Windows Analysis Report
Colby Dupe Script.exe

Overview

General Information

Sample name: Colby Dupe Script.exe
Analysis ID: 1441703
MD5: 67bd09879e6fe66763074091f57f3150
SHA1: 43825d37d0821a6a21aee73e30ecb71c04b14119
SHA256: 5604246ead9eb4b6ddd749a285e1bb3296f186988c3eb298964a3138cece1446
Tags: exe

Detection

Luna Logger
Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Yara detected Luna Logger
Potentially malicious time measurement code found
Binary contains a suspicious time stamp
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May check the online IP address of the machine
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • Colby Dupe Script.exe (PID: 5912 cmdline: "C:\Users\user\Desktop\Colby Dupe Script.exe" MD5: 67BD09879E6FE66763074091F57F3150)
    • Colby Dupe Script.exe (PID: 7052 cmdline: "C:\Users\user\Desktop\Colby Dupe Script.exe" MD5: 67BD09879E6FE66763074091F57F3150)
      • cmd.exe (PID: 2680 cmdline: C:\Windows\system32\cmd.exe /c "ver" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000001.00000003.1711175421.0000012E33430000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000001.00000003.1711175421.0000012E33430000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_LunaLogger | Yara detected Luna Logger | Joe Security |
00000001.00000003.1706757137.0000012E33412000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000001.00000003.1706757137.0000012E33412000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_LunaLogger | Yara detected Luna Logger | Joe Security |
00000001.00000003.1715762119.0000012E33431000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |

No Sigma rule has matched
No Snort rule has matched

            AV Detection

            Source: https://raw.githubusercontent.com/Smug246/luna-injection/main/obfuscated-injection.jsr | Avira URL Cloud: Label: malware
            Source: https://raw.githubusercontent.com/Smug246/luna-injection/main/obfuscated-injection.js | Avira URL Cloud: Label: malware
            Source: Colby Dupe Script.exe | ReversingLabs: Detection: 50%
            Source: Colby Dupe Script.exe | Virustotal: Detection: 35%
            Source: C:\Users\user\Desktop\Colby Dupe Script.exe | File created: C:\Users\user\AppData\Local\Temp\dd_setup.txt
            Source: C:\Users\user\Desktop\Colby Dupe Script.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI59122\wheel-0.43.0.dist-info\LICENSE.txt
            Source: Colby Dupe Script.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
            Source: Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\pythoncom.pdb source: Colby Dupe Script.exe, 00000001.00000002.1729225966.00007FFE004B1000.00000040.00000001.01000000.00000011.sdmp
            Source: Binary string: C:\A\40\b\bin\amd64\sqlite3.pdb source: Colby Dupe Script.exe, Colby Dupe Script.exe, 00000001.00000002.1726716991.00007FFDFAF41000.00000040.00000001.01000000.00000019.sdmp
            Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_A source: Colby Dupe Script.exe
            Source: Binary string: D:\_w\1\b\libssl-1_1.pdb source: Colby Dupe Script.exe, Colby Dupe Script.exe, 00000001.00000002.1728246199.00007FFDFF2C6000.00000040.00000001.01000000.00000015.sdmp
            Source: Binary string: C:\A\40\b\bin\amd64\_uuid.pdb source: Colby Dupe Script.exe, 00000001.00000002.1729061849.00007FFE004A1000.00000040.00000001.01000000.00000032.sdmp
            Source: Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\pythoncom.pdb}},GCTL source: Colby Dupe Script.exe, 00000001.00000002.1729225966.00007FFE004B1000.00000040.00000001.01000000.00000011.sdmp
            Source: Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\win32crypt.pdb source: Colby Dupe Script.exe, Colby Dupe Script.exe, 00000001.00000002.1728657653.00007FFDFFAF1000.00000040.00000001.01000000.00000033.sdmp
            Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: Colby Dupe Script.exe, 00000001.00000002.1726926360.00007FFDFB30E000.00000040.00000001.01000000.00000014.sdmp
            Source: Binary string: C:\A\40\b\bin\amd64\python3.pdb source: Colby Dupe Script.exe, 00000000.00000003.1622186763.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1718569021.0000012E32130000.00000002.00000001.01000000.00000006.sdmp
            Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: Colby Dupe Script.exe, 00000000.00000003.1617973037.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1732985131.00007FFE14641000.00000002.00000001.01000000.00000005.sdmp
            Source: Binary string: C:\A\40\b\bin\amd64\_ctypes.pdb source: Colby Dupe Script.exe, 00000001.00000002.1731795476.00007FFE126D1000.00000040.00000001.01000000.00000007.sdmp
            Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: Colby Dupe Script.exe, 00000000.00000003.1617973037.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1732985131.00007FFE14641000.00000002.00000001.01000000.00000005.sdmp
            Source: Binary string: C:\A\40\b\bin\amd64\_sqlite3.pdb source: Colby Dupe Script.exe, 00000001.00000002.1730410375.00007FFE0EB21000.00000040.00000001.01000000.00000018.sdmp
            Source: Binary string: C:\A\40\b\bin\amd64\_queue.pdb source: Colby Dupe Script.exe, 00000001.00000002.1732322580.00007FFE13201000.00000040.00000001.01000000.0000000E.sdmp
            Source: Binary string: C:\A\40\b\bin\amd64\python310.pdb source: Colby Dupe Script.exe, 00000001.00000002.1727473962.00007FFDFB784000.00000040.00000001.01000000.00000004.sdmp
            Source: Binary string: C:\A\40\b\bin\amd64\_overlapped.pdb source: Colby Dupe Script.exe, 00000001.00000002.1731982148.00007FFE12E11000.00000040.00000001.01000000.00000017.sdmp
            Source: Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\pywintypes.pdb source: Colby Dupe Script.exe, 00000001.00000002.1730594110.00007FFE0EB41000.00000040.00000001.01000000.0000000F.sdmp
            Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: Colby Dupe Script.exe, 00000000.00000003.1618083988.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1732185301.00007FFE130C5000.00000002.00000001.01000000.00000010.sdmp
            Source: Binary string: C:\A\40\b\bin\amd64\_lzma.pdbNN source: Colby Dupe Script.exe, 00000001.00000002.1731264639.00007FFE11EBC000.00000040.00000001.01000000.0000000A.sdmp
            Source: Binary string: C:\A\40\b\bin\amd64\_lzma.pdb source: Colby Dupe Script.exe, 00000001.00000002.1731264639.00007FFE11EBC000.00000040.00000001.01000000.0000000A.sdmp
            Source: Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\win32api.pdb!! source: Colby Dupe Script.exe, 00000001.00000002.1730245094.00007FFE0E161000.00000040.00000001.01000000.00000012.sdmp
            Source: Binary string: C:\A\40\b\bin\amd64\select.pdb source: Colby Dupe Script.exe, 00000001.00000002.1732500989.00007FFE13381000.00000040.00000001.01000000.0000000D.sdmp
            Source: Binary string: C:\A\40\b\bin\amd64\unicodedata.pdb source: Colby Dupe Script.exe, 00000001.00000002.1726484532.00007FFDFAF2C000.00000040.00000001.01000000.0000001E.sdmp
            Source: Binary string: D:\_w\1\b\libssl-1_1.pdb@@ source: Colby Dupe Script.exe, 00000001.00000002.1728246199.00007FFDFF2C6000.00000040.00000001.01000000.00000015.sdmp
            Source: Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\win32api.pdb source: Colby Dupe Script.exe, 00000001.00000002.1730245094.00007FFE0E161000.00000040.00000001.01000000.00000012.sdmp
            Source: Binary string: C:\A\40\b\bin\amd64\_socket.pdb source: Colby Dupe Script.exe, 00000001.00000002.1731103648.00007FFE10301000.00000040.00000001.01000000.0000000C.sdmp
            Source: Binary string: C:\A\40\b\bin\amd64\_ssl.pdb source: Colby Dupe Script.exe, 00000001.00000002.1730106014.00007FFE0E131000.00000040.00000001.01000000.00000013.sdmp
            Source: Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\pywintypes.pdb** source: Colby Dupe Script.exe, 00000001.00000002.1730594110.00007FFE0EB41000.00000040.00000001.01000000.0000000F.sdmp
            Source: Binary string: C:\A\40\b\bin\amd64\_bz2.pdb source: Colby Dupe Script.exe, 00000001.00000002.1731542743.00007FFE11ED1000.00000040.00000001.01000000.00000009.sdmp
            Source: Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMOpenSSL 1.1.1q 5 Jul 2022built on: Thu Aug 18 20:15:42 2022 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-1_1"not available source: Colby Dupe Script.exe, 00000001.00000002.1726926360.00007FFDFB30E000.00000040.00000001.01000000.00000014.sdmp
            Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdbGCTL source: Colby Dupe Script.exe, 00000000.00000003.1618083988.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1732185301.00007FFE130C5000.00000002.00000001.01000000.00000010.sdmp
            Source: Binary string: C:\A\40\b\bin\amd64\_hashlib.pdb source: Colby Dupe Script.exe, 00000001.00000002.1729845180.00007FFE0CFB1000.00000040.00000001.01000000.0000001B.sdmp
            Source: Binary string: D:\_w\1\b\libcrypto-1_1.pdb source: Colby Dupe Script.exe
            Source: Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\win32crypt.pdb!! source: Colby Dupe Script.exe, 00000001.00000002.1728657653.00007FFDFFAF1000.00000040.00000001.01000000.00000033.sdmp
            Source: C:\Users\user\Desktop\Colby Dupe Script.exe | Code function: 0_2_00007FF698EE8D00 FindFirstFileExW,FindClose,0_2_00007FF698EE8D00
            Source: C:\Users\user\Desktop\Colby Dupe Script.exe | Code function: 0_2_00007FF698EF8670 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,0_2_00007FF698EF8670
            Source: C:\Users\user\Desktop\Colby Dupe Script.exe | Code function: 0_2_00007FF698F026C4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,0_2_00007FF698F026C4
            Source: C:\Users\user\Desktop\Colby Dupe Script.exe | Code function: 1_2_00007FFDFB0C3229 MultiByteToWideChar,GetLastError,MultiByteToWideChar,MultiByteToWideChar,00007FFE1FF9F020,FindFirstFileW,FindNextFileW,WideCharToMultiByte,1_2_00007FFDFB0C3229
            Source: Joe Sandbox View | IP Address: 172.67.74.152
            Source: unknown | DNS query: name: api.ipify.org
            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: global traffic | DNS traffic detected: DNS query: api.ipify.org
            Source: Colby Dupe Script.exe, 00000001.00000002.1724920395.0000012E3470C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://.../back.jpeg
            Source: Colby Dupe Script.exe, 00000001.00000002.1721233798.0000012E33A40000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://aka.ms/vcpython27
            Source: Colby Dupe Script.exe, 00000001.00000002.1721233798.0000012E33A40000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://aka.ms/vcpython27P:
            Source: Colby Dupe Script.exe (multiple memory dumps) | String found in binary or memory: http://blog.cryptographyengineering.com/2012/05/how-to-choose-authenticated-encryption.html
            Source: Colby Dupe Script.exe, 00000001.00000002.1725090024.0000012E34990000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://bugs.python.org/issue23606)
            Source: Colby Dupe Script.exe, 00000000.00000003.1621732137.000001CB67E96000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1621732137.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
            Source: Colby Dupe Script.exe (multiple memory dumps) | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
            Source: Colby Dupe Script.exe, 00000000.00000003.1621732137.000001CB67E96000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1621732137.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
            Source: Colby Dupe Script.exe (multiple memory dumps) | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
            Source: Colby Dupe Script.exe (multiple memory dumps) | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0