scanner | Label | Link
--- | --- | --- | --- | ---
C:\Users\user\AppData\Local\Temp\nsu5978.tmp\LangDLL.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\nsu5978.tmp\System.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\nsu5978.tmp\nsExec.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor-uninstaller.exe | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe | 12% | ReversingLabs | |
No Antivirus matches
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
--- | --- | --- | --- | --- | ---
uds.reincubate.com | 172.67.75.19 | true | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
--- | --- | --- | ---
https://uds.reincubate.com/latest-version/F6E219C772F2D0D47416/ | false | Avira URL Cloud: safe | unknown
      • URL Reputation: safe
      unknown
      http://www.fontbureau.com/designers8BlackBerryBackupExtractor.exe, 00000008.00000002.3551811836.00000000095C2000.00000004.00000800.00020000.00000000.sdmpfalse
      • URL Reputation: safe
      unknown
      http://www.jiyu-kobo.co.jp/sNBlackBerryBackupExtractor.exe, 00000008.00000003.1798526235.00000000084BD000.00000004.00000020.00020000.00000000.sdmpfalse
      • Avira URL Cloud: safe
      unknown
      http://www.fontbureau.comalicBlackBerryBackupExtractor.exe, 00000008.00000003.1804015499.00000000084C1000.00000004.00000020.00020000.00000000.sdmp, BlackBerryBackupExtractor.exe, 00000008.00000003.1803606889.00000000084C0000.00000004.00000020.00020000.00000000.sdmpfalse
      • Avira URL Cloud: safe
      unknown
      http://www.ascendercorp.com/typedesigners.html%xBlackBerryBackupExtractor.exe, 00000008.00000003.1812272937.00000000084C3000.00000004.00000020.00020000.00000000.sdmp, BlackBerryBackupExtractor.exe, 00000008.00000002.3551601220.00000000084B0000.00000004.00000020.00020000.00000000.sdmp, BlackBerryBackupExtractor.exe, 00000008.00000003.1811959597.00000000084C5000.00000004.00000020.00020000.00000000.sdmpfalse
      • Avira URL Cloud: safe
      unknown
      http://www.ascendercorp.com/$http://ascendercorp.com/eula10.htmlBlackBerryBackupExtractor.exe, 00000008.00000002.3551811836.00000000095C2000.00000004.00000800.00020000.00000000.sdmpfalse
      • Avira URL Cloud: safe
      unknown
      http://www.fontbureau.comghtBlackBerryBackupExtractor.exe, 00000008.00000003.1810270175.00000000084C4000.00000004.00000020.00020000.00000000.sdmp, BlackBerryBackupExtractor.exe, 00000008.00000003.1810168833.00000000084C4000.00000004.00000020.00020000.00000000.sdmpfalse
      • Avira URL Cloud: safe
      unknown
      http://www.fontbureau.com/designers/BlackBerryBackupExtractor.exe, 00000008.00000003.1803606889.00000000084C0000.00000004.00000020.00020000.00000000.sdmpfalse
      • Avira URL Cloud: safe
      unknown
      • No. of IPs < 25%
      • 25% < No. of IPs < 50%
      • 50% < No. of IPs < 75%
      • 75% < No. of IPs
      IP | Domain | Country | Flag | ASN | ASN Name | Malicious
      172.67.75.19 | uds.reincubate.com | United States | | 13335 | CLOUDFLARENETUS | true
      Joe Sandbox version:40.0.0 Tourmaline
      Analysis ID:1510318
      Start date and time:2024-09-12 20:30:54 +02:00
      Joe Sandbox product:CloudBasic
      Overall analysis duration:0h 8m 1s
      Hypervisor based Inspection enabled:false
      Report type:full
      Cookbook file name:default.jbs
      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
      Run name:Run with higher sleep bypass
      Number of analysed new started processes analysed:15
      Number of new started drivers analysed:0
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:0
      Technologies:
      • HCA enabled
      • EGA enabled
      • AMSI enabled
      Analysis Mode:default
      Analysis stop reason:Timeout
      Sample name:SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe
      Detection:MAL
      Classification:mal42.evad.winEXE@11/15@2/1
      EGA Information:
      • Successful, ratio: 100%
      HCA Information:
      • Successful, ratio: 70%
      • Number of executed functions: 224
      • Number of non-executed functions: 23
      Cookbook Comments:
      • Found application associated with file extension: .exe
      • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
      • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
      • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
      • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
      • Not all processes where analyzed, report is missing behavior information
      • Report size exceeded maximum capacity and may have missing behavior information.
      • Report size getting too big, too many NtAllocateVirtualMemory calls found.
      • Report size getting too big, too many NtEnumerateKey calls found.
      • Report size getting too big, too many NtOpenKeyEx calls found.
      • Report size getting too big, too many NtProtectVirtualMemory calls found.
      • Report size getting too big, too many NtQueryValueKey calls found.
      • Report size getting too big, too many NtReadVirtualMemory calls found.
      • VT rate limit hit for: SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe
      Time | Type | Description
      14:32:22 | API Interceptor | 5754965x Sleep call for process: BlackBerryBackupExtractor.exe modified
      No context
                                          Process:C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):3141402
                                          Entropy (8bit):7.860092883256183
                                          Encrypted:false
                                          SSDEEP:49152:ScfrILOClKr1PVn7wJj2ExFDcJd+6iVAATi9EpoNjSfInTcubjnlG68uBshYb6S0:DILOCSFVnMJKEXkVPEp/aG68uBsthZ
                                          MD5:C83A97178B92EBFBA03616B612469672
                                          SHA1:698E8D8061CC8D53074640F7BA266AD0E62562C3
                                          SHA-256:2A60B230818467D8C538D4DEFE222402CB6520404FEE8B212C405E5095BED50E
                                          SHA-512:8E61EDD1187FBEE082B21D61E46DE7323A4DA81465455C1327A6AEC4A75F2238DCAFCF726587B4C5684C2B63C46F301644D12C4049903DA42DB4B5B657D5AA68
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe
                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                          Category:dropped
                                          Size (bytes):5632
                                          Entropy (8bit):3.81812520226775
                                          Encrypted:false
                                          SSDEEP:48:S46+/nTKYKxbWsptIpBtWZ0iV8jAWiAJCvxft2O2B8mFofjLl:zFuPbOBtWZBV8jAWiAJCdv2Cm0L
                                          MD5:68B287F4067BA013E34A1339AFDB1EA8
                                          SHA1:45AD585B3CC8E5A6AF7B68F5D8269C97992130B3
                                          SHA-256:18E8B40BA22C7A1687BD16E8D585380BC2773FFF5002D7D67E9485FCC0C51026
                                          SHA-512:06C38BBB07FB55256F3CDC24E77B3C8F3214F25BFD140B521A39D167113BF307A7E8D24E445D510BC5E4E41D33C9173BB14E3F2A38BC29A0E3D08C1F0DCA4BDB
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          Joe Sandbox View:
                                          • Filename: f9GwN5TLpA.hta, Detection: malicious, Browse
                                          • Filename: eDHL.exe, Detection: malicious, Browse
                                          • Filename: eDHL.exe, Detection: malicious, Browse
                                          • Filename: Pepsico Company Profile.exe, Detection: malicious, Browse
                                          • Filename: Pepsico Company Profile.exe, Detection: malicious, Browse
                                          • Filename: SecuriteInfo.com.MSExcel.CVE_2017_0199.G1.exploit.3568.4683.xlsx, Detection: malicious, Browse
                                          • Filename: SecuriteInfo.com.FileRepMalware.11227.27096.exe, Detection: malicious, Browse
                                          • Filename: SecuriteInfo.com.FileRepMalware.11227.27096.exe, Detection: malicious, Browse
                                          • Filename: SecuriteInfo.com.X97M.DownLoader.1509.23983.22740.xlsx, Detection: malicious, Browse
                                          Reputation:moderate, very likely benign file
                                          Process:C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe
                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                          Category:dropped
                                          Size (bytes):12288
                                          Entropy (8bit):5.814115788739565
                                          Encrypted:false
                                          SSDEEP:192:Zjvco0qWTlt70m5Aj/lQ0sEWD/wtYbBHFNaDybC7y+XBz0QPi:FHQlt70mij/lQRv/9VMjzr
                                          MD5:CFF85C549D536F651D4FB8387F1976F2
                                          SHA1:D41CE3A5FF609DF9CF5C7E207D3B59BF8A48530E
                                          SHA-256:8DC562CDA7217A3A52DB898243DE3E2ED68B80E62DDCB8619545ED0B4E7F65A8
                                          SHA-512:531D6328DAF3B86D85556016D299798FA06FEFC81604185108A342D000E203094C8C12226A12BD6E1F89B0DB501FB66F827B610D460B933BD4AB936AC2FD8A88
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          Joe Sandbox View:
                                          • Filename: f_00622c.exe, Detection: malicious, Browse
                                          • Filename: , Detection: malicious, Browse
                                          • Filename: 47#U0627.vbs, Detection: malicious, Browse
                                          • Filename: Request for Quotation - sample catalog.vbs, Detection: malicious, Browse
                                          • Filename: 47#U0627.vbs, Detection: malicious, Browse
                                          • Filename: Request for Quotation - sample catalog.vbs, Detection: malicious, Browse
                                          • Filename: tKr6T60C1r.exe, Detection: malicious, Browse
                                          • Filename: #U0423#U0432#U0435#U0434#U043e#U043c#U043b#U0435#U043d#U0438#U0435_#U2116_24357 .exe, Detection: malicious, Browse
                                          • Filename: #U0423#U0432#U0435#U0434#U043e#U043c#U043b#U0435#U043d#U0438#U0435_#U2116_24357 .exe, Detection: malicious, Browse
                                          Process:C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe
                                          File Type:PC bitmap, Windows 3.x format, 150 x 57 x 24, image size 25766, resolution 2834 x 2834 px/m, cbSize 25820, bits offset 54
                                          Category:dropped
                                          Size (bytes):25820
                                          Entropy (8bit):3.085809376818384
                                          Encrypted:false
                                          SSDEEP:192:eu3qVJNobSxVeObb4hBZLE9oOAbz3YsShFc:e2qVPrxbP/oOAJN
                                          MD5:EA1BCBB019BB35C193D1805042435A38
                                          SHA1:1F466FDA34754F87FBF564EC012BEA8920CDBA3F
                                          SHA-256:450DA4202CB619E532863A26BA369420EA5D8DF136C3243D4635ECDC83C3EC39
                                          SHA-512:FE256B54EEFC745F531566C3F925CD532B293DA7977D4E193B6D0736F693B831D239AB9A2BDAA3A5EFB2D83295939A9296DBCDFC61B16A1D06A75819FE73EBA7
                                          Malicious:false
                                          Process:C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe
                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                          Category:dropped
                                          Size (bytes):7168
                                          Entropy (8bit):5.298362543684714
                                          Encrypted:false
                                          SSDEEP:96:J9zdzBzMDByZtr/HDQIUIq9m6v6vBckzu9wSBpLEgvElHlernNQaSGYuH2DQ:JykDr/HA5v6G2IElFernNQZGdHW
                                          MD5:675C4948E1EFC929EDCABFE67148EDDD
                                          SHA1:F5BDD2C4329ED2732ECFE3423C3CC482606EB28E
                                          SHA-256:1076CA39C449ED1A968021B76EF31F22A5692DFAFEEA29460E8D970A63C59906
                                          SHA-512:61737021F86F54279D0A4E35DB0D0808E9A55D89784A31D597F2E4B65B7BBEEC99AA6C79D65258259130EEDA2E5B2820F4F1247777A3010F2DC53E30C612A683
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          Process:C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe
                                          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Thu Jun 15 10:44:34 2023, mtime=Thu Sep 12 17:31:50 2024, atime=Thu Jun 15 10:44:34 2023, length=2611648, window=hide
                                          Category:dropped
                                          Size (bytes):1341
                                          Entropy (8bit):4.760981927268571
                                          Encrypted:false
                                          SSDEEP:24:8mzmDAmTw+PB2611RLQcDUFBLD8lhAyd3ao8RZDUFTD8l9rb8RZDUFRKkhfBm:8maDDTPB2611dTDUnD8sS3ao8/DUZD83
                                          MD5:CD12A09467DCF6246F2E29252CFE0F63
                                          SHA1:229924A195B04FD4F5D51CE3A221098714973F3D
                                          SHA-256:E4A3DEDD366378E9E06D2A97419E4D7EA081C74BF11B1B3C5576B4BD973897F9
                                          SHA-512:4DEDE903517A6FB481FAC337BCFCF9F704CAA4B528FDBD941511B206514B7670596B920B3E769D0AC1B0F73CFF7D5BED4F5ADF10AAD0EF97FD91C4193586870E
                                          Malicious:false
                                          Preview:L..................F.... ....=0.~.....5.B....=0.~.....'.....................z.:..DG..Yr?.D..U..k0.&...&......vk.v....F...B...].x.B.......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^,Y.............................%..A.p.p.D.a.t.a...B.V.1.....,Y....Roaming.@......CW.^,Y............................j...R.o.a.m.i.n.g.....^.1.....,Y....REINCU~1..F......,Y..,Y......S.....................j...R.e.i.n.c.u.b.a.t.e.......1.....,Y....BLACKB~1..h......,Y..,Y......T.........................B.l.a.c.k.B.e.r.r.y. .B.a.c.k.u.p. .E.x.t.r.a.c.t.o.r.......2...'..V.] .BLACKB~2.EXE..l.......V.],Y......K.........................B.l.a.c.k.B.e.r.r.y.B.a.c.k.u.p.E.x.t.r.a.c.t.o.r...e.x.e.......................-.....................MK.....C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe..V.....\.....\.....\.....\.....\.....\.R.e.i.n.c.u.b.a.t.e.\.B.l.a.c.k.B.e.r.r.y. .B.a.c.k.u.p. .E.x.t.r.a.c.t.o.r.\.B.l.a.c.k.B.e.r.r.y.B.a.c.
                                          Process:C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe
                                          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Thu Sep 12 17:31:50 2024, mtime=Thu Sep 12 17:31:50 2024, atime=Thu Sep 12 17:31:50 2024, length=163369, window=hide
                                          Category:dropped
                                          Size (bytes):1401
                                          Entropy (8bit):4.759425233369194
                                          Encrypted:false
                                          SSDEEP:24:8m2PZPJ7NAmTw+PB2611RLQcDUFNJD8lYoAmd3a/iP8RZDUFTD8lYwrb8RZDUFRo:8mmZPJ7NDTPB2611dTDUZD8aPu3a/iPq
                                          MD5:13F9C3A5FEA392E1FB6FF20715B3B785
                                          SHA1:959CEE872E791B09559014249DEBA599685F3DA4
                                          SHA-256:E03000052DD0636D7AF57AEEA939EC5EF1BEE5437FE28DE833DCF25F522451DA
                                          SHA-512:896D4428BA96E6A19813C7CD1B6EABF55273033FEA30AD8531157724C9CA87452B77A498EAB7D3C818177A1EDC4CCDED0B385EB6692805E7DEA58F745FC2C2E8
                                          Malicious:false
                                          Preview:L..................F.... .....".B...y...B...y...B...)~........................:..DG..Yr?.D..U..k0.&...&......vk.v....F...B...].x.B.......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^,Y.............................%..A.p.p.D.a.t.a...B.V.1.....,Y....Roaming.@......CW.^,Y............................j...R.o.a.m.i.n.g.....^.1.....,Y....REINCU~1..F......,Y..,Y......S.....................j...R.e.i.n.c.u.b.a.t.e.......1.....,Y....BLACKB~1..h......,Y..,Y......T.........................B.l.a.c.k.B.e.r.r.y. .B.a.c.k.u.p. .E.x.t.r.a.c.t.o.r.......2.)~..,Y.. .BLACKB~1.EXE.........,Y..,Y..............................$.B.l.a.c.k.B.e.r.r.y.B.a.c.k.u.p.E.x.t.r.a.c.t.o.r.-.u.n.i.n.s.t.a.l.l.e.r...e.x.e.......................-.....................MK.....C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor-uninstaller.exe..b.....\.....\.....\.....\.....\.....\.R.e.i.n.c.u.b.a.t.e.\.B.l.a.c.k.B.e.r.r.y. .B.a.c.k.u.p. .E.x.t.r.a.
                                          Process:C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe
                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                          Category:dropped
                                          Size (bytes):163369
                                          Entropy (8bit):7.361411491018553
                                          Encrypted:false
                                          SSDEEP:3072:JFZoCDi1UE1uvgQYeNYjek4XDmNmLHta09dzo4oGh7K1ibb0wkll0PVxK6S9yl8:JF2d1UqINVTg0KGcKbsf0bK6uQ8
                                          MD5:8DD5778933E2ED5D213EEA9459F332DC
                                          SHA1:26FBA7CCC27D94E86EA21CD1DF743025899C0E50
                                          SHA-256:2D5D35251CEB380C781297AA2D3F31206DD4BB0AAB556761EC4E3B42D3FDDEEC
                                          SHA-512:629C29B5B5DE1D3F6F5E038AAD430DABFC11D333ACCEE8B3196E6995DD4712FBA13AA09D969458EF410AE85D503A02D794DEB855097B0BE7F36DDD758544B64A
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          Process:C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe
                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                          Category:dropped
                                          Size (bytes):2611648
                                          Entropy (8bit):7.971383117448041
                                          Encrypted:false
                                          SSDEEP:49152:0frILOClKr1PVn7wJj2ExFDcJd+6iVAATi9EpoNjSfInTcubjnlG68uBshYbD:oILOCSFVnMJKEXkVPEp/aG68uBsQ
                                          MD5:8CD8B27DAB255BA25B5283FB4496709D
                                          SHA1:00EE08878A837F4CE9D08F025DBCA041042AF653
                                          SHA-256:DB0AB43D4018BBC1AA3774CFADFD6304AB4A362CB2ECFD39A04F5028C0D2E89D
                                          SHA-512:527A63976F782DAA00CE77CF981A5B02B13D33F9FDB6C636E2F71BD2738F0BC33C8DC0A9E450B7FC2318200172A6B592E38F830FFE6DB15A075A22D785C7711E
                                          Malicious:true
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 12%
                                          Preview:MZ......................@...........z...................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.....................j ......@T.. ... ....@.. .......................`T.....@S(...@.................................m. ......@..Xi............'..W.... ..................................................................................... . . ... ....... ..............@....rsrc...Xi...@...f...&..............@....idata . .... .....................@... .`.... .....................@...ebblbqjy.....@?.....................@...jwuvegyw. ...@T.......'.............@...................................................................................................................................................................................................................................................................................................................................................................................................
                                          Process:C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe
                                          File Type:Unicode text, UTF-8 text, with very long lines (457), with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):14226
                                          Entropy (8bit):4.474976705134131
                                          Encrypted:false
                                          SSDEEP:192:Y+vcYGR8xfv7/NI7lhBBi5WqSlEpYcZSSj5BSr4QNu/9u1XqxglWS/dshCSvhWUG:gRCfvOlhXit9pJ5U4Qt04JlGIU/O
                                          MD5:100D4189ECCF072145C5634BCB24CB05
                                          SHA1:26DE3E68A1431103C8956A9A44EF53BE7290ED5E
                                          SHA-256:6DA42184E41FDA8FFCCE1B64541313F991525145311799D96D88E5EAEF9DBA4E
                                          SHA-512:0953D73D8D194969E27F1019C59EEE9E612FB8618A4FDDC43349552D007652312681507D145AF340011405ACCA46BD91764F22B1DD6B7CFE44C3162190725F2B
                                          Malicious:false
                                          Preview:License Contents.... A. Reincubate Software Ltd Terms & Conditions.. B. Droid Font Family Copyright Notice.. C. LED Icon Set Copyright Notice......A. Reincubate Software Ltd Terms & Conditions....Thank you for choosing a Reincubate product or service. Please read the following terms & conditions carefully as they govern your use of our products, services and our websites. Occasionally a particular product or service will require its own specific terms & conditions. If this is the case please read those in addition to these terms.....Terms....In these terms & conditions the following definitions apply:...."We", "us", "our" and "Reincubate" refer to Reincubate Software Ltd, a company registered in England number 5189175....."You" refers to the person or company currently reading these terms & conditions....."Product" or "application" refers to any product developed and sold by Reincubate....."service" refers to any online service provided by Reincubate, whether free or subscript
                                          Process:C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):1717
                                          Entropy (8bit):4.904813470551442
                                          Encrypted:false
                                          SSDEEP:48:n343otV1gLi8LnezOLbzKovvfMywV8LJHM:bP1gLi8r/PLvf2QJs
                                          MD5:630CDF7EADE2819F63EC22D6FA1DE958
                                          SHA1:A744E5494FA0E5654D51763C829BFC4E9E7C0C81
                                          SHA-256:12157EE78C2B851C2859C55091908BB0B4246AD24E5B380AB42E658D26E1512B
                                          SHA-512:511D005DBBFB8EA965588B9EFEFFEF5EA0417C5EF6F0AC41D7EA7A0B8F78D855627F88A206B2DF725CFA34CABF36E092D8B59FB2617CFA7EFB7E3D56BC4FED58
                                          Malicious:false
                                          Preview:BlackBerry Backup Extractor....~ About:....The BlackBerry Backup Extractor can recover contacts, call histories, BBM, MMS, SMS and text messages, calendar entries, memos, app files and data that might otherwise be inaccessible.....The application automatically converts the extracted database into CSV and VCard formats, so they can be easily imported into Excel, Outlook, or Webmail.......~ Features:....Uses all versions of BlackBerry Desktop Software IPD backup files....Works with any BlackBerry device ..(All phone types and also the Blackberry PlayBook)....Will run on any Windows XP, Vista or Windows 7 computer, in 32 or 64-bit mode....Can also run on Linux or OS X computers....Recover data from IPD backups whether you have lost or broken your BlackBerry? Deleted something important? Or run a failed update?....Extract files from the backups BlackBerry Desktop Software automatically makes from your Device....Easy to use software, no technical knowledge required....No spyware or ads....P
                                          Process:C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe
                                          File Type:MS Windows icon resource - 4 icons, 256x256 with PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced, 32 bits/pixel, 48x48, 32 bits/pixel
                                          Category:dropped
                                          Size (bytes):49119
                                          Entropy (8bit):7.330118311356384
                                          Encrypted:false
                                          SSDEEP:768:EK0cb08Zuk75gfVosqln3V5a+1HRG4ad1iBIjz7agp:EK0crszfVoLl3V5Z1xeHuUygp
                                          MD5:528CB601B4BFBF03A5660C88CF813977
                                          SHA1:47FD7BC65370B24405170AAAA4D92E6EA481BDC4
                                          SHA-256:856CA1A97E4B11F5A544A86883796F5A2E6B4C8744607E4EAAA38DF975B65064
                                          SHA-512:E3EA27802A0AA80CCF795CCAFE22035BA9F1549AE012FE7D15D252AFD7C89738BBB61243C8C7DB879C4EE9FBFC1288BA65589BE3A4CDA21A1A2F66DD4E88D6D4
                                          Malicious:false
                                          Process:C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe
                                          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Thu Jun 15 10:44:34 2023, mtime=Thu Sep 12 17:31:50 2024, atime=Thu Jun 15 10:44:34 2023, length=2611648, window=hide
                                          Category:dropped
                                          Size (bytes):1343
                                          Entropy (8bit):4.75899737498188
                                          Encrypted:false
                                          SSDEEP:24:8mziDAmTw+PB2611RLQcDUFBLD8lhAyd3a7Vb8RZDUFTD8l9rb8RZDUFRKkhfBm:8muDDTPB2611dTDUnD8sS3a7R8/DUZDW
                                          MD5:267759AA08A736516AD0A80B583445BD
                                          SHA1:EDE668E675572A8B9F834F3A1DD8BCCC79423C49
                                          SHA-256:DE8033A8E3A1771EC8474D1FDF8ED18A27164AC965867C6F954908917F243042
                                          SHA-512:016F2C0C3B080267CD42A0AA7BA1BC4053FED030977B984DE5BAECF25D7CD573946AC26A2BC3BCF364FC35D23BABDB2953D29BB4E031FB5AED3CAAE3B5C970E6
                                          Malicious:false
                                          Preview:L..................F.... ....=0.~....t..B....=0.~.....'.....................z.:..DG..Yr?.D..U..k0.&...&......vk.v....F...B...].x.B.......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^,Y.............................%..A.p.p.D.a.t.a...B.V.1.....,Y....Roaming.@......CW.^,Y............................j...R.o.a.m.i.n.g.....^.1.....,Y....REINCU~1..F......,Y..,Y......S.....................j...R.e.i.n.c.u.b.a.t.e.......1.....,Y....BLACKB~1..h......,Y..,Y......T.........................B.l.a.c.k.B.e.r.r.y. .B.a.c.k.u.p. .E.x.t.r.a.c.t.o.r.......2...'..V.] .BLACKB~2.EXE..l.......V.],Y......K.........................B.l.a.c.k.B.e.r.r.y.B.a.c.k.u.p.E.x.t.r.a.c.t.o.r...e.x.e.......................-.....................MK.....C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe..W.....\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.R.e.i.n.c.u.b.a.t.e.\.B.l.a.c.k.B.e.r.r.y. .B.a.c.k.u.p. .E.x.t.r.a.c.t.o.r.\.B.l.a.c.k.B.e.r.r.y.B.a.
                                          Process:C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe
                                          File Type:TrueType Font data, 17 tables, 1st "LTSH", 25 names, Macintosh, Digitized data copyright \251 2006, Google Corporation.Droid SansBoldAscender - Droid Sans BoldV
                                          Category:dropped
                                          Size (bytes):148484
                                          Entropy (8bit):6.5125162403200605
                                          Encrypted:false
                                          SSDEEP:3072:j0M77wfFWtStY60Gn66U2XheFFlG07fOFH/yb/1q6RAg6L:49WYCNIXXgFj7fwfyb/z6L
                                          MD5:CC7B7106612676AC9B4CC5017576F0C0
                                          SHA1:9550ACFB025061AFA6E278F721C4EA5C018374B0
                                          SHA-256:EE9B77A21790BFB0B2DBF2BAE5C590E548BA60215EB2AA230601DAEC3D0FA4AC
                                          SHA-512:A97789C885E3F2F216D032F253CC07B23DD2835852988E8AAC0E1BF265FF730A5E010150ED76FDA9CD8C85BF5FCEE8168A172219CE80141D5F14DBD57A82B26A
                                          Malicious:false
                                          Process:C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe
                                          File Type:TrueType Font data, 17 tables, 1st "LTSH", 25 names, Macintosh, Digitized data copyright \251 2006, Google Corporation.Droid SansRegularAscender - Droid SansVer
                                          Category:dropped
                                          Size (bytes):108796
                                          Entropy (8bit):6.6821115583084625
                                          Encrypted:false
                                          SSDEEP:1536:LPAzMOZingTtTlor4nfboz3q7WK0M0+a5K9mkdyrSsCfEsiavHjs7NGDabv:WTK4M+6bMa5Tvp1aPjs7Ndbv
                                          MD5:205EF3CF1E8C6B008BC74EC0D287199E
                                          SHA1:68C63F287D7A7C132A1E3B1139EC22482EFACDF0
                                          SHA-256:12F0210759B1716B822043A6179047EF5F751A793ABBFDA150B566AE57D83F68
                                          SHA-512:362A46825A2D0B9E2866FB0FF982A98F17144A2A18797F403AD7F43E86B960D8C948A7F0DDC9567C3408CF44B160A0BF65070D504BF893ABF9B75DDC2E08395C
                                          Malicious:false
                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                          Entropy (8bit):7.987090569617577
                                          TrID:
                                          • Win32 Executable (generic) a (10002005/4) 99.96%
                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                          • DOS Executable Generic (2002/1) 0.02%
                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                          File name:SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe
                                          File size:3'046'224 bytes
                                          MD5:7268329d169f985be48d34007c4fd957
                                          SHA1:c44b9bbb1a384b146e758316532164df963bdb50
                                          SHA256:f1ce6d3956c9ec05c7fdc5cc58828b62e698d9a9b27733b2df03166f9242f2a3
                                          SHA512:d4493e5d48331c8e5a3e2af8ae64b43346f8d0d82e9a5e8421adeb5c262a90a75b7b9497e9fb9327307a632817e2eba1c0724dbe3907b6eda404c597c329242e
                                          SSDEEP:49152:L7aVeL8C5jSd0vWKApi/POWRH7hxdDjYkCcRJEGlTISD9jXP9WDldjcauKdWu:LseL8CVS2v+p2VV9xtHC8DlFLPEHjw4z
                                          TLSH:D4E533407338C10BDEA36E3729A5B5132FF05BC56264977AB35A0F963BB1750CAABD40
                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf.*_9..Pf..Pg.LPf.*_;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L.....Oa.................j.........
                                          Icon Hash:0e1f3b174d23370e
                                          Entrypoint:0x403665
                                          Entrypoint Section:.text
                                          Digitally signed:true
                                          Imagebase:0x400000
                                          Subsystem:windows gui
                                          Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                          Time Stamp:0x614F9B95 [Sat Sep 25 21:58:45 2021 UTC]
                                          TLS Callbacks:
                                          CLR (.Net) Version:
                                          OS Version Major:4
                                          OS Version Minor:0
                                          File Version Major:4
                                          File Version Minor:0
                                          Subsystem Version Major:4
                                          Subsystem Version Minor:0
                                          Import Hash:61259b55b8912888e90f516ca08dc514
                                          Signature Valid:true
                                          Signature Issuer:CN=Sectigo Public Code Signing CA R36, O=Sectigo Limited, C=GB
                                          Signature Validation Error:The operation completed successfully
                                          Error Number:0
                                          Not Before, Not After
                                          • 14/04/2023 01:00:00 14/04/2026 00:59:59
                                          Subject Chain
                                          • CN=Reincubate Limited, O=Reincubate Limited, S=London, C=GB
                                          Version:3
                                          Thumbprint MD5:A408EDF7146B9AE688D31163740598FB
                                          Thumbprint SHA-1:6384649DEB6A53E869CF42BDF6966E0925924863
                                          Thumbprint SHA-256:FD28555BB46CA0D7729232010CE72238599B44B4043F9A8E5913C26980A9AF50
                                          Serial:00D2DF2902998F046489806C134CE087DF
                                          Instruction
                                          push ebp
                                          mov ebp, esp
                                          sub esp, 000003F4h
                                          push ebx
                                          push esi
                                          push edi
                                          push 00000020h
                                          pop edi
                                          xor ebx, ebx
                                          push 00008001h
                                          mov dword ptr [ebp-14h], ebx
                                          mov dword ptr [ebp-04h], 0040A230h
                                          mov dword ptr [ebp-10h], ebx
                                          call dword ptr [004080C8h]
                                          mov esi, dword ptr [004080CCh]
                                          lea eax, dword ptr [ebp-00000140h]
                                          push eax
                                          mov dword ptr [ebp-0000012Ch], ebx
                                          mov dword ptr [ebp-2Ch], ebx
                                          mov dword ptr [ebp-28h], ebx
                                          mov dword ptr [ebp-00000140h], 0000011Ch
                                          call esi
                                          test eax, eax
                                          jne 00007FD828E2628Ah
                                          lea eax, dword ptr [ebp-00000140h]
                                          mov dword ptr [ebp-00000140h], 00000114h
                                          push eax
                                          call esi
                                          mov ax, word ptr [ebp-0000012Ch]
                                          mov ecx, dword ptr [ebp-00000112h]
                                          sub ax, 00000053h
                                          add ecx, FFFFFFD0h
                                          neg ax
                                          sbb eax, eax
                                          mov byte ptr [ebp-26h], 00000004h
                                          not eax
                                          and eax, ecx
                                          mov word ptr [ebp-2Ch], ax
                                          cmp dword ptr [ebp-0000013Ch], 0Ah
                                          jnc 00007FD828E2625Ah
                                          and word ptr [ebp-00000132h], 0000h
                                          mov eax, dword ptr [ebp-00000134h]
                                          movzx ecx, byte ptr [ebp-00000138h]
                                          mov dword ptr [00434FF8h], eax
                                          xor eax, eax
                                          mov ah, byte ptr [ebp-0000013Ch]
                                          movzx eax, ax
                                          or eax, ecx
                                          xor ecx, ecx
                                          mov ch, byte ptr [ebp-2Ch]
                                          movzx ecx, cx
                                          shl eax, 10h
                                          or eax, ecx
                                          Programming Language:
                                          • [EXP] VC++ 6.0 SP5 build 8804
                                          Name | Virtual Address | Virtual Size | Is in Section
                                          IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8610 | 0xa0 | .rdata
                                          IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x51000 | 0x1a280 | .rsrc
                                          IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_SECURITY | 0x2e2390 | 0x57c0 |
                                          IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2b0 | .rdata
                                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                          Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                          .text | 0x1000 | 0x69e7 | 0x6a00 | 12c53d7ffb6b83e91537cb4b804b29cf | False | 0.6724646226415094 | data | 6.507877508414709 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                          .rdata | 0x8000 | 0x14a6 | 0x1600 | d62f92f8344c212b4300774af029d966 | False | 0.43892045454545453 | data | 5.021834416829947 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                          .data | 0xa000 | 0x2b058 | 0x800 | 6a14c223334afc5fc8671e26593f587f | False | 0.40234375 | data | 3.4211269010192864 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                          .ndata | 0x36000 | 0x1b000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                          .rsrc | 0x51000 | 0x1a280 | 0x1a400 | 03d4e9a1091a0c8c18e409f8d60c6156 | False | 0.7676990327380953 | data | 6.947707826168857 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                          Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                          RT_ICON | 0x51448 | 0x11db3 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9992753524111623
                                          RT_ICON | 0x63200 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | United States | 0.462344398340249
                                          RT_ICON | 0x657a8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | United States | 0.5330675422138836
                                          RT_ICON | 0x66850 | 0xea8 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | United States | 0.21721748400852878
                                          RT_ICON | 0x676f8 | 0x988 | data | English | United States | 0.010245901639344262
                                          RT_ICON | 0x68080 | 0x8a8 | data | English | United States | 0.01128158844765343
                                          RT_ICON | 0x68928 | 0x6c8 | data | English | United States | 0.012672811059907835
                                          RT_ICON | 0x68ff0 | 0x668 | data | English | United States | 0.012804878048780487
                                          RT_ICON | 0x69658 | 0x568 | data | English | United States | 0.014450867052023121
                                          RT_ICON | 0x69bc0 | 0x468 | data | English | United States | 0.015957446808510637
                                          RT_ICON | 0x6a028 | 0x2e8 | data | English | United States | 0.020161290322580645
                                          RT_ICON | 0x6a310 | 0x1e8 | data | English | United States | 0.028688524590163935
                                          RT_ICON | 0x6a4f8 | 0x128 | data | English | United States | 0.04391891891891892
                                          RT_DIALOG | 0x6a620 | 0xb4 | data | English | United States | 0.6111111111111112
                                          RT_DIALOG | 0x6a6d8 | 0x200 | data | English | United States | 0.40234375
                                          RT_DIALOG | 0x6a8d8 | 0xf8 | data | English | United States | 0.6290322580645161
                                          RT_DIALOG | 0x6a9d0 | 0xee | data | English | United States | 0.6302521008403361
                                          RT_GROUP_ICON | 0x6aac0 | 0xbc | Targa image data - Map 32 x 7603 x 1 +1 | English | United States | 0.28191489361702127
                                          RT_VERSION | 0x6ab80 | 0x2cc | data | English | United States | 0.44972067039106145
                                          RT_MANIFEST | 0x6ae50 | 0x42e | XML 1.0 document, ASCII text, with very long lines (1070), with no line terminators | English | United States | 0.5130841121495328
                                          DLL | Import
                                          ADVAPI32.dll | RegCreateKeyExW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, SetFileSecurityW, RegOpenKeyExW, RegEnumValueW
                                          SHELL32.dll | SHGetSpecialFolderLocation, SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW, ShellExecuteExW, SHGetFileInfoW
                                          ole32.dll | OleInitialize, OleUninitialize, CoCreateInstance, IIDFromString, CoTaskMemFree
                                          COMCTL32.dll | ImageList_Create, ImageList_Destroy, ImageList_AddMasked
                                          USER32.dll | GetClientRect, EndPaint, DrawTextW, IsWindowEnabled, DispatchMessageW, wsprintfA, CharNextA, CharPrevW, MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, GetSystemMetrics, FillRect, AppendMenuW, TrackPopupMenu, OpenClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, PeekMessageW, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, EmptyClipboard, CreatePopupMenu
                                          GDI32.dll | SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectW, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
                                          KERNEL32.dll | GetExitCodeProcess, WaitForSingleObject, GetModuleHandleA, GetProcAddress, GetSystemDirectoryW, lstrcatW, Sleep, lstrcpyA, WriteFile, GetTempFileNameW, lstrcmpiA, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, SetEnvironmentVariableW, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, CreateFileW, GetTickCount, MulDiv, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, MoveFileExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW
                                          Language of compilation system | Country where language is spoken | Map
                                          English | United States |
                                          Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                          Sep 12, 2024 20:32:03.527415991 CEST | 49740 | 443 | 192.168.2.4 | 172.67.75.19
                                          Sep 12, 2024 20:32:03.527463913 CEST | 443 | 49740 | 172.67.75.19 | 192.168.2.4
                                          Sep 12, 2024 20:32:03.527534008 CEST | 49740 | 443 | 192.168.2.4 | 172.67.75.19
                                          Sep 12, 2024 20:32:03.634155035 CEST | 49740 | 443 | 192.168.2.4 | 172.67.75.19
                                          Sep 12, 2024 20:32:03.634212017 CEST | 443 | 49740 | 172.67.75.19 | 192.168.2.4
                                          Sep 12, 2024 20:32:04.128487110 CEST | 443 | 49740 | 172.67.75.19 | 192.168.2.4
                                          Sep 12, 2024 20:32:04.128572941 CEST | 49740 | 443 | 192.168.2.4 | 172.67.75.19
                                          Sep 12, 2024 20:32:04.131501913 CEST | 49740 | 443 | 192.168.2.4 | 172.67.75.19
                                          Sep 12, 2024 20:32:04.131515026 CEST | 443 | 49740 | 172.67.75.19 | 192.168.2.4
                                          Sep 12, 2024 20:32:04.131831884 CEST | 443 | 49740 | 172.67.75.19 | 192.168.2.4
                                          Sep 12, 2024 20:32:04.173136950 CEST | 49740 | 443 | 192.168.2.4 | 172.67.75.19
                                          Sep 12, 2024 20:32:04.366641045 CEST | 49740 | 443 | 192.168.2.4 | 172.67.75.19
                                          Sep 12, 2024 20:32:04.411428928 CEST | 443 | 49740 | 172.67.75.19 | 192.168.2.4
                                          Sep 12, 2024 20:32:04.542002916 CEST | 443 | 49740 | 172.67.75.19 | 192.168.2.4
                                          Sep 12, 2024 20:32:04.542387962 CEST | 443 | 49740 | 172.67.75.19 | 192.168.2.4
                                          Sep 12, 2024 20:32:04.542476892 CEST | 49740 | 443 | 192.168.2.4 | 172.67.75.19
                                          Sep 12, 2024 20:32:04.598720074 CEST | 49740 | 443 | 192.168.2.4 | 172.67.75.19
                                          Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                          Sep 12, 2024 20:32:02.480448008 CEST | 64720 | 53 | 192.168.2.4 | 1.1.1.1
                                          Sep 12, 2024 20:32:02.488677979 CEST | 53 | 64720 | 1.1.1.1 | 192.168.2.4
                                          Sep 12, 2024 20:32:03.006578922 CEST | 56690 | 53 | 192.168.2.4 | 1.1.1.1
                                          Sep 12, 2024 20:32:03.020075083 CEST | 53 | 56690 | 1.1.1.1 | 192.168.2.4
                                          Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                          Sep 12, 2024 20:32:02.480448008 CEST | 192.168.2.4 | 1.1.1.1 | 0xfc8f | Standard query (0) | uds.reincubate.com | A (IP address) | IN (0x0001) | false
                                          Sep 12, 2024 20:32:03.006578922 CEST | 192.168.2.4 | 1.1.1.1 | 0xb2aa | Standard query (0) | uds.reincubate.com | 16 | IN (0x0001) | false
                                          Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                          Sep 12, 2024 20:32:02.488677979 CEST | 1.1.1.1 | 192.168.2.4 | 0xfc8f | No error (0) | uds.reincubate.com | | 172.67.75.19 | A (IP address) | IN (0x0001) | false
                                          Sep 12, 2024 20:32:02.488677979 CEST | 1.1.1.1 | 192.168.2.4 | 0xfc8f | No error (0) | uds.reincubate.com | | 104.26.6.161 | A (IP address) | IN (0x0001) | false
                                          Sep 12, 2024 20:32:02.488677979 CEST | 1.1.1.1 | 192.168.2.4 | 0xfc8f | No error (0) | uds.reincubate.com | | 104.26.7.161 | A (IP address) | IN (0x0001) | false
                                          Sep 12, 2024 20:32:03.020075083 CEST | 1.1.1.1 | 192.168.2.4 | 0xb2aa | No error (0) | uds.reincubate.com | | | TXT (Text strings) | IN (0x0001) | false
                                          • uds.reincubate.com
                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          0 | 192.168.2.4 | 49740 | 172.67.75.19 | 443 | 4124 | C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          2024-09-12 18:32:04 UTC | 129 | OUT | GET /latest-version/F6E219C772F2D0D47416/ HTTP/1.1
                                          User-Agent: bbbe-2.0.8.5-1-1
                                          Host: uds.reincubate.com
                                          Connection: Close
                                          2024-09-12 18:32:04 UTC | 645 | IN | HTTP/1.1 200 OK
                                          Date: Thu, 12 Sep 2024 18:32:04 GMT
                                          Content-Type: application/json
                                          Transfer-Encoding: chunked
                                          Connection: close
                                          vary: Origin
                                          via: 1.1 google
                                          alt-svc: h3=":443"; ma=86400
                                          CF-Cache-Status: DYNAMIC
                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zMwHMSr3AAPMN6dB4VKlAWEjXqlGs4DXuk2gYHdPxzzyP0qxbm6wlmT5U9tGyDffEviY%2B89dgptsU80i8ddRvlpIhzR5ZDlpxnkUIACD2QKcpAaOp2q%2BskZSf4exUYtYcan38A%3D%3D"}],"group":"cf-nel","max_age":604800}
                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                          Strict-Transport-Security: max-age=2592000
                                          Server: cloudflare
                                          CF-RAY: 8c21fa6398e77c7b-EWR
                                          2024-09-12 18:32:04 UTC | 724 | IN | Data Ascii: 414{ "action": "notify_if_newer", "version": "2.0.6.2", "url": "https://reincubate.com/res/labs/bbbe/bbbe-latest.exe", "message": "", "release_notes": "<html><body>\n<style>\n h3, li, p { font-family: arial; }\n li, p { color: #656
                                          2024-09-12 18:32:04 UTC | 327 | IN | Data Ascii: nd: #21728B; }\n span.improvement { background: #3CBEBA; }\n</style></body></html>", "config": {}, "status": { "icloud": "System status: real-time <font color=\"#74DD74\">\u273a</font> See <a href=\"https://www.reincubate.com/support/ipbe
                                          2024-09-12 18:32:04 UTC | 5 | IN | Data Ascii: 0



                                          Target ID:0
                                          Start time:14:31:45
                                          Start date:12/09/2024
                                          Path:C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe"
                                          Imagebase:0x400000
                                          File size:3'046'224 bytes
                                          MD5 hash:7268329D169F985BE48D34007C4FD957
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:low
                                          Has exited:true

                                          Target ID:1
                                          Start time:14:31:49
                                          Start date:12/09/2024
                                          Path:C:\Windows\SysWOW64\cmd.exe
                                          Wow64 process (32bit):true
                                          Commandline:"cmd.exe" /c taskkill /f /im "BlackBerryBackupExtractor.exe"
                                          Imagebase:0x240000
                                          File size:236'544 bytes
                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:2
                                          Start time:14:31:49
                                          Start date:12/09/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff7699e0000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:3
                                          Start time:14:31:49
                                          Start date:12/09/2024
                                          Path:C:\Windows\SysWOW64\taskkill.exe
                                          Wow64 process (32bit):true
                                          Commandline:taskkill /f /im "BlackBerryBackupExtractor.exe"
                                          Imagebase:0xbd0000
                                          File size:74'240 bytes
                                          MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:moderate
                                          Has exited:true

                                          Target ID:5
                                          Start time:14:31:51
                                          Start date:12/09/2024
                                          Path:C:\Windows\explorer.exe
                                          Wow64 process (32bit):false
                                          Commandline:"C:\Windows\explorer.exe" C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe
                                          Imagebase:0x7ff72b770000
                                          File size:5'141'208 bytes
                                          MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:7
                                          Start time:14:31:51
                                          Start date:12/09/2024
                                          Path:C:\Windows\explorer.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
                                          Imagebase:0x7ff72b770000
                                          File size:5'141'208 bytes
                                          MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:8
                                          Start time:14:31:51
                                          Start date:12/09/2024
                                          Path:C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe"
                                          Imagebase:0x850000
                                          File size:2'611'648 bytes
                                          MD5 hash:8CD8B27DAB255BA25B5283FB4496709D
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Antivirus matches:
                                          • Detection: 12%, ReversingLabs
                                          Reputation:low
                                          Has exited:false


                                            Execution Graph

                                            Execution Coverage:31.4%
                                            Dynamic/Decrypted Code Coverage:0%
                                            Signature Coverage:16.5%
                                            Total number of Nodes:1356
                                            Total number of Limit Nodes:39
3352 40330f 3350->3352 3350->3360 3351 40326a 3353 403607 ReadFile 3351->3353 3451 40361d SetFilePointer 3352->3451 3356 403275 3353->3356 3354 40302e 32 API calls 3354->3359 3356->3345 3356->3360 3357 40331d 3452 403396 3357->3452 3359->3341 3359->3346 3359->3354 3359->3360 3467 403607 3359->3467 3360->3262 3362 406a5a 5 API calls 3361->3362 3363 403d50 3362->3363 3364 403d68 3363->3364 3367 403d56 3363->3367 3365 40655b 3 API calls 3364->3365 3366 403d98 3365->3366 3369 403db7 lstrcatW 3366->3369 3371 40655b 3 API calls 3366->3371 3502 4065d4 wsprintfW 3367->3502 3370 403d66 3369->3370 3487 404012 3370->3487 3371->3369 3374 406064 18 API calls 3375 403de9 3374->3375 3376 403e7d 3375->3376 3379 40655b 3 API calls 3375->3379 3377 406064 18 API calls 3376->3377 3378 403e83 3377->3378 3381 403e93 LoadImageW 3378->3381 3382 4066ca 17 API calls 3378->3382 3380 403e1b 3379->3380 3380->3376 3385 403e3c lstrlenW 3380->3385 3389 405f89 CharNextW 3380->3389 3383 403f39 3381->3383 3384 403eba RegisterClassW 3381->3384 3382->3381 3388 40140b 2 API calls 3383->3388 3386 403ef0 SystemParametersInfoW CreateWindowExW 3384->3386 3387 403f43 3384->3387 3390 403e70 3385->3390 3391 403e4a lstrcmpiW 3385->3391 3386->3383 3387->3276 3392 403f3f 3388->3392 3393 403e39 3389->3393 3395 405f5c 3 API calls 3390->3395 3391->3390 3394 403e5a GetFileAttributesW 3391->3394 3392->3387 3397 404012 18 API calls 3392->3397 3393->3385 3396 403e66 3394->3396 3398 403e76 3395->3398 3396->3390 3399 405fa8 2 API calls 3396->3399 3400 403f50 3397->3400 3503 40668d lstrcpynW 3398->3503 3399->3390 3402 403f5c ShowWindow 3400->3402 3403 403fdf 3400->3403 3405 4069ea 3 API calls 3402->3405 3495 4057c2 OleInitialize 3403->3495 3406 403f74 3405->3406 3408 403f82 GetClassInfoW 3406->3408 3411 4069ea 3 API calls 3406->3411 3407 403fe5 3409 404001 3407->3409 3410 403fe9 3407->3410 3413 403f96 GetClassInfoW RegisterClassW 3408->3413 3414 403fac DialogBoxParamW 3408->3414 3412 40140b 2 API calls 3409->3412 
3410->3387 3416 40140b 2 API calls 3410->3416 3411->3408 3412->3387 3413->3414 3415 40140b 2 API calls 3414->3415 3415->3387 3416->3387 3417->3252 3418->3299 3419->3304 3420->3306 3421->3317 3423 405d02 3422->3423 3424 403bae ExitProcess 3423->3424 3425 405d16 MessageBoxIndirectW 3423->3425 3425->3424 3427 401389 2 API calls 3426->3427 3428 401420 3427->3428 3428->3273 3430 4061b9 GetTickCount GetTempFileNameW 3429->3430 3431 4061ef 3430->3431 3432 403663 3430->3432 3431->3430 3431->3432 3432->3254 3433->3334 3434->3336 3435->3340 3437 403057 3436->3437 3438 40303f 3436->3438 3440 403067 GetTickCount 3437->3440 3441 40305f 3437->3441 3439 403048 DestroyWindow 3438->3439 3444 40304f 3438->3444 3439->3444 3443 403075 3440->3443 3440->3444 3442 406a96 2 API calls 3441->3442 3442->3444 3445 4030aa CreateDialogParamW ShowWindow 3443->3445 3446 40307d 3443->3446 3444->3345 3444->3360 3470 40361d SetFilePointer 3444->3470 3445->3444 3446->3444 3471 403012 3446->3471 3448 40308b wsprintfW 3449 4056ef 24 API calls 3448->3449 3450 4030a8 3449->3450 3450->3444 3451->3357 3453 4033c1 3452->3453 3454 4033a5 SetFilePointer 3452->3454 3474 40349e GetTickCount 3453->3474 3454->3453 3457 40345e 3457->3360 3458 406200 ReadFile 3459 4033e1 3458->3459 3459->3457 3460 40349e 38 API calls 3459->3460 3461 4033f8 3460->3461 3461->3457 3462 403464 ReadFile 3461->3462 3464 403407 3461->3464 3462->3457 3464->3457 3465 406200 ReadFile 3464->3465 3466 40622f WriteFile 3464->3466 3465->3464 3466->3464 3468 406200 ReadFile 3467->3468 3469 40361a 3468->3469 3469->3359 3470->3351 3472 403021 3471->3472 3473 403023 MulDiv 3471->3473 3472->3473 3473->3448 3475 4035f6 3474->3475 3476 4034cc 3474->3476 3477 40302e 32 API calls 3475->3477 3486 40361d SetFilePointer 3476->3486 3483 4033c8 3477->3483 3479 4034d7 SetFilePointer 3482 4034fc 3479->3482 3480 403607 ReadFile 3480->3482 3481 40302e 32 API calls 3481->3482 3482->3480 3482->3481 3482->3483 3484 40622f WriteFile 3482->3484 3485 4035d7 
SetFilePointer 3482->3485 3483->3457 3483->3458 3484->3482 3485->3475 3486->3479 3488 404026 3487->3488 3504 4065d4 wsprintfW 3488->3504 3490 404097 3505 4040cb 3490->3505 3492 403dc7 3492->3374 3493 40409c 3493->3492 3494 4066ca 17 API calls 3493->3494 3494->3493 3508 404635 3495->3508 3497 4057e5 3501 40580c 3497->3501 3511 401389 3497->3511 3498 404635 SendMessageW 3499 40581e CoUninitialize 3498->3499 3499->3407 3501->3498 3502->3370 3503->3376 3504->3490 3506 4066ca 17 API calls 3505->3506 3507 4040d9 SetWindowTextW 3506->3507 3507->3493 3509 40464d 3508->3509 3510 40463e SendMessageW 3508->3510 3509->3497 3510->3509 3513 401390 3511->3513 3512 4013fe 3512->3497 3513->3512 3514 4013cb MulDiv SendMessageW 3513->3514 3514->3513 4164 401968 4165 402d84 17 API calls 4164->4165 4166 40196f 4165->4166 4167 402d84 17 API calls 4166->4167 4168 40197c 4167->4168 4169 402da6 17 API calls 4168->4169 4170 401993 lstrlenW 4169->4170 4172 4019a4 4170->4172 4171 4019e5 4172->4171 4176 40668d lstrcpynW 4172->4176 4174 4019d5 4174->4171 4175 4019da lstrlenW 4174->4175 4175->4171 4176->4174 3586 4040ea 3587 404102 3586->3587 3588 404263 3586->3588 3587->3588 3589 40410e 3587->3589 3590 4042b4 3588->3590 3591 404274 GetDlgItem GetDlgItem 3588->3591 3593 404119 SetWindowPos 3589->3593 3594 40412c 3589->3594 3592 40430e 3590->3592 3600 401389 2 API calls 3590->3600 3595 4045e9 18 API calls 3591->3595 3596 404635 SendMessageW 3592->3596 3613 40425e 3592->3613 3593->3594 3597 404135 ShowWindow 3594->3597 3598 404177 3594->3598 3599 40429e SetClassLongW 3595->3599 3626 404320 3596->3626 3601 404250 3597->3601 3602 404155 GetWindowLongW 3597->3602 3603 404196 3598->3603 3604 40417f DestroyWindow 3598->3604 3605 40140b 2 API calls 3599->3605 3608 4042e6 3600->3608 3609 404650 8 API calls 3601->3609 3602->3601 3610 40416e ShowWindow 3602->3610 3606 40419b SetWindowLongW 3603->3606 3607 4041ac 3603->3607 3658 404572 3604->3658 3605->3590 3606->3613 3607->3601 3611 4041b8 GetDlgItem 
3607->3611 3608->3592 3612 4042ea SendMessageW 3608->3612 3609->3613 3610->3598 3616 4041e6 3611->3616 3617 4041c9 SendMessageW IsWindowEnabled 3611->3617 3612->3613 3614 40140b 2 API calls 3614->3626 3615 404574 DestroyWindow KiUserCallbackDispatcher 3615->3658 3620 4041f3 3616->3620 3623 40423a SendMessageW 3616->3623 3624 404206 3616->3624 3632 4041eb 3616->3632 3617->3613 3617->3616 3618 4045a3 ShowWindow 3618->3613 3619 4066ca 17 API calls 3619->3626 3620->3623 3620->3632 3622 4045e9 18 API calls 3622->3626 3623->3601 3627 404223 3624->3627 3628 40420e 3624->3628 3625 404221 3625->3601 3626->3613 3626->3614 3626->3615 3626->3619 3626->3622 3633 4045e9 18 API calls 3626->3633 3649 4044b4 DestroyWindow 3626->3649 3629 40140b 2 API calls 3627->3629 3630 40140b 2 API calls 3628->3630 3631 40422a 3629->3631 3630->3632 3631->3601 3631->3632 3662 4045c2 3632->3662 3634 40439b GetDlgItem 3633->3634 3635 4043b0 3634->3635 3636 4043b8 ShowWindow KiUserCallbackDispatcher 3634->3636 3635->3636 3659 40460b KiUserCallbackDispatcher 3636->3659 3638 4043e2 KiUserCallbackDispatcher 3642 4043f6 3638->3642 3639 4043fb GetSystemMenu EnableMenuItem SendMessageW 3640 40442b SendMessageW 3639->3640 3639->3642 3640->3642 3642->3639 3643 4040cb 18 API calls 3642->3643 3660 40461e SendMessageW 3642->3660 3661 40668d lstrcpynW 3642->3661 3643->3642 3645 40445a lstrlenW 3646 4066ca 17 API calls 3645->3646 3647 404470 SetWindowTextW 3646->3647 3648 401389 2 API calls 3647->3648 3648->3626 3650 4044ce CreateDialogParamW 3649->3650 3649->3658 3651 404501 3650->3651 3650->3658 3652 4045e9 18 API calls 3651->3652 3653 40450c GetDlgItem GetWindowRect ScreenToClient SetWindowPos 3652->3653 3654 401389 2 API calls 3653->3654 3655 404552 3654->3655 3655->3613 3656 40455a ShowWindow 3655->3656 3657 404635 SendMessageW 3656->3657 3657->3658 3658->3613 3658->3618 3659->3638 3660->3642 3661->3645 3663 4045c9 3662->3663 3664 4045cf SendMessageW 3662->3664 3663->3664 3664->3625 4177 40166a 4178 402da6 
17 API calls 4177->4178 4179 401670 4178->4179 4180 4069c3 2 API calls 4179->4180 4181 401676 4180->4181 4182 402aeb 4183 402d84 17 API calls 4182->4183 4184 402af1 4183->4184 4185 4066ca 17 API calls 4184->4185 4186 40292e 4184->4186 4185->4186 4187 4026ec 4188 402d84 17 API calls 4187->4188 4195 4026fb 4188->4195 4189 402745 ReadFile 4189->4195 4199 402838 4189->4199 4190 406200 ReadFile 4190->4195 4192 402785 MultiByteToWideChar 4192->4195 4193 40283a 4209 4065d4 wsprintfW 4193->4209 4195->4189 4195->4190 4195->4192 4195->4193 4196 4027ab SetFilePointer MultiByteToWideChar 4195->4196 4197 40284b 4195->4197 4195->4199 4200 40625e SetFilePointer 4195->4200 4196->4195 4198 40286c SetFilePointer 4197->4198 4197->4199 4198->4199 4201 40627a 4200->4201 4208 406292 4200->4208 4202 406200 ReadFile 4201->4202 4203 406286 4202->4203 4204 4062c3 SetFilePointer 4203->4204 4205 40629b SetFilePointer 4203->4205 4203->4208 4204->4208 4205->4204 4206 4062a6 4205->4206 4207 40622f WriteFile 4206->4207 4207->4208 4208->4195 4209->4199 3782 40176f 3783 402da6 17 API calls 3782->3783 3784 401776 3783->3784 3785 401796 3784->3785 3786 40179e 3784->3786 3821 40668d lstrcpynW 3785->3821 3822 40668d lstrcpynW 3786->3822 3789 40179c 3793 406914 5 API calls 3789->3793 3790 4017a9 3791 405f5c 3 API calls 3790->3791 3792 4017af lstrcatW 3791->3792 3792->3789 3797 4017bb 3793->3797 3794 4069c3 2 API calls 3794->3797 3795 406158 2 API calls 3795->3797 3797->3794 3797->3795 3798 4017cd CompareFileTime 3797->3798 3799 40188d 3797->3799 3800 401864 3797->3800 3803 40668d lstrcpynW 3797->3803 3808 4066ca 17 API calls 3797->3808 3818 405ced MessageBoxIndirectW 3797->3818 3820 40617d GetFileAttributesW CreateFileW 3797->3820 3798->3797 3801 4056ef 24 API calls 3799->3801 3802 4056ef 24 API calls 3800->3802 3811 401879 3800->3811 3804 401897 3801->3804 3802->3811 3803->3797 3805 403396 40 API calls 3804->3805 3806 4018aa 3805->3806 3807 4018be SetFileTime 3806->3807 3809 4018d0 CloseHandle 
3806->3809 3807->3809 3808->3797 3810 4018e1 3809->3810 3809->3811 3812 4018e6 3810->3812 3813 4018f9 3810->3813 3814 4066ca 17 API calls 3812->3814 3815 4066ca 17 API calls 3813->3815 3816 4018ee lstrcatW 3814->3816 3817 401901 3815->3817 3816->3817 3819 405ced MessageBoxIndirectW 3817->3819 3818->3797 3819->3811 3820->3797 3821->3789 3822->3790 4210 401a72 4211 402d84 17 API calls 4210->4211 4212 401a7b 4211->4212 4213 402d84 17 API calls 4212->4213 4214 401a20 4213->4214 4215 401573 4216 401583 ShowWindow 4215->4216 4217 40158c 4215->4217 4216->4217 4218 402c2a 4217->4218 4219 40159a ShowWindow 4217->4219 4219->4218 4220 4023f4 4221 402da6 17 API calls 4220->4221 4222 402403 4221->4222 4223 402da6 17 API calls 4222->4223 4224 40240c 4223->4224 4225 402da6 17 API calls 4224->4225 4226 402416 GetPrivateProfileStringW 4225->4226 4227 4014f5 SetForegroundWindow 4228 402c2a 4227->4228 4229 401ff6 4230 402da6 17 API calls 4229->4230 4231 401ffd 4230->4231 4232 4069c3 2 API calls 4231->4232 4233 402003 4232->4233 4235 402014 4233->4235 4236 4065d4 wsprintfW 4233->4236 4236->4235 4237 401b77 4238 402da6 17 API calls 4237->4238 4239 401b7e 4238->4239 4240 402d84 17 API calls 4239->4240 4241 401b87 wsprintfW 4240->4241 4242 402c2a 4241->4242 4243 403cfa 4244 403d05 4243->4244 4245 403d0c GlobalAlloc 4244->4245 4246 403d09 4244->4246 4245->4246 4247 40167b 4248 402da6 17 API calls 4247->4248 4249 401682 4248->4249 4250 402da6 17 API calls 4249->4250 4251 40168b 4250->4251 4252 402da6 17 API calls 4251->4252 4253 401694 MoveFileW 4252->4253 4254 4016a0 4253->4254 4255 4016a7 4253->4255 4256 401423 24 API calls 4254->4256 4257 4069c3 2 API calls 4255->4257 4259 4022f6 4255->4259 4256->4259 4258 4016b6 4257->4258 4258->4259 4260 40644d 36 API calls 4258->4260 4260->4254 4261 4019ff 4262 402da6 17 API calls 4261->4262 4263 401a06 4262->4263 4264 402da6 17 API calls 4263->4264 4265 401a0f 4264->4265 4266 401a16 lstrcmpiW 4265->4266 4267 401a28 lstrcmpW 4265->4267 4268 401a1c 
4266->4268 4267->4268 4269 4022ff 4270 402da6 17 API calls 4269->4270 4271 402305 4270->4271 4272 402da6 17 API calls 4271->4272 4273 40230e 4272->4273 4274 402da6 17 API calls 4273->4274 4275 402317 4274->4275 4276 4069c3 2 API calls 4275->4276 4277 402320 4276->4277 4278 402331 lstrlenW lstrlenW 4277->4278 4279 402324 4277->4279 4281 4056ef 24 API calls 4278->4281 4280 4056ef 24 API calls 4279->4280 4283 40232c 4279->4283 4280->4283 4282 40236f SHFileOperationW 4281->4282 4282->4279 4282->4283 4284 401000 4285 401037 BeginPaint GetClientRect 4284->4285 4286 40100c DefWindowProcW 4284->4286 4288 4010f3 4285->4288 4291 401179 4286->4291 4289 401073 CreateBrushIndirect FillRect DeleteObject 4288->4289 4290 4010fc 4288->4290 4289->4288 4292 401102 CreateFontIndirectW 4290->4292 4293 401167 EndPaint 4290->4293 4292->4293 4294 401112 6 API calls 4292->4294 4293->4291 4294->4293 3168 401d81 3169 401d94 GetDlgItem 3168->3169 3170 401d87 3168->3170 3172 401d8e 3169->3172 3179 402d84 3170->3179 3173 401dd5 GetClientRect LoadImageW SendMessageW 3172->3173 3174 402da6 17 API calls 3172->3174 3176 401e33 3173->3176 3178 401e3f 3173->3178 3174->3173 3177 401e38 DeleteObject 3176->3177 3176->3178 3177->3178 3180 4066ca 17 API calls 3179->3180 3181 402d99 3180->3181 3181->3172 4295 401503 4296 40150b 4295->4296 4298 40151e 4295->4298 4297 402d84 17 API calls 4296->4297 4297->4298 4299 402383 4300 40238a 4299->4300 4303 40239d 4299->4303 4301 4066ca 17 API calls 4300->4301 4302 402397 4301->4302 4304 405ced MessageBoxIndirectW 4302->4304 4304->4303 4305 402c05 SendMessageW 4306 402c1f InvalidateRect 4305->4306 4307 402c2a 4305->4307 4306->4307 3665 40248a 3666 402da6 17 API calls 3665->3666 3667 40249c 3666->3667 3668 402da6 17 API calls 3667->3668 3669 4024a6 3668->3669 3682 402e36 3669->3682 3672 40292e 3673 4024de 3675 4024ea 3673->3675 3677 402d84 17 API calls 3673->3677 3674 402da6 17 API calls 3676 4024d4 lstrlenW 3674->3676 3678 402509 RegSetValueExW 3675->3678 3679 403396 
40 API calls 3675->3679 3676->3673 3677->3675 3680 40251f RegCloseKey 3678->3680 3679->3678 3680->3672 3683 402e51 3682->3683 3686 406528 3683->3686 3687 406537 3686->3687 3688 406542 RegCreateKeyExW 3687->3688 3689 4024b6 3687->3689 3688->3689 3689->3672 3689->3673 3689->3674 3723 40290b 3724 402da6 17 API calls 3723->3724 3725 402912 FindFirstFileW 3724->3725 3726 40293a 3725->3726 3730 402925 3725->3730 3731 4065d4 wsprintfW 3726->3731 3728 402943 3732 40668d lstrcpynW 3728->3732 3731->3728 3732->3730 4308 40190c 4309 401943 4308->4309 4310 402da6 17 API calls 4309->4310 4311 401948 4310->4311 4312 405d99 67 API calls 4311->4312 4313 401951 4312->4313 4314 40190f 4315 402da6 17 API calls 4314->4315 4316 401916 4315->4316 4317 405ced MessageBoxIndirectW 4316->4317 4318 40191f 4317->4318 3853 402891 3854 402898 3853->3854 3856 402ba9 3853->3856 3855 402d84 17 API calls 3854->3855 3857 40289f 3855->3857 3858 4028ae SetFilePointer 3857->3858 3858->3856 3859 4028be 3858->3859 3861 4065d4 wsprintfW 3859->3861 3861->3856 4319 401491 4320 4056ef 24 API calls 4319->4320 4321 401498 4320->4321 4322 401f12 4323 402da6 17 API calls 4322->4323 4324 401f18 4323->4324 4325 402da6 17 API calls 4324->4325 4326 401f21 4325->4326 4327 402da6 17 API calls 4326->4327 4328 401f2a 4327->4328 4329 402da6 17 API calls 4328->4329 4330 401f33 4329->4330 4331 401423 24 API calls 4330->4331 4332 401f3a 4331->4332 4339 405cb3 ShellExecuteExW 4332->4339 4334 401f82 4335 406b05 5 API calls 4334->4335 4337 40292e 4334->4337 4336 401f9f CloseHandle 4335->4336 4336->4337 4339->4334 4340 402f93 4341 402fa5 SetTimer 4340->4341 4342 402fbe 4340->4342 4341->4342 4343 40300c 4342->4343 4344 403012 MulDiv 4342->4344 4345 402fcc wsprintfW SetWindowTextW SetDlgItemTextW 4344->4345 4345->4343 4347 404a93 4348 404aa3 4347->4348 4349 404ac9 4347->4349 4350 4045e9 18 API calls 4348->4350 4351 404650 8 API calls 4349->4351 4353 404ab0 SetDlgItemTextW 4350->4353 4352 404ad5 4351->4352 4353->4349 4354 401d17 
4355 402d84 17 API calls 4354->4355 4356 401d1d IsWindow 4355->4356 4357 401a20 4356->4357 3894 401b9b 3895 401ba8 3894->3895 3896 401bec 3894->3896 3897 401c31 3895->3897 3902 401bbf 3895->3902 3898 401bf1 3896->3898 3899 401c16 GlobalAlloc 3896->3899 3901 4066ca 17 API calls 3897->3901 3908 40239d 3897->3908 3898->3908 3915 40668d lstrcpynW 3898->3915 3900 4066ca 17 API calls 3899->3900 3900->3897 3903 402397 3901->3903 3913 40668d lstrcpynW 3902->3913 3909 405ced MessageBoxIndirectW 3903->3909 3906 401c03 GlobalFree 3906->3908 3907 401bce 3914 40668d lstrcpynW 3907->3914 3909->3908 3911 401bdd 3916 40668d lstrcpynW 3911->3916 3913->3907 3914->3911 3915->3906 3916->3908 4358 40261c 4359 402da6 17 API calls 4358->4359 4360 402623 4359->4360 4363 40617d GetFileAttributesW CreateFileW 4360->4363 4362 40262f 4363->4362 3930 40259e 3931 402de6 17 API calls 3930->3931 3932 4025a8 3931->3932 3933 402d84 17 API calls 3932->3933 3934 4025b1 3933->3934 3935 4025d9 RegEnumValueW 3934->3935 3936 4025cd RegEnumKeyW 3934->3936 3937 40292e 3934->3937 3938 4025f5 RegCloseKey 3935->3938 3939 4025ee 3935->3939 3936->3938 3938->3937 3939->3938 4364 40149e 4365 4014ac PostQuitMessage 4364->4365 4366 40239d 4364->4366 4365->4366 4367 40471f lstrcpynW lstrlenW 4368 4015a3 4369 402da6 17 API calls 4368->4369 4370 4015aa SetFileAttributesW 4369->4370 4371 4015bc 4370->4371 3204 401fa4 3205 402da6 17 API calls 3204->3205 3206 401faa 3205->3206 3207 4056ef 24 API calls 3206->3207 3208 401fb4 3207->3208 3217 405c70 CreateProcessW 3208->3217 3211 401fdd CloseHandle 3215 40292e 3211->3215 3214 401fcf 3214->3211 3225 4065d4 wsprintfW 3214->3225 3218 405ca3 CloseHandle 3217->3218 3219 401fba 3217->3219 3218->3219 3219->3211 3219->3215 3220 406b05 WaitForSingleObject 3219->3220 3221 406b1f 3220->3221 3222 406b31 GetExitCodeProcess 3221->3222 3226 406a96 3221->3226 3222->3214 3225->3211 3227 406ab3 PeekMessageW 3226->3227 3228 406ac3 WaitForSingleObject 3227->3228 3229 406aa9 DispatchMessageW 
3227->3229 3228->3221 3229->3227 3515 4047a8 3516 4047c0 3515->3516 3520 4048da 3515->3520 3546 4045e9 3516->3546 3517 404944 3518 404a0e 3517->3518 3519 40494e GetDlgItem 3517->3519 3558 404650 3518->3558 3525 404968 3519->3525 3526 4049cf 3519->3526 3520->3517 3520->3518 3522 404915 GetDlgItem SendMessageW 3520->3522 3551 40460b KiUserCallbackDispatcher 3522->3551 3523 404827 3528 4045e9 18 API calls 3523->3528 3525->3526 3530 40498e SendMessageW LoadCursorW SetCursor 3525->3530 3526->3518 3531 4049e1 3526->3531 3535 404834 CheckDlgButton 3528->3535 3529 404a09 3555 404a57 3530->3555 3532 4049f7 3531->3532 3533 4049e7 SendMessageW 3531->3533 3532->3529 3537 4049fd SendMessageW 3532->3537 3533->3532 3534 40493f 3552 404a33 3534->3552 3549 40460b KiUserCallbackDispatcher 3535->3549 3537->3529 3541 404852 GetDlgItem 3550 40461e SendMessageW 3541->3550 3543 404868 SendMessageW 3544 404885 GetSysColor 3543->3544 3545 40488e SendMessageW SendMessageW lstrlenW SendMessageW SendMessageW 3543->3545 3544->3545 3545->3529 3547 4066ca 17 API calls 3546->3547 3548 4045f4 SetDlgItemTextW 3547->3548 3548->3523 3549->3541 3550->3543 3551->3534 3553 404a41 3552->3553 3554 404a46 SendMessageW 3552->3554 3553->3554 3554->3517 3572 405cb3 ShellExecuteExW 3555->3572 3557 4049bd LoadCursorW SetCursor 3557->3526 3559 404713 3558->3559 3560 404668 GetWindowLongW 3558->3560 3559->3529 3560->3559 3561 40467d 3560->3561 3561->3559 3562 4046aa GetSysColor 3561->3562 3563 4046ad 3561->3563 3562->3563 3564 4046b3 SetTextColor 3563->3564 3565 4046bd SetBkMode 3563->3565 3564->3565 3566 4046d5 GetSysColor 3565->3566 3567 4046db 3565->3567 3566->3567 3568 4046e2 SetBkColor 3567->3568 3569 4046ec 3567->3569 3568->3569 3569->3559 3570 404706 CreateBrushIndirect 3569->3570 3571 4046ff DeleteObject 3569->3571 3570->3559 3571->3570 3572->3557 3690 4021aa 3691 402da6 17 API calls 3690->3691 3692 4021b1 3691->3692 3693 402da6 17 API calls 3692->3693 3694 4021bb 3693->3694 3695 402da6 17 API calls 
3694->3695 3696 4021c5 3695->3696 3697 402da6 17 API calls 3696->3697 3698 4021cf 3697->3698 3699 402da6 17 API calls 3698->3699 3700 4021d9 3699->3700 3701 402218 CoCreateInstance 3700->3701 3702 402da6 17 API calls 3700->3702 3705 402237 3701->3705 3702->3701 3703 401423 24 API calls 3704 4022f6 3703->3704 3705->3703 3705->3704 3706 40252a 3717 402de6 3706->3717 3709 402da6 17 API calls 3710 40253d 3709->3710 3711 402548 RegQueryValueExW 3710->3711 3716 40292e 3710->3716 3712 40256e RegCloseKey 3711->3712 3713 402568 3711->3713 3712->3716 3713->3712 3722 4065d4 wsprintfW 3713->3722 3718 402da6 17 API calls 3717->3718 3719 402dfd 3718->3719 3720 4064fa RegOpenKeyExW 3719->3720 3721 402534 3720->3721 3721->3709 3722->3712 4372 40202a 4373 402da6 17 API calls 4372->4373 4374 402031 4373->4374 4375 406a5a 5 API calls 4374->4375 4376 402040 4375->4376 4377 4020cc 4376->4377 4378 40205c GlobalAlloc 4376->4378 4378->4377 4379 402070 4378->4379 4380 406a5a 5 API calls 4379->4380 4381 402077 4380->4381 4382 406a5a 5 API calls 4381->4382 4383 402081 4382->4383 4383->4377 4387 4065d4 wsprintfW 4383->4387 4385 4020ba 4388 4065d4 wsprintfW 4385->4388 4387->4385 4388->4377 3733 40582e 3734 4059d8 3733->3734 3735 40584f GetDlgItem GetDlgItem GetDlgItem 3733->3735 3737 4059e1 GetDlgItem CreateThread CloseHandle 3734->3737 3738 405a09 3734->3738 3778 40461e SendMessageW 3735->3778 3737->3738 3781 4057c2 5 API calls 3737->3781 3740 405a34 3738->3740 3741 405a20 ShowWindow ShowWindow 3738->3741 3742 405a59 3738->3742 3739 4058bf 3744 4058c6 GetClientRect GetSystemMetrics SendMessageW SendMessageW 3739->3744 3743 405a94 3740->3743 3746 405a48 3740->3746 3747 405a6e ShowWindow 3740->3747 3780 40461e SendMessageW 3741->3780 3748 404650 8 API calls 3742->3748 3743->3742 3754 405aa2 SendMessageW 3743->3754 3752 405934 3744->3752 3753 405918 SendMessageW SendMessageW 3744->3753 3755 4045c2 SendMessageW 3746->3755 3750 405a80 3747->3750 3751 405a8e 3747->3751 3749 405a67 3748->3749 3756 
4056ef 24 API calls 3750->3756 3757 4045c2 SendMessageW 3751->3757 3758 405947 3752->3758 3759 405939 SendMessageW 3752->3759 3753->3752 3754->3749 3760 405abb CreatePopupMenu 3754->3760 3755->3742 3756->3751 3757->3743 3762 4045e9 18 API calls 3758->3762 3759->3758 3761 4066ca 17 API calls 3760->3761 3763 405acb AppendMenuW 3761->3763 3764 405957 3762->3764 3765 405ae8 GetWindowRect 3763->3765 3766 405afb TrackPopupMenu 3763->3766 3767 405960 ShowWindow 3764->3767 3768 405994 GetDlgItem SendMessageW 3764->3768 3765->3766 3766->3749 3770 405b16 3766->3770 3771 405976 ShowWindow 3767->3771 3772 405983 3767->3772 3768->3749 3769 4059bb SendMessageW SendMessageW 3768->3769 3769->3749 3773 405b32 SendMessageW 3770->3773 3771->3772 3779 40461e SendMessageW 3772->3779 3773->3773 3774 405b4f OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 3773->3774 3776 405b74 SendMessageW 3774->3776 3776->3776 3777 405b9d GlobalUnlock SetClipboardData CloseClipboard 3776->3777 3777->3749 3778->3739 3779->3768 3780->3740 4389 404e30 4390 404e40 4389->4390 4391 404e5c 4389->4391 4400 405cd1 GetDlgItemTextW 4390->4400 4392 404e62 SHGetPathFromIDListW 4391->4392 4393 404e8f 4391->4393 4395 404e79 SendMessageW 4392->4395 4396 404e72 4392->4396 4395->4393 4398 40140b 2 API calls 4396->4398 4397 404e4d SendMessageW 4397->4391 4398->4395 4400->4397 4401 401a30 4402 402da6 17 API calls 4401->4402 4403 401a39 ExpandEnvironmentStringsW 4402->4403 4404 401a4d 4403->4404 4406 401a60 4403->4406 4405 401a52 lstrcmpW 4404->4405 4404->4406 4405->4406 4412 4023b2 4413 4023c0 4412->4413 4414 4023ba 4412->4414 4416 402da6 17 API calls 4413->4416 4419 4023ce 4413->4419 4415 402da6 17 API calls 4414->4415 4415->4413 4416->4419 4417 402da6 17 API calls 4420 4023dc 4417->4420 4418 402da6 17 API calls 4421 4023e5 WritePrivateProfileStringW 4418->4421 4419->4417 4419->4420 4420->4418 3862 405cb3 ShellExecuteExW 4422 402434 4423 402467 4422->4423 4424 40243c 4422->4424 4426 402da6 17 API calls 4423->4426 4425 
402de6 17 API calls 4424->4425 4428 402443 4425->4428 4427 40246e 4426->4427 4433 402e64 4427->4433 4430 402da6 17 API calls 4428->4430 4431 40247b 4428->4431 4432 402454 RegDeleteValueW RegCloseKey 4430->4432 4432->4431 4434 402e71 4433->4434 4435 402e78 4433->4435 4434->4431 4435->4434 4437 402ea9 4435->4437 4438 4064fa RegOpenKeyExW 4437->4438 4439 402ed7 4438->4439 4440 402ee7 RegEnumValueW 4439->4440 4444 402f0a 4439->4444 4448 402f81 4439->4448 4441 402f71 RegCloseKey 4440->4441 4440->4444 4441->4448 4442 402f46 RegEnumKeyW 4443 402f4f RegCloseKey 4442->4443 4442->4444 4445 406a5a 5 API calls 4443->4445 4444->4441 4444->4442 4444->4443 4446 402ea9 6 API calls 4444->4446 4447 402f5f 4445->4447 4446->4444 4447->4448 4449 402f63 RegDeleteKeyW 4447->4449 4448->4434 4449->4448 4450 401735 4451 402da6 17 API calls 4450->4451 4452 40173c SearchPathW 4451->4452 4453 401757 4452->4453 4454 401d38 4455 402d84 17 API calls 4454->4455 4456 401d3f 4455->4456 4457 402d84 17 API calls 4456->4457 4458 401d4b GetDlgItem 4457->4458 4459 402638 4458->4459 4460 4014b8 4461 4014be 4460->4461 4462 401389 2 API calls 4461->4462 4463 4014c6 4462->4463 4464 40263e 4465 402652 4464->4465 4466 40266d 4464->4466 4467 402d84 17 API calls 4465->4467 4468 402672 4466->4468 4469 40269d 4466->4469 4478 402659 4467->4478 4471 402da6 17 API calls 4468->4471 4470 402da6 17 API calls 4469->4470 4472 4026a4 lstrlenW 4470->4472 4473 402679 4471->4473 4472->4478 4481 4066af WideCharToMultiByte 4473->4481 4475 40268d lstrlenA 4475->4478 4476 4026d1 4477 4026e7 4476->4477 4479 40622f WriteFile 4476->4479 4478->4476 4478->4477 4480 40625e 5 API calls 4478->4480 4479->4477 4480->4476 4481->4475

                                            Control-flow Graph

                                            APIs
                                            • SetErrorMode.KERNELBASE(00008001), ref: 00403688
                                            • GetVersionExW.KERNEL32(?), ref: 004036B1
                                            • GetVersionExW.KERNEL32(0000011C), ref: 004036C8
                                            • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 0040375F
                                            • #17.COMCTL32(00000007,00000009,0000000B), ref: 0040379B
                                            • OleInitialize.OLE32(00000000), ref: 004037A2
                                            • SHGetFileInfoW.SHELL32(0042B268,00000000,?,000002B4,00000000), ref: 004037C0
                                            • GetCommandLineW.KERNEL32(00433F40,NSIS Error), ref: 004037D5
                                            • CharNextW.USER32(00000000,"C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe",00000020,"C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe",00000000), ref: 0040380E
                                            • GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,?), ref: 00403941
                                            • GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 00403952
                                            • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 0040395E
                                            • GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403972
                                            • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 0040397A
                                            • SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 0040398B
                                            • SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 00403993
                                            • DeleteFileW.KERNELBASE(1033), ref: 004039A7
                                            • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe",00000000,?), ref: 00403A8E
                                            • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A328,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe",00000000,?), ref: 00403A9D
                                              • Part of subcall function 00405C3B: CreateDirectoryW.KERNELBASE(?,00000000,00403658,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403948), ref: 00405C41
                                            • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe",00000000,?), ref: 00403AA8
                                            • lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe",00000000,?), ref: 00403AB4
                                            • SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 00403AD4
                                            • DeleteFileW.KERNEL32(0042AA68,0042AA68,?,00436000,?), ref: 00403B33
                                            • CopyFileW.KERNEL32(C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe,0042AA68,00000001), ref: 00403B46
                                            • CloseHandle.KERNEL32(00000000,0042AA68,0042AA68,?,0042AA68,00000000), ref: 00403B73
                                            • ExitProcess.KERNEL32(?), ref: 00403B91
                                            • CoUninitialize.COMBASE(?), ref: 00403B96
                                            • ExitProcess.KERNEL32 ref: 00403BB0
                                            • GetCurrentProcess.KERNEL32(00000028,?), ref: 00403BC4
                                            • OpenProcessToken.ADVAPI32(00000000), ref: 00403BCB
                                            • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403BDF
                                            • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00403BFE
                                            • ExitWindowsEx.USER32(00000002,80040002), ref: 00403C23
                                            • ExitProcess.KERNEL32 ref: 00403C44
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1737527534.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1737500897.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1737577651.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1737704959.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1737704959.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1737704959.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1737704959.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1737704959.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1737704959.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1737846798.0000000000451000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1737846798.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: Processlstrcat$ExitFile$Directory$CurrentDeleteEnvironmentPathTempTokenVariableVersionWindows$AdjustCharCloseCommandCopyCreateErrorHandleInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesUninitializeValuelstrcmpilstrlen
                                            • String ID: "C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor$C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor$C:\Users\user\Desktop$C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
                                            • API String ID: 2292928366-3289832978
                                            • Opcode ID: 4c55df234a1a169625c4d9510f8e78281ae4f2daef50c2ec046ef8ddf9a3fc35
                                            • Instruction ID: 7202d2b8b7838142eb81bebdbe26780666e8e28037d8cbf22de7a4751e5c1698
                                            • Opcode Fuzzy Hash: 4c55df234a1a169625c4d9510f8e78281ae4f2daef50c2ec046ef8ddf9a3fc35
                                            • Instruction Fuzzy Hash: 2AE12871A00210ABDB10AFB59D45BAF7AB8EB4470AF10847FF545B22D1DB7C8A41CB6D

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            APIs
                                            • GetDlgItem.USER32(?,00000403), ref: 0040588C
                                            • GetDlgItem.USER32(?,000003EE), ref: 0040589B
                                            • GetClientRect.USER32(?,?), ref: 004058D8
                                            • GetSystemMetrics.USER32(00000002), ref: 004058DF
                                            • SendMessageW.USER32(?,00001061,00000000,?), ref: 00405900
                                            • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 00405911
                                            • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00405924
                                            • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 00405932
                                            • SendMessageW.USER32(?,00001024,00000000,?), ref: 00405945
                                            • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405967
                                            • ShowWindow.USER32(?,00000008), ref: 0040597B
                                            • GetDlgItem.USER32(?,000003EC), ref: 0040599C
                                            • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 004059AC
                                            • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004059C5
                                            • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004059D1
                                            • GetDlgItem.USER32(?,000003F8), ref: 004058AA
                                              • Part of subcall function 0040461E: SendMessageW.USER32(00000028,?,00000001,00404449), ref: 0040462C
                                            • GetDlgItem.USER32(?,000003EC), ref: 004059EE
                                            • CreateThread.KERNELBASE(00000000,00000000,Function_000057C2,00000000), ref: 004059FC
                                            • CloseHandle.KERNELBASE(00000000), ref: 00405A03
                                            • ShowWindow.USER32(00000000), ref: 00405A27
                                            • ShowWindow.USER32(?,00000008), ref: 00405A2C
                                            • ShowWindow.USER32(00000008), ref: 00405A76
                                            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405AAA
                                            • CreatePopupMenu.USER32 ref: 00405ABB
                                            • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405ACF
                                            • GetWindowRect.USER32(?,?), ref: 00405AEF
                                            • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405B08
                                            • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405B40
                                            • OpenClipboard.USER32(00000000), ref: 00405B50
                                            • EmptyClipboard.USER32 ref: 00405B56
                                            • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405B62
                                            • GlobalLock.KERNEL32(00000000), ref: 00405B6C
                                            • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405B80
                                            • GlobalUnlock.KERNEL32(00000000), ref: 00405BA0
                                            • SetClipboardData.USER32(0000000D,00000000), ref: 00405BAB
                                            • CloseClipboard.USER32 ref: 00405BB1
                                            Strings
                                            Similarity
                                            • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                            • String ID: {
                                            • API String ID: 590372296-366298937
                                            • Opcode ID: 594e09f59107cca7157d15a5a23896bf4c5370f9eabdd5831dabeea937b03c7e
                                            • Instruction ID: ad0e61e05fba8a1df39cdb997e21152ba8bbf2b4b8703c5d6f74bcbe2795bbf3
                                            • Opcode Fuzzy Hash: 594e09f59107cca7157d15a5a23896bf4c5370f9eabdd5831dabeea937b03c7e
                                            • Instruction Fuzzy Hash: 09B158B0900608FFDB119FA1DD899AE7BB9FB48315F00403AFA45BA1A0CB755E51DF68

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            APIs
                                            • DeleteFileW.KERNELBASE(?,?,74DF3420,74DF2EE0,00000000), ref: 00405DC2
                                            • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsu5978.tmp\*.*,\*.*,C:\Users\user\AppData\Local\Temp\nsu5978.tmp\*.*,?,?,74DF3420,74DF2EE0,00000000), ref: 00405E0A
                                            • lstrcatW.KERNEL32(?,0040A014,?,C:\Users\user\AppData\Local\Temp\nsu5978.tmp\*.*,?,?,74DF3420,74DF2EE0,00000000), ref: 00405E2D
                                            • lstrlenW.KERNEL32(?,?,0040A014,?,C:\Users\user\AppData\Local\Temp\nsu5978.tmp\*.*,?,?,74DF3420,74DF2EE0,00000000), ref: 00405E33
                                            • FindFirstFileW.KERNELBASE(C:\Users\user\AppData\Local\Temp\nsu5978.tmp\*.*,?,?,?,0040A014,?,C:\Users\user\AppData\Local\Temp\nsu5978.tmp\*.*,?,?,74DF3420,74DF2EE0,00000000), ref: 00405E43
                                            • FindNextFileW.KERNELBASE(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405EE3
                                            • FindClose.KERNEL32(00000000), ref: 00405EF2
                                            Strings
                                            Similarity
                                            • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                            • String ID: .$.$C:\Users\user\AppData\Local\Temp\nsu5978.tmp\*.*$\*.*
                                            • API String ID: 2035342205-1720233761
                                            • Opcode ID: 252f33129f6abad13087e64fb92cbb60fd1a4d3dc83bffe141fc161afd94df17
                                            • Instruction ID: 3bf7406ac91ec4dd5ee52beca3a565466598d16321ce9fad4ed104e0e91c8342
                                            • Opcode Fuzzy Hash: 252f33129f6abad13087e64fb92cbb60fd1a4d3dc83bffe141fc161afd94df17
                                            • Instruction Fuzzy Hash: 7F41D130800A15AACB21AB61CC49BAF7678EF81718F24417FF945B11D1D77C4E86DEAE
                                            APIs
                                            • FindFirstFileW.KERNELBASE(74DF3420,004302F8,C:\,004060AD,C:\,C:\,00000000,C:\,C:\,74DF3420,?,74DF2EE0,00405DB9,?,74DF3420,74DF2EE0), ref: 004069CE
                                            • FindClose.KERNELBASE(00000000), ref: 004069DA
                                            Strings
                                            Similarity
                                            • API ID: Find$CloseFileFirst
                                            • String ID: C:\
                                            • API String ID: 2295610775-3404278061
                                            • Opcode ID: 3880175e769e76fa77aae8c7cfa12813b322c012e9387fc66468c7031057106f
                                            • Instruction ID: 3c057573fcaabf10d705fd9a8bc3d0837248d5ed29ac60a78c5b2b67310fc299
                                            • Opcode Fuzzy Hash: 3880175e769e76fa77aae8c7cfa12813b322c012e9387fc66468c7031057106f
                                            • Instruction Fuzzy Hash: 1CD012715481205FC34017386E0C85B7A989F163357218B37B4A6F15E0CB34CC3287AC
                                            APIs
                                            • CoCreateInstance.OLE32(004085F0,?,00000001,004085E0,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402229
                                            Strings
                                            • C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor, xrefs: 00402269
                                            Similarity
                                            • API ID: CreateInstance
                                            • String ID: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor
                                            • API String ID: 542301482-2325335884
                                            • Opcode ID: 70dc6ecbecee9357e60868247212f995677eb957e081adbb0ea1a54d331089b8
                                            • Instruction ID: 2d2e5bbc6e5ef502b098ca75eaee8a225efadfc65403042a85a9f29fa5c0db88
                                            • Opcode Fuzzy Hash: 70dc6ecbecee9357e60868247212f995677eb957e081adbb0ea1a54d331089b8
                                            • Instruction Fuzzy Hash: 37411571A00208EFCF40DFE4C989E9D7BB5BF49348B20456AF505EB2D1DB799981CB94
                                            APIs
                                            • FindFirstFileW.KERNELBASE(00000000,?,00000002), ref: 0040291A
                                            Similarity
                                            • API ID: FileFindFirst
                                            • String ID:
                                            • API String ID: 1974802433-0
                                            • Opcode ID: ba7edad31f9b469188afe4470049fe2ddcb16a652daf74fb1c246c9531100aa4
                                            • Instruction ID: 48794005611725ab24a66c32a3ce206bb79c4e5d10a9c3449c21b72c90bd16c7
                                            • Opcode Fuzzy Hash: ba7edad31f9b469188afe4470049fe2ddcb16a652daf74fb1c246c9531100aa4
                                            • Instruction Fuzzy Hash: CCF05E71904104AED701DBA4D949AAEB378FF14314F20467BE115F21D0E7B88E159B29

                                            APIs
                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00404126
                                            • ShowWindow.USER32(?), ref: 00404146
                                            • GetWindowLongW.USER32(?,000000F0), ref: 00404158
                                            • ShowWindow.USER32(?,00000004), ref: 00404171
                                            • DestroyWindow.USER32 ref: 00404185
                                            • SetWindowLongW.USER32(?,00000000,00000000), ref: 0040419E
                                            • GetDlgItem.USER32(?,?), ref: 004041BD
                                            • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 004041D1
                                            • IsWindowEnabled.USER32(00000000), ref: 004041D8
                                            • GetDlgItem.USER32(?,00000001), ref: 00404283
                                            • GetDlgItem.USER32(?,00000002), ref: 0040428D
                                            • SetClassLongW.USER32(?,000000F2,?), ref: 004042A7
                                            • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 004042F8
                                            • GetDlgItem.USER32(?,00000003), ref: 0040439E
                                            • ShowWindow.USER32(00000000,?), ref: 004043BF
                                            • KiUserCallbackDispatcher.NTDLL(?,?), ref: 004043D1
                                            • KiUserCallbackDispatcher.NTDLL(?,?), ref: 004043EC
                                            • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00404402
                                            • EnableMenuItem.USER32(00000000), ref: 00404409
                                            • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00404421
                                            • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00404434
                                            • lstrlenW.KERNEL32(0042D2A8,?,0042D2A8,00000000), ref: 0040445E
                                            • SetWindowTextW.USER32(?,0042D2A8), ref: 00404472
                                            • ShowWindow.USER32(?,0000000A), ref: 004045A6
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1737527534.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Similarity
                                            • API ID: Window$Item$MessageSendShow$Long$CallbackDispatcherMenuUser$ClassDestroyEnableEnabledSystemTextlstrlen
                                            • String ID:
                                            • API String ID: 3964124867-0
                                            • Opcode ID: a909010d8c72ebaa78a2a8cb2f30679cc7e32d907dd9b02ea1346e9f086c6b13
                                            • Instruction ID: de9aa89a916c8b209ea0d52822f85574d94c23603a42d9a5d354d97988027e5a
                                            • Opcode Fuzzy Hash: a909010d8c72ebaa78a2a8cb2f30679cc7e32d907dd9b02ea1346e9f086c6b13
                                            • Instruction Fuzzy Hash: 28C1D0B1A00204FBDB21AF61EE45E2B3BB8EB85745B50053EFB41B11F1CB3998419B6D

                                            APIs
                                              • Part of subcall function 00406A5A: GetModuleHandleA.KERNEL32(?,00000020,?,00403775,0000000B), ref: 00406A6C
                                              • Part of subcall function 00406A5A: GetProcAddress.KERNEL32(00000000,?), ref: 00406A87
                                            • lstrcatW.KERNEL32(1033,0042D2A8,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D2A8,00000000,00000002,74DF3420,C:\Users\user\AppData\Local\Temp\,?,00000000,?), ref: 00403DBD
                                            • lstrlenW.KERNEL32(Remove folder: ,?,?,?,Remove folder: ,00000000,C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor,1033,0042D2A8,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D2A8,00000000,00000002,74DF3420), ref: 00403E3D
                                            • lstrcmpiW.KERNEL32(?,.exe,Remove folder: ,?,?,?,Remove folder: ,00000000,C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor,1033,0042D2A8,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D2A8,00000000), ref: 00403E50
                                            • GetFileAttributesW.KERNEL32(Remove folder: ,?,00000000,?), ref: 00403E5B
                                            • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor), ref: 00403EA4
                                              • Part of subcall function 004065D4: wsprintfW.USER32 ref: 004065E1
                                            • RegisterClassW.USER32(00433EE0), ref: 00403EE1
                                            • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403EF9
                                            • CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403F2E
                                            • ShowWindow.USER32(00000005,00000000,?,00000000,?), ref: 00403F64
                                            • GetClassInfoW.USER32(00000000,RichEdit20W,00433EE0), ref: 00403F90
                                            • GetClassInfoW.USER32(00000000,RichEdit,00433EE0), ref: 00403F9D
                                            • RegisterClassW.USER32(00433EE0), ref: 00403FA6
                                            • DialogBoxParamW.USER32(?,00000000,004040EA,00000000), ref: 00403FC5
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1737527534.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Similarity
                                            • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                            • String ID: .DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor$Control Panel\Desktop\ResourceLocale$Remove folder: $RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb$>C
                                            • API String ID: 1975747703-2007118958
                                            • Opcode ID: 125b924c795658e2fb6f2b424cc5b2ba0af3e0ec064c37c13f72d94e5ebd84ad
                                            • Instruction ID: da25d123fd33bceb9cd954dc55613c71382b45676866b2bca109948a29669d0c
                                            • Opcode Fuzzy Hash: 125b924c795658e2fb6f2b424cc5b2ba0af3e0ec064c37c13f72d94e5ebd84ad
                                            • Instruction Fuzzy Hash: 7C61C970540300BFD620AF66AD46E2B3A7CEB8474AF50453FFA45B22E1CB7D99118A6D

                                            APIs
                                            • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404846
                                            • GetDlgItem.USER32(?,000003E8), ref: 0040485A
                                            • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404877
                                            • GetSysColor.USER32(?), ref: 00404888
                                            • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00404896
                                            • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004048A4
                                            • lstrlenW.KERNEL32(?), ref: 004048A9
                                            • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004048B6
                                            • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004048CB
                                            • GetDlgItem.USER32(?,0000040A), ref: 00404924
                                            • SendMessageW.USER32(00000000), ref: 0040492B
                                            • GetDlgItem.USER32(?,000003E8), ref: 00404956
                                            • SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404999
                                            • LoadCursorW.USER32(00000000,00007F02), ref: 004049A7
                                            • SetCursor.USER32(00000000), ref: 004049AA
                                            • LoadCursorW.USER32(00000000,00007F00), ref: 004049C3
                                            • SetCursor.USER32(00000000), ref: 004049C6
                                            • SendMessageW.USER32(00000111,00000001,00000000), ref: 004049F5
                                            • SendMessageW.USER32(00000010,00000000,00000000), ref: 00404A07
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1737527534.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Similarity
                                            • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                                            • String ID: N$.C
                                            • API String ID: 3103080414-3550801149
                                            • Opcode ID: 2c2edbd67907794629cef93c5f20fe49d7483b4f1c50941cc9e49a96c5bda95e
                                            • Instruction ID: 04e69940b6acc2fd086222b6b6ea3ba721d9538463f901576bc41ccddba7bb55
                                            • Opcode Fuzzy Hash: 2c2edbd67907794629cef93c5f20fe49d7483b4f1c50941cc9e49a96c5bda95e
                                            • Instruction Fuzzy Hash: F86190B1A00209FFDF10AF60DD45A6A7B69FB84314F00853AFA01B62D0C778A951DF9C

                                            APIs
                                            • GetTickCount.KERNEL32 ref: 004030E4
                                            • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe,00000400), ref: 00403100
                                              • Part of subcall function 0040617D: GetFileAttributesW.KERNELBASE(00000003,00403113,C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe,80000000,00000003), ref: 00406181
                                              • Part of subcall function 0040617D: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 004061A3
                                            • GetFileSize.KERNEL32(00000000,00000000,00444000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe,C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe,80000000,00000003), ref: 00403149
                                            • GlobalAlloc.KERNELBASE(00000040,?), ref: 0040328E
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1737527534.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Similarity
                                            • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                                            • String ID: @@$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
                                            • API String ID: 2803837635-2412424591
                                            • Opcode ID: bad2e3b01d9b3b13e63a1b39e6cc5da044d3535b7ab0fa3027879e4241c96e0e
                                            • Instruction ID: 364f6887d48bc7b951d8ae4203d579f58ecc863924d2f457b4153bb80ab2427c
                                            • Opcode Fuzzy Hash: bad2e3b01d9b3b13e63a1b39e6cc5da044d3535b7ab0fa3027879e4241c96e0e
                                            • Instruction Fuzzy Hash: 9871EF31900204AFDB20DFA5EE81B9E7FA8AB44315F20817FE915B62D1DB389E40CB5D

                                            APIs
                                            • GetSystemDirectoryW.KERNEL32(Remove folder: ,00000400), ref: 004067E5
                                            • GetWindowsDirectoryW.KERNEL32(Remove folder: ,00000400,00000000,Remove folder: C:\Users\user\AppData\Local\Temp\nsu5978.tmp\,?,00405726,Remove folder: C:\Users\user\AppData\Local\Temp\nsu5978.tmp\,00000000,00000000,00000000,00000000), ref: 004067F8
                                            • lstrcatW.KERNEL32(Remove folder: ,\Microsoft\Internet Explorer\Quick Launch,?,?,?,?,?,?,?,?,?,004030A8,00000000,?), ref: 0040686F
                                            • lstrlenW.KERNEL32(Remove folder: ,00000000,Remove folder: C:\Users\user\AppData\Local\Temp\nsu5978.tmp\,?,00405726,Remove folder: C:\Users\user\AppData\Local\Temp\nsu5978.tmp\,00000000), ref: 004068C9
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1737527534.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Similarity
                                            • API ID: Directory$SystemWindowslstrcatlstrlen
                                            • String ID: &W@$Remove folder: $Remove folder: C:\Users\user\AppData\Local\Temp\nsu5978.tmp\$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                            • API String ID: 4260037668-3391701120
                                            • Opcode ID: 3e400c5343cfc33d28fc060edae60873890dd6f9eb032d48237974229c953048
                                            • Instruction ID: 222baa3488ebd17d4188baabad1ccaa5edf8f2b789f9d6ace106459298ebb4c1
                                            • Opcode Fuzzy Hash: 3e400c5343cfc33d28fc060edae60873890dd6f9eb032d48237974229c953048
                                            • Instruction Fuzzy Hash: A461EE72901205AADF10AF65CD40AAE37A5EF44318F22C13FE907B62D0DB7D99A1CB4D

                                            Control-flow Graph

                                            APIs
                                            • lstrcatW.KERNEL32(00000000,00000000,open,C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor,?,?,00000031), ref: 004017B0
                                            • CompareFileTime.KERNEL32(-00000014,?,open,open,00000000,00000000,open,C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor,?,?,00000031), ref: 004017D5
                                              • Part of subcall function 0040668D: lstrcpynW.KERNEL32(?,?,00000400,004037D5,00433F40,NSIS Error), ref: 0040669A
                                              • Part of subcall function 004056EF: lstrlenW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsu5978.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000,?), ref: 00405727
                                              • Part of subcall function 004056EF: lstrlenW.KERNEL32(004030A8,Remove folder: C:\Users\user\AppData\Local\Temp\nsu5978.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000), ref: 00405737
                                              • Part of subcall function 004056EF: lstrcatW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsu5978.tmp\,004030A8,004030A8,Remove folder: C:\Users\user\AppData\Local\Temp\nsu5978.tmp\,00000000,00000000,00000000), ref: 0040574A
                                              • Part of subcall function 004056EF: SetWindowTextW.USER32(Remove folder: C:\Users\user\AppData\Local\Temp\nsu5978.tmp\,Remove folder: C:\Users\user\AppData\Local\Temp\nsu5978.tmp\), ref: 0040575C
                                              • Part of subcall function 004056EF: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405782
                                              • Part of subcall function 004056EF: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040579C
                                              • Part of subcall function 004056EF: SendMessageW.USER32(?,00001013,?,00000000), ref: 004057AA
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1737527534.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                            • String ID: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor$C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe$open$open C:\Windows\explorer.exe
                                            • API String ID: 1941528284-1741954930
                                            • Opcode ID: 3eb7c47ae52ee09527a3e83c3e24da30cf40b2af24631dbd23c86e1c2bf12060
                                            • Instruction ID: 3917aaa0535afdaa8150d035ffb2f8f3de46a25fb5f3ebe939534b09b008d861
                                            • Opcode Fuzzy Hash: 3eb7c47ae52ee09527a3e83c3e24da30cf40b2af24631dbd23c86e1c2bf12060
                                            • Instruction Fuzzy Hash: 0C41AE31800108BACF11AFB5CD85DAE7A79EF45368B21473FF412B10E1DB3D89519A6E

                                            Control-flow Graph

                                            APIs
                                            • lstrlenW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsu5978.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000,?), ref: 00405727
                                            • lstrlenW.KERNEL32(004030A8,Remove folder: C:\Users\user\AppData\Local\Temp\nsu5978.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000), ref: 00405737
                                            • lstrcatW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsu5978.tmp\,004030A8,004030A8,Remove folder: C:\Users\user\AppData\Local\Temp\nsu5978.tmp\,00000000,00000000,00000000), ref: 0040574A
                                            • SetWindowTextW.USER32(Remove folder: C:\Users\user\AppData\Local\Temp\nsu5978.tmp\,Remove folder: C:\Users\user\AppData\Local\Temp\nsu5978.tmp\), ref: 0040575C
                                            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405782
                                            • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040579C
                                            • SendMessageW.USER32(?,00001013,?,00000000), ref: 004057AA
                                              • Part of subcall function 004066CA: lstrcatW.KERNEL32(Remove folder: ,\Microsoft\Internet Explorer\Quick Launch,?,?,?,?,?,?,?,?,?,004030A8,00000000,?), ref: 0040686F
                                              • Part of subcall function 004066CA: lstrlenW.KERNEL32(Remove folder: ,00000000,Remove folder: C:\Users\user\AppData\Local\Temp\nsu5978.tmp\,?,00405726,Remove folder: C:\Users\user\AppData\Local\Temp\nsu5978.tmp\,00000000), ref: 004068C9
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1737527534.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: MessageSendlstrlen$lstrcat$TextWindow
                                            • String ID: Remove folder: C:\Users\user\AppData\Local\Temp\nsu5978.tmp\
                                            • API String ID: 1495540970-548656469
                                            • Opcode ID: 278353603dcbb75a668f8a71779c99bfd23b7d47d2199f18e2ce94613a8461f0
                                            • Instruction ID: 1b676207b4a0a1055a3a12a699133e47920e8c41e9ca1950a47408d5e63b7e6c
                                            • Opcode Fuzzy Hash: 278353603dcbb75a668f8a71779c99bfd23b7d47d2199f18e2ce94613a8461f0
                                            • Instruction Fuzzy Hash: 3E218975900518FACB119FA5DD84ACFBFB8EF49350F10803AF904B22A0C7798A519FA8

                                            Control-flow Graph

                                            APIs
                                            • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406A01
                                            • wsprintfW.USER32 ref: 00406A3C
                                            • LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406A50
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1737527534.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: DirectoryLibraryLoadSystemwsprintf
                                            • String ID: %s%S.dll$UXTHEME$\
                                            • API String ID: 2200240437-1946221925
                                            • Opcode ID: 63130bafcb32548bd4340548baa3f8658423137b3882cd96386db367ad08b740
                                            • Instruction ID: dddb1bef5f3f5ee0ffb7d6c9f59c350f03ebda43387605203a83eddebe2ff1d2
                                            • Opcode Fuzzy Hash: 63130bafcb32548bd4340548baa3f8658423137b3882cd96386db367ad08b740
                                            • Instruction Fuzzy Hash: 47F09C7065011967DB14BB58DD0DFAB365CAB01705F11447AE646F10D0EB7CDA68CB98

                                            Control-flow Graph

                                            APIs
                                            • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004029B1
                                            • GlobalAlloc.KERNELBASE(00000040,?,00000000,?), ref: 004029CD
                                            • GlobalFree.KERNELBASE(?), ref: 00402A06
                                            • GlobalFree.KERNELBASE(00000000), ref: 00402A19
                                            • CloseHandle.KERNELBASE(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A35
                                            • DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A48
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1737527534.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: Global$AllocFree$CloseDeleteFileHandle
                                            • String ID:
                                            • API String ID: 2667972263-0
                                            • Opcode ID: c27a12bb1b371df456bad0cb2fc82cd344a309b2c83eb080518c5475c9ab4ebb
                                            • Instruction ID: 9452f222c2943755f981640e626c36c4c8fc1fb7f7789119dd72cb871a19e56f
                                            • Opcode Fuzzy Hash: c27a12bb1b371df456bad0cb2fc82cd344a309b2c83eb080518c5475c9ab4ebb
                                            • Instruction Fuzzy Hash: ED31C071D00124BBCF216FA9CE89DDEBE79AF49364F14023AF550762E1CB794C429B98

                                            Control-flow Graph

                                            APIs
                                            • GetTickCount.KERNEL32 ref: 004034B2
                                              • Part of subcall function 0040361D: SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040331D,?), ref: 0040362B
                                            • SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,004033C8,00000004,00000000,00000000,?,?,00403344,000000FF,00000000,00000000,?,?), ref: 004034E5
                                            • SetFilePointer.KERNELBASE(002E680E,00000000,00000000,0040CE90,afii10065afii10066afii10067afii10068afii10069afii10070afii10072afii10073afii10074afii10075afii10076afii10077afii10078afii10079afii10080afii10081afii10082afii10083afii10084afii10085afii10086afii10087afii10088afii10089afii10090afii10091,00004000,?,00000000,004033C8,00000004,00000000,00000000,?,?,00403344,000000FF), ref: 004035E0
                                            Strings
                                            • afii10065afii10066afii10067afii10068afii10069afii10070afii10072afii10073afii10074afii10075afii10076afii10077afii10078afii10079afii10080afii10081afii10082afii10083afii10084afii10085afii10086afii10087afii10088afii10089afii10090afii10091, xrefs: 00403512, 00403518
                                            • PjA, xrefs: 004034F7
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1737527534.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: FilePointer$CountTick
                                            • String ID: afii10065afii10066afii10067afii10068afii10069afii10070afii10072afii10073afii10074afii10075afii10076afii10077afii10078afii10079afii10080afii10081afii10082afii10083afii10084afii10085afii10086afii10087afii10088afii10089afii10090afii10091$PjA
                                            • API String ID: 1092082344-2470023004
                                            • Opcode ID: 9ce1662b015069013aad91297686e64e48a83dbe4dcecd47c05504c3ad461c8e
                                            • Instruction ID: f9242c332a4440439c60d59a0742db288cd856b70a60ad5ac0c55a234a5691a7
                                            • Opcode Fuzzy Hash: 9ce1662b015069013aad91297686e64e48a83dbe4dcecd47c05504c3ad461c8e
                                            • Instruction Fuzzy Hash: F2317E72600201EFDB209F29EF819163BA8EB40356758023BF805B26F0C7799E55DB5E

                                            Control-flow Graph

                                            APIs
                                            • CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405C01
                                            • GetLastError.KERNEL32 ref: 00405C15
                                            • SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 00405C2A
                                            • GetLastError.KERNEL32 ref: 00405C34
                                            Strings
                                            • C:\Users\user\AppData\Local\Temp\, xrefs: 00405BE4
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1737527534.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: ErrorLast$CreateDirectoryFileSecurity
                                            • String ID: C:\Users\user\AppData\Local\Temp\
                                            • API String ID: 3449924974-3081826266
                                            • Opcode ID: 4d8c721838b8a92ea27708fe49d100345a2f80ebd1be40878b53e15a1b169c58
                                            • Instruction ID: 83cbdc828edc03ec969cff9db7e05ee4047ca164e5c91e20edd7243e9c57a5c6
                                            • Opcode Fuzzy Hash: 4d8c721838b8a92ea27708fe49d100345a2f80ebd1be40878b53e15a1b169c58
                                            • Instruction Fuzzy Hash: E90108B1D0421DEAEF109BA0C944BEFBBB8EF04314F00403AD545B6180E77896488B99

                                            Control-flow Graph

                                            APIs
                                            • GetDlgItem.USER32(?,?), ref: 00401D9A
                                            • GetClientRect.USER32(?,?), ref: 00401DE5
                                            • LoadImageW.USER32(?,?,?,?,?,?), ref: 00401E15
                                            • SendMessageW.USER32(?,00000172,?,00000000), ref: 00401E29
                                            • DeleteObject.GDI32(00000000), ref: 00401E39
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1737527534.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1737500897.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1737577651.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1737704959.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1737704959.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1737704959.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1737704959.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1737704959.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1737704959.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1737846798.0000000000451000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1737846798.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                            • String ID:
                                            • API String ID: 1849352358-0
                                            • Opcode ID: 3043d85d86b90f5b5396c33957a01327d121a2023d37ed61208decb0b3137206
                                            • Instruction ID: 2f6f3c36036cdbb9089b0383ba4f4cbfc48a317e9096f9b837de44549e037801
                                            • Opcode Fuzzy Hash: 3043d85d86b90f5b5396c33957a01327d121a2023d37ed61208decb0b3137206
                                            • Instruction Fuzzy Hash: 4321F672904119AFCB05DBA4DE45AEEBBB5FF08304F14003AF945F62A0DB389D51DB98
                                            APIs
                                            • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CB3
                                            • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CCB
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1737527534.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: MessageSend$Timeout
                                            • String ID: !
                                            • API String ID: 1777923405-2657877971
                                            • Opcode ID: 0df20d807e71c32f2e7a06027160097b2d0fc48425b0cade28e6ea958b081efc
                                            • Instruction ID: 370c909e2e73d1f6fe44a55a7d7bb6cb0e832c487cf9fbdb9b52faa9c3bc30de
                                            • Opcode Fuzzy Hash: 0df20d807e71c32f2e7a06027160097b2d0fc48425b0cade28e6ea958b081efc
                                            • Instruction Fuzzy Hash: 7C219C7190420AAFEF05AFA4D94AAAE7BB4FF84304F14453EF601B61D0D7B88941CB98
                                            APIs
                                            • lstrlenW.KERNEL32(C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe,00000023,00000011,00000002), ref: 004024D5
                                            • RegSetValueExW.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe,00000000,00000011,00000002), ref: 00402515
                                            • RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe,00000000,00000011,00000002), ref: 004025FD
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1737527534.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: CloseValuelstrlen
                                            • String ID: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe
                                            • API String ID: 2655323295-2919141329
                                            • Opcode ID: 907eb9ad1105a09e04069cca1f3e1d61c916a6a4e724c7a160cfa59f566c54f2
                                            • Instruction ID: 12e8642c4e4b4d640cc525bd6b04ad739d3cc6f192bf8d9ddfd4a5f785b5dc43
                                            • Opcode Fuzzy Hash: 907eb9ad1105a09e04069cca1f3e1d61c916a6a4e724c7a160cfa59f566c54f2
                                            • Instruction Fuzzy Hash: A0117C71E00118BEEF10AFA5DE49EAEBAB8FB44354F11443AF404F61C1D7B98D419A58
                                            APIs
                                            • GetTickCount.KERNEL32 ref: 004061CA
                                            • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,?,00403663,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403948), ref: 004061E5
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1737527534.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: CountFileNameTempTick
                                            • String ID: C:\Users\user\AppData\Local\Temp\$nsa
                                            • API String ID: 1716503409-678247507
                                            • Opcode ID: 6315ab6e6f8253ba2c88c9b6803a176270f8621abb800126aa0f3c3b7b9ef66c
                                            • Instruction ID: fdeb3f6c26f57af455627ae7e74bc600c6faa16c265c20ecce0caf76aa503c20
                                            • Opcode Fuzzy Hash: 6315ab6e6f8253ba2c88c9b6803a176270f8621abb800126aa0f3c3b7b9ef66c
                                            • Instruction Fuzzy Hash: ABF09076700204BFDB008F59DD05E9BB7BCEBA5710F11803EEA05E7141E6B499659768
                                            APIs
                                            • CloseHandle.KERNEL32(FFFFFFFF,C:\Users\user\AppData\Local\Temp\,00403B96,?), ref: 00403C5C
                                            • CloseHandle.KERNEL32(FFFFFFFF,C:\Users\user\AppData\Local\Temp\,00403B96,?), ref: 00403C70
                                            Strings
                                            • C:\Users\user\AppData\Local\Temp\nsu5978.tmp\, xrefs: 00403C80
                                            • C:\Users\user\AppData\Local\Temp\, xrefs: 00403C4F
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1737527534.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: CloseHandle
                                            • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsu5978.tmp\
                                            • API String ID: 2962429428-2731231510
                                            • Opcode ID: 9571c11899c35297b6ebd84899c65c6a73d40b7c1d7f594ffb6386dbdd5b959e
                                            • Instruction ID: 7b84d4da0dc678c8153cc4de85347ab916e1b3437e0ab70bc8e42d0d677741ea
                                            • Opcode Fuzzy Hash: 9571c11899c35297b6ebd84899c65c6a73d40b7c1d7f594ffb6386dbdd5b959e
                                            • Instruction Fuzzy Hash: DCE0863240471496D120AF7CBE4D9853B185F413357204326F078F20F0C7389A574A9D
                                            APIs
                                            • SetFilePointer.KERNELBASE(?,00000000,00000000,00000000,00000000,?,?,00403344,000000FF,00000000,00000000,?,?), ref: 004033BB
                                            Strings
                                            • afii10065afii10066afii10067afii10068afii10069afii10070afii10072afii10073afii10074afii10075afii10076afii10077afii10078afii10079afii10080afii10081afii10082afii10083afii10084afii10085afii10086afii10087afii10088afii10089afii10090afii10091, xrefs: 00403410, 00403427, 0040343D
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1737527534.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: FilePointer
                                            • String ID: afii10065afii10066afii10067afii10068afii10069afii10070afii10072afii10073afii10074afii10075afii10076afii10077afii10078afii10079afii10080afii10081afii10082afii10083afii10084afii10085afii10086afii10087afii10088afii10089afii10090afii10091
                                            • API String ID: 973152223-3450027178
                                            • Opcode ID: a8c288b3f372f050feaf29e92bc45c0714d3d1efbc66f040d379b470514232d5
                                            • Instruction ID: 879c1cfb3023fffcbe0c0e2ea75a253ce7de77ab076c6aeeb6356754f21bc02d
                                            • Opcode Fuzzy Hash: a8c288b3f372f050feaf29e92bc45c0714d3d1efbc66f040d379b470514232d5
                                            • Instruction Fuzzy Hash: DD316D30600219BFDB12DF65EE48A9E3F68EF00359F10443BB905FA190D2389A51DBA9
                                            APIs
                                              • Part of subcall function 00406007: CharNextW.USER32(?,?,C:\,?,0040607B,C:\,C:\,74DF3420,?,74DF2EE0,00405DB9,?,74DF3420,74DF2EE0,00000000), ref: 00406015
                                              • Part of subcall function 00406007: CharNextW.USER32(00000000), ref: 0040601A
                                              • Part of subcall function 00406007: CharNextW.USER32(00000000), ref: 00406032
                                            • GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A
                                              • Part of subcall function 00405BBE: CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405C01
                                            • SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor,?,00000000,000000F0), ref: 0040164D
                                            Strings
                                            • C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor, xrefs: 00401640
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1737527534.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                            • String ID: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor
                                            • API String ID: 1892508949-2325335884
                                            • Opcode ID: 5fdaf71305cc2eebf81003d9ed1838ab7ff08b26dd653175ac811ad0fbb09da4
                                            • Instruction ID: e73362fd3d85cb6548b28c60964109a8c874feb3c7e239491ccc939b3b9f7cdb
                                            • Opcode Fuzzy Hash: 5fdaf71305cc2eebf81003d9ed1838ab7ff08b26dd653175ac811ad0fbb09da4
                                            • Instruction Fuzzy Hash: 5A11E231508114EBDF316FA5CD4099E36A0EF15369B28093BF905B12F1DA3E89819B4D
                                            APIs
                                              • Part of subcall function 0040668D: lstrcpynW.KERNEL32(?,?,00000400,004037D5,00433F40,NSIS Error), ref: 0040669A
                                              • Part of subcall function 00406007: CharNextW.USER32(?,?,C:\,?,0040607B,C:\,C:\,74DF3420,?,74DF2EE0,00405DB9,?,74DF3420,74DF2EE0,00000000), ref: 00406015
                                              • Part of subcall function 00406007: CharNextW.USER32(00000000), ref: 0040601A
                                              • Part of subcall function 00406007: CharNextW.USER32(00000000), ref: 00406032
                                            • lstrlenW.KERNEL32(C:\,00000000,C:\,C:\,74DF3420,?,74DF2EE0,00405DB9,?,74DF3420,74DF2EE0,00000000), ref: 004060BD
                                            • GetFileAttributesW.KERNELBASE(C:\,C:\,C:\,C:\,C:\,C:\,00000000,C:\,C:\,74DF3420,?,74DF2EE0,00405DB9,?,74DF3420,74DF2EE0), ref: 004060CD
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1737527534.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                            • String ID: C:\
                                            • API String ID: 3248276644-3404278061
                                            • Opcode ID: ceab7f6141c97bd95801e758521eaa2340c4166b8ffd449cb058fd8e326b7757
                                            • Instruction ID: 3d96d79a6bf6e9154c2ce5442b990e62448fd6ed276594ad5baef106ced42e1b
                                            • Opcode Fuzzy Hash: ceab7f6141c97bd95801e758521eaa2340c4166b8ffd449cb058fd8e326b7757
                                            • Instruction Fuzzy Hash: 3CF0F43614496219DA22F23A4C05AAF15448E82364B1B463BFC97B12C1CF3C8973847E
                                            APIs
                                            • GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 00402103
                                              • Part of subcall function 004056EF: lstrlenW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsu5978.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000,?), ref: 00405727
                                              • Part of subcall function 004056EF: lstrlenW.KERNEL32(004030A8,Remove folder: C:\Users\user\AppData\Local\Temp\nsu5978.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000), ref: 00405737
                                              • Part of subcall function 004056EF: lstrcatW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsu5978.tmp\,004030A8,004030A8,Remove folder: C:\Users\user\AppData\Local\Temp\nsu5978.tmp\,00000000,00000000,00000000), ref: 0040574A
                                              • Part of subcall function 004056EF: SetWindowTextW.USER32(Remove folder: C:\Users\user\AppData\Local\Temp\nsu5978.tmp\,Remove folder: C:\Users\user\AppData\Local\Temp\nsu5978.tmp\), ref: 0040575C
                                              • Part of subcall function 004056EF: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405782
                                              • Part of subcall function 004056EF: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040579C
                                              • Part of subcall function 004056EF: SendMessageW.USER32(?,00001013,?,00000000), ref: 004057AA
                                            • LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00402114
                                            • FreeLibrary.KERNELBASE(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 00402191
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1737527534.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
                                            • String ID:
                                            • API String ID: 334405425-0
                                            • Opcode ID: 0e1c26a5bf56fc850ad3554e1c335fc627687a4e605940a2150547e6b950aef5
                                            • Instruction ID: a321a58b122e5769608c0d537d44edacf3bc60c8a4d9086c5487ffa21be87ae2
                                            • Opcode Fuzzy Hash: 0e1c26a5bf56fc850ad3554e1c335fc627687a4e605940a2150547e6b950aef5
                                            • Instruction Fuzzy Hash: F921D431904104FADF11AFA5CF48A9E7A71BF48358F60413BF505B91E0DBBD8A829A5D
                                            APIs
                                            • GlobalFree.KERNEL32(0052B480), ref: 00401C0B
                                            • GlobalAlloc.KERNELBASE(00000040,00000804), ref: 00401C1D
                                              • Part of subcall function 004066CA: lstrcatW.KERNEL32(Remove folder: ,\Microsoft\Internet Explorer\Quick Launch,?,?,?,?,?,?,?,?,?,004030A8,00000000,?), ref: 0040686F
                                              • Part of subcall function 004066CA: lstrlenW.KERNEL32(Remove folder: ,00000000,Remove folder: C:\Users\user\AppData\Local\Temp\nsu5978.tmp\,?,00405726,Remove folder: C:\Users\user\AppData\Local\Temp\nsu5978.tmp\,00000000), ref: 004068C9
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1737527534.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Similarity
                                            • API ID: Global$AllocFreelstrcatlstrlen
                                            • String ID: open
                                            • API String ID: 3292104215-2758837156
                                            • Opcode ID: e44648b2847528073b7ea023ce46eb1f8e5f4ef5fcdd82f597a9323f2c2e4c3e
                                            • Instruction ID: 90824dc58898cdbd7663888cd0f434ed115bd306e5074048f8633ee4ba0fe65e
                                            • Opcode Fuzzy Hash: e44648b2847528073b7ea023ce46eb1f8e5f4ef5fcdd82f597a9323f2c2e4c3e
                                            • Instruction Fuzzy Hash: 57219672904210DBDB10AFA4DE84A6E72A4EB043147150A3BF956F72D0D7B99C498B9D
                                            APIs
                                              • Part of subcall function 00405CB3: ShellExecuteExW.SHELL32(?), ref: 00405CC2
                                              • Part of subcall function 00406B05: WaitForSingleObject.KERNEL32(?,00000064), ref: 00406B16
                                              • Part of subcall function 00406B05: GetExitCodeProcess.KERNEL32(?,?), ref: 00406B38
                                            • CloseHandle.KERNELBASE(?,?,?,?,?,?), ref: 00401FEB
                                            Strings
                                            • C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor, xrefs: 00401F6A
                                            • @, xrefs: 00401F8A
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1737527534.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Similarity
                                            • API ID: CloseCodeExecuteExitHandleObjectProcessShellSingleWait
                                            • String ID: @$C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor
                                            • API String ID: 165873841-4178098557
                                            • Opcode ID: 36db43ef3e927bd04da0962e8effbc096c84322674ef5c9c80db41dbe1f2cbc2
                                            • Instruction ID: 6aead98af9dea84bc66228ccdd4905e447fd33a6d514b7a3bc928a4b4fa65473
                                            • Opcode Fuzzy Hash: 36db43ef3e927bd04da0962e8effbc096c84322674ef5c9c80db41dbe1f2cbc2
                                            • Instruction Fuzzy Hash: 93114971E042189ADB61EFB9CA49B8CB6F4BF04304F24457AE005F72C1EBBC89459B18
                                            APIs
                                            • RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 004025D1
                                            • RegEnumValueW.ADVAPI32(00000000,00000000,?,?), ref: 004025E4
                                            • RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe,00000000,00000011,00000002), ref: 004025FD
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1737527534.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Similarity
                                            • API ID: Enum$CloseValue
                                            • String ID:
                                            • API String ID: 397863658-0
                                            • Opcode ID: a52ea4e95114893f1214cc9d7383c7dfe67ecb6e144a2ad09a8b9bac2c3cb168
                                            • Instruction ID: 37dacb53ad9a055d943042c5f940af4a435521b0350b712bcdcabe01861b578f
                                            • Opcode Fuzzy Hash: a52ea4e95114893f1214cc9d7383c7dfe67ecb6e144a2ad09a8b9bac2c3cb168
                                            • Instruction Fuzzy Hash: 02017CB1904105ABEB159F94DE58AAEB66CFF40348F10403AF501B61C0EBB85E44966D
                                            APIs
                                              • Part of subcall function 00406158: GetFileAttributesW.KERNELBASE(?,?,00405D5D,?,?,00000000,00405F33,?,?,?,?), ref: 0040615D
                                              • Part of subcall function 00406158: SetFileAttributesW.KERNELBASE(?,00000000), ref: 00406171
                                            • RemoveDirectoryW.KERNELBASE(?,?,?,00000000,00405F33), ref: 00405D6C
                                            • DeleteFileW.KERNELBASE(?,?,?,00000000,00405F33), ref: 00405D74
                                            • SetFileAttributesW.KERNEL32(?,00000000), ref: 00405D8C
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1737527534.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Similarity
                                            • API ID: File$Attributes$DeleteDirectoryRemove
                                            • String ID:
                                            • API String ID: 1655745494-0
                                            • Opcode ID: 80ad4dccc83bd5cfbcd7ef077da852fe0cb096cb549a199170c52783d075929e
                                            • Instruction ID: 6423c5750aabc8c703f34b5ef79d46a41281dcb2f393b60bcf192cc7258de457
                                            • Opcode Fuzzy Hash: 80ad4dccc83bd5cfbcd7ef077da852fe0cb096cb549a199170c52783d075929e
                                            • Instruction Fuzzy Hash: 79E0E531104AA156C31067308D0CB5F6994EFC6314F05C93BF892B51C1D77888078A69
                                            APIs
                                            • ReadFile.KERNELBASE(?,00000000,00000000,00000000,00000000,afii10065afii10066afii10067afii10068afii10069afii10070afii10072afii10073afii10074afii10075afii10076afii10077afii10078afii10079afii10080afii10081afii10082afii10083afii10084afii10085afii10086afii10087afii10088afii10089afii10090afii10091,00416A50,0040361A,?,?,0040351E,afii10065afii10066afii10067afii10068afii10069afii10070afii10072afii10073afii10074afii10075afii10076afii10077afii10078afii10079afii10080afii10081afii10082afii10083afii10084afii10085afii10086afii10087afii10088afii10089afii10090afii10091,00004000,?,00000000,004033C8), ref: 00406214
                                            Strings
                                            • afii10065afii10066afii10067afii10068afii10069afii10070afii10072afii10073afii10074afii10075afii10076afii10077afii10078afii10079afii10080afii10081afii10082afii10083afii10084afii10085afii10086afii10087afii10088afii10089afii10090afii10091, xrefs: 00406203
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1737527534.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Similarity
                                            • API ID: FileRead
                                            • String ID: afii10065afii10066afii10067afii10068afii10069afii10070afii10072afii10073afii10074afii10075afii10076afii10077afii10078afii10079afii10080afii10081afii10082afii10083afii10084afii10085afii10086afii10087afii10088afii10089afii10090afii10091
                                            • API String ID: 2738559852-3450027178
                                            • Opcode ID: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
                                            • Instruction ID: 0c8818240235829ee2caa456c12b7fe7948c2218b6bfb3ad10962a89f26fd1e7
                                            • Opcode Fuzzy Hash: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
                                            • Instruction Fuzzy Hash: 70E08C3220025BBBCF10AE61AC00AEB3BACEB05360F014C7AFD12E2140E234E82187A4
                                            APIs
                                            • RegQueryValueExW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,00000033), ref: 0040255B
                                            • RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe,00000000,00000011,00000002), ref: 004025FD
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1737527534.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Similarity
                                            • API ID: CloseQueryValue
                                            • String ID:
                                            • API String ID: 3356406503-0
                                            • Opcode ID: c7cbaee71969ef2f8bac58d28aa888dda5e6e41e75dc4d2b1362c79011206805
                                            • Instruction ID: ce94e06674b2063eb830c91d8a42ee3caf534e634ce57701022dee7af47e3e9b
                                            • Opcode Fuzzy Hash: c7cbaee71969ef2f8bac58d28aa888dda5e6e41e75dc4d2b1362c79011206805
                                            • Instruction Fuzzy Hash: 73116A71900219EBDF14DFA4DE589AEB7B4FF04345B20843BE002B62C0E7B88A45EB5D
                                            APIs
                                            • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                            • SendMessageW.USER32(?,00000402,00000000), ref: 004013F4
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1737527534.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Similarity
                                            • API ID: MessageSend
                                            • String ID:
                                            • API String ID: 3850602802-0
                                            • Opcode ID: 7b87da26941d3aa668fa355f933a5313dcdb5a3521c9a42cb06613eba6504328
                                            • Instruction ID: 3318a6deb1fecedd1d8049cd847474dd1034ca6a2abc63ecceb067bb8a78016f
                                            • Opcode Fuzzy Hash: 7b87da26941d3aa668fa355f933a5313dcdb5a3521c9a42cb06613eba6504328
                                            • Instruction Fuzzy Hash: 4C01F431A24220DBE7094B389D05B6A36A8E714315F14813FF851F65F1E778CC029B4D
                                            APIs
                                            • OleInitialize.OLE32(00000000), ref: 004057D2
                                              • Part of subcall function 00404635: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404647
                                            • CoUninitialize.COMBASE(00000404,00000000,?,00000000,?), ref: 0040581E
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1737527534.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Similarity
                                            • API ID: InitializeMessageSendUninitialize
                                            • String ID:
                                            • API String ID: 2896919175-0
                                            • Opcode ID: fc1388026c54a09b95de14390a5393f9e9ed8c547e3e5077fba47ed0ae551c4e
                                            • Instruction ID: 97d44b5ca4adf0d0d7323f517b99f76dbd520b04f20c21dbe704a453cc6936e4
                                            • Opcode Fuzzy Hash: fc1388026c54a09b95de14390a5393f9e9ed8c547e3e5077fba47ed0ae551c4e
                                            • Instruction Fuzzy Hash: CAF090774006409AE3416754AD01B9773A8EBD4705F09D43FEF85632E0D7795C018B6D
                                            APIs
                                            • GetModuleHandleA.KERNEL32(?,00000020,?,00403775,0000000B), ref: 00406A6C
                                            • GetProcAddress.KERNEL32(00000000,?), ref: 00406A87
                                              • Part of subcall function 004069EA: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406A01
                                              • Part of subcall function 004069EA: wsprintfW.USER32 ref: 00406A3C
                                              • Part of subcall function 004069EA: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406A50
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1737527534.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Similarity
                                            • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                            • String ID:
                                            • API String ID: 2547128583-0
                                            • Opcode ID: a89557e88259ac32882439a66efe2bded2b7fe37332f597cb2162f61758b0433
                                            • Instruction ID: d56d102e99fd3101cdb8aec338c2f50177d10d048057f994065b24068ac66ad8
                                            • Opcode Fuzzy Hash: a89557e88259ac32882439a66efe2bded2b7fe37332f597cb2162f61758b0433
                                            • Instruction Fuzzy Hash: 28E086326042215BD210A6705D08D3773A89BD5740306853EF95AF2040DB38DC35AB7E
                                            APIs
                                            • FreeLibrary.KERNELBASE(?,74DF3420,00000000,74DF2EE0,00403C7E,C:\Users\user\AppData\Local\Temp\,00403B96,?), ref: 00403CC1
                                            • GlobalFree.KERNEL32(?), ref: 00403CC8
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1737527534.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Similarity
                                            • API ID: Free$GlobalLibrary
                                            • String ID:
                                            • API String ID: 1100898210-0
                                            • Opcode ID: 52bae1a00f641985f8d901fbc550cdcf9aca1cab1693d867321a06d4c530aff9
                                            • Instruction ID: 71155446bc0b73c9347c443766f8a52f6ca226953ad014e307e6a41b6b2137c9
                                            • Opcode Fuzzy Hash: 52bae1a00f641985f8d901fbc550cdcf9aca1cab1693d867321a06d4c530aff9
                                            • Instruction Fuzzy Hash: 8DE0123360A62097D6316F45FE0875EB76DAF44B22F05407BEC84BB26087745D428BE8
                                            APIs
                                            • GetFileAttributesW.KERNELBASE(00000003,00403113,C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe,80000000,00000003), ref: 00406181
                                            • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 004061A3
                                            APIs
                                            • GetFileAttributesW.KERNELBASE(?,?,00405D5D,?,?,00000000,00405F33,?,?,?,?), ref: 0040615D
                                            • SetFileAttributesW.KERNELBASE(?,00000000), ref: 00406171
                                            APIs
                                            • CreateDirectoryW.KERNELBASE(?,00000000,00403658,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403948), ref: 00405C41
                                            • GetLastError.KERNEL32 ref: 00405C4F
                                            APIs
                                            • SetFilePointer.KERNELBASE(00000000,?,00000000,?,?), ref: 004028AF
                                              • Part of subcall function 004065D4: wsprintfW.USER32 ref: 004065E1
                                            APIs
                                            • FindNextFileW.KERNELBASE(00000000,?,?), ref: 004028F2
                                            APIs
                                            • RegCreateKeyExW.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402E57,00000000,?,?), ref: 00406551
                                            APIs
                                            • WriteFile.KERNELBASE(?,00000000,00000000,00000000,00000000,00419DBB,00416A50,0040359E,00416A50,00419DBB,0040CE90,afii10065afii10066afii10067afii10068afii10069afii10070afii10072afii10073afii10074afii10075afii10076afii10077afii10078afii10079afii10080afii10081afii10082afii10083afii10084afii10085afii10086afii10087afii10088afii10089afii10090afii10091,00004000,?,00000000,004033C8), ref: 00406243
                                            APIs
                                            • RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,?,?,?,?,?,00406588,?,00000000,?,?,Remove folder: ,?), ref: 0040651E
                                            APIs
                                              • Part of subcall function 004066CA: lstrcatW.KERNEL32(Remove folder: ,\Microsoft\Internet Explorer\Quick Launch,?,?,?,?,?,?,?,?,?,004030A8,00000000,?), ref: 0040686F
                                              • Part of subcall function 004066CA: lstrlenW.KERNEL32(Remove folder: ,00000000,Remove folder: C:\Users\user\AppData\Local\Temp\nsu5978.tmp\,?,00405726,Remove folder: C:\Users\user\AppData\Local\Temp\nsu5978.tmp\,00000000), ref: 004068C9
                                            • SetDlgItemTextW.USER32(?,?,00000000), ref: 00404603
                                            APIs
                                            • SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404647
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1737527534.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: MessageSend
                                            • String ID:
                                            • API String ID: 3850602802-0
                                            APIs
                                            • SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040331D,?), ref: 0040362B
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1737527534.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: FilePointer
                                            • String ID:
                                            • API String ID: 973152223-0
                                            APIs
                                            • SendMessageW.USER32(00000028,?,00000001,00404449), ref: 0040462C
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1737527534.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: MessageSend
                                            • String ID:
                                            • API String ID: 3850602802-0
                                            APIs
                                            • ShellExecuteExW.SHELL32(?), ref: 00405CC2
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1737527534.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: ExecuteShell
                                            • String ID:
                                            • API String ID: 587946157-0
                                            APIs
                                            • KiUserCallbackDispatcher.NTDLL(?,004043E2), ref: 00404615
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1737527534.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: CallbackDispatcherUser
                                            • String ID:
                                            • API String ID: 2492992576-0
                                            APIs
                                              • Part of subcall function 004056EF: lstrlenW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsu5978.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000,?), ref: 00405727
                                              • Part of subcall function 004056EF: lstrlenW.KERNEL32(004030A8,Remove folder: C:\Users\user\AppData\Local\Temp\nsu5978.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000), ref: 00405737
                                              • Part of subcall function 004056EF: lstrcatW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsu5978.tmp\,004030A8,004030A8,Remove folder: C:\Users\user\AppData\Local\Temp\nsu5978.tmp\,00000000,00000000,00000000), ref: 0040574A
                                              • Part of subcall function 004056EF: SetWindowTextW.USER32(Remove folder: C:\Users\user\AppData\Local\Temp\nsu5978.tmp\,Remove folder: C:\Users\user\AppData\Local\Temp\nsu5978.tmp\), ref: 0040575C
                                              • Part of subcall function 004056EF: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405782
                                              • Part of subcall function 004056EF: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040579C
                                              • Part of subcall function 004056EF: SendMessageW.USER32(?,00001013,?,00000000), ref: 004057AA
                                              • Part of subcall function 00405C70: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,004302B0,00000000,00000000), ref: 00405C99
                                              • Part of subcall function 00405C70: CloseHandle.KERNEL32(?), ref: 00405CA6
                                            • CloseHandle.KERNELBASE(?,?,?,?,?,?), ref: 00401FEB
                                              • Part of subcall function 00406B05: WaitForSingleObject.KERNEL32(?,00000064), ref: 00406B16
                                              • Part of subcall function 00406B05: GetExitCodeProcess.KERNEL32(?,?), ref: 00406B38
                                              • Part of subcall function 004065D4: wsprintfW.USER32 ref: 004065E1
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1737527534.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
                                            • String ID:
                                            • API String ID: 2972824698-0
                                            APIs
                                            • Sleep.KERNELBASE(00000000), ref: 004014EA
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1737527534.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: Sleep
                                            • String ID:
                                            • API String ID: 3472027048-0
                                            APIs
                                            • GetDlgItem.USER32(?,000003FB), ref: 00404B29
                                            • SetWindowTextW.USER32(00000000,?), ref: 00404B53
                                            • SHBrowseForFolderW.SHELL32(?), ref: 00404C04
                                            • CoTaskMemFree.OLE32(00000000), ref: 00404C0F
                                            • lstrcmpiW.KERNEL32(Remove folder: ,0042D2A8,00000000,?,?), ref: 00404C41
                                            • lstrcatW.KERNEL32(?,Remove folder: ), ref: 00404C4D
                                            • SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404C5F
                                              • Part of subcall function 00405CD1: GetDlgItemTextW.USER32(?,?,00000400,00404C96), ref: 00405CE4
                                              • Part of subcall function 00406914: CharNextW.USER32(?,*?|<>/":,00000000,00000000,74DF3420,C:\Users\user\AppData\Local\Temp\,?,00403640,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403948), ref: 00406977
                                              • Part of subcall function 00406914: CharNextW.USER32(?,?,?,00000000,?,00403640,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403948), ref: 00406986
                                              • Part of subcall function 00406914: CharNextW.USER32(?,00000000,74DF3420,C:\Users\user\AppData\Local\Temp\,?,00403640,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403948), ref: 0040698B
                                              • Part of subcall function 00406914: CharPrevW.USER32(?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,?,00403640,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403948), ref: 0040699E
                                            • GetDiskFreeSpaceW.KERNEL32(0042B278,?,?,0000040F,?,0042B278,0042B278,?,00000001,0042B278,?,?,000003FB,?), ref: 00404D22
                                            • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404D3D
                                              • Part of subcall function 00404E96: lstrlenW.KERNEL32(0042D2A8,0042D2A8,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404F37
                                              • Part of subcall function 00404E96: wsprintfW.USER32 ref: 00404F40
                                              • Part of subcall function 00404E96: SetDlgItemTextW.USER32(?,0042D2A8), ref: 00404F53
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1737527534.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                            • String ID: A$C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor$Remove folder:
                                            • API String ID: 2624150263-2902482024
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1737527534.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1737527534.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            APIs
                                            • GetDlgItem.USER32(?,000003F9), ref: 0040506E
                                            • GetDlgItem.USER32(?,00000408), ref: 00405079
                                            • GlobalAlloc.KERNEL32(00000040,?), ref: 004050C3
                                            • LoadImageW.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 004050DA
                                            • SetWindowLongW.USER32(?,000000FC,00405663), ref: 004050F3
                                            • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00405107
                                            • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00405119
                                            • SendMessageW.USER32(?,00001109,00000002), ref: 0040512F
                                            • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 0040513B
                                            • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 0040514D
                                            • DeleteObject.GDI32(00000000), ref: 00405150
                                            • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 0040517B
                                            • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00405187
                                            • SendMessageW.USER32(?,00001132,00000000,?), ref: 00405222
                                            • SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00405252
                                              • Part of subcall function 0040461E: SendMessageW.USER32(00000028,?,00000001,00404449), ref: 0040462C
                                            • SendMessageW.USER32(?,00001132,00000000,?), ref: 00405266
                                            • GetWindowLongW.USER32(?,000000F0), ref: 00405294
                                            • SetWindowLongW.USER32(?,000000F0,00000000), ref: 004052A2
                                            • ShowWindow.USER32(?,00000005), ref: 004052B2
                                            • SendMessageW.USER32(?,00000419,00000000,?), ref: 004053AD
                                            • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00405412
                                            • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00405427
                                            • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 0040544B
                                            • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 0040546B
                                            • ImageList_Destroy.COMCTL32(?), ref: 00405480
                                            • GlobalFree.KERNEL32(?), ref: 00405490
                                            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405509
                                            • SendMessageW.USER32(?,00001102,?,?), ref: 004055B2
                                            • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 004055C1
                                            • InvalidateRect.USER32(?,00000000,00000001), ref: 004055EC
                                            • ShowWindow.USER32(?,00000000), ref: 0040563A
                                            • GetDlgItem.USER32(?,000003FE), ref: 00405645
                                            • ShowWindow.USER32(00000000), ref: 0040564C
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1737527534.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Similarity
                                            • API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                            • String ID: $M$N
                                            APIs
                                            • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                            • BeginPaint.USER32(?,?), ref: 00401047
                                            • GetClientRect.USER32(?,?), ref: 0040105B
                                            • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                            • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                            • DeleteObject.GDI32(?), ref: 004010ED
                                            • CreateFontIndirectW.GDI32(?), ref: 00401105
                                            • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                            • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                            • SelectObject.GDI32(00000000,?), ref: 00401140
                                            • DrawTextW.USER32(00000000,00433F40,000000FF,00000010,00000820), ref: 00401156
                                            • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                            • DeleteObject.GDI32(?), ref: 00401165
                                            • EndPaint.USER32(?,?), ref: 0040116E
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1737527534.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Similarity
                                            • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                            • String ID: F
                                            APIs
                                            • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,0040646E,?,?), ref: 0040630E
                                            • GetShortPathNameW.KERNEL32(?,00430948,00000400), ref: 00406317
                                              • Part of subcall function 004060E2: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004063C7,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060F2
                                              • Part of subcall function 004060E2: lstrlenA.KERNEL32(00000000,?,00000000,004063C7,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406124
                                            • GetShortPathNameW.KERNEL32(?,00431148,00000400), ref: 00406334
                                            • wsprintfA.USER32 ref: 00406352
                                            • GetFileSize.KERNEL32(00000000,00000000,00431148,C0000000,00000004,00431148,?,?,?,?,?), ref: 0040638D
                                            • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 0040639C
                                            • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004063D4
                                            • SetFilePointer.KERNEL32(0040A5B0,00000000,00000000,00000000,00000000,00430548,00000000,-0000000A,0040A5B0,00000000,[Rename],00000000,00000000,00000000), ref: 0040642A
                                            • GlobalFree.KERNEL32(00000000), ref: 0040643B
                                            • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00406442
                                              • Part of subcall function 0040617D: GetFileAttributesW.KERNELBASE(00000003,00403113,C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe,80000000,00000003), ref: 00406181
                                              • Part of subcall function 0040617D: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 004061A3
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1737527534.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Similarity
                                            • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                                            • String ID: %ls=%ls$HC$[Rename]
                                            APIs
                                            • GetWindowLongW.USER32(?,000000EB), ref: 0040466D
                                            • GetSysColor.USER32(00000000), ref: 004046AB
                                            • SetTextColor.GDI32(?,00000000), ref: 004046B7
                                            • SetBkMode.GDI32(?,?), ref: 004046C3
                                            • GetSysColor.USER32(?), ref: 004046D6
                                            • SetBkColor.GDI32(?,?), ref: 004046E6
                                            • DeleteObject.GDI32(?), ref: 00404700
                                            • CreateBrushIndirect.GDI32(?), ref: 0040470A
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1737527534.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Similarity
                                            • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                            APIs
                                            • ReadFile.KERNEL32(?,?,?,?), ref: 00402758
                                            • MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402793
                                            • SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004027B6
                                            • MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004027CC
                                              • Part of subcall function 0040625E: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00406274
                                            • SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 00402878
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1737527534.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Similarity
                                            • API ID: File$Pointer$ByteCharMultiWide$Read
                                            • String ID: 9
                                            APIs
                                            • CharNextW.USER32(?,*?|<>/":,00000000,00000000,74DF3420,C:\Users\user\AppData\Local\Temp\,?,00403640,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403948), ref: 00406977
                                            • CharNextW.USER32(?,?,?,00000000,?,00403640,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403948), ref: 00406986
                                            • CharNextW.USER32(?,00000000,74DF3420,C:\Users\user\AppData\Local\Temp\,?,00403640,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403948), ref: 0040698B
                                            • CharPrevW.USER32(?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,?,00403640,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403948), ref: 0040699E
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1737527534.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Similarity
                                            • API ID: Char$Next$Prev
                                            • String ID: *?|<>/":$C:\Users\user\AppData\Local\Temp\
                                            APIs
                                            • DestroyWindow.USER32(00000000,00000000), ref: 00403049
                                            • GetTickCount.KERNEL32 ref: 00403067
                                            • wsprintfW.USER32 ref: 00403095
                                              • Part of subcall function 004056EF: lstrlenW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsu5978.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000,?), ref: 00405727
                                              • Part of subcall function 004056EF: lstrlenW.KERNEL32(004030A8,Remove folder: C:\Users\user\AppData\Local\Temp\nsu5978.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000), ref: 00405737
                                              • Part of subcall function 004056EF: lstrcatW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsu5978.tmp\,004030A8,004030A8,Remove folder: C:\Users\user\AppData\Local\Temp\nsu5978.tmp\,00000000,00000000,00000000), ref: 0040574A
                                              • Part of subcall function 004056EF: SetWindowTextW.USER32(Remove folder: C:\Users\user\AppData\Local\Temp\nsu5978.tmp\,Remove folder: C:\Users\user\AppData\Local\Temp\nsu5978.tmp\), ref: 0040575C
                                              • Part of subcall function 004056EF: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405782
                                              • Part of subcall function 004056EF: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040579C
                                              • Part of subcall function 004056EF: SendMessageW.USER32(?,00001013,?,00000000), ref: 004057AA
                                            • CreateDialogParamW.USER32(0000006F,00000000,00402F93,00000000), ref: 004030B9
                                            • ShowWindow.USER32(00000000,00000005), ref: 004030C7
                                              • Part of subcall function 00403012: MulDiv.KERNEL32(00000000,00000064,0000336B), ref: 00403027
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1737527534.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Similarity
                                            • API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
                                            • String ID: ... %d%%
                                            APIs
                                            • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404FBF
                                            • GetMessagePos.USER32 ref: 00404FC7
                                            • ScreenToClient.USER32(?,?), ref: 00404FE1
                                            • SendMessageW.USER32(?,00001111,00000000,?), ref: 00404FF3
                                            • SendMessageW.USER32(?,0000113E,00000000,?), ref: 00405019
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1737527534.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: Message$Send$ClientScreen
                                            • String ID: f
                                            • API String ID: 41195575-1993550816
                                            • Opcode ID: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
                                            • Instruction ID: 854ec97d9aec7fbf1761168e703054b56d1c17fff8591377de73e048a42af4f7
                                            • Opcode Fuzzy Hash: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
                                            • Instruction Fuzzy Hash: F8014C31900619BADB00DBA4DD85BFFBBBCAB54B15F10012BBA50B61C0D6B49A058BA5
                                            APIs
                                            • GetDC.USER32(?), ref: 00401E51
                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E6B
                                            • MulDiv.KERNEL32(00000000,00000000), ref: 00401E73
                                            • ReleaseDC.USER32(?,00000000), ref: 00401E84
                                              • Part of subcall function 004066CA: lstrcatW.KERNEL32(Remove folder: ,\Microsoft\Internet Explorer\Quick Launch,?,?,?,?,?,?,?,?,?,004030A8,00000000,?), ref: 0040686F
                                              • Part of subcall function 004066CA: lstrlenW.KERNEL32(Remove folder: ,00000000,Remove folder: C:\Users\user\AppData\Local\Temp\nsu5978.tmp\,?,00405726,Remove folder: C:\Users\user\AppData\Local\Temp\nsu5978.tmp\,00000000), ref: 004068C9
                                            • CreateFontIndirectW.GDI32(0040CE20), ref: 00401ED3
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1737527534.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: CapsCreateDeviceFontIndirectReleaselstrcatlstrlen
                                            • String ID: MS Shell Dlg
                                            • API String ID: 2584051700-76309092
                                            • Opcode ID: 92f01be67c811d73aea03585c7e288fe3df1721f994b097e0014ee00e04dbc5a
                                            • Instruction ID: 7c51e5a73a22c87430a112b3afc2fa3cc1ee70618efc563a88b6ad89211de1e7
                                            • Opcode Fuzzy Hash: 92f01be67c811d73aea03585c7e288fe3df1721f994b097e0014ee00e04dbc5a
                                            • Instruction Fuzzy Hash: C6017571905641EFEB005BB4EE8DB9A3FB4BB16305F104A79F545B61E2C7B904058BAC
                                            APIs
                                            • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402FB1
                                            • wsprintfW.USER32 ref: 00402FE5
                                            • SetWindowTextW.USER32(?,?), ref: 00402FF5
                                            • SetDlgItemTextW.USER32(?,00000406,?), ref: 00403007
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1737527534.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: Text$ItemTimerWindowwsprintf
                                            • String ID: unpacking data: %d%%$verifying installer: %d%%
                                            • API String ID: 1451636040-1158693248
                                            • Opcode ID: 1544cb4517f93d8949c53ea1ad77390297e2a2b2a304bbe75cac4b66005c9a0b
                                            • Instruction ID: d2bb70d987cc30a978c8a103495d1f2f68561e9b24ca436dc3171362fb91f73a
                                            • Opcode Fuzzy Hash: 1544cb4517f93d8949c53ea1ad77390297e2a2b2a304bbe75cac4b66005c9a0b
                                            • Instruction Fuzzy Hash: FFF0367050020DABEF206F50DD4ABEA3B69EB00309F00813AF615B51D0DBB999559F59
                                            APIs
                                            • RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402EFD
                                            • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402F49
                                            • RegCloseKey.ADVAPI32(?,?,?), ref: 00402F52
                                            • RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F69
                                            • RegCloseKey.ADVAPI32(?,?,?), ref: 00402F74
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1737527534.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: CloseEnum$DeleteValue
                                            • String ID:
                                            • API String ID: 1354259210-0
                                            • Opcode ID: 1bc60eb0e66f615d2d3d061c5866a638354d38a2b8b306f581c9a959db7e233a
                                            • Instruction ID: 6b95dc3500511dce4e5de31b38d7436f6fd5a8a345ad3081b8d117c02f9ef813
                                            • Opcode Fuzzy Hash: 1bc60eb0e66f615d2d3d061c5866a638354d38a2b8b306f581c9a959db7e233a
                                            • Instruction Fuzzy Hash: EB212A7150010ABFDF11AF90CE89EEF7B7DEB54384F110076F909B21A0D7B59E54AA68
                                            APIs
                                            • lstrlenW.KERNEL32(0042D2A8,0042D2A8,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404F37
                                            • wsprintfW.USER32 ref: 00404F40
                                            • SetDlgItemTextW.USER32(?,0042D2A8), ref: 00404F53
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1737527534.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: ItemTextlstrlenwsprintf
                                            • String ID: %u.%u%s%s
                                            • API String ID: 3540041739-3551169577
                                            • Opcode ID: 397c4eefef7c4fd46db2786e05f81ea67758746fc016b33e0f79fd620f39338b
                                            • Instruction ID: 95f330d89eb615a081aaf18d4b62896d2d727392bfc7759752ebdb1328b7b6c0
                                            • Opcode Fuzzy Hash: 397c4eefef7c4fd46db2786e05f81ea67758746fc016b33e0f79fd620f39338b
                                            • Instruction Fuzzy Hash: 5211D87390412837DB0065ADDC41EAF3298EB81339F150637FA26F21D1D979C82642E8
                                            APIs
                                            • CharNextW.USER32(?,?,C:\,?,0040607B,C:\,C:\,74DF3420,?,74DF2EE0,00405DB9,?,74DF3420,74DF2EE0,00000000), ref: 00406015
                                            • CharNextW.USER32(00000000), ref: 0040601A
                                            • CharNextW.USER32(00000000), ref: 00406032
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1737527534.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: CharNext
                                            • String ID: C:\
                                            • API String ID: 3213498283-3404278061
                                            • Opcode ID: 57a0f749dedf01e66309fd0a2db08218b059d7c159d1474e7fdd1c0f95484055
                                            • Instruction ID: 128a25df78dd06359cb7b9c1fd5de48d27faf8bc0378c0985d39fa9dfcfcc245
                                            • Opcode Fuzzy Hash: 57a0f749dedf01e66309fd0a2db08218b059d7c159d1474e7fdd1c0f95484055
                                            • Instruction Fuzzy Hash: 73F0F62199072195DF31F6584C54A7756BCEB55391B02803FD642B71C1D3F94CA082DA
                                            APIs
                                            • lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403652,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403948), ref: 00405F62
                                            • CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403652,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403948), ref: 00405F6C
                                            • lstrcatW.KERNEL32(?,0040A014), ref: 00405F7E
                                            Strings
                                            • C:\Users\user\AppData\Local\Temp\, xrefs: 00405F5C
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1737527534.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: CharPrevlstrcatlstrlen
                                            • String ID: C:\Users\user\AppData\Local\Temp\
                                            • API String ID: 2659869361-3081826266
                                            • Opcode ID: 7317fb0b60a0da6156192e69c80d181f5022b3d5f83b8f009beaa75eacd33bdb
                                            • Instruction ID: f916046b62cc2aa89770169b94aadace9c2e82a4a7df0b7432f73ae3ee9d266f
                                            • Opcode Fuzzy Hash: 7317fb0b60a0da6156192e69c80d181f5022b3d5f83b8f009beaa75eacd33bdb
                                            • Instruction Fuzzy Hash: 4AD0A731111930ABC1116B459C04CDF629CAE85300341083BF501B31E0C77D1D628BFD
                                            APIs
                                            • lstrlenA.KERNEL32(open C:\Windows\explorer.exe), ref: 00402695
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1737527534.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: lstrlen
                                            • String ID: C:\Users\user\AppData\Roaming\Reincubate\BlackBerry Backup Extractor\BlackBerryBackupExtractor.exe$open C:\Windows\explorer.exe
                                            • API String ID: 1659193697-1021091799
                                            • Opcode ID: 339cda3b6240c2b4372ebba86d340f3574c2dbc1eb9f31013044c8f79a9c9593
                                            • Instruction ID: 62d20b05a3357d934ec4866fba63d5b78b50cde32abaa7e104bc331bec961829
                                            • Opcode Fuzzy Hash: 339cda3b6240c2b4372ebba86d340f3574c2dbc1eb9f31013044c8f79a9c9593
                                            • Instruction Fuzzy Hash: D211E772E40204AACF10BFB18E4AA9E7670AF44758F21483FE002B61C1D6FD8D51479E
                                            APIs
                                            • IsWindowVisible.USER32(?), ref: 00405692
                                            • CallWindowProcW.USER32(?,?,?,?), ref: 004056E3
                                              • Part of subcall function 00404635: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404647
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1737527534.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: Window$CallMessageProcSendVisible
                                            • String ID:
                                            • API String ID: 3748168415-3916222277
                                            • Opcode ID: 14138667baaff432bd57aba462d359ac5a3867fb529480fe1940324c389a3283
                                            • Instruction ID: 49dc673acd963005c08682070ecd0f599ab8459687fb68577aa77c07b07ccbf5
                                            • Opcode Fuzzy Hash: 14138667baaff432bd57aba462d359ac5a3867fb529480fe1940324c389a3283
                                            • Instruction Fuzzy Hash: 27017131500609AFEF205F11ED91A9B3765EB84354FA04837FA09762D0D77B8CA29E6D
                                            APIs
                                            • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000800,00000000,?,00000000,?,?,Remove folder: ,?,?,004067C2,80000002), ref: 004065A1
                                            • RegCloseKey.ADVAPI32(?,?,004067C2,80000002,Software\Microsoft\Windows\CurrentVersion,Remove folder: ,Remove folder: ,Remove folder: ,00000000,Remove folder: C:\Users\user\AppData\Local\Temp\nsu5978.tmp\), ref: 004065AC
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1737527534.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: CloseQueryValue
                                            • String ID: Remove folder:
                                            • API String ID: 3356406503-1958208860
                                            • Opcode ID: c51c7f91b14884c04d5a49d2292e28a4eee82ba6fe5fe9d4b8ccfb8c6b524185
                                            • Instruction ID: e4ac7359a1b659a9f59a634dbd82e0f580ad783f88516533abd6ea308344e3a8
                                            • Opcode Fuzzy Hash: c51c7f91b14884c04d5a49d2292e28a4eee82ba6fe5fe9d4b8ccfb8c6b524185
                                            • Instruction Fuzzy Hash: 1A019E72510209BECF218F54DC05EDB3BA8EF54364F018039FD1A92190D738D968DB94
                                            APIs
                                            • lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,0040313C,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe,C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe,80000000,00000003), ref: 00405FAE
                                            • CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,0040313C,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe,C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe,80000000,00000003), ref: 00405FBE
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1737527534.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1737500897.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1737577651.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1737704959.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1737704959.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1737704959.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1737704959.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1737704959.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1737704959.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1737846798.0000000000451000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1737846798.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: CharPrevlstrlen
                                            • String ID: C:\Users\user\Desktop
                                            • API String ID: 2709904686-224404859
                                            • Opcode ID: 176def5b2db9ef34a9f22db2929791273b03e08e07d7b66f37effa829582f156
                                            • Instruction ID: 535f5ccac895b1779bb0ecd95b90d1ca11060359cda8f514803827ef2a973a34
                                            • Opcode Fuzzy Hash: 176def5b2db9ef34a9f22db2929791273b03e08e07d7b66f37effa829582f156
                                            • Instruction Fuzzy Hash: B6D05EB34119209AD712A704DD0099F67A8EF5130074A442AE441E61A1D77C5C918AA9
                                            APIs
                                            • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004063C7,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060F2
                                            • lstrcmpiA.KERNEL32(00000000,00000000), ref: 0040610A
                                            • CharNextA.USER32(00000000,?,00000000,004063C7,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 0040611B
                                            • lstrlenA.KERNEL32(00000000,?,00000000,004063C7,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406124
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1737527534.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1737500897.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1737577651.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1737704959.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1737704959.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1737704959.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1737704959.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1737704959.0000000000439000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1737704959.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1737846798.0000000000451000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1737846798.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: lstrlen$CharNextlstrcmpi
                                            • String ID:
                                            • API String ID: 190613189-0
                                            • Opcode ID: 4f145c51a58837bd7eda372618efc6ab74ada67201017ca859b4805a40dfc06b
                                            • Instruction ID: 08f1e04cea81bf1613d6e43d8f1348f64120c3bc5a4528e71377fff87bf4f4b2
                                            • Opcode Fuzzy Hash: 4f145c51a58837bd7eda372618efc6ab74ada67201017ca859b4805a40dfc06b
                                            • Instruction Fuzzy Hash: 19F0C231604018EFC7029FA8DD0099EBFA8DF06250B2640BAE841FB211D674DE11A798

                                            Execution Graph

                                            Execution Coverage:12%
                                            Dynamic/Decrypted Code Coverage:100%
                                            Signature Coverage:1.1%
                                            Total number of Nodes:275
                                            Total number of Limit Nodes:29

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3552447342.000000000B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_b8c0000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $(&^q$(bq$Hbq
                                            • API String ID: 0-1723523991
                                            • Opcode ID: 24472fdb43734c67b5aa2f84eddd6a306eb31cbfcef7a5b4cdaad147c4bcba94
                                            • Instruction ID: 4a52f1fc1e3694b8210c6eeb253f63c9e3564861526b26d4a843d6a0f43fc971
                                            • Opcode Fuzzy Hash: 24472fdb43734c67b5aa2f84eddd6a306eb31cbfcef7a5b4cdaad147c4bcba94
                                            • Instruction Fuzzy Hash: 45919EB0E002189FDB18DF69C854AAFBBF6EF88740F10852DE405EB290DB74D905CBA1

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3552447342.000000000B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_b8c0000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: fff?
                                            • API String ID: 0-4136771917
                                            • Opcode ID: 1ed90e8da8f18d5fda3800fcc2cd5dff1b16903258d3c4999827224470e7df9a
                                            • Instruction ID: cdb874e212fa774312e75e441aca6cee31040c062330281f11b29646e57ffed9
                                            • Opcode Fuzzy Hash: 1ed90e8da8f18d5fda3800fcc2cd5dff1b16903258d3c4999827224470e7df9a
                                            • Instruction Fuzzy Hash: 6D62293580061ADFCF11DF50C884ADAB7B2FF99304F1586D5E909AB261EB71AAD5CF80

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3552349607.000000000B850000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B850000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_b850000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 777e4195ac3b79358e325abd6d20dfc273c1d8fb898f26d63fc3c628eed6b4af
                                            • Instruction ID: 3c41e783dba369d87e6b0e7fc285ff4a5dee080fed481a1162f3d3f3484f23a3
                                            • Opcode Fuzzy Hash: 777e4195ac3b79358e325abd6d20dfc273c1d8fb898f26d63fc3c628eed6b4af
                                            • Instruction Fuzzy Hash: 35D12D74A00309CFDB14DFA9C848B9DBBF2BF48305F158569E819EB2A5DB70DA85CB41
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3552447342.000000000B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_b8c0000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 860ce59d20725aac7c6b0b0b6e84cc24d3ea19c3a67c3de4c4e82db96245a0b7
                                            • Instruction ID: a5dcacba929810e84495fc6baf0e4c5977f5a33e9ff482428297288c4834e286
                                            • Opcode Fuzzy Hash: 860ce59d20725aac7c6b0b0b6e84cc24d3ea19c3a67c3de4c4e82db96245a0b7
                                            • Instruction Fuzzy Hash: DE521C75900619CFCB21DF68C844AEAB7B1FF49304F1485D9E949AB271EB31EA86CF41
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3552447342.000000000B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_b8c0000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0e43778ede5f51f1bc69427d66ff0e8cc6a55985ac8c1afdad30b7b97ceef448
                                            • Instruction ID: 4b4747865cf510fcd97adad380df5575409dcb80af24d0f7b074df9c7f4520a2
                                            • Opcode Fuzzy Hash: 0e43778ede5f51f1bc69427d66ff0e8cc6a55985ac8c1afdad30b7b97ceef448
                                            • Instruction Fuzzy Hash: 08323875900619CFDB21DF64C984BDAB7B2BF49300F1485E9E509AB260EB71EE85CF41

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3552447342.000000000B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_b8c0000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: (bq$(bq$(bq
                                            • API String ID: 0-2716923250
                                            • Opcode ID: 02d0554ba72e9567c9d7d63f5c6619c4fe33e096ca695fc8817806f5ff0ee0a9
                                            • Instruction ID: b6cc527c60af1b8d1e5601b2d9653bb3b40d51a3a04c558b0340de356902479e
                                            • Opcode Fuzzy Hash: 02d0554ba72e9567c9d7d63f5c6619c4fe33e096ca695fc8817806f5ff0ee0a9
                                            • Instruction Fuzzy Hash: 52813AB5E002599FCF14DFA9D884AEEBBF5FF88310F10846AE915E3250DB349911CBA5

                                            APIs
                                            • SHILCreateFromPath.SHELL32(00000000,?,?), ref: 1209B32F
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3555079880.0000000012090000.00000040.00000800.00020000.00000000.sdmp, Offset: 12090000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_12090000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID: CreateFromPath
                                            • String ID: Q-H3
                                            • API String ID: 2014392061-1700438896
                                            • Opcode ID: 8ad0f9729d32ab4c4b1e290b266086a7baad8a0517b45e3fe2de29f36c6b8825
                                            • Instruction ID: 1caf99af317386c1889a838682fe557dfbca2922bf2e5b3ae5a4d9b8a076d095
                                            • Opcode Fuzzy Hash: 8ad0f9729d32ab4c4b1e290b266086a7baad8a0517b45e3fe2de29f36c6b8825
                                            • Instruction Fuzzy Hash: E521E3B2C017489FCB14CF9AD584ADEFBF4FB48324F60816EE919A7200D3756A45CBA5

                                            APIs
                                            • GetActiveWindow.USER32 ref: 12099281
                                            • GetProcessWindowStation.USER32 ref: 120995BD
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3555079880.0000000012090000.00000040.00000800.00020000.00000000.sdmp, Offset: 12090000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_12090000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID: Window$ActiveProcessStation
                                            • String ID:
                                            • API String ID: 2153864693-0
                                            • Opcode ID: 6a5549c386c7baf91b2bd418364c2c1dba0ec17f6e7dc408d0541c7bd265eb6a
                                            • Instruction ID: e08a7bca61cb8b5b8c42f5eb77a24f5d7cb304e129da7c31e666b9e6b210787b
                                            • Opcode Fuzzy Hash: 6a5549c386c7baf91b2bd418364c2c1dba0ec17f6e7dc408d0541c7bd265eb6a
                                            • Instruction Fuzzy Hash: 0CA19DB1E002498FDB05DFA9C49869EBFF6EF88314F108569D80AAB380DB749845DB91

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3555079880.0000000012090000.00000040.00000800.00020000.00000000.sdmp, Offset: 12090000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_12090000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID: ActiveFocusWindow
                                            • String ID:
                                            • API String ID: 2022189218-0
                                            • Opcode ID: e68bf04b3f3538e5fabaeb166af4ee2988fb7516e1bda09bf651bc98b268d903
                                            • Instruction ID: 19ed0b72a7f6bffa0b8e5ef5abd42800efd882aefe8743c228f1fbefd52dd0ab
                                            • Opcode Fuzzy Hash: e68bf04b3f3538e5fabaeb166af4ee2988fb7516e1bda09bf651bc98b268d903
                                            • Instruction Fuzzy Hash: 85A1C1B5A0434A8FDB01DF69C984BABBBF9EF84304F158599E40ADB251C734EC44DBA1

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3552447342.000000000B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_b8c0000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: PH^q$PH^q
                                            • API String ID: 0-1598597984
                                            • Opcode ID: 29913c56ccffd3759b9f778a0b87fbcaba784a4dbe9439d459f2fb3fea66895b
                                            • Instruction ID: fe60161fac7ee0bae63bd33f62966a3ddb65f92200ba80091ef8a5309d102701
                                            • Opcode Fuzzy Hash: 29913c56ccffd3759b9f778a0b87fbcaba784a4dbe9439d459f2fb3fea66895b
                                            • Instruction Fuzzy Hash: 0162E874A14619CFCB15EF78C895AEDB7B1BF49300F5086E9D549AB260EB30AE81CF41

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3552447342.000000000B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_b8c0000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: (bq$(bq
                                            • API String ID: 0-4224401849
                                            • Opcode ID: c56806681276d6f41678de19b16affd0155c66e84ec0e4a4773ae6b510227523
                                            • Instruction ID: 5ade6caccb302b9e54c252059facae641cab1d7402e4fe2c33f02f1001dc6453
                                            • Opcode Fuzzy Hash: c56806681276d6f41678de19b16affd0155c66e84ec0e4a4773ae6b510227523
                                            • Instruction Fuzzy Hash: DA712079A003549FCB15EB68D8507AE7BB2EF85210F1484AEE906DB2A1DF35DC42CB91
                                            APIs
                                            • GetActiveWindow.USER32 ref: 12099281
                                            • GetProcessWindowStation.USER32 ref: 120995BD
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3555079880.0000000012090000.00000040.00000800.00020000.00000000.sdmp, Offset: 12090000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_12090000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID: Window$ActiveProcessStation
                                            • String ID:
                                            • API String ID: 2153864693-0
                                            • Opcode ID: 34b9e335065b78eca87ffb34947c63a44a4f68b2131a8a2bcd74a5950a4e5339
                                            • Instruction ID: d81531129fe65d9488564bff891f68940df517a7f97b8ed122d620d6549cf2d4
                                            • Opcode Fuzzy Hash: 34b9e335065b78eca87ffb34947c63a44a4f68b2131a8a2bcd74a5950a4e5339
                                            • Instruction Fuzzy Hash: 5C6169B5E00259CFDB04DFA9C498A9EBFF6EF88310F108519D81AAB394DB349845DF91
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3555079880.0000000012090000.00000040.00000800.00020000.00000000.sdmp, Offset: 12090000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_12090000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 202b747854afb3f3fe61bbffe788d0eaddcc61168d5524dbb9062783cb893e0d
                                            • Instruction ID: a21de368e9a8c10ad436f2b7baf24eecb9452bf33042ecdaf3c9602351b5ae13
                                            • Opcode Fuzzy Hash: 202b747854afb3f3fe61bbffe788d0eaddcc61168d5524dbb9062783cb893e0d
                                            • Instruction Fuzzy Hash: AF518872E04248DFCB04CFA9D884AEEBFF5EF48314F5485AAD40AE7251D730AA44DB50
                                            APIs
                                            • CreateActCtxA.KERNEL32(?), ref: 052E8F11
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3548818152.00000000052E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_52e0000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID: Create
                                            • String ID:
                                            • API String ID: 2289755597-0
                                            • Opcode ID: 734fb9f3046457d0db445f712fbbc8f81f6160c82d24c400565551ab6fca2cf8
                                            • Instruction ID: 2f38585f1a654a7a668ec5e8fae1a541bc050d867bdcdaa271bf39e7498e0a55
                                            • Opcode Fuzzy Hash: 734fb9f3046457d0db445f712fbbc8f81f6160c82d24c400565551ab6fca2cf8
                                            • Instruction Fuzzy Hash: 91510FB1C00719CEDB24CFA9C844BDEBBF5BF48314F60806AD459AB251DB74A946CF91
                                            APIs
                                            • CreateActCtxA.KERNEL32(?), ref: 052E8F11
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3548818152.00000000052E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_52e0000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID: Create
                                            • String ID:
                                            • API String ID: 2289755597-0
                                            • Opcode ID: fa47ef913a790c40eba0c4d5f9ae58cd7aae756b6508ee85c8a9c5720965c23e
                                            • Instruction ID: e133c1868f652144826f31c0c51677595cfe8af79f0d6fcb0920033579886049
                                            • Opcode Fuzzy Hash: fa47ef913a790c40eba0c4d5f9ae58cd7aae756b6508ee85c8a9c5720965c23e
                                            • Instruction Fuzzy Hash: 9041F0B0C1071DCBDB24DFA9C844B9EBBF6BF48304F60806AD419AB251DBB56946CF91
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3548818152.00000000052E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_52e0000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID: CreateFromIconResource
                                            • String ID:
                                            • API String ID: 3668623891-0
                                            • Opcode ID: 459d3bc16ad94787e672cdb305c2ec9173c184b36e14f485b74baeb9c9a6bda4
                                            • Instruction ID: c3343d9b109a84164ac5e84e74ba8588abaf9ca70997ab4e00bb86266ef59947
                                            • Opcode Fuzzy Hash: 459d3bc16ad94787e672cdb305c2ec9173c184b36e14f485b74baeb9c9a6bda4
                                            • Instruction Fuzzy Hash: 5C31DE719043899FCB118FA9D840AEEBFF8EF0A310F14805AE554A7261C3359850DFA1
                                            APIs
                                            • SHCreateShellItem.SHELL32(00000000,00000000,?,?), ref: 1209B3E9
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3555079880.0000000012090000.00000040.00000800.00020000.00000000.sdmp, Offset: 12090000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_12090000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID: CreateItemShell
                                            • String ID:
                                            • API String ID: 2884959600-0
                                            • Opcode ID: 10081454d1348b9558d50b7470b64b6fac7bd69f4efebfcdc4a7f8895cb78738
                                            • Instruction ID: 4714bd158b79fc6db142ebd6e074044d979b29c999ad1eb9747761032bcd9f05
                                            • Opcode Fuzzy Hash: 10081454d1348b9558d50b7470b64b6fac7bd69f4efebfcdc4a7f8895cb78738
                                            • Instruction Fuzzy Hash: 2B3102B1D10208DFDB10CFA9D884BDEBBF5EB08314F50812AE509AB250D775A945EFA1
                                            APIs
                                            • SHCreateShellItem.SHELL32(00000000,00000000,?,?), ref: 1209B3E9
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3555079880.0000000012090000.00000040.00000800.00020000.00000000.sdmp, Offset: 12090000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_12090000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID: CreateItemShell
                                            • String ID:
                                            • API String ID: 2884959600-0
                                            • Opcode ID: 60d48227813f95bebc28e1a320b9c2c4c19f6bbeb7a9943623d61386cd1b7968
                                            • Instruction ID: 31451b1522b8f7c0207085ccf929eff99f3a58f255769c3d8f55a413d7b17ef2
                                            • Opcode Fuzzy Hash: 60d48227813f95bebc28e1a320b9c2c4c19f6bbeb7a9943623d61386cd1b7968
                                            • Instruction Fuzzy Hash: D13102B1D0024CEFDF10CFA9C884BDEBBF4AB09314F508129E509AB250E774A945EFA5
                                            APIs
                                            • GetClassInfoW.USER32(?,00000000), ref: 07EE7FF4
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3551575208.0000000007EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07EE0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_7ee0000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID: ClassInfo
                                            • String ID:
                                            • API String ID: 3534257612-0
                                            • Opcode ID: 62c575e71fa2aac2f105d849bdcadc2dd12cc6f0a2c9f7fbe7a0128d8501c8bf
                                            • Instruction ID: e20c248179afff90d7be1369dc56ea71fded98d0095e0b96a6fc591f1f1f9bcf
                                            • Opcode Fuzzy Hash: 62c575e71fa2aac2f105d849bdcadc2dd12cc6f0a2c9f7fbe7a0128d8501c8bf
                                            • Instruction Fuzzy Hash: FB2137B1D0130A9FDB14CF9AD885ADEFBF8FB48324F10842AE918A3240D774A544CB65
                                            APIs
                                            • EnumThreadWindows.USER32(?,00000000,?), ref: 12099C21
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3555079880.0000000012090000.00000040.00000800.00020000.00000000.sdmp, Offset: 12090000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_12090000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID: EnumThreadWindows
                                            • String ID:
                                            • API String ID: 2941952884-0
                                            • Opcode ID: 964ba6ab1ab1ee4009bb44e5e07d712330c7ce11a9d250e1fa1e0b6552ea033f
                                            • Instruction ID: 5cde53cde8ea821add306d1f1b918283ef48c63482dbfc83177e28a1a2cf4d7f
                                            • Opcode Fuzzy Hash: 964ba6ab1ab1ee4009bb44e5e07d712330c7ce11a9d250e1fa1e0b6552ea033f
                                            • Instruction Fuzzy Hash: 9D2168B1D002498FDB00CFAAC884BEEFBF4EB88320F10842AD419A7240D778A945DF61
                                            APIs
                                            • RegisterDragDrop.OLE32(?,?), ref: 0B8537EB
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3552349607.000000000B850000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B850000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_b850000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID: DragDropRegister
                                            • String ID:
                                            • API String ID: 1555377906-0
                                            • Opcode ID: dbe449e09f852dac3d596657c96d09e4b89ab5ede4704f353e1e271aa340253f
                                            • Instruction ID: 4f6208963bd8effe852f866aa0c29649c2358a1d633c3de4f3959fe90302da57
                                            • Opcode Fuzzy Hash: dbe449e09f852dac3d596657c96d09e4b89ab5ede4704f353e1e271aa340253f
                                            • Instruction Fuzzy Hash: 8221D2B0D00208EFDB14CF99D889B8EBBF5AB48714F208059E415A7260C7755845CFA5
                                            APIs
                                            • GetClassInfoW.USER32(?,00000000), ref: 07EE7FF4
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3551575208.0000000007EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07EE0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_7ee0000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID: ClassInfo
                                            • String ID:
                                            • API String ID: 3534257612-0
                                            • Opcode ID: 69942d471793eba0658841f73637b09f224668de6f1ede255272d0cb3c91355a
                                            • Instruction ID: aac941728041ca18b57a3afd62341f54e121e87e99b3fe55007344317b19f564
                                            • Opcode Fuzzy Hash: 69942d471793eba0658841f73637b09f224668de6f1ede255272d0cb3c91355a
                                            • Instruction Fuzzy Hash: F22104B1D0134A9FDB14CF9AC884ADEFBF8FB48224F14842AE818A3240D774A944CB65
                                            APIs
                                            • RegisterDragDrop.OLE32(?,?), ref: 0B8537EB
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3552349607.000000000B850000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B850000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_b850000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID: DragDropRegister
                                            • String ID:
                                            • API String ID: 1555377906-0
                                            • Opcode ID: c944332d86625a3900bfeaf89b1c71083892f133a62b94eb0283c2f0c1161295
                                            • Instruction ID: 7296a945dccf0d8e1ff1168c8a2d11aaaaa9ae503b6c15b4eba3ac6d6f9a6c75
                                            • Opcode Fuzzy Hash: c944332d86625a3900bfeaf89b1c71083892f133a62b94eb0283c2f0c1161295
                                            • Instruction Fuzzy Hash: 7521CFB0D00248EFDB18DF99D989BCEBBF5AB48714F248019E819A7360C7755845CF65
                                            APIs
                                            • EnumThreadWindows.USER32(?,00000000,?), ref: 12099C21
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3555079880.0000000012090000.00000040.00000800.00020000.00000000.sdmp, Offset: 12090000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_12090000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID: EnumThreadWindows
                                            • String ID:
                                            • API String ID: 2941952884-0
                                            APIs
                                            • SHILCreateFromPath.SHELL32(00000000,?,?), ref: 1209B32F
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3555079880.0000000012090000.00000040.00000800.00020000.00000000.sdmp, Offset: 12090000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_12090000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID: CreateFromPath
                                            • String ID:
                                            • API String ID: 2014392061-0
                                            APIs
                                            • PeekMessageW.USER32(?,?,?,?,?), ref: 0B85E370
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3552349607.000000000B850000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B850000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_b850000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID: MessagePeek
                                            • String ID:
                                            • API String ID: 2222842502-0
                                            APIs
                                            • CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,052ECD32,?,?,?,?,?), ref: 052ECDD7
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3548818152.00000000052E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_52e0000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID: CreateFromIconResource
                                            • String ID:
                                            • API String ID: 3668623891-0
                                            APIs
                                            • KiUserCallbackDispatcher.NTDLL(?,?,?,?), ref: 0B85E595
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3552349607.000000000B850000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B850000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_b850000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID: CallbackDispatcherUser
                                            • String ID:
                                            • API String ID: 2492992576-0
                                            APIs
                                            • OleInitialize.OLE32(00000000), ref: 0B85364D
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3552349607.000000000B850000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B850000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_b850000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID: Initialize
                                            • String ID:
                                            • API String ID: 2538663250-0
                                            APIs
                                            • KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,07EE3D6B,00000001,00000000,07EE3DCF), ref: 07EEDD07
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3551575208.0000000007EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07EE0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_7ee0000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID: CallbackDispatcherUser
                                            • String ID:
                                            • API String ID: 2492992576-0
                                            APIs
                                            • KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,07EE3D6B,00000001,00000000,07EE3DCF), ref: 07EEDD07
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3551575208.0000000007EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07EE0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_7ee0000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID: CallbackDispatcherUser
                                            • String ID:
                                            • API String ID: 2492992576-0
                                            APIs
                                            • PeekMessageW.USER32(?,?,?,?,?), ref: 0B85E370
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3552349607.000000000B850000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B850000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_b850000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID: MessagePeek
                                            • String ID:
                                            • API String ID: 2222842502-0
                                            APIs
                                            • KiUserCallbackDispatcher.NTDLL(?,?,?,?), ref: 0B85E595
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3552349607.000000000B850000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B850000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_b850000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID: CallbackDispatcherUser
                                            • String ID:
                                            • API String ID: 2492992576-0
                                            APIs
                                            • PostMessageW.USER32(?,?,?,?), ref: 0B85475D
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3552349607.000000000B850000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B850000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_b850000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID: MessagePost
                                            • String ID:
                                            • API String ID: 410705778-0
                                            APIs
                                            • PostMessageW.USER32(?,?,?,?), ref: 0B85475D
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3552349607.000000000B850000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B850000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_b850000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID: MessagePost
                                            • String ID:
                                            • API String ID: 410705778-0
                                            APIs
                                            • SetTimer.USER32(?,076FF598,?,?,?,?,?,?,0B853EA8,00000000,00000000,?), ref: 0B85403D
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3552349607.000000000B850000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B850000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_b850000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID: Timer
                                            • String ID:
                                            • API String ID: 2870079774-0
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3552349607.000000000B850000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B850000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_b850000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID: DispatchMessage
                                            • String ID:
                                            • API String ID: 2061451462-0
                                            APIs
                                            • RegisterDragDrop.OLE32(?,?), ref: 0B8537EB
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3552349607.000000000B850000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B850000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_b850000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID: DragDropRegister
                                            • String ID:
                                            • API String ID: 1555377906-0
                                            APIs
                                            • SetTimer.USER32(?,076FF598,?,?,?,?,?,?,0B853EA8,00000000,00000000,?), ref: 0B85403D
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3552349607.000000000B850000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B850000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_b850000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID: Timer
                                            • String ID:
                                            • API String ID: 2870079774-0
                                            APIs
                                            • OleInitialize.OLE32(00000000), ref: 0B85364D
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3552349607.000000000B850000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B850000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_b850000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID: Initialize
                                            • String ID:
                                            • API String ID: 2538663250-0
                                            APIs
                                            • OleInitialize.OLE32(00000000), ref: 0B85364D
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3552349607.000000000B850000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B850000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_b850000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID: Initialize
                                            • String ID:
                                            • API String ID: 2538663250-0
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3552349607.000000000B850000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B850000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_b850000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID: DispatchMessage
                                            • String ID:
                                            • API String ID: 2061451462-0
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3552447342.000000000B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_b8c0000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: (bq
                                            • API String ID: 0-149360118
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3552447342.000000000B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_b8c0000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: (bq
                                            • API String ID: 0-149360118
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3552447342.000000000B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_b8c0000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: (bq
                                            • API String ID: 0-149360118
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3552447342.000000000B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_b8c0000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: (bq
                                            • API String ID: 0-149360118
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3552447342.000000000B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_b8c0000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: (bq
                                            • API String ID: 0-149360118
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3552447342.000000000B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_b8c0000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Hbq
                                            • API String ID: 0-1245868
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3552447342.000000000B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_b8c0000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a7c1f7e5aa25ec4d7031923c2157035612f446a30f288bd6a149c0f742fa8b6d
                                            • Instruction ID: 5837cb56532494033bc66658182be82f9851714bfca2e8be42ef22b49da8e5d9
                                            • Opcode Fuzzy Hash: a7c1f7e5aa25ec4d7031923c2157035612f446a30f288bd6a149c0f742fa8b6d
                                            • Instruction Fuzzy Hash: 1C120675900608DFDB11DF68C888AAABBB6FF49314F1485A9E50ADB271DB32D981DF40
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3552447342.000000000B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_b8c0000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 785e4accb0ee8fe62043757a98c0d7475f47cf784b9cd319ae990ad3b95b4a17
                                            • Instruction ID: 46335b41d40bc93c90ac0879f3f32f607e719e3f592b61c2719bcb5bbfe010b1
                                            • Opcode Fuzzy Hash: 785e4accb0ee8fe62043757a98c0d7475f47cf784b9cd319ae990ad3b95b4a17
                                            • Instruction Fuzzy Hash: C0121A31900619CFCB14DF28C895AD9BBB5FF55304F1082A9D94AA7265EF34AEC6CF81
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3552447342.000000000B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_b8c0000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: abb2fabd616837aeb77d0fee9d34ce50f22e97cd93cb9574b7081eacbb4f4c63
                                            • Instruction ID: 265186410a14eeba09fd14b8a1a146d4c3e254b09c720eee8e20020f21c28dbf
                                            • Opcode Fuzzy Hash: abb2fabd616837aeb77d0fee9d34ce50f22e97cd93cb9574b7081eacbb4f4c63
                                            • Instruction Fuzzy Hash: D9F10574A00618CFDB24DB28C985BA9B7B2EF89300F1585E9D509AB362DB70ED81CF51
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3552447342.000000000B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_b8c0000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: bed019d29449394f7938079ade7f68872eafd7e9c823040c945d3b0c031d2654
                                            • Instruction ID: 4c6786b4eabebf82ed0f10cad597426cf325e9cb4608aa4d794cf47a92fac0ee
                                            • Opcode Fuzzy Hash: bed019d29449394f7938079ade7f68872eafd7e9c823040c945d3b0c031d2654
                                            • Instruction Fuzzy Hash: 88F11A75900219CFCB21DF64C944AEABBB5FF49305F1481D9E909EB261EB31EA82CF51
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3552447342.000000000B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_b8c0000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2140ae57ceb194293891aa182d2221b32f4c3d8aa51aa46e30c8540a3cc849ad
                                            • Instruction ID: 6149031a5fe10a91be316d8f3dce91939e807b25834bef9c7f1994602a4dbe3b
                                            • Opcode Fuzzy Hash: 2140ae57ceb194293891aa182d2221b32f4c3d8aa51aa46e30c8540a3cc849ad
                                            • Instruction Fuzzy Hash: 71E1F975900619DFCF15CF64C880ADAB7B6FF49304F15C199E908AB221E772EA95CF90
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3552447342.000000000B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_b8c0000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f1ba40dd992e97d7db8416ef2f99995a192b9de5d873d2d2cd217b969582cb93
                                            • Instruction ID: 8eeab4549e98e5e08c3435160010e853a095f2bbfa0a346c1101a10aa63e125b
                                            • Opcode Fuzzy Hash: f1ba40dd992e97d7db8416ef2f99995a192b9de5d873d2d2cd217b969582cb93
                                            • Instruction Fuzzy Hash: 6791F87190071ADFCB01DF68C884999FBF5FF59310B14879AE819EB266E730E985CB80
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3550247368.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_7670000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 79bf8c5830d06a5e5ac5e1010e9605ece4453dfb7255069daade38b4b94581e2
                                            • Instruction ID: f91d6f8ba2a1a396bbc72df6da5fed26ff36b8a12ba29a30778299d83b1383ed
                                            • Opcode Fuzzy Hash: 79bf8c5830d06a5e5ac5e1010e9605ece4453dfb7255069daade38b4b94581e2
                                            • Instruction Fuzzy Hash: 297158B290E3D19FCB038B759C240867FB1BE8725431E41EBD085DF5A3D639594ACBA2
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3552447342.000000000B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_b8c0000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a09a09a92697f380b6027bcdc1ced09a8c12934890af1a611743aa5fc846c9e2
                                            • Instruction ID: bfa06157d04dbfceb4b63a7037be8b070c4d14d437e0f24f2deda517e6f10297
                                            • Opcode Fuzzy Hash: a09a09a92697f380b6027bcdc1ced09a8c12934890af1a611743aa5fc846c9e2
                                            • Instruction Fuzzy Hash: DC6127B4A0060ADFCB21DF69C5849AFBBF5FF88350B10C96AE859D7620D730E915CB91
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3550247368.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_7670000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 3eabeca490ec6eab64b4e94dcbe07943ce297c56d9ad7d2b950ec35fb1592780
                                            • Instruction ID: c5fe9cc565085e4d4aa6c73e16ca406f7d423cafd57c0cfdeb90358cacbee536
                                            • Opcode Fuzzy Hash: 3eabeca490ec6eab64b4e94dcbe07943ce297c56d9ad7d2b950ec35fb1592780
                                            • Instruction Fuzzy Hash: 77519BB250E3C09FC7138B748CA56957FB1AF53284B1A41D7D482CF1B3E6299A4AC762
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3552447342.000000000B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_b8c0000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 69be69fba225aa5b4d99e6708b4d36a071e74303653b088c6520f38d1ca7304f
                                            • Instruction ID: e58c9a5627950ea44c3b05e803207027c9f961c8ee1d59ba3f6fb062e8250255
                                            • Opcode Fuzzy Hash: 69be69fba225aa5b4d99e6708b4d36a071e74303653b088c6520f38d1ca7304f
                                            • Instruction Fuzzy Hash: 8251D575A00209DFCB00CFA8D88499EFBB1FF88355B14C65AE819AB321D731E956CB90
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3550247368.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_7670000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: eb1e7d00ba524551e87f70b2c0fc3fa2d40e33ad782d0cd3d07666087be6cc9a
                                            • Instruction ID: 48ddcc63c1a799276fc63e971618f8675a562bf4b46f6083769b05b369ddcec3
                                            • Opcode Fuzzy Hash: eb1e7d00ba524551e87f70b2c0fc3fa2d40e33ad782d0cd3d07666087be6cc9a
                                            • Instruction Fuzzy Hash: 6131E16551E3D04FC7136B7A58620853FB1AE4319438B41DBC4C2CF6B3D62A9D4AC7A3
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3550247368.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_7670000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a9db9a99f5b46e0da92b5233f2842db65071d4f33459a310d38e9cd11232b875
                                            • Instruction ID: 628df35f362ee444f73cbced6667ebc8b8280688c4094c82c84a3eb723fc65d1
                                            • Opcode Fuzzy Hash: a9db9a99f5b46e0da92b5233f2842db65071d4f33459a310d38e9cd11232b875
                                            • Instruction Fuzzy Hash: AC31AA6501E7D18FCB239B3188A54803FB0AE5325839E41DBD1C5CF1B3D22A9A4AC773
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3550247368.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_7670000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0ec7366a7b3bc214dc3cac6dab15f986a3799827b43b9364436747b08e38763c
                                            • Instruction ID: fe8914dee82277543db8c6cc2e263d208e924a0ca7c9ebed8eab8ebd550b9db3
                                            • Opcode Fuzzy Hash: 0ec7366a7b3bc214dc3cac6dab15f986a3799827b43b9364436747b08e38763c
                                            • Instruction Fuzzy Hash: F731267500E3C49FC7139B7588668843FB0AE1725436B41EBD096CF2B3C22A9D4ADB63
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3552447342.000000000B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_b8c0000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c09c1f8ad6f08accf2f519d6485d8807508fa27f4e8b534267b5976f3e782255
                                            • Instruction ID: 5d43cea33636e49f2565feead759e6c76338a174733f16a7279d2732529abb2f
                                            • Opcode Fuzzy Hash: c09c1f8ad6f08accf2f519d6485d8807508fa27f4e8b534267b5976f3e782255
                                            • Instruction Fuzzy Hash: 9D3155B1B042244BCB26FB7CD494AAF77A6CFC5711F14082ED44ADB3A0CE34D84187A6
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3552447342.000000000B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_b8c0000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 625fcac5cd71957f07832b7573503c6c27bdca2c14f41e8ccdbcd58c33792db4
                                            • Instruction ID: 3b64f9b0219d84d6320f0b84fa3343e3cc526acccd178e2255fcc6cfd9af4b2d
                                            • Opcode Fuzzy Hash: 625fcac5cd71957f07832b7573503c6c27bdca2c14f41e8ccdbcd58c33792db4
                                            • Instruction Fuzzy Hash: 964121B5B002098FDB18DF69D454AAEBBF1AF8C221F1550A9D405EB3A1DB34ED41CFA1
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3552447342.000000000B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_b8c0000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 96637f3d5a8f17b68dc9c3840ed678439a3bd896b128b30ac46eb06f0c34422c
                                            • Instruction ID: a422e68e1a6c0418902d5239d403fa27a150faace950c82b94a51d5d32b29715
                                            • Opcode Fuzzy Hash: 96637f3d5a8f17b68dc9c3840ed678439a3bd896b128b30ac46eb06f0c34422c
                                            • Instruction Fuzzy Hash: D0318FB1F002199FCB25DF69C4549AFBBF6EF88750B04852EE915EB260EB70D901CB90
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3552447342.000000000B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_b8c0000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c7f468db973bccaa3068ec0e1f5eb9e09698092b5f6a8ecfd1af37071b04b53c
                                            • Instruction ID: 3114101e8ee7f2fa76107966b629582f27ed9ef24c665e5a6e082bc116c2b330
                                            • Opcode Fuzzy Hash: c7f468db973bccaa3068ec0e1f5eb9e09698092b5f6a8ecfd1af37071b04b53c
                                            • Instruction Fuzzy Hash: 24318DB5E042599FDB14DB59C545BFFBBB5AF88711F048029E801F72A0CB74E940CBA1
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3552447342.000000000B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_b8c0000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 51f999665bbeaa073e39a61d9d723f541cb8be23e6c57b58e675519f31fc8030
                                            • Instruction ID: 78d969144802d35b2945b4753b8bb09c7e7a727fbe334c96ad883e516d5a6c84
                                            • Opcode Fuzzy Hash: 51f999665bbeaa073e39a61d9d723f541cb8be23e6c57b58e675519f31fc8030
                                            • Instruction Fuzzy Hash: 7A414972D0070ACBCB04CFA9C44059DFBF1FF98310B25866AE819AB355EB71A985CF80
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3552447342.000000000B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_b8c0000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 51d2a95a206723d9a3625ac4d74444ad34f9210e56f4ea5e3b70b645ea062984
                                            • Instruction ID: 3532c017d34af3d251faebc03ebe00ca632b973fb89467b2ac09d02b509bd738
                                            • Opcode Fuzzy Hash: 51d2a95a206723d9a3625ac4d74444ad34f9210e56f4ea5e3b70b645ea062984
                                            • Instruction Fuzzy Hash: 5D3123B4A002098FD718DF69C454A9EBBF2AF4C225F095069D805AB3A1DB34EC41CFA1
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3552447342.000000000B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_b8c0000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: db5001ee3ccb1aef9ba88626b98b2b7c4a1fe5bc012ef5f4d8ea206c3d5f4794
                                            • Instruction ID: db5a8f4098396849f3843894fccdf828ae08bdfa1daf3f6309259562422598b1
                                            • Opcode Fuzzy Hash: db5001ee3ccb1aef9ba88626b98b2b7c4a1fe5bc012ef5f4d8ea206c3d5f4794
                                            • Instruction Fuzzy Hash: EB410476D007099BCB04CFA9C44459EFBF1FF98310B21866AE819AB311EB71A981CF80
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3550247368.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_7670000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 59c60be396157adb3f99b167d2f4e203b155667b194032ce16d4345cd8abed1b
                                            • Instruction ID: d754a73319130e104a34c63788c7385a75dc9dc2df620bf9eb8e35ce4959bc12
                                            • Opcode Fuzzy Hash: 59c60be396157adb3f99b167d2f4e203b155667b194032ce16d4345cd8abed1b
                                            • Instruction Fuzzy Hash: 0421AE7220E3C45FCB0B67766C644967F74AE8726531A41EBE0C9CF5A3D6188C0AC3A7
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3552447342.000000000B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_b8c0000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6e87b7fa072a53c3e53bbac9864b3cca4d3dad3aaa3d36fbf75424c5535f0da1
                                            • Instruction ID: 092d3bd32aaa33826c15dbee49348f5117b04f56eeaf595d6286ce18be564e7a
                                            • Opcode Fuzzy Hash: 6e87b7fa072a53c3e53bbac9864b3cca4d3dad3aaa3d36fbf75424c5535f0da1
                                            • Instruction Fuzzy Hash: A0319970E0020AAFCB04DFA4D450ADEFBB6AF98300F118559E515AB2A0EF70E945CB91
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3552447342.000000000B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_b8c0000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 585ee0c9efc8dc459fb174549ddaf68828dbf5f59702038a1b9a2d2e1ff48156
                                            • Instruction ID: 81be5bc8d16645890549d91c615edc1e7d6623ce08c6dde9c30dcbec46df2e93
                                            • Opcode Fuzzy Hash: 585ee0c9efc8dc459fb174549ddaf68828dbf5f59702038a1b9a2d2e1ff48156
                                            • Instruction Fuzzy Hash: 96314CB0E00208DFDB18DFA9C844AAFBBFAEF88640F108429D505E7264DB75D905CBA5
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3552447342.000000000B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_b8c0000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 74d543e9e99d88aca5de439c9bfa9b4940bf8eb700249d2498df8d26b7a94c4c
                                            • API String ID:
                                            • Opcode ID: c3e876cd990611a26fc14ab6ee17117eb8890ef19ea9325cc71e7259275f65e6
                                            • Instruction ID: 68e564d262e913b066d66a94e0dea015d8bce71e153a4ac9d671ec271d30f55f
                                            • Opcode Fuzzy Hash: c3e876cd990611a26fc14ab6ee17117eb8890ef19ea9325cc71e7259275f65e6
                                            • Instruction Fuzzy Hash: 4EF0F0353002604FC7069B29D89CA2E7BF6EF8A66570A05AAE106CB3B2CF70DC05C791
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3552447342.000000000B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_b8c0000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0dcc3b393b5ebec2e4181f66c5f63eb38b57e8d9ec4c7e960cf2af928f25d9a6
                                            • Instruction ID: a449c2178e00ddb0d2461a79fbe1954df355cf23ad3ac551d0a56e3abf96cba8
                                            • Opcode Fuzzy Hash: 0dcc3b393b5ebec2e4181f66c5f63eb38b57e8d9ec4c7e960cf2af928f25d9a6
                                            • Instruction Fuzzy Hash: FCF0C2796142069AD310667CD8016AB3BA9DF86350F04857EA40ADB6A0EF74D951CBA2
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3550247368.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_7670000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 47ee15cfcefdf6a395c255a43e28b6a2264ac0d2a17020dc2d9036aa9f46c321
                                            • Instruction ID: 4b92f4c655a30c471676c96681901ba1ca16416d28cf0dfc56f6691bca5947c7
                                            • Opcode Fuzzy Hash: 47ee15cfcefdf6a395c255a43e28b6a2264ac0d2a17020dc2d9036aa9f46c321
                                            • Instruction Fuzzy Hash: B8F0F87110E7C29FCB429F74D9598453FB0AF1732571A40DBE088CF973D226A955CB22
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3552447342.000000000B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_b8c0000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2978f483246ec4fbc27e63390e8bf058029c0cb3fd975b68c1cc64b0f2e705fb
                                            • Instruction ID: 95c9c8e247e586c7e963354f03757873a11221c7fd7121c9f03cf8d65278ca6a
                                            • Opcode Fuzzy Hash: 2978f483246ec4fbc27e63390e8bf058029c0cb3fd975b68c1cc64b0f2e705fb
                                            • Instruction Fuzzy Hash: E4F0E932B052908FE719CB38E89455F7FE3DFD93413048A6ED04AC7254DE709909C752
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3550247368.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_7670000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ec9610a17f4dcd3f8046765b91e7690790b7c3f7ea38cad7218d53959b32bb37
                                            • Instruction ID: 3d367b18f7f290da7edaf675c97d738c8c7d2f6641faf2868c6b5c9a01c79dfd
                                            • Opcode Fuzzy Hash: ec9610a17f4dcd3f8046765b91e7690790b7c3f7ea38cad7218d53959b32bb37
                                            • Instruction Fuzzy Hash: 73F065A620D3D46FC71357B91C50CAB7F799B8712170940EBF958DB293C4288D54C7B2
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3550247368.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_7670000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 55b8085f9f1e48e4602c39d0c4f497d05ea5e61d99be123a8de94d57f211246d
                                            • Instruction ID: b6a6a281f6efbcdec6d5183cd225178abd0749240246fa425b93f1931d3e65b6
                                            • Opcode Fuzzy Hash: 55b8085f9f1e48e4602c39d0c4f497d05ea5e61d99be123a8de94d57f211246d
                                            • Instruction Fuzzy Hash: 3FF058A144E7C5AFD71387B05C616853F70AB03154F2902D7E4CACF1E3C62A0A0AD363
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3550247368.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_7670000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: fc19b7e311b8247b8b1607427174ffddc7ad8b738968fab12ea2d89803ef780a
                                            • Instruction ID: 19a7139c6db5d4b15120d5f861ed8c0e50308d3b9ed127eafb9bf066efb7b63a
                                            • Opcode Fuzzy Hash: fc19b7e311b8247b8b1607427174ffddc7ad8b738968fab12ea2d89803ef780a
                                            • Instruction Fuzzy Hash: 9FF05FA240E7D15FD3134B3588241957FB1AE9325831F44DBC090CF9A3D129195AD726
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3552447342.000000000B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_b8c0000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e675dab17cda1276cf50fd8be32b3978eddb3b83337b2b7cd0c5d729727507e8
                                            • Instruction ID: c964dc75904dbbbfda8b05b610d3fdc0058a15ee4adb39dd91b71f2788188c03
                                            • Opcode Fuzzy Hash: e675dab17cda1276cf50fd8be32b3978eddb3b83337b2b7cd0c5d729727507e8
                                            • Instruction Fuzzy Hash: 75F0123A004648EFCF02AF98C814DC5BFB5EF59310B05C196F6585B132E732D5A4EB41
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3550247368.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_7670000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e6b385dd06d2fd74c70685785637227d8843660d7a974f11ff8b3f41da27a56b
                                            • Instruction ID: c568144aacfea687200743ebb839bfa9484f60351d3ed2aee9d3debdbbfc7dca
                                            • Opcode Fuzzy Hash: e6b385dd06d2fd74c70685785637227d8843660d7a974f11ff8b3f41da27a56b
                                            • Instruction Fuzzy Hash: 7DF0AAB241E3C08FE3038B6198216917FB0AF2320071B50E7D090DF0F3D2282918DB72
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3550247368.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_7670000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a5cb47c686f778d78a9deec26613dd6cd437b89cea8e8aa8c8fb808c024d0ad6
                                            • Instruction ID: 6e0c9c6c120608278eca69c132ad2636e7ee9876da077982953b6ec96400d8da
                                            • Opcode Fuzzy Hash: a5cb47c686f778d78a9deec26613dd6cd437b89cea8e8aa8c8fb808c024d0ad6
                                            • Instruction Fuzzy Hash: 1CF06D6230D3E11FC31756295C24857BFB4AA8B26034A01EBE589DB2A3C9184C85C3A2
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3550247368.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_7670000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c88503e1168e58284a1f0b3bd5f65e54849220328809d8d2ac9758d4fc98e5ec
                                            • Instruction ID: 79ee859f14c762dcd35a03a7461106e9e6893abb261beb38e35b953f977038b9
                                            • Opcode Fuzzy Hash: c88503e1168e58284a1f0b3bd5f65e54849220328809d8d2ac9758d4fc98e5ec
                                            • Instruction Fuzzy Hash: 8AF0486611F3D08FD71717302D610857F705E0B52838E06D7D0D5CE1A3C62A8E4AC766
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3552447342.000000000B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_b8c0000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 116d19350e8791131e637eac02445aaf7b0d562b898a1d0c64f048ce76bc712b
                                            • Instruction ID: 68f1d113c15fb1938f3064f0984f33083d1062f1ba755b4a3d46caf6d2cb3101
                                            • Opcode Fuzzy Hash: 116d19350e8791131e637eac02445aaf7b0d562b898a1d0c64f048ce76bc712b
                                            • Instruction Fuzzy Hash: 34F039726047149BC720DE5AD890A9BBBA9EF94261B51C52EE88A87251DB30E905CBA0
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3552447342.000000000B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_b8c0000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 11a8aef504bd863145efdcd173a2fe2a3f9494c77cd48fbbefa6cbab0e05ead9
                                            • Instruction ID: be3b1ba08d27bb4629f556679b70e4c8890b104cc8e517f3c759e5b389655252
                                            • Opcode Fuzzy Hash: 11a8aef504bd863145efdcd173a2fe2a3f9494c77cd48fbbefa6cbab0e05ead9
                                            • Instruction Fuzzy Hash: 47F0DA76010609EFCF02AF98C844C95BFB6FF49314B06C595F6185B131E732D5A0EB45
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3550247368.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_7670000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d9cf0f4dd6fe1bcf902d1ec18efb1f09e791087b000fe75a72feec9363bb1c7a
                                            • Instruction ID: 25fd2936e6d4869866d111e5a6fa6e931cddfb66f37ac905edba722b73335fde
                                            • Opcode Fuzzy Hash: d9cf0f4dd6fe1bcf902d1ec18efb1f09e791087b000fe75a72feec9363bb1c7a
                                            • Instruction Fuzzy Hash: CEE0922520E3D04FC75B537D2CA24A67FB58E8746034A01EBE085CFAA7C8984C4AC3B3
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3552447342.000000000B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_b8c0000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 911d98b42ea5631c4b80564efcd34a2c1b269b2cb66faf4d0c5a3903c3979cec
                                            • Instruction ID: 4106b13fb52fd2ae9b06c2930d264c44d4f0b4c00f29959b5aafa4c8b511f91d
                                            • Opcode Fuzzy Hash: 911d98b42ea5631c4b80564efcd34a2c1b269b2cb66faf4d0c5a3903c3979cec
                                            • Instruction Fuzzy Hash: 93E09A713043218FCB0A5B24E81809D3B79EF0661570000EAE006CB3A8CB35ED02CBE2
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3552447342.000000000B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_b8c0000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9d79a373e11c64626b9c202b564ed2bd8ea5083908cc7b306ab6882800c3f8e1
                                            • Instruction ID: fd177aae2a2958fdd08c9d1a7f3dad5d4207daaf2cc79e867e6026f83c2037be
                                            • Opcode Fuzzy Hash: 9d79a373e11c64626b9c202b564ed2bd8ea5083908cc7b306ab6882800c3f8e1
                                            • Instruction Fuzzy Hash: D9E026317002244FC708AB3AE80856F7BEBEBC8361700CA3DD00AC3244DE709C4647D0
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3550247368.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_7670000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ea71854093f7d70c23590830c477a8091162d71d34885a0d85389f782caafd36
                                            • Instruction ID: 34e58c54ec9915f1df8d652c2670e7cb27331055b95c3b729e354ccb0e93522b
                                            • Opcode Fuzzy Hash: ea71854093f7d70c23590830c477a8091162d71d34885a0d85389f782caafd36
                                            • Instruction Fuzzy Hash: 7DF0536114E3C18FC7038735AA294503F70AE17215B0E41CBE099CF9B3D21AAA29C722
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3550247368.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_7670000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c4abca0068841f729abbac2af90fe56b4eeb4b0ca47d6bfd2a23f7ae5e18b63d
                                            • Instruction ID: 4140598b7a449e6a4c8ed796592f0eda25d949419a8a47522d408cdcfcef8a8b
                                            • Opcode Fuzzy Hash: c4abca0068841f729abbac2af90fe56b4eeb4b0ca47d6bfd2a23f7ae5e18b63d
                                            • Instruction Fuzzy Hash: 69E012B23041947B47145A9F5C44CABBF9EDBC9661704403AFA18D7341C9318D1097F0
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3550247368.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_7670000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9b81a347dd5ad4d94d364bcc3848c2ea129c739d8c1874664e2ae510c92b6582
                                            • Instruction ID: 89bb9fc3e96b3b57a0d91526931a53ec1d2f3335bbe2e1eccc9d11e78dc07b38
                                            • Opcode Fuzzy Hash: 9b81a347dd5ad4d94d364bcc3848c2ea129c739d8c1874664e2ae510c92b6582
                                            • Instruction Fuzzy Hash: D6E0B67641EBC08ED3172B3459260D57F70AE1320474A49DBD0C1CE0B3E5295A9DC7A7
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3552447342.000000000B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_b8c0000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c568ac8db175a4ff6f5ee9feefa776be74d66afbb3d39d8d1a1e16182eb60bad
                                            • Instruction ID: 5b77506f0a61ab20415266a3ca62786cd9fb2fbfe3d44f5a144a8f679d6f512f
                                            • Opcode Fuzzy Hash: c568ac8db175a4ff6f5ee9feefa776be74d66afbb3d39d8d1a1e16182eb60bad
                                            • Instruction Fuzzy Hash: F4E05B713502158BC7186FB5B41849E379DEF4566670000BAD50EC7794CF75DD01CBD0
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3550247368.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_7670000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 53471462a91b980afd3a313b429f3a9f2c777bedd015d3e44c16ced4d20b4f9f
                                            • Instruction ID: 7e44201c47cbdbcc9051449dfb6c1e650b361efd25318b8d7274ebcb8b5799f8
                                            • Opcode Fuzzy Hash: 53471462a91b980afd3a313b429f3a9f2c777bedd015d3e44c16ced4d20b4f9f
                                            • Instruction Fuzzy Hash: F6E09A3A00A7C49FC7039BA5D918C80BFB5AF4B22030A80D7E5898F573D625D968EB61
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3550247368.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_7670000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e7603e87e07ea7acf8567b19b2787b8ca7e9cf3f7d9d57e934c424558aa7d3b5
                                            • Instruction ID: 773c5d46b0f4d29ddd4836de3a61d5fc7a19ae0e2de52a862e268524b219b307
                                            • Opcode Fuzzy Hash: e7603e87e07ea7acf8567b19b2787b8ca7e9cf3f7d9d57e934c424558aa7d3b5
                                            • Instruction Fuzzy Hash: ACE0B62140EBC48FD307AB3499200857F306E1320074A45D7D0C4CF1A3E5298A8EC773
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3550247368.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_7670000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e279e793048af1f2a0f2fb155c906b2b0d2a3b4791b2bf1274a629a2fda04bab
                                            • Instruction ID: ef6d2dc94bb645e16c30f0b0ffeb8023357a5e745ae19064c0bf39f088ec0505
                                            • Opcode Fuzzy Hash: e279e793048af1f2a0f2fb155c906b2b0d2a3b4791b2bf1274a629a2fda04bab
                                            • Instruction Fuzzy Hash: BCD0EA6A00E7C08FD707677469701C27F306E2762574B06D7D095CE2A3D52A8A4AC7B7
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3550247368.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_7670000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 84d17b7b7f4215ec9d7e628bcc9d1c139e6b0c7aaa3a058afc43058d2f72264d
                                            • Instruction ID: 2a2c80b4372ef263319a4ab4ae15421fcc0ee08e2209eb5217f024d0a75d47b2
                                            • Opcode Fuzzy Hash: 84d17b7b7f4215ec9d7e628bcc9d1c139e6b0c7aaa3a058afc43058d2f72264d
                                            • Instruction Fuzzy Hash: 7DD052A260EBF45FC74393382C220E86F718E8302031A06DBC080CF1E3DA088D0AC7E2
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3550247368.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_7670000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0280f8fb1a0f58d08b7ce9f212045bca15be88f6dd88c2e8920af26f12947f85
                                            • Instruction ID: fecf56d22cad18bb6c711cea2b46f9b73380eaa9aa85c67cf09792972fa3c02e
                                            • Opcode Fuzzy Hash: 0280f8fb1a0f58d08b7ce9f212045bca15be88f6dd88c2e8920af26f12947f85
                                            • Instruction Fuzzy Hash: 5DB092311A45098FC310AE59E848E6137ADEF44A05B4100F0E1088BA32D622F8008A55
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3550247368.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_7670000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0280f8fb1a0f58d08b7ce9f212045bca15be88f6dd88c2e8920af26f12947f85
                                            • Instruction ID: fecf56d22cad18bb6c711cea2b46f9b73380eaa9aa85c67cf09792972fa3c02e
                                            • Opcode Fuzzy Hash: 0280f8fb1a0f58d08b7ce9f212045bca15be88f6dd88c2e8920af26f12947f85
                                            • Instruction Fuzzy Hash: 5DB092311A45098FC310AE59E848E6137ADEF44A05B4100F0E1088BA32D622F8008A55
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3550247368.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_7670000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c5e608f08ab64ae41cf1edb1fa7d790ee8a25a02bd1c52868b6dffc2521c7bd1
                                            • Instruction ID: e60a9b2934022d58ddad3e083b9af6452f7e611bae98ac8a321dce98add4d2b0
                                            • Opcode Fuzzy Hash: c5e608f08ab64ae41cf1edb1fa7d790ee8a25a02bd1c52868b6dffc2521c7bd1
                                            • Instruction Fuzzy Hash: E6B092351A45098FC310AB59D848E6077ADEF44A05B4580F0E1088BA32D622F8008A44
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3550247368.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_7670000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0c5aa06abd19b972ef5ffdcdd9d868785c862436591dc722b60b57511d1520ba
                                            • Instruction ID: 38f246181df111d5429a8bd68a772e0fce3d181c3253e5a9de7ce3dab65c4b62
                                            • Opcode Fuzzy Hash: 0c5aa06abd19b972ef5ffdcdd9d868785c862436591dc722b60b57511d1520ba
                                            • Instruction Fuzzy Hash: F4B01230240208CFC300DB5DD445C003BFCAF49A0434000D0F1088B731C721FC008A40
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3550247368.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_7670000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 158319e608109285b0aabb45af1329535cf3f27f2a2a52c1d394dad0d3b92d00
                                            • Instruction ID: 58d4941535eaf10daeeafe6fcca48bf06ebc2ed42ee6eaf851f773474605c848
                                            • Opcode Fuzzy Hash: 158319e608109285b0aabb45af1329535cf3f27f2a2a52c1d394dad0d3b92d00
                                            • Instruction Fuzzy Hash: EEC048752404148FC314DF78E1888803B60AF18218B6101A5E119CB622DB22E8128A01
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3550247368.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_7670000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 79a13f34584defdca235b799d1b828a2c8c31dd1e8bba79713e0f379b1fe5d5a
                                            • Instruction ID: 3500fcb77b3068117070a2755b6df40992440358c719d221bb354a181ae4356b
                                            • Opcode Fuzzy Hash: 79a13f34584defdca235b799d1b828a2c8c31dd1e8bba79713e0f379b1fe5d5a
                                            • Instruction Fuzzy Hash: 22B092311502088F83009B68E548C0137A8AB08A143110090E1088B232C621F8008A51
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3550247368.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_7670000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7c75d1f359baf881aebbd545750fb125bd9c5c0c39637b878c602c40b716e62d
                                            • Instruction ID: c33795987177c21f5cbdac8c9888cd4206e67c0f7a04de651ea4cb362d1e97b6
                                            • Opcode Fuzzy Hash: 7c75d1f359baf881aebbd545750fb125bd9c5c0c39637b878c602c40b716e62d
                                            • Instruction Fuzzy Hash: 29B092301502088FC200DA58D444C4077A8BB08A0430100D0E2088B232D622F8008A40
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3550247368.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_7670000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 92a417cdb34d81c1afb0df4d08a39985e4c55831df0d27270f9c4b8acb859ff3
                                            • Instruction ID: de8dc64e72719d8615f5572672be4b6ff8fccd44edac4ca872f7aefcae7638d8
                                            • Opcode Fuzzy Hash: 92a417cdb34d81c1afb0df4d08a39985e4c55831df0d27270f9c4b8acb859ff3
                                            • Instruction Fuzzy Hash: EEB01234140208CFC300DB5CD549C507BECEF08A0430540D0F20C8B332D722FC008A40
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3550247368.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_7670000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 149b3b8abd7c2fab9b7e4a745b5e7cb4a54d10e8afa2e5da7e96e67ea0595db2
                                            • Instruction ID: 0666db46a6e83b03bdbc4174638f5755fda2c091e5cd55f036d48e3d7623dd39
                                            • Opcode Fuzzy Hash: 149b3b8abd7c2fab9b7e4a745b5e7cb4a54d10e8afa2e5da7e96e67ea0595db2
                                            • Instruction Fuzzy Hash: 44B092301A02088F82009A59D444C4033ACAF08A1534100D0E1088B632C621FC008A80
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3550247368.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_7670000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ecb6a1eb7e88e2c35bf374eb778226a9c81a968f610bcaecfab9886b2a358817
                                            • Instruction ID: 5b737b4da65856a6f4701deb2e3952c9cca447871c42ec6e23c78e245a08f0d3
                                            • Opcode Fuzzy Hash: ecb6a1eb7e88e2c35bf374eb778226a9c81a968f610bcaecfab9886b2a358817
                                            • Instruction Fuzzy Hash: 1DC092341A0608CFC244EF98D098C0833A4EF0862870200E0F6098B733D735EC92CB40
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3550247368.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_7670000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 901620a7f2b9dd4091141eb96992825778dc560f8c705c10b144c0f3bf9f7286
                                            • Instruction ID: bc08162c7b03c7ddb5c483f2b39994bf13d10df8561089b0163c2ef345907767
                                            • Opcode Fuzzy Hash: 901620a7f2b9dd4091141eb96992825778dc560f8c705c10b144c0f3bf9f7286
                                            • Instruction Fuzzy Hash: FCB092301502088F82409A59D444C0073A8AF08A143410090F1098B632C621FC018A40
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3550247368.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_7670000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: dd305c8682803f8cd3e48e9c3dbcc1fee737f5508fafbcd0c04e1af5ccb145ee
                                            • Instruction ID: 72132c6f8b91f458710192d15283a2ad4454807dde311452799a13bc4270f6e4
                                            • Opcode Fuzzy Hash: dd305c8682803f8cd3e48e9c3dbcc1fee737f5508fafbcd0c04e1af5ccb145ee
                                            • Instruction Fuzzy Hash: 61B01234140208CFC200DB5DD448C4073ECEF08A1534100D0F10D8B732C721FC40CA40
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3550247368.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_7670000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c88cbada9dee4a1eadc7b7c67270da32ab86cc7c012763ad930920f0800970f7
                                            • Instruction ID: f88e7cd8e595fbf5d51c8739bac1d247ff6ed52f7d952e1388ec4f35935b580c
                                            • Opcode Fuzzy Hash: c88cbada9dee4a1eadc7b7c67270da32ab86cc7c012763ad930920f0800970f7
                                            • Instruction Fuzzy Hash: 71B0127101010CA787002A41E9098497F1CE714250B404021F504010108B325860D594
                                            APIs
                                            • GetKeyState.USER32(00000001), ref: 12095E15
                                            • GetKeyState.USER32(00000002), ref: 12095E5A
                                            • GetKeyState.USER32(00000004), ref: 12095E9F
                                            • GetKeyState.USER32(00000005), ref: 12095EE4
                                            • GetKeyState.USER32(00000006), ref: 12095F29
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3555079880.0000000012090000.00000040.00000800.00020000.00000000.sdmp, Offset: 12090000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_12090000_BlackBerryBackupExtractor.jbxd
                                            Similarity
                                            • API ID: State
                                            • String ID:
                                            • API String ID: 1649606143-0
                                            • Opcode ID: 7fa6e6ff925c6c2c77e4006ee3d70ca34ab31ac11f1a301f5478e0ebbaa1d1c6
                                            • Instruction ID: b676636012f5e6fc2f6c4e8191b76d06f68864d5b9a367675fb3764e4f1995b6
                                            • Opcode Fuzzy Hash: 7fa6e6ff925c6c2c77e4006ee3d70ca34ab31ac11f1a301f5478e0ebbaa1d1c6
                                            • Instruction Fuzzy Hash: D341A2B1C01785CEEB11DFABD5493AFBFF8AB04315F208449D14EA7280C77A9685DBA1