Edit tour

Windows Analysis Report
Colby Dupe Script.exe

Overview

General Information

Sample name:	Colby Dupe Script.exe
Analysis ID:	1441703
MD5:	67bd09879e6fe66763074091f57f3150
SHA1:	43825d37d0821a6a21aee73e30ecb71c04b14119
SHA256:	5604246ead9eb4b6ddd749a285e1bb3296f186988c3eb298964a3138cece1446
Tags:	exe
Infos:

Detection

Luna Logger

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Multi AV Scanner detection for submitted file

Yara detected Luna Logger

Potentially malicious time measurement code found

Binary contains a suspicious time stamp

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May check the online IP address of the machine

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

PE file does not import any functions

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

Colby Dupe Script.exe (PID: 5912 cmdline: "C:\Users\user\Desktop\Colby Dupe Script.exe" MD5: 67BD09879E6FE66763074091F57F3150)

Colby Dupe Script.exe (PID: 7052 cmdline: "C:\Users\user\Desktop\Colby Dupe Script.exe" MD5: 67BD09879E6FE66763074091F57F3150)

cmd.exe (PID: 2680 cmdline: C:\Windows\system32\cmd.exe /c "ver" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000001.00000003.1711175421.0000012E33430000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000003.1711175421.0000012E33430000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_LunaLogger	Yara detected Luna Logger	Joe Security
00000001.00000003.1706757137.0000012E33412000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000003.1706757137.0000012E33412000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_LunaLogger	Yara detected Luna Logger	Joe Security
00000001.00000003.1715762119.0000012E33431000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000003.1715762119.0000012E33431000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_LunaLogger	Yara detected Luna Logger	Joe Security
00000001.00000003.1704964886.0000012E33412000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000003.1704964886.0000012E33412000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_LunaLogger	Yara detected Luna Logger	Joe Security
00000001.00000003.1707046871.0000012E33412000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000003.1707046871.0000012E33412000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_LunaLogger	Yara detected Luna Logger	Joe Security
00000001.00000003.1706862797.0000012E33412000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000003.1706862797.0000012E33412000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_LunaLogger	Yara detected Luna Logger	Joe Security
00000001.00000003.1706447898.0000012E33412000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000003.1706447898.0000012E33412000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_LunaLogger	Yara detected Luna Logger	Joe Security
00000001.00000003.1708877182.0000012E33412000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000003.1708877182.0000012E33412000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_LunaLogger	Yara detected Luna Logger	Joe Security
00000001.00000002.1720480190.0000012E33431000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.1720480190.0000012E33431000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_LunaLogger	Yara detected Luna Logger	Joe Security
00000001.00000003.1709214739.0000012E33412000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000003.1709214739.0000012E33412000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_LunaLogger	Yara detected Luna Logger	Joe Security
00000001.00000002.1724839216.0000012E34540000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.1724839216.0000012E34540000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_LunaLogger	Yara detected Luna Logger	Joe Security
00000001.00000003.1709585773.0000012E3341D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000003.1709585773.0000012E3341D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_LunaLogger	Yara detected Luna Logger	Joe Security
Process Memory Space: Colby Dupe Script.exe PID: 7052	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Colby Dupe Script.exe PID: 7052	JoeSecurity_LunaLogger	Yara detected Luna Logger	Joe Security
Click to see the 21 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://raw.githubusercontent.com/Smug246/luna-injection/main/obfuscated-injection.jsr	Avira URL Cloud: Label: malware
Source: https://raw.githubusercontent.com/Smug246/luna-injection/main/obfuscated-injection.js	Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Source: Colby Dupe Script.exe	ReversingLabs: Detection: 50%
Source: Colby Dupe Script.exe	Virustotal: Detection: 35%			Perma Link

Source: C:\Users\user\Desktop\Colby Dupe Script.exe

File created: C:\Users\user\AppData\Local\Temp\dd_setup.txt

Jump to behavior

Source: C:\Users\user\Desktop\Colby Dupe Script.exe

File created: C:\Users\user\AppData\Local\Temp\_MEI59122\wheel-0.43.0.dist-info\LICENSE.txt

Jump to behavior

Source: Colby Dupe Script.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\pythoncom.pdb source: Colby Dupe Script.exe, 00000001.00000002.1729225966.00007FFE004B1000.00000040.00000001.01000000.00000011.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\sqlite3.pdb source: Colby Dupe Script.exe, Colby Dupe Script.exe, 00000001.00000002.1726716991.00007FFDFAF41000.00000040.00000001.01000000.00000019.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_A source: Colby Dupe Script.exe
Source:	Binary string: D:\_w\1\b\libssl-1_1.pdb source: Colby Dupe Script.exe, Colby Dupe Script.exe, 00000001.00000002.1728246199.00007FFDFF2C6000.00000040.00000001.01000000.00000015.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\_uuid.pdb source: Colby Dupe Script.exe, 00000001.00000002.1729061849.00007FFE004A1000.00000040.00000001.01000000.00000032.sdmp
Source:	Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\pythoncom.pdb}},GCTL source: Colby Dupe Script.exe, 00000001.00000002.1729225966.00007FFE004B1000.00000040.00000001.01000000.00000011.sdmp
Source:	Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\win32crypt.pdb source: Colby Dupe Script.exe, Colby Dupe Script.exe, 00000001.00000002.1728657653.00007FFDFFAF1000.00000040.00000001.01000000.00000033.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: Colby Dupe Script.exe, 00000001.00000002.1726926360.00007FFDFB30E000.00000040.00000001.01000000.00000014.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\python3.pdb source: Colby Dupe Script.exe, 00000000.00000003.1622186763.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1718569021.0000012E32130000.00000002.00000001.01000000.00000006.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: Colby Dupe Script.exe, 00000000.00000003.1617973037.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1732985131.00007FFE14641000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\_ctypes.pdb source: Colby Dupe Script.exe, 00000001.00000002.1731795476.00007FFE126D1000.00000040.00000001.01000000.00000007.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: Colby Dupe Script.exe, 00000000.00000003.1617973037.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1732985131.00007FFE14641000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\_sqlite3.pdb source: Colby Dupe Script.exe, 00000001.00000002.1730410375.00007FFE0EB21000.00000040.00000001.01000000.00000018.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\_queue.pdb source: Colby Dupe Script.exe, 00000001.00000002.1732322580.00007FFE13201000.00000040.00000001.01000000.0000000E.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\python310.pdb source: Colby Dupe Script.exe, 00000001.00000002.1727473962.00007FFDFB784000.00000040.00000001.01000000.00000004.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\_overlapped.pdb source: Colby Dupe Script.exe, 00000001.00000002.1731982148.00007FFE12E11000.00000040.00000001.01000000.00000017.sdmp
Source:	Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\pywintypes.pdb source: Colby Dupe Script.exe, 00000001.00000002.1730594110.00007FFE0EB41000.00000040.00000001.01000000.0000000F.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: Colby Dupe Script.exe, 00000000.00000003.1618083988.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1732185301.00007FFE130C5000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\_lzma.pdbNN source: Colby Dupe Script.exe, 00000001.00000002.1731264639.00007FFE11EBC000.00000040.00000001.01000000.0000000A.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\_lzma.pdb source: Colby Dupe Script.exe, 00000001.00000002.1731264639.00007FFE11EBC000.00000040.00000001.01000000.0000000A.sdmp
Source:	Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\win32api.pdb!! source: Colby Dupe Script.exe, 00000001.00000002.1730245094.00007FFE0E161000.00000040.00000001.01000000.00000012.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\select.pdb source: Colby Dupe Script.exe, 00000001.00000002.1732500989.00007FFE13381000.00000040.00000001.01000000.0000000D.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\unicodedata.pdb source: Colby Dupe Script.exe, 00000001.00000002.1726484532.00007FFDFAF2C000.00000040.00000001.01000000.0000001E.sdmp
Source:	Binary string: D:\_w\1\b\libssl-1_1.pdb@@ source: Colby Dupe Script.exe, 00000001.00000002.1728246199.00007FFDFF2C6000.00000040.00000001.01000000.00000015.sdmp
Source:	Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\win32api.pdb source: Colby Dupe Script.exe, 00000001.00000002.1730245094.00007FFE0E161000.00000040.00000001.01000000.00000012.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\_socket.pdb source: Colby Dupe Script.exe, 00000001.00000002.1731103648.00007FFE10301000.00000040.00000001.01000000.0000000C.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\_ssl.pdb source: Colby Dupe Script.exe, 00000001.00000002.1730106014.00007FFE0E131000.00000040.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\pywintypes.pdb** source: Colby Dupe Script.exe, 00000001.00000002.1730594110.00007FFE0EB41000.00000040.00000001.01000000.0000000F.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\_bz2.pdb source: Colby Dupe Script.exe, 00000001.00000002.1731542743.00007FFE11ED1000.00000040.00000001.01000000.00000009.sdmp
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMOpenSSL 1.1.1q 5 Jul 2022built on: Thu Aug 18 20:15:42 2022 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-1_1"not available source: Colby Dupe Script.exe, 00000001.00000002.1726926360.00007FFDFB30E000.00000040.00000001.01000000.00000014.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdbGCTL source: Colby Dupe Script.exe, 00000000.00000003.1618083988.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1732185301.00007FFE130C5000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\_hashlib.pdb source: Colby Dupe Script.exe, 00000001.00000002.1729845180.00007FFE0CFB1000.00000040.00000001.01000000.0000001B.sdmp
Source:	Binary string: D:\_w\1\b\libcrypto-1_1.pdb source: Colby Dupe Script.exe
Source:	Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\win32crypt.pdb!! source: Colby Dupe Script.exe, 00000001.00000002.1728657653.00007FFDFFAF1000.00000040.00000001.01000000.00000033.sdmp

Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 0_2_00007FF698EE8D00 FindFirstFileExW,FindClose,	0_2_00007FF698EE8D00
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 0_2_00007FF698EF8670 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	0_2_00007FF698EF8670
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 0_2_00007FF698F026C4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00007FF698F026C4
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 0_2_00007FF698EF8670 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	0_2_00007FF698EF8670
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFB0C3229 MultiByteToWideChar,GetLastError,MultiByteToWideChar,MultiByteToWideChar,00007FFE1FF9F020,FindFirstFileW,FindNextFileW,WideCharToMultiByte,	1_2_00007FFDFB0C3229

Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152
Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: api.ipify.org

Source: Colby Dupe Script.exe, 00000001.00000002.1724920395.0000012E3470C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://.../back.jpeg
Source: Colby Dupe Script.exe, 00000001.00000002.1721233798.0000012E33A40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://aka.ms/vcpython27
Source: Colby Dupe Script.exe, 00000001.00000002.1721233798.0000012E33A40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://aka.ms/vcpython27P:
Source: Colby Dupe Script.exe, 00000001.00000003.1715388690.0000012E32D08000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1713541464.0000012E3358A000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1704537151.0000012E3351C000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1705854816.0000012E32D08000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1710461872.0000012E33DC1000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1714437345.0000012E33D5D000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1710314552.0000012E3358A000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1717384939.0000012E33D5F000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1713561629.0000012E33D50000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1707392854.0000012E32D08000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1721842223.0000012E33D5F000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1715667576.0000012E33D5F000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1706027731.0000012E33567000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1706562972.0000012E33DC1000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1720717142.0000012E3358B000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1712670599.0000012E32D08000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1716103204.0000012E335F9000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1720805133.0000012E335FB000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1704775210.0000012E33DC1000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1709463462.0000012E33D5D000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1713483176.0000012E33DC1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://blog.cryptographyengineering.com/2012/05/how-to-choose-authenticated-encryption.html
Source: Colby Dupe Script.exe, 00000001.00000002.1725090024.0000012E34990000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://bugs.python.org/issue23606)
Source: Colby Dupe Script.exe, 00000000.00000003.1621732137.000001CB67E96000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1621732137.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: Colby Dupe Script.exe, 00000000.00000003.1618831863.000001CB67E96000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618216684.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618701164.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618773341.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1621133254.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618701164.000001CB67E96000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1625206313.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618375247.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1622186763.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1621851828.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1619038795.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1622055958.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1622333526.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1625001192.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618452370.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618551428.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618965478.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618610966.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1623846898.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1623846898.000001CB67E96000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618153602.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: Colby Dupe Script.exe, 00000000.00000003.1621732137.000001CB67E96000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1621732137.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: Colby Dupe Script.exe, 00000000.00000003.1618216684.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618701164.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618773341.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1621133254.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1625206313.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618375247.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1622186763.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1621851828.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1619038795.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1622055958.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1622333526.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1625001192.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618452370.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618551428.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618965478.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618610966.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1623846898.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618153602.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618899172.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1619109877.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618831863.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: Colby Dupe Script.exe, 00000000.00000003.1618216684.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618701164.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618773341.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1621133254.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1625206313.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618375247.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1622186763.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1621851828.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1619038795.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1622055958.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1622333526.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1625001192.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618452370.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618551428.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618965478.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618610966.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1623846898.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618153602.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618899172.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1619109877.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618831863.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: Colby Dupe Script.exe, 00000000.00000003.1618831863.000001CB67E96000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618216684.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618701164.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618773341.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1621133254.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618701164.000001CB67E96000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1625206313.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618375247.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1622186763.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1621851828.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1619038795.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1622055958.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1622333526.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1625001192.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618452370.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618551428.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618965478.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618610966.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1623846898.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1623846898.000001CB67E96000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618153602.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Colby Dupe Script.exe, 00000001.00000002.1725090024.0000012E34990000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cffi.readthedocs.io/en/latest/cdef.html#ffi-cdef-limitations
Source: Colby Dupe Script.exe, 00000001.00000003.1707821250.0000012E32BDA000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1710769468.0000012E3327A000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1704537151.0000012E3351C000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1710370689.0000012E32BDC000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1711978527.0000012E32BFD000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1706431007.0000012E3355D000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1707149366.0000012E32BD8000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1720218950.0000012E3327A000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1708190498.0000012E33277000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1705547606.0000012E3351C000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1639918901.0000012E33270000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1709567165.0000012E33279000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1710735753.0000012E32BFA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://code.activestate.com/recipes/577452-a-memoize-decorator-for-instance-methods/
Source: Colby Dupe Script.exe, 00000001.00000002.1718839918.0000012E328E6000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1709621107.0000012E328E3000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1635583610.0000012E32C0C000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1635730524.0000012E328AA000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1707334221.0000012E3288F000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1708322964.0000012E3289C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://code.activestate.com/recipes/577916/
Source: Colby Dupe Script.exe, 00000001.00000003.1708646545.0000012E32CD5000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1705166363.0000012E32CD1000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1709973632.0000012E32CD5000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1715150228.0000012E32CD8000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1706202806.0000012E33F43000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1707654708.0000012E32CD1000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1705307571.0000012E33F40000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1714073811.0000012E32CD5000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1706413891.0000012E33F51000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1708033815.0000012E33D5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.certigna.fr/certignarootca.crl01
Source: Colby Dupe Script.exe, 00000001.00000003.1709621107.0000012E32903000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1708135727.0000012E32901000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1709678067.0000012E334D2000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1712112159.0000012E334D5000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1718948130.0000012E32915000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1705547606.0000012E334A2000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1717086129.0000012E3290E000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1713650293.0000012E32905000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1707334221.0000012E3288F000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1710527502.0000012E32903000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: Colby Dupe Script.exe, 00000001.00000003.1704775210.0000012E33DD1000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1713100519.0000012E33561000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl
Source: Colby Dupe Script.exe, 00000001.00000003.1704537151.0000012E3351C000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1714916470.0000012E33561000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1706431007.0000012E3355D000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1705547606.0000012E3351C000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1713100519.0000012E33561000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crlM
Source: Colby Dupe Script.exe, 00000001.00000003.1708646545.0000012E32CD5000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1705166363.0000012E32CD1000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1709973632.0000012E32CD5000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1715150228.0000012E32CD8000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1706202806.0000012E33F43000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1707654708.0000012E32CD1000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1705307571.0000012E33F40000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1714073811.0000012E32CD5000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1706413891.0000012E33F51000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.dhimyotis.com/certignarootca.crl
Source: Colby Dupe Script.exe, 00000001.00000003.1708033815.0000012E33D5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.dhimyotis.com/certignarootca.crl0
Source: Colby Dupe Script.exe, 00000001.00000003.1706202806.0000012E33F43000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1705307571.0000012E33F40000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1706413891.0000012E33F51000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.dhimyotis.com/certignarootca.crlJ
Source: Colby Dupe Script.exe, 00000001.00000003.1705373771.0000012E33DDA000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1705955374.0000012E33DDD000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1704775210.0000012E33DD1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/SGCA.crl
Source: Colby Dupe Script.exe, 00000001.00000003.1708646545.0000012E32CD5000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1705166363.0000012E32CD1000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1715597750.0000012E32CE0000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1709973632.0000012E32CD5000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1715150228.0000012E32CD8000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1707654708.0000012E32CD1000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1714073811.0000012E32CD5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/SGCA.crl0
Source: Colby Dupe Script.exe, 00000001.00000003.1705373771.0000012E33DDA000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1705955374.0000012E33DDD000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1704775210.0000012E33DD1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/SGCA.crlage.alpha_
Source: Colby Dupe Script.exe, 00000001.00000003.1705373771.0000012E33DDA000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1705955374.0000012E33DDD000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1704775210.0000012E33DD1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl
Source: Colby Dupe Script.exe, 00000001.00000003.1708646545.0000012E32CD5000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1705166363.0000012E32CD1000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1715597750.0000012E32CE0000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1709973632.0000012E32CD5000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1715150228.0000012E32CD8000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1707654708.0000012E32CD1000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1714073811.0000012E32CD5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: Colby Dupe Script.exe, 00000001.00000003.1705373771.0000012E33DDA000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1705955374.0000012E33DDD000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1704775210.0000012E33DD1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crlr
Source: Colby Dupe Script.exe, 00000000.00000003.1621732137.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: Colby Dupe Script.exe, 00000001.00000003.1708135727.0000012E32901000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1719023805.0000012E32937000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1707334221.0000012E3288F000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1708595664.0000012E32936000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl
Source: Colby Dupe Script.exe, 00000001.00000003.1709678067.0000012E334D2000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1712112159.0000012E334D5000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1705547606.0000012E334A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: Colby Dupe Script.exe, 00000000.00000003.1618965478.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/
Source: Colby Dupe Script.exe, 00000000.00000003.1618831863.000001CB67E96000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618216684.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618701164.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618773341.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1621133254.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618701164.000001CB67E96000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1625206313.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618375247.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1622186763.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1621851828.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1619038795.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1622055958.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1622333526.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1625001192.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618452370.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618551428.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618965478.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618610966.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1623846898.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1623846898.000001CB67E96000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618153602.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Colby Dupe Script.exe, 00000000.00000003.1621732137.000001CB67E96000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1621732137.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: Colby Dupe Script.exe, 00000000.00000003.1618216684.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618701164.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618773341.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1621133254.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1625206313.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618375247.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1622186763.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1621851828.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1619038795.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1622055958.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1622333526.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1625001192.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618452370.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618551428.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618965478.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618610966.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1623846898.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618153602.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618899172.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1619109877.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618831863.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: Colby Dupe Script.exe, 00000000.00000003.1618216684.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618701164.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618773341.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1621133254.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1625206313.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618375247.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1622186763.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1621851828.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1619038795.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1622055958.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1622333526.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1625001192.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618452370.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618551428.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618965478.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618610966.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1623846898.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618153602.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618899172.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1619109877.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618831863.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: Colby Dupe Script.exe, 00000000.00000003.1618831863.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1619109877.000001CB67E96000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Colby Dupe Script.exe, 00000000.00000003.1621732137.000001CB67E96000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1621732137.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: Colby Dupe Script.exe, 00000000.00000003.1621732137.000001CB67E96000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1621732137.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Colby Dupe Script.exe, 00000000.00000003.1618216684.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618701164.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618773341.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1621133254.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1625206313.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618375247.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1622186763.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1621851828.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1619038795.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1622055958.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1622333526.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1625001192.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618452370.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618551428.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618965478.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618610966.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1623846898.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618153602.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618899172.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1619109877.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618831863.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: Colby Dupe Script.exe, 00000000.00000003.1621732137.000001CB67E96000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1621732137.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: Colby Dupe Script.exe, 00000001.00000003.1715388690.0000012E32D08000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1705854816.0000012E32D08000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1710461872.0000012E33DC1000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1707392854.0000012E32D08000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1706562972.0000012E33DC1000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1712670599.0000012E32D08000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1704775210.0000012E33DC1000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1713483176.0000012E33DC1000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1714517499.0000012E32D08000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1716307275.0000012E32D08000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1709338552.0000012E33DC1000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1705166363.0000012E32D08000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/eax/eax-spec.pdf
Source: Colby Dupe Script.exe, 00000001.00000003.1714437345.0000012E33D5D000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1717384939.0000012E33D5F000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1713561629.0000012E33D50000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1721842223.0000012E33D5F000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1715667576.0000012E33D5F000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1709463462.0000012E33D5D000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1710945718.0000012E33D3E000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1708033815.0000012E33D5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C.pdf
Source: Colby Dupe Script.exe, 00000001.00000003.1713541464.0000012E3358A000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1704537151.0000012E3351C000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1710314552.0000012E3358A000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1706027731.0000012E33567000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1720717142.0000012E3358B000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1716103204.0000012E335F9000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1720805133.0000012E335FB000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1705547606.0000012E3351C000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1707807420.0000012E3358A000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1715503146.0000012E3358B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf
Source: Colby Dupe Script.exe, 00000001.00000003.1704537151.0000012E3351C000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1713974440.0000012E333A6000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1704457723.0000012E33DE1000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1707732388.0000012E33C8F000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1705955374.0000012E33DF2000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1722022192.0000012E33D9B000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1721154573.0000012E33940000.00000004.00001000.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1712904383.0000012E33E65000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1725090024.0000012E34A08000.00000004.00001000.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1706975802.0000012E3339D000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1720679087.0000012E33542000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1708412488.0000012E33541000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1706757137.0000012E33381000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1713756901.0000012E33C91000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1706447898.0000012E33369000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1722349213.0000012E33E94000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1705547606.0000012E3351C000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1715224998.0000012E33C95000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1724920395.0000012E34640000.00000004.00001000.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1724920395.0000012E3470C000.00000004.00001000.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1704775210.0000012E33D9B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
Source: Colby Dupe Script.exe, 00000001.00000002.1721308720.0000012E33B40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://docs.python.org/3/library/subprocess#subprocess.Popen.kill
Source: Colby Dupe Script.exe, 00000001.00000002.1724701056.0000012E34440000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://docs.python.org/3/library/subprocess#subprocess.Popen.returncode
Source: Colby Dupe Script.exe, 00000001.00000002.1721233798.0000012E33A40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://docs.python.org/3/library/subprocess#subprocess.Popen.terminate
Source: Colby Dupe Script.exe, 00000001.00000003.1639918901.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1706757137.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1704964886.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1706447898.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1708877182.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1719844582.0000012E32D70000.00000004.00001000.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1640772567.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1720921669.0000012E33640000.00000004.00001000.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1641696445.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1709585773.0000012E3341D000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1715762119.0000012E33428000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.python.org/library/itertools.html#recipes
Source: Colby Dupe Script.exe, 00000001.00000003.1704537151.0000012E3351C000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1706027731.0000012E33567000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1710065692.0000012E3358E000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1705547606.0000012E3351C000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1707807420.0000012E3358A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.python.org/library/unittest.html
Source: Colby Dupe Script.exe, 00000001.00000002.1719844582.0000012E32D70000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://github.com/ActiveState/appdirs
Source: Colby Dupe Script.exe, 00000001.00000002.1724839216.0000012E34540000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://goo.gl/zeJZl.
Source: Colby Dupe Script.exe, 00000001.00000002.1720582325.0000012E334A2000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1705547606.0000012E334A2000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1711482730.0000012E334A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://google.com/
Source: Colby Dupe Script.exe, 00000001.00000003.1713541464.0000012E3358A000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1704537151.0000012E3351C000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1710314552.0000012E3358A000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1706027731.0000012E33567000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1720717142.0000012E3358B000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1705547606.0000012E3351C000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1707807420.0000012E3358A000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1715503146.0000012E3358B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://google.com/mail/
Source: Colby Dupe Script.exe, 00000001.00000003.1712590285.0000012E33605000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1711278766.0000012E33603000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1720500434.0000012E3344C000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1704537151.0000012E33449000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535
Source: Colby Dupe Script.exe, 00000001.00000002.1724839216.0000012E34540000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://mail.python.org/pipermail/python-dev/2012-June/120787.html.
Source: Colby Dupe Script.exe, 00000001.00000003.1705333402.0000012E33F21000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.accv.es
Source: Colby Dupe Script.exe, 00000001.00000003.1704457723.0000012E33DE1000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1705955374.0000012E33DF2000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1722189174.0000012E33DFB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.accv.es0
Source: Colby Dupe Script.exe, 00000000.00000003.1618216684.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618701164.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618773341.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1621133254.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1625206313.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618375247.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1622186763.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1621851828.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1619038795.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1622055958.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1622333526.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1625001192.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618452370.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618551428.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618965478.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618610966.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1623846898.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618153602.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618899172.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1619109877.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618831863.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: Colby Dupe Script.exe, 00000000.00000003.1618831863.000001CB67E96000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618216684.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618701164.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618773341.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1621133254.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618701164.000001CB67E96000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1625206313.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618375247.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1622186763.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1621851828.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1619038795.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1622055958.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1622333526.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1625001192.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618452370.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618551428.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618965478.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618610966.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1623846898.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1623846898.000001CB67E96000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618153602.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: Colby Dupe Script.exe, 00000000.00000003.1618831863.000001CB67E96000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618216684.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618701164.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618773341.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1621133254.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618701164.000001CB67E96000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1625206313.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618375247.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1622186763.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1621851828.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1619038795.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1622055958.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1622333526.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1625001192.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618452370.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618551428.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618965478.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618610966.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1623846898.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1623846898.000001CB67E96000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618153602.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: Colby Dupe Script.exe, 00000000.00000003.1621732137.000001CB67E96000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1621732137.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0N
Source: Colby Dupe Script.exe, 00000000.00000003.1618216684.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618701164.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618773341.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1621133254.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1625206313.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618375247.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1622186763.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1621851828.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1619038795.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1622055958.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1622333526.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1625001192.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618452370.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618551428.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618965478.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618610966.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1623846898.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618153602.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618899172.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1619109877.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618831863.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: Colby Dupe Script.exe, 00000000.00000003.1621732137.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.thawte.com0
Source: Colby Dupe Script.exe, 00000001.00000002.1719231230.0000012E32A70000.00000004.00001000.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1718495470.0000012E32030000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://opensource.apple.com/source/CF/CF-744.18/CFBinaryPList.c
Source: Colby Dupe Script.exe, 00000001.00000003.1704775210.0000012E33DD1000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1711019338.0000012E33CF0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/
Source: Colby Dupe Script.exe, 00000001.00000003.1639918901.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1720999127.0000012E33740000.00000004.00001000.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1640772567.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1641696445.0000012E33412000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://stackoverflow.com/questions/19622133/
Source: Colby Dupe Script.exe, 00000001.00000003.1711109310.0000012E334A5000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1706391727.0000012E32C86000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1705547606.0000012E334A2000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1711568354.0000012E32C8B000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1714402222.0000012E32CA3000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1705166363.0000012E32C51000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1720600187.0000012E334A6000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1714239103.0000012E32C9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tools.ietf.org/html/rfc4880
Source: Colby Dupe Script.exe, 00000001.00000002.1725202471.0000012E34ADC000.00000004.00001000.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1725090024.0000012E34990000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://tools.ietf.org/html/rfc5297
Source: Colby Dupe Script.exe, 00000001.00000003.1710461872.0000012E33DC1000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1706562972.0000012E33DC1000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1704775210.0000012E33DC1000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1713483176.0000012E33DC1000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1709338552.0000012E33DC1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tools.ietf.org/html/rfc5869
Source: Colby Dupe Script.exe, 00000001.00000002.1724839216.0000012E34540000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://tools.ietf.org/html/rfc6125#section-6.4.3
Source: Colby Dupe Script.exe, 00000000.00000003.1621732137.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: Colby Dupe Script.exe, 00000000.00000003.1621732137.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: Colby Dupe Script.exe, 00000000.00000003.1621732137.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: Colby Dupe Script.exe, 00000001.00000003.1706391727.0000012E32C86000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1705166363.0000012E32C51000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1708582564.0000012E32CA8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://web.cs.ucdavis.edu/~rogaway/ocb/license.htm
Source: Colby Dupe Script.exe, 00000001.00000003.1705333402.0000012E33F21000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1704457723.0000012E33DE1000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1705955374.0000012E33DF2000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1722189174.0000012E33DFB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0
Source: Colby Dupe Script.exe, 00000001.00000003.1707821250.0000012E32C0E000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1719549383.0000012E32C1E000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1713676718.0000012E32C1E000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1707109456.0000012E32C0C000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1708521339.0000012E32C1A000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1710907105.0000012E32C1C000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1708168779.0000012E32C17000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl
Source: Colby Dupe Script.exe, 00000001.00000003.1707821250.0000012E32C0E000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1719549383.0000012E32C1E000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1713676718.0000012E32C1E000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1707109456.0000012E32C0C000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1708521339.0000012E32C1A000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1710907105.0000012E32C1C000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1708168779.0000012E32C17000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl-
Source: Colby Dupe Script.exe, 00000001.00000003.1704457723.0000012E33DE1000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1705955374.0000012E33DF2000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1722189174.0000012E33DFB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0
Source: Colby Dupe Script.exe, 00000001.00000003.1709463462.0000012E33D5D000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1712784057.0000012E33D60000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1721842223.0000012E33D61000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1708033815.0000012E33D5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/legislacion_c.htm
Source: Colby Dupe Script.exe, 00000001.00000003.1704457723.0000012E33DE1000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1705955374.0000012E33DF2000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1722189174.0000012E33DFB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/legislacion_c.htm0U
Source: Colby Dupe Script.exe, 00000001.00000003.1704457723.0000012E33DE1000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1705955374.0000012E33DF2000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1709463462.0000012E33D5D000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1712784057.0000012E33D60000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1722189174.0000012E33DFB000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1721842223.0000012E33D61000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1708033815.0000012E33D5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es00
Source: Colby Dupe Script.exe, 00000001.00000002.1719844582.0000012E32D70000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.apple.com/DTDs/PropertyList-1.0.dtd
Source: Colby Dupe Script.exe, 00000001.00000003.1710769468.0000012E3327A000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1706202806.0000012E33F43000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1713861342.0000012E33287000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1705307571.0000012E33F40000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1708190498.0000012E33277000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1709567165.0000012E33279000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cert.fnmt.es/dpcs/
Source: Colby Dupe Script.exe, 00000001.00000003.1634970702.0000012E32BAD000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1634970702.0000012E32BBD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cl.cam.ac.uk/~mgk25/iso-time.html
Source: Colby Dupe Script.exe, 00000001.00000003.1712822913.0000012E33D58000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1715667576.0000012E33D59000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1710945718.0000012E33D3E000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1713561629.0000012E33D59000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cs.ucdavis.edu/~rogaway/papers/keywrap.pdf
Source: Colby Dupe Script.exe, 00000001.00000002.1725090024.0000012E34A08000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.dabeaz.com/ply)
Source: Colby Dupe Script.exe, 00000000.00000003.1618216684.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618701164.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618773341.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1621133254.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1625206313.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618375247.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1622186763.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1621851828.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1619038795.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1622055958.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1622333526.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1625001192.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618452370.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618551428.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618965478.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618610966.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1623846898.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618153602.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618899172.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1619109877.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1618831863.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: Colby Dupe Script.exe, 00000001.00000003.1717044109.0000012E33C77000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1724346425.0000012E33F4B000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1706202806.0000012E33F43000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1705307571.0000012E33F40000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1721482981.0000012E33C7D000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1707732388.0000012E33C52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.firmaprofesional.com/cps0
Source: Colby Dupe Script.exe, 00000001.00000003.1712590285.0000012E33605000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1711278766.0000012E33603000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6
Source: Colby Dupe Script.exe, 00000001.00000003.1634970702.0000012E32BBD000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1634970702.0000012E32B9A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iana.org/time-zones/repository/tz-link.html
Source: Colby Dupe Script.exe, 00000001.00000003.1634970702.0000012E32BAD000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1634970702.0000012E32BBD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.phys.uu.nl/~vgent/calendar/isocalendar.htm
Source: Colby Dupe Script.exe, 00000001.00000003.1705547606.0000012E3345C000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1704537151.0000012E33449000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1716123016.0000012E3347E000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1720563875.0000012E33480000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps
Source: Colby Dupe Script.exe, 00000001.00000003.1704964886.0000012E33312000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: Colby Dupe Script.exe, 00000001.00000003.1706391727.0000012E32C86000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1711568354.0000012E32C8B000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1714402222.0000012E32CA3000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1705166363.0000012E32C51000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1714239103.0000012E32C9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.rfc-editor.org/info/rfc7253
Source: Colby Dupe Script.exe, 00000001.00000003.1704457723.0000012E33DE1000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1705955374.0000012E33DF2000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1713719290.0000012E33DFD000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1722228943.0000012E33E00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.tarsnap.com/scrypt/scrypt-slides.pdf
Source: Colby Dupe Script.exe, 00000001.00000003.1709463462.0000012E33D5D000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1645179843.0000012E33D5F000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1712784057.0000012E33D60000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1721842223.0000012E33D61000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1708033815.0000012E33D5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://wwwsearch.sf.net/):
Source: Colby Dupe Script.exe, 00000001.00000002.1724839216.0000012E34540000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: Colby Dupe Script.exe, 00000001.00000002.1725469599.0000012E34DBC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: Colby Dupe Script.exe, 00000001.00000003.1711175421.0000012E33430000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1706757137.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1715762119.0000012E33431000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1704964886.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1706447898.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1708877182.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1709585773.0000012E3341D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.orgr
Source: Colby Dupe Script.exe, 00000000.00000003.1624359795.000001CB67E8C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://blog.jaraco.com/skeleton
Source: Colby Dupe Script.exe, 00000001.00000002.1720999127.0000012E33740000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bugs.python.org/issue44497.
Source: Colby Dupe Script.exe, 00000001.00000003.1711175421.0000012E33430000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1706757137.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1715762119.0000012E33431000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1704964886.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1706447898.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1708877182.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1724839216.0000012E34540000.00000004.00001000.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1709585773.0000012E3341D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/avatars/
Source: Colby Dupe Script.exe, 00000001.00000003.1711175421.0000012E33430000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1706757137.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1715762119.0000012E33431000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1704964886.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1706447898.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1708877182.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1724701056.0000012E34440000.00000004.00001000.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1709585773.0000012E3341D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/icons/958782767255158876/a_0949440b832bda90a3b95dc43feb9fb7.gif?size=4096
Source: Colby Dupe Script.exe, Colby Dupe Script.exe, 00000001.00000002.1728863300.00007FFDFFB21000.00000040.00000001.01000000.0000001F.sdmp	String found in binary or memory: https://cffi.readthedocs.io/en/latest/using.html#callbacks
Source: Colby Dupe Script.exe, 00000000.00000003.1624359795.000001CB67E8C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://codecov.io/gh/pypa/setuptools
Source: Colby Dupe Script.exe, 00000000.00000003.1620256650.000001CB67E8C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cryptography.io
Source: Colby Dupe Script.exe, 00000000.00000003.1620256650.000001CB67E8C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cryptography.io/
Source: Colby Dupe Script.exe, 00000000.00000003.1620256650.000001CB67E8C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cryptography.io/en/latest/changelog/
Source: Colby Dupe Script.exe, 00000000.00000003.1620256650.000001CB67E8C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cryptography.io/en/latest/installation/
Source: Colby Dupe Script.exe, 00000000.00000003.1620256650.000001CB67E8C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cryptography.io/en/latest/security/
Source: Colby Dupe Script.exe, 00000001.00000003.1711175421.0000012E33430000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1706757137.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1715762119.0000012E33431000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1704964886.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1706447898.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1708877182.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1724839216.0000012E34540000.00000004.00001000.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1709585773.0000012E3341D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v6/users/
Source: Colby Dupe Script.exe, 00000001.00000003.1711175421.0000012E33430000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1706757137.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1715762119.0000012E33431000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1704964886.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1706447898.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1708877182.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1724839216.0000012E34540000.00000004.00001000.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1709585773.0000012E3341D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v9/users/
Source: Colby Dupe Script.exe, 00000001.00000003.1711175421.0000012E33430000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1706757137.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1715762119.0000012E33431000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1704964886.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1706447898.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1708877182.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1724839216.0000012E34540000.00000004.00001000.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1709585773.0000012E3341D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/webhooks/1239953787624488971/a3wwJZwTIyBieIMg9itK_L1J2NSxqLbai8Ke1Wb5FQJB3lE
Source: Colby Dupe Script.exe, 00000000.00000003.1624359795.000001CB67E8C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/channels/803025117553754132/815945031150993468
Source: Colby Dupe Script.exe, 00000001.00000003.1640870485.0000012E33298000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1708292032.0000012E332A0000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1709000193.0000012E332A1000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1641308670.0000012E334A2000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1707879900.0000012E33298000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1710102914.0000012E33261000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1638249488.0000012E33298000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1711682471.0000012E332A1000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1712573489.0000012E332A1000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1709273413.0000012E33259000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1641308670.0000012E334B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/pprint.html
Source: Colby Dupe Script.exe, 00000001.00000003.1640870485.0000012E33298000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1708292032.0000012E332A0000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1709000193.0000012E332A1000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1641308670.0000012E334A2000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1707879900.0000012E33298000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1710102914.0000012E33261000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1638249488.0000012E33298000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1711682471.0000012E332A1000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1712573489.0000012E332A1000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1709273413.0000012E33259000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1641308670.0000012E334B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/pprint.html#pprint.pprint
Source: Colby Dupe Script.exe, 00000001.00000003.1637239907.0000012E332E6000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1710573638.0000012E332AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/re.html
Source: Colby Dupe Script.exe, 00000001.00000003.1709678067.0000012E334D2000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1712112159.0000012E334DB000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1641308670.0000012E334BE000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1720999127.0000012E33740000.00000004.00001000.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1637239907.0000012E3328F000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1705547606.0000012E334A2000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1719095820.0000012E32970000.00000004.00001000.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1709738285.0000012E334D9000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1720635274.0000012E334DB000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1714367312.0000012E334DB000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1637239907.0000012E332E6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/re.html#re.sub
Source: Colby Dupe Script.exe, 00000001.00000002.1721308720.0000012E33B40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://foss.heptapod.net/pypy/pypy/-/issues/3539
Source: Colby Dupe Script.exe, 00000001.00000002.1720999127.0000012E33740000.00000004.00001000.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1637097532.0000012E32D18000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1719844582.0000012E32D70000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://gist.github.com/lyssdod/f51579ae8d93c8657a5564aefc2ffbca
Source: Colby Dupe Script.exe, 00000001.00000003.1709463462.0000012E33D5D000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1645179843.0000012E33D5F000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1712784057.0000012E33D60000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1715266041.0000012E33D64000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1721842223.0000012E33D68000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1721842223.0000012E33D61000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1708033815.0000012E33D5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Ousret/charset_normalizer
Source: Colby Dupe Script.exe, 00000001.00000003.1708208043.0000012E30740000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1708120917.0000012E3077D000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1707273712.0000012E30702000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1717717838.0000012E30742000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1718438971.0000012E30780000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1707213340.0000012E30700000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1718375557.0000012E30747000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1707999724.0000012E30716000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
Source: Colby Dupe Script.exe, 00000001.00000002.1724839216.0000012E34540000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/giampaolo/psutil/issues/875.
Source: Colby Dupe Script.exe, 00000001.00000002.1720999127.0000012E33740000.00000004.00001000.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1719844582.0000012E32D70000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/jaraco/jaraco.functools/issues/5
Source: Colby Dupe Script.exe, 00000000.00000003.1617846084.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1623719184.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1627509103.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1623549039.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1627641693.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1627000502.000001CB67E96000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1627392909.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1627751375.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1627641693.000001CB67E96000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1627000502.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1730730722.00007FFE0EB69000.00000004.00000001.01000000.0000000F.sdmp, Colby Dupe Script.exe, 00000001.00000002.1729584611.00007FFE00565000.00000004.00000001.01000000.00000011.sdmp, Colby Dupe Script.exe, 00000001.00000002.1728794504.00007FFDFFB16000.00000004.00000001.01000000.00000033.sdmp, Colby Dupe Script.exe, 00000001.00000002.1730367196.00007FFE0E18A000.00000004.00000001.01000000.00000012.sdmp	String found in binary or memory: https://github.com/mhammond/pywin32
Source: Colby Dupe Script.exe, 00000000.00000003.1624359795.000001CB67E8C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/psf/black
Source: Colby Dupe Script.exe, 00000000.00000003.1620256650.000001CB67E8C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pyca/cryptography
Source: Colby Dupe Script.exe, 00000000.00000003.1620256650.000001CB67E8C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pyca/cryptography/
Source: Colby Dupe Script.exe, 00000000.00000003.1620256650.000001CB67E8C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pyca/cryptography/actions?query=workflow%3ACI
Source: Colby Dupe Script.exe, 00000000.00000003.1620256650.000001CB67E8C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pyca/cryptography/issues
Source: Colby Dupe Script.exe, 00000000.00000003.1620256650.000001CB67E8C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pyca/cryptography/workflows/CI/badge.svg?branch=main
Source: Colby Dupe Script.exe, 00000000.00000003.1624359795.000001CB67E8C000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1626504632.000001CB67E8C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pypa/.github/blob/main/CODE_OF_CONDUCT.md
Source: Colby Dupe Script.exe, 00000001.00000002.1720999127.0000012E33740000.00000004.00001000.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1719919808.0000012E32E70000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pypa/packaging
Source: Colby Dupe Script.exe, 00000001.00000002.1719919808.0000012E32E70000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pypa/packagingn_py
Source: Colby Dupe Script.exe, 00000000.00000003.1624359795.000001CB67E8C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pypa/setuptools
Source: Colby Dupe Script.exe, 00000000.00000003.1624359795.000001CB67E8C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pypa/setuptools/actions?query=workflow%3A%22tests%22
Source: Colby Dupe Script.exe, 00000000.00000003.1624359795.000001CB67E8C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pypa/setuptools/discussions
Source: Colby Dupe Script.exe, 00000000.00000003.1624359795.000001CB67E8C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pypa/setuptools/issues
Source: Colby Dupe Script.exe, 00000001.00000002.1720999127.0000012E33740000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pypa/setuptools/issues/1024.
Source: Colby Dupe Script.exe, 00000001.00000002.1719996242.0000012E32F70000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pypa/setuptools/issues/417#issuecomment-392298401
Source: Colby Dupe Script.exe, 00000000.00000003.1624359795.000001CB67E8C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pypa/setuptools/workflows/tests/badge.svg
Source: Colby Dupe Script.exe, 00000000.00000003.1626504632.000001CB67E8C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pypa/wheel
Source: Colby Dupe Script.exe, 00000000.00000003.1626504632.000001CB67E8C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pypa/wheel/issues
Source: Colby Dupe Script.exe, 00000001.00000003.1705166363.0000012E32D4D000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1711682471.0000012E332A1000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1716672726.0000012E332A3000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1712573489.0000012E332A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pyparsing/pyparsing/wiki
Source: Colby Dupe Script.exe, 00000001.00000002.1725202471.0000012E34AE0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python-pillow/Pillow/
Source: Colby Dupe Script.exe, 00000001.00000002.1718495470.0000012E32030000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
Source: Colby Dupe Script.exe, 00000001.00000003.1707999724.0000012E30716000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1713879089.0000012E30728000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
Source: Colby Dupe Script.exe, 00000001.00000003.1708208043.0000012E30740000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1708120917.0000012E3077D000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1707273712.0000012E30702000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1717717838.0000012E30742000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1718438971.0000012E30780000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1707213340.0000012E30700000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1718375557.0000012E30747000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1707999724.0000012E30716000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
Source: Colby Dupe Script.exe, 00000001.00000003.1708961652.0000012E3351C000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1704537151.0000012E3351C000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1710011768.0000012E33520000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1711245076.0000012E32CA9000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1706391727.0000012E32C86000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1714239103.0000012E32CA9000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1705547606.0000012E3351C000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1712858183.0000012E33520000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1705166363.0000012E32C51000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1708582564.0000012E32CA8000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1709547064.0000012E3351D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/requests/toolbelt/issues/75
Source: Colby Dupe Script.exe, 00000001.00000003.1708646545.0000012E32CD5000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1705166363.0000012E32CD1000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1715597750.0000012E32CE0000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1709973632.0000012E32CD5000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1715150228.0000012E32CD8000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1707654708.0000012E32CD1000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1714073811.0000012E32CD5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/requests/toolbelt/issues/80
Source: Colby Dupe Script.exe, 00000001.00000003.1708208043.0000012E30740000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1708120917.0000012E3077D000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1707273712.0000012E30702000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1717717838.0000012E30742000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1718438971.0000012E30780000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1707213340.0000012E30700000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1718375557.0000012E30747000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1707999724.0000012E30716000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
Source: Colby Dupe Script.exe, 00000001.00000002.1721308720.0000012E33B40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963
Source: Colby Dupe Script.exe, 00000001.00000003.1704537151.0000012E33449000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1710496541.0000012E33457000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1720519861.0000012E33457000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1705675254.0000012E33456000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1645179843.0000012E33D51000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.
Source: Colby Dupe Script.exe, 00000001.00000002.1724920395.0000012E34640000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2920
Source: Colby Dupe Script.exe, 00000001.00000002.1724920395.0000012E34640000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2920f4.
Source: Colby Dupe Script.exe, 00000001.00000003.1708033815.0000012E33D5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/
Source: Colby Dupe Script.exe, 00000001.00000003.1704537151.0000012E33449000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1709463462.0000012E33D5D000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1645179843.0000012E33D5F000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1712784057.0000012E33D60000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1710496541.0000012E33452000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1708033815.0000012E33D5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/mail
Source: Colby Dupe Script.exe, 00000001.00000003.1709567165.0000012E33279000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/mail/
Source: Colby Dupe Script.exe, 00000001.00000003.1704939527.0000012E3294C000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1715131813.0000012E32953000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1715742573.0000012E32955000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://html.spec.whatwg.org/multipage/
Source: Colby Dupe Script.exe, 00000001.00000003.1708033815.0000012E33D5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/
Source: Colby Dupe Script.exe, 00000001.00000003.1706562972.0000012E33DB2000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1708033815.0000012E33D5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/get
Source: Colby Dupe Script.exe, 00000001.00000003.1706562972.0000012E33DC1000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1711245076.0000012E32CA9000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1704775210.0000012E33DC1000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1706391727.0000012E32C86000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1714239103.0000012E32CA9000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1709338552.0000012E33DC1000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1705166363.0000012E32C51000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1708582564.0000012E32CA8000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1710336220.0000012E33DC6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/image/png
Source: Colby Dupe Script.exe, 00000001.00000003.1709547064.0000012E3351D000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1711886460.0000012E33F0B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/post
Source: Colby Dupe Script.exe, 00000000.00000003.1624359795.000001CB67E8C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img.shields.io/badge/code%20style-black-000000.svg
Source: Colby Dupe Script.exe, 00000000.00000003.1624359795.000001CB67E8C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img.shields.io/badge/skeleton-2022-informational
Source: Colby Dupe Script.exe, 00000000.00000003.1624359795.000001CB67E8C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img.shields.io/codecov/c/github/pypa/setuptools/master.svg?logo=codecov&logoColor=white
Source: Colby Dupe Script.exe, 00000000.00000003.1624359795.000001CB67E8C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img.shields.io/discord/803025117553754132
Source: Colby Dupe Script.exe, 00000000.00000003.1624359795.000001CB67E8C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img.shields.io/pypi/pyversions/setuptools.svg
Source: Colby Dupe Script.exe, 00000000.00000003.1620256650.000001CB67E8C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img.shields.io/pypi/v/cryptography.svg
Source: Colby Dupe Script.exe, 00000000.00000003.1624359795.000001CB67E8C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img.shields.io/pypi/v/setuptools.svg
Source: Colby Dupe Script.exe, 00000000.00000003.1624359795.000001CB67E8C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img.shields.io/readthedocs/setuptools/latest.svg
Source: Colby Dupe Script.exe, 00000001.00000002.1720735340.0000012E335A9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://json.org
Source: Colby Dupe Script.exe, 00000001.00000002.1725090024.0000012E34990000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://lukasa.co.uk/2013/01/Choosing_SSL_Version_In_Requests/
Source: Colby Dupe Script.exe, 00000001.00000003.1645179843.0000012E33D92000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1706628105.0000012E33DB6000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1722022192.0000012E33D9B000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1645285448.0000012E33D93000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1704775210.0000012E33D9B000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1706562972.0000012E33DB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mahler:8092/site-updates.py
Source: Colby Dupe Script.exe, 00000000.00000003.1620256650.000001CB67E8C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mail.python.org/mailman/listinfo/cryptography-dev
Source: Colby Dupe Script.exe, 00000001.00000003.1705854816.0000012E32D08000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1707392854.0000012E32D08000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1712670599.0000012E32D08000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1713818381.0000012E32D2A000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1705166363.0000012E32D08000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-108r1.pdf
Source: Colby Dupe Script.exe, 00000001.00000003.1709820076.0000012E3354D000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1704537151.0000012E3351C000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1641308670.0000012E3351C000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1641764648.0000012E33599000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1705547606.0000012E3351C000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1710413986.0000012E3354D000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1713632426.0000012E3354D000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1708090019.0000012E33547000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1714916470.0000012E3354D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/en/latest/specifications/declaring-project-metadata/
Source: Colby Dupe Script.exe, 00000000.00000003.1624359795.000001CB67E8C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/installing/
Source: Colby Dupe Script.exe, 00000001.00000002.1720107189.0000012E33140000.00000004.00001000.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1719996242.0000012E32F70000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/specifications/entry-points/
Source: Colby Dupe Script.exe, 00000000.00000003.1620256650.000001CB67E8C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pypi.org/project/cryptography/
Source: Colby Dupe Script.exe, 00000000.00000003.1624359795.000001CB67E8C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pypi.org/project/setuptools
Source: Colby Dupe Script.exe, 00000000.00000003.1626504632.000001CB67E8C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pypi.org/project/setuptools/
Source: Colby Dupe Script.exe, 00000001.00000002.1727473962.00007FFDFB784000.00000040.00000001.01000000.00000004.sdmp	String found in binary or memory: https://python.org/dev/peps/pep-0263/
Source: Colby Dupe Script.exe, 00000001.00000002.1724839216.0000012E34540000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/Smug246/luna-injection/main/obfuscated-injection.js
Source: Colby Dupe Script.exe, 00000001.00000003.1711175421.0000012E33430000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1706757137.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1715762119.0000012E33431000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1704964886.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1706447898.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1708877182.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1709585773.0000012E3341D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/Smug246/luna-injection/main/obfuscated-injection.jsr
Source: Colby Dupe Script.exe, 00000000.00000003.1624359795.000001CB67E8C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/pypa/setuptools/main/docs/images/banner-640x320.svg
Source: Colby Dupe Script.exe, 00000000.00000003.1620256650.000001CB67E8C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://readthedocs.org/projects/cryptography/badge/?version=latest
Source: Colby Dupe Script.exe, 00000001.00000002.1720999127.0000012E33740000.00000004.00001000.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1637097532.0000012E32D18000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1719844582.0000012E32D70000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://refspecs.linuxfoundation.org/elf/gabi4
Source: Colby Dupe Script.exe, 00000001.00000003.1710681710.0000012E3326C000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1708398470.0000012E33268000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1720201355.0000012E33274000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1714347673.0000012E3326C000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1708445499.0000012E3326B000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1714792578.0000012E33274000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://requests.readthedocs.io
Source: Colby Dupe Script.exe, 00000000.00000003.1624359795.000001CB67E8C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://setuptools.pypa.io
Source: Colby Dupe Script.exe, 00000000.00000003.1624359795.000001CB67E8C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://setuptools.pypa.io/
Source: Colby Dupe Script.exe, 00000001.00000003.1634706275.0000012E32B95000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1718118220.0000012E306A0000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1634746635.0000012E32BEC000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1634639177.0000012E32BEC000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1634746635.0000012E32B9C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://setuptools.pypa.io/en/latest/pkg_resources.html#basic-resource-access
Source: Colby Dupe Script.exe, 00000001.00000002.1721076607.0000012E33840000.00000004.00001000.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1639918901.0000012E33286000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://setuptools.pypa.io/en/latest/userguide/declarative_config.html#opt-2
Source: Colby Dupe Script.exe, 00000000.00000003.1624359795.000001CB67E8C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://setuptools.pypa.io/en/stable/history.html
Source: Colby Dupe Script.exe, 00000001.00000003.1711109310.0000012E334A5000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1708398470.0000012E33268000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1710681710.0000012E33269000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1640870485.0000012E33298000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1708292032.0000012E332A0000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1709000193.0000012E332A1000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1641308670.0000012E334A2000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1707879900.0000012E33298000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1637239907.0000012E3328F000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1705547606.0000012E334A2000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1638249488.0000012E33298000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1637239907.0000012E332E6000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1710573638.0000012E332AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/questions/267399/how-do-you-match-only-valid-roman-numerals-with-a-regular
Source: Colby Dupe Script.exe, 00000001.00000002.1724839216.0000012E34540000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/questions/4457745#4457745.
Source: Colby Dupe Script.exe, 00000000.00000003.1624359795.000001CB67E8C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tidelift.com/badges/github/pypa/setuptools?style=flat
Source: Colby Dupe Script.exe, 00000000.00000003.1624359795.000001CB67E8C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tidelift.com/security
Source: Colby Dupe Script.exe, 00000000.00000003.1624359795.000001CB67E8C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tidelift.com/subscription/pkg/pypi-setuptools?utm_source=pypi-setuptools&utm_medium=readme
Source: Colby Dupe Script.exe, 00000000.00000003.1624359795.000001CB67E8C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tidelift.com/subscription/pkg/pypi-setuptools?utm_source=pypi-setuptools&utm_medium=referral
Source: Colby Dupe Script.exe, 00000001.00000002.1725202471.0000012E34ADC000.00000004.00001000.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1725090024.0000012E34990000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://toolbelt.readthedocs.io/
Source: Colby Dupe Script.exe, 00000001.00000003.1706992150.0000012E32C51000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1711592723.0000012E32C55000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1707682903.0000012E32C51000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1705166363.0000012E32C51000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc2388#section-4.4
Source: Colby Dupe Script.exe, 00000001.00000003.1714437345.0000012E33D5D000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1717384939.0000012E33D5F000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1713561629.0000012E33D50000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1721842223.0000012E33D5F000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1715667576.0000012E33D5F000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1709463462.0000012E33D5D000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1710945718.0000012E33D3E000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1708033815.0000012E33D5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc3610
Source: Colby Dupe Script.exe, 00000001.00000003.1712822913.0000012E33D58000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1715667576.0000012E33D59000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1710945718.0000012E33D3E000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1713561629.0000012E33D59000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc5297
Source: Colby Dupe Script.exe, 00000001.00000003.1710655680.0000012E328A6000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1709463462.0000012E33D5D000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1645179843.0000012E33D5F000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1712296481.0000012E328DA000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1712784057.0000012E33D60000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1707334221.0000012E3288F000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1708322964.0000012E3289C000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1708033815.0000012E33D5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://twitter.com/
Source: Colby Dupe Script.exe, 00000001.00000002.1720999127.0000012E33740000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://upload.pypi.org/legacy/
Source: Colby Dupe Script.exe, 00000001.00000002.1720999127.0000012E33740000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://upload.pypi.org/legacy/P5
Source: Colby Dupe Script.exe, 00000001.00000002.1724920395.0000012E3470C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy
Source: Colby Dupe Script.exe, 00000001.00000002.1724839216.0000012E34540000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings
Source: Colby Dupe Script.exe, 00000000.00000003.1626504632.000001CB67E8C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wheel.readthedocs.io/
Source: Colby Dupe Script.exe, 00000000.00000003.1626504632.000001CB67E8C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wheel.readthedocs.io/en/stable/news.html
Source: Colby Dupe Script.exe, 00000001.00000003.1708208043.0000012E30740000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1707273712.0000012E30702000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1709517694.0000012E30776000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1707213340.0000012E30700000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1707999724.0000012E30716000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wiki.debian.org/XDGBaseDirectorySpecification#state
Source: Colby Dupe Script.exe, 00000000.00000003.1620113540.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.apache.org/licenses/
Source: Colby Dupe Script.exe, 00000000.00000003.1620113540.000001CB67E97000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1620172956.000001CB67E97000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1620113540.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.apache.org/licenses/LICENSE-2.0
Source: Colby Dupe Script.exe, 00000000.00000003.1621732137.000001CB67E96000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1621732137.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: Colby Dupe Script.exe, 00000001.00000003.1707187855.0000012E32BB8000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1719425544.0000012E32BC7000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1709445925.0000012E32BB9000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1710836555.0000012E32BC5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ietf.org/rfc/rfc2898.txt
Source: Colby Dupe Script.exe, 00000000.00000003.1621851828.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1728579219.00007FFDFF303000.00000004.00000001.01000000.00000015.sdmp, Colby Dupe Script.exe, 00000001.00000002.1727429814.00007FFDFB414000.00000004.00000001.01000000.00000014.sdmp	String found in binary or memory: https://www.openssl.org/H
Source: Colby Dupe Script.exe, 00000001.00000003.1710681710.0000012E3326C000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1708398470.0000012E33268000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1720201355.0000012E33274000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1714347673.0000012E3326C000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1708445499.0000012E3326B000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1714792578.0000012E33274000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org
Source: Colby Dupe Script.exe, 00000001.00000003.1645179843.0000012E33D92000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1706628105.0000012E33DB6000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1722022192.0000012E33D9B000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1645285448.0000012E33D93000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1704775210.0000012E33D9B000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1706562972.0000012E33DB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org/
Source: Colby Dupe Script.exe, 00000000.00000003.1619232060.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1719844582.0000012E32D70000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org/dev/peps/pep-0205/
Source: Colby Dupe Script.exe, 00000000.00000003.1626504632.000001CB67E8C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org/dev/peps/pep-0427/
Source: Colby Dupe Script.exe, 00000001.00000002.1718495470.0000012E32030000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org/download/releases/2.3/mro/.
Source: Colby Dupe Script.exe, 00000001.00000002.1724839216.0000012E34540000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.roblox.com/mobileapi/userinfo
Source: Colby Dupe Script.exe, 00000001.00000003.1711175421.0000012E33430000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1706757137.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1715762119.0000012E33431000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1704964886.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1706447898.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1708877182.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1709585773.0000012E3341D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.roblox.com/mobileapi/userinfor=
Source: Colby Dupe Script.exe, 00000001.00000003.1706202806.0000012E33F43000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1705307571.0000012E33F40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wwww.certigna.fr/autorites/
Source: Colby Dupe Script.exe, 00000001.00000003.1708646545.0000012E32CD5000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1705166363.0000012E32CD1000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1709973632.0000012E32CD5000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1715150228.0000012E32CD8000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1707654708.0000012E32CD1000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1714073811.0000012E32CD5000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1708033815.0000012E33D5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wwww.certigna.fr/autorites/0m
Source: Colby Dupe Script.exe, 00000001.00000003.1704537151.0000012E33449000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1709463462.0000012E33D5D000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1645179843.0000012E33D5F000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1712784057.0000012E33D60000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1710496541.0000012E33452000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1708033815.0000012E33D5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://yahoo.com/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443

Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 0_2_00007FF698F07A9C	0_2_00007FF698F07A9C
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 0_2_00007FF698EE7B60	0_2_00007FF698EE7B60
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 0_2_00007FF698F06B50	0_2_00007FF698F06B50
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 0_2_00007FF698F01720	0_2_00007FF698F01720
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 0_2_00007FF698EF8670	0_2_00007FF698EF8670
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 0_2_00007FF698EE1000	0_2_00007FF698EE1000
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 0_2_00007FF698EFF320	0_2_00007FF698EFF320
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 0_2_00007FF698EF42D4	0_2_00007FF698EF42D4
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 0_2_00007FF698EE92D0	0_2_00007FF698EE92D0
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 0_2_00007FF698EF2A94	0_2_00007FF698EF2A94
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 0_2_00007FF698F01720	0_2_00007FF698F01720
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 0_2_00007FF698EF2274	0_2_00007FF698EF2274
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 0_2_00007FF698F04A60	0_2_00007FF698F04A60
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 0_2_00007FF698EF84BC	0_2_00007FF698EF84BC
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 0_2_00007FF698EFECA0	0_2_00007FF698EFECA0
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 0_2_00007FF698EF2480	0_2_00007FF698EF2480
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 0_2_00007FF698EFAC50	0_2_00007FF698EFAC50
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 0_2_00007FF698F06DCC	0_2_00007FF698F06DCC
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 0_2_00007FF698EE9D9B	0_2_00007FF698EE9D9B
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 0_2_00007FF698F07550	0_2_00007FF698F07550
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 0_2_00007FF698EF3540	0_2_00007FF698EF3540
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 0_2_00007FF698F04EFC	0_2_00007FF698F04EFC
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 0_2_00007FF698EF8EF4	0_2_00007FF698EF8EF4
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 0_2_00007FF698EF3ED0	0_2_00007FF698EF3ED0
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 0_2_00007FF698F026C4	0_2_00007FF698F026C4
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 0_2_00007FF698EF2684	0_2_00007FF698EF2684
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 0_2_00007FF698EFE80C	0_2_00007FF698EFE80C
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 0_2_00007FF698EF8670	0_2_00007FF698EF8670
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 0_2_00007FF698EEA76D	0_2_00007FF698EEA76D
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 0_2_00007FF698EF6750	0_2_00007FF698EF6750
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 0_2_00007FF698EE9F3B	0_2_00007FF698EE9F3B
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 0_2_00007FF698F0A7D8	0_2_00007FF698F0A7D8
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 0_2_00007FF698EF2890	0_2_00007FF698EF2890
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 0_2_00007FF698EF2070	0_2_00007FF698EF2070
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFAE12340	1_2_00007FFDFAE12340
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFAE21880	1_2_00007FFDFAE21880
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFAFFBBA0	1_2_00007FFDFAFFBBA0
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFAFDEC40	1_2_00007FFDFAFDEC40
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFAF48AB0	1_2_00007FFDFAF48AB0
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFAFE3AF0	1_2_00007FFDFAFE3AF0
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFAFE2B30	1_2_00007FFDFAFE2B30
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFAFE7970	1_2_00007FFDFAFE7970
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFAF9B980	1_2_00007FFDFAF9B980
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFAFDF990	1_2_00007FFDFAFDF990
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFAF469A2	1_2_00007FFDFAF469A2
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFAFA6A00	1_2_00007FFDFAFA6A00
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFAF43A50	1_2_00007FFDFAF43A50
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFAFC4870	1_2_00007FFDFAFC4870
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFAF86880	1_2_00007FFDFAF86880
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFAFC58B0	1_2_00007FFDFAFC58B0
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFAF6B910	1_2_00007FFDFAF6B910
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFAFEEF60	1_2_00007FFDFAFEEF60
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFAFCB000	1_2_00007FFDFAFCB000
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFAF5B010	1_2_00007FFDFAF5B010
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFAFE6030	1_2_00007FFDFAFE6030
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFAF4E040	1_2_00007FFDFAF4E040
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFAF81E60	1_2_00007FFDFAF81E60
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFAF9FEA0	1_2_00007FFDFAF9FEA0
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFAF8BEC0	1_2_00007FFDFAF8BEC0
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFAF43F10	1_2_00007FFDFAF43F10
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFAF5FF20	1_2_00007FFDFAF5FF20
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFAF54F20	1_2_00007FFDFAF54F20
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFAFABD60	1_2_00007FFDFAFABD60
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFAF9DD60	1_2_00007FFDFAF9DD60
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFAFB6D70	1_2_00007FFDFAFB6D70
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFAFEFD70	1_2_00007FFDFAFEFD70
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFAFB7D80	1_2_00007FFDFAFB7D80
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFAFDDE30	1_2_00007FFDFAFDDE30
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFAFAEE50	1_2_00007FFDFAFAEE50
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFAF96C70	1_2_00007FFDFAF96C70
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFAFECC70	1_2_00007FFDFAFECC70
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFAF51CB0	1_2_00007FFDFAF51CB0
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFAF8CCF0	1_2_00007FFDFAF8CCF0
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFAFBED10	1_2_00007FFDFAFBED10
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFAFDFD10	1_2_00007FFDFAFDFD10
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFAF87D40	1_2_00007FFDFAF87D40
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFAF4F400	1_2_00007FFDFAF4F400
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFAFE9440	1_2_00007FFDFAFE9440
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFAF84270	1_2_00007FFDFAF84270
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFAF62280	1_2_00007FFDFAF62280
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFAF58290	1_2_00007FFDFAF58290
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFAF972C0	1_2_00007FFDFAF972C0
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFAF8B300	1_2_00007FFDFAF8B300
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFAFF1340	1_2_00007FFDFAFF1340
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFAF981A0	1_2_00007FFDFAF981A0
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFAF46060	1_2_00007FFDFAF46060
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFAF4A060	1_2_00007FFDFAF4A060
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFAFC4060	1_2_00007FFDFAFC4060
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFAFD1070	1_2_00007FFDFAFD1070
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFAF670B0	1_2_00007FFDFAF670B0
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFAF6B150	1_2_00007FFDFAF6B150
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFAF6A770	1_2_00007FFDFAF6A770
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFAF5A7B0	1_2_00007FFDFAF5A7B0
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFAF65800	1_2_00007FFDFAF65800
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFAF64810	1_2_00007FFDFAF64810
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFAFEA850	1_2_00007FFDFAFEA850
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFAFC7660	1_2_00007FFDFAFC7660
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFAF6C690	1_2_00007FFDFAF6C690
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFAF5B6B0	1_2_00007FFDFAF5B6B0
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFAF8C6E0	1_2_00007FFDFAF8C6E0
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFAF6E710	1_2_00007FFDFAF6E710
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFAF56740	1_2_00007FFDFAF56740
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFAF42758	1_2_00007FFDFAF42758
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFAFF05A0	1_2_00007FFDFAFF05A0
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFAFB25D0	1_2_00007FFDFAFB25D0
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFAF465DB	1_2_00007FFDFAF465DB
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFAFC25E0	1_2_00007FFDFAFC25E0
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFAFD1460	1_2_00007FFDFAFD1460
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFAFA24F0	1_2_00007FFDFAFA24F0
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFAFF2500	1_2_00007FFDFAFF2500
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFAF73510	1_2_00007FFDFAF73510
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFB413230	1_2_00007FFDFB413230
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFB0C30C1	1_2_00007FFDFB0C30C1
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFB1F7AF0	1_2_00007FFDFB1F7AF0
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFB2639D0	1_2_00007FFDFB2639D0
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFB277A10	1_2_00007FFDFB277A10
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFB0C4165	1_2_00007FFDFB0C4165
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFB0C3FDA	1_2_00007FFDFB0C3FDA
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFB0C6A82	1_2_00007FFDFB0C6A82
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFB0C655A	1_2_00007FFDFB0C655A
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFB0C4C37	1_2_00007FFDFB0C4C37
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFB0DBF20	1_2_00007FFDFB0DBF20
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFB0DBD60	1_2_00007FFDFB0DBD60
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFB0C2289	1_2_00007FFDFB0C2289
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFB0C2766	1_2_00007FFDFB0C2766
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFB1EFE30	1_2_00007FFDFB1EFE30
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFB0C32E7	1_2_00007FFDFB0C32E7
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFB0C3B93	1_2_00007FFDFB0C3B93
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFB1F7310	1_2_00007FFDFB1F7310
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFB0C5169	1_2_00007FFDFB0C5169
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFB0C5D85	1_2_00007FFDFB0C5D85
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFB0C114F	1_2_00007FFDFB0C114F
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFB0EB1C0	1_2_00007FFDFB0EB1C0
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFB0DF200	1_2_00007FFDFB0DF200
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFB0DF060	1_2_00007FFDFB0DF060
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFB0C29CD	1_2_00007FFDFB0C29CD
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFB0C6CB7	1_2_00007FFDFB0C6CB7
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFB0C21B7	1_2_00007FFDFB0C21B7
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFB0C609B	1_2_00007FFDFB0C609B
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFB0C6F23	1_2_00007FFDFB0C6F23
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFB12F700	1_2_00007FFDFB12F700
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFB0C22E8	1_2_00007FFDFB0C22E8
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFB0C7045	1_2_00007FFDFB0C7045
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFB0C1EA1	1_2_00007FFDFB0C1EA1
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFB2FF460	1_2_00007FFDFB2FF460
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFB0EB550	1_2_00007FFDFB0EB550
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFB0C5B0F	1_2_00007FFDFB0C5B0F
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFB0C1B22	1_2_00007FFDFB0C1B22
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFB262A90	1_2_00007FFDFB262A90
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFB0C4D04	1_2_00007FFDFB0C4D04
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFB1A2B40	1_2_00007FFDFB1A2B40
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFB0C5D9E	1_2_00007FFDFB0C5D9E
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFB0C23F1	1_2_00007FFDFB0C23F1
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFB1FB020	1_2_00007FFDFB1FB020
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFB0C6EEC	1_2_00007FFDFB0C6EEC
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFB0C213F	1_2_00007FFDFB0C213F
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFB0DEF00	1_2_00007FFDFB0DEF00
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFB0C72C0	1_2_00007FFDFB0C72C0
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFB0C4633	1_2_00007FFDFB0C4633
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFB0C1A4B	1_2_00007FFDFB0C1A4B
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFB0C7077	1_2_00007FFDFB0C7077
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFB0C6FFA	1_2_00007FFDFB0C6FFA
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFB0C3693	1_2_00007FFDFB0C3693
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFB0C3486	1_2_00007FFDFB0C3486
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFB0C1B31	1_2_00007FFDFB0C1B31
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFB1F6130	1_2_00007FFDFB1F6130
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFB0C60D7	1_2_00007FFDFB0C60D7
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFB0C5E20	1_2_00007FFDFB0C5E20
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFB1F2670	1_2_00007FFDFB1F2670
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFB0C1CC1	1_2_00007FFDFB0C1CC1
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFB0C4E4E	1_2_00007FFDFB0C4E4E
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFB0C5A60	1_2_00007FFDFB0C5A60
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFB0C7252	1_2_00007FFDFB0C7252
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFB0C3832	1_2_00007FFDFB0C3832
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFB0C35FD	1_2_00007FFDFB0C35FD
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFB0C1CFD	1_2_00007FFDFB0C1CFD
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFB0C59F7	1_2_00007FFDFB0C59F7
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFB0C3A85	1_2_00007FFDFB0C3A85
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFB2799E0	1_2_00007FFDFB2799E0
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFB0C50AB	1_2_00007FFDFB0C50AB
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFB261920	1_2_00007FFDFB261920
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFB0C4746	1_2_00007FFDFB0C4746
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFB0C57D1	1_2_00007FFDFB0C57D1
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFB0C378D	1_2_00007FFDFB0C378D
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFB0C4359	1_2_00007FFDFB0C4359
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFB0C7365	1_2_00007FFDFB0C7365
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFB0C1D83	1_2_00007FFDFB0C1D83
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFB1F5E30	1_2_00007FFDFB1F5E30
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFB0C266C	1_2_00007FFDFB0C266C
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFB0C72A7	1_2_00007FFDFB0C72A7
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFB0C3BA2	1_2_00007FFDFB0C3BA2
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFB0C2982	1_2_00007FFDFB0C2982
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFB0C2D0B	1_2_00007FFDFB0C2D0B
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFB0C1622	1_2_00007FFDFB0C1622
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFB0C5F0B	1_2_00007FFDFB0C5F0B
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFB0C5510	1_2_00007FFDFB0C5510
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFB0C44C6	1_2_00007FFDFB0C44C6
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFB0DD260	1_2_00007FFDFB0DD260
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFB0C53A8	1_2_00007FFDFB0C53A8
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFB0C4287	1_2_00007FFDFB0C4287
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFB0C5BF0	1_2_00007FFDFB0C5BF0
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFB279210	1_2_00007FFDFB279210
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFB0E5200	1_2_00007FFDFB0E5200

Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: String function: 00007FFDFB0C24B9 appears 63 times
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: String function: 00007FFDFB0C483B appears 95 times
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: String function: 00007FFDFB0C1EF1 appears 947 times
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: String function: 00007FF698EE2B10 appears 47 times
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: String function: 00007FFDFB0C4057 appears 543 times
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: String function: 00007FFDFAF49310 appears 174 times
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: String function: 00007FFDFB0C2A04 appears 87 times
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: String function: 00007FFDFB0C6988 appears 33 times
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: String function: 00007FFDFB0C300D appears 50 times
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: String function: 00007FFDFB0C2734 appears 368 times
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: String function: 00007FFDFAF486B0 appears 120 times

Source: unicodedata.pyd.0.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: win32ui.pyd.0.dr	Static PE information: Resource name: RT_MENU type: COM executable for DOS
Source: win32ui.pyd.0.dr	Static PE information: Resource name: RT_GROUP_CURSOR type: DOS executable (COM, 0x8C-variant)
Source: _overlapped.pyd.0.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: python3.dll.0.dr

Static PE information: No import functions for PE file found

Source: Colby Dupe Script.exe, 00000000.00000003.1618216684.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_bz2.pyd. vs Colby Dupe Script.exe
Source: Colby Dupe Script.exe, 00000000.00000003.1617846084.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewin32ui.pyd0 vs Colby Dupe Script.exe
Source: Colby Dupe Script.exe, 00000000.00000003.1618083988.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevcruntime140_1.dllT vs Colby Dupe Script.exe
Source: Colby Dupe Script.exe, 00000000.00000003.1618701164.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_multiprocessing.pyd. vs Colby Dupe Script.exe
Source: Colby Dupe Script.exe, 00000000.00000003.1623719184.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamepywintypes310.dll0 vs Colby Dupe Script.exe
Source: Colby Dupe Script.exe, 00000000.00000003.1627509103.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewin32crypt.pyd0 vs Colby Dupe Script.exe
Source: Colby Dupe Script.exe, 00000000.00000003.1623549039.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamepythoncom310.dll0 vs Colby Dupe Script.exe
Source: Colby Dupe Script.exe, 00000000.00000003.1618773341.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_overlapped.pyd. vs Colby Dupe Script.exe
Source: Colby Dupe Script.exe, 00000000.00000003.1627641693.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewin32trace.pyd0 vs Colby Dupe Script.exe
Source: Colby Dupe Script.exe, 00000000.00000003.1627000502.000001CB67E96000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_win32sysloader.pyd0 vs Colby Dupe Script.exe
Source: Colby Dupe Script.exe, 00000000.00000003.1625206313.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameunicodedata.pyd. vs Colby Dupe Script.exe
Source: Colby Dupe Script.exe, 00000000.00000003.1618375247.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_ctypes.pyd. vs Colby Dupe Script.exe
Source: Colby Dupe Script.exe, 00000000.00000003.1622186763.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamepython3.dll. vs Colby Dupe Script.exe
Source: Colby Dupe Script.exe, 00000000.00000003.1621851828.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelibsslH vs Colby Dupe Script.exe
Source: Colby Dupe Script.exe, 00000000.00000003.1619038795.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_ssl.pyd. vs Colby Dupe Script.exe
Source: Colby Dupe Script.exe, 00000000.00000003.1622055958.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamepyexpat.pyd. vs Colby Dupe Script.exe
Source: Colby Dupe Script.exe, 00000000.00000003.1625001192.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesqlite3.dll0 vs Colby Dupe Script.exe
Source: Colby Dupe Script.exe, 00000000.00000003.1618452370.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_decimal.pyd. vs Colby Dupe Script.exe
Source: Colby Dupe Script.exe, 00000000.00000003.1618551428.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_hashlib.pyd. vs Colby Dupe Script.exe
Source: Colby Dupe Script.exe, 00000000.00000003.1627392909.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewin32api.pyd0 vs Colby Dupe Script.exe
Source: Colby Dupe Script.exe, 00000000.00000003.1627751375.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameshell.pyd0 vs Colby Dupe Script.exe
Source: Colby Dupe Script.exe, 00000000.00000003.1618965478.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_sqlite3.pyd. vs Colby Dupe Script.exe
Source: Colby Dupe Script.exe, 00000000.00000003.1618610966.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_lzma.pyd. vs Colby Dupe Script.exe
Source: Colby Dupe Script.exe, 00000000.00000003.1623846898.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameselect.pyd. vs Colby Dupe Script.exe
Source: Colby Dupe Script.exe, 00000000.00000003.1618153602.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_asyncio.pyd. vs Colby Dupe Script.exe
Source: Colby Dupe Script.exe, 00000000.00000003.1618899172.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_socket.pyd. vs Colby Dupe Script.exe
Source: Colby Dupe Script.exe, 00000000.00000003.1627641693.000001CB67E96000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewin32trace.pyd0 vs Colby Dupe Script.exe
Source: Colby Dupe Script.exe, 00000000.00000003.1617973037.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dllT vs Colby Dupe Script.exe
Source: Colby Dupe Script.exe, 00000000.00000003.1619109877.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_uuid.pyd. vs Colby Dupe Script.exe
Source: Colby Dupe Script.exe, 00000000.00000003.1618831863.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_queue.pyd. vs Colby Dupe Script.exe
Source: Colby Dupe Script.exe, 00000000.00000003.1627000502.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_win32sysloader.pyd0 vs Colby Dupe Script.exe
Source: Colby Dupe Script.exe, 00000001.00000002.1728579219.00007FFDFF303000.00000004.00000001.01000000.00000015.sdmp	Binary or memory string: OriginalFilenamelibsslH vs Colby Dupe Script.exe
Source: Colby Dupe Script.exe, 00000001.00000002.1730730722.00007FFE0EB69000.00000004.00000001.01000000.0000000F.sdmp	Binary or memory string: OriginalFilenamepywintypes310.dll0 vs Colby Dupe Script.exe
Source: Colby Dupe Script.exe, 00000001.00000002.1732588073.00007FFE1338C000.00000004.00000001.01000000.0000000D.sdmp	Binary or memory string: OriginalFilenameselect.pyd. vs Colby Dupe Script.exe
Source: Colby Dupe Script.exe, 00000001.00000002.1718569021.0000012E32130000.00000002.00000001.01000000.00000006.sdmp	Binary or memory string: OriginalFilenamepython3.dll. vs Colby Dupe Script.exe
Source: Colby Dupe Script.exe, 00000001.00000002.1733023111.00007FFE14647000.00000002.00000001.01000000.00000005.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dllT vs Colby Dupe Script.exe
Source: Colby Dupe Script.exe, 00000001.00000002.1728168378.00007FFDFB8A0000.00000004.00000001.01000000.00000004.sdmp	Binary or memory string: OriginalFilenamepython310.dll. vs Colby Dupe Script.exe
Source: Colby Dupe Script.exe, 00000001.00000002.1726888688.00007FFDFB0AE000.00000004.00000001.01000000.00000019.sdmp	Binary or memory string: OriginalFilenamesqlite3.dll0 vs Colby Dupe Script.exe
Source: Colby Dupe Script.exe, 00000001.00000002.1731037336.00007FFE10263000.00000004.00000001.01000000.0000000B.sdmp	Binary or memory string: OriginalFilenamepyexpat.pyd. vs Colby Dupe Script.exe
Source: Colby Dupe Script.exe, 00000001.00000002.1727429814.00007FFDFB414000.00000004.00000001.01000000.00000014.sdmp	Binary or memory string: OriginalFilenamelibcryptoH vs Colby Dupe Script.exe
Source: Colby Dupe Script.exe, 00000001.00000002.1731947201.00007FFE126F3000.00000004.00000001.01000000.00000007.sdmp	Binary or memory string: OriginalFilename_ctypes.pyd. vs Colby Dupe Script.exe
Source: Colby Dupe Script.exe, 00000001.00000002.1729147678.00007FFE004A9000.00000004.00000001.01000000.00000032.sdmp	Binary or memory string: OriginalFilename_uuid.pyd. vs Colby Dupe Script.exe
Source: Colby Dupe Script.exe, 00000001.00000002.1729926788.00007FFE0CFC3000.00000004.00000001.01000000.0000001B.sdmp	Binary or memory string: OriginalFilename_hashlib.pyd. vs Colby Dupe Script.exe
Source: Colby Dupe Script.exe, 00000001.00000002.1732097360.00007FFE12E1F000.00000004.00000001.01000000.00000017.sdmp	Binary or memory string: OriginalFilename_overlapped.pyd. vs Colby Dupe Script.exe
Source: Colby Dupe Script.exe, 00000001.00000002.1730549840.00007FFE0EB3E000.00000004.00000001.01000000.00000018.sdmp	Binary or memory string: OriginalFilename_sqlite3.pyd. vs Colby Dupe Script.exe
Source: Colby Dupe Script.exe, 00000001.00000002.1731446716.00007FFE11ECC000.00000004.00000001.01000000.0000000A.sdmp	Binary or memory string: OriginalFilename_lzma.pyd. vs Colby Dupe Script.exe
Source: Colby Dupe Script.exe, 00000001.00000002.1731610294.00007FFE11EE8000.00000004.00000001.01000000.00000009.sdmp	Binary or memory string: OriginalFilename_bz2.pyd. vs Colby Dupe Script.exe
Source: Colby Dupe Script.exe, 00000001.00000002.1726679942.00007FFDFAF37000.00000004.00000001.01000000.0000001E.sdmp	Binary or memory string: OriginalFilenameunicodedata.pyd. vs Colby Dupe Script.exe
Source: Colby Dupe Script.exe, 00000001.00000002.1729584611.00007FFE00565000.00000004.00000001.01000000.00000011.sdmp	Binary or memory string: OriginalFilenamepythoncom310.dll0 vs Colby Dupe Script.exe
Source: Colby Dupe Script.exe, 00000001.00000002.1728794504.00007FFDFFB16000.00000004.00000001.01000000.00000033.sdmp	Binary or memory string: OriginalFilenamewin32crypt.pyd0 vs Colby Dupe Script.exe
Source: Colby Dupe Script.exe, 00000001.00000002.1732383156.00007FFE1320C000.00000004.00000001.01000000.0000000E.sdmp	Binary or memory string: OriginalFilename_queue.pyd. vs Colby Dupe Script.exe
Source: Colby Dupe Script.exe, 00000001.00000002.1731194432.00007FFE10318000.00000004.00000001.01000000.0000000C.sdmp	Binary or memory string: OriginalFilename_socket.pyd. vs Colby Dupe Script.exe
Source: Colby Dupe Script.exe, 00000001.00000002.1732227786.00007FFE130C9000.00000002.00000001.01000000.00000010.sdmp	Binary or memory string: OriginalFilenamevcruntime140_1.dllT vs Colby Dupe Script.exe
Source: Colby Dupe Script.exe, 00000001.00000002.1730367196.00007FFE0E18A000.00000004.00000001.01000000.00000012.sdmp	Binary or memory string: OriginalFilenamewin32api.pyd0 vs Colby Dupe Script.exe
Source: Colby Dupe Script.exe, 00000001.00000002.1730202195.00007FFE0E15D000.00000004.00000001.01000000.00000013.sdmp	Binary or memory string: OriginalFilename_ssl.pyd. vs Colby Dupe Script.exe
Source: Colby Dupe Script.exe, 00000001.00000002.1730885725.00007FFE101E4000.00000004.00000001.01000000.00000016.sdmp	Binary or memory string: OriginalFilename_asyncio.pyd. vs Colby Dupe Script.exe

Source: sqlite3.dll.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9974986001493175
Source: libcrypto-1_1.dll.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9987754672181373
Source: libssl-1_1.dll.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9903915229885057
Source: python310.dll.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9989695677157001
Source: pythoncom310.dll.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9899216389728097
Source: unicodedata.pyd.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9949597928113553
Source: _ec_ws.pyd.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9973796096262058
Source: _imaging.cp310-win_amd64.pyd.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9980095456484641
Source: _webp.cp310-win_amd64.pyd.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9901831268221575
Source: win32ui.pyd.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9930269281914894
Source: shell.pyd.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9900537778253424

Source: classification engine

Classification label: mal68.troj.evad.winEXE@6/108@1/1

Source: C:\Users\user\Desktop\Colby Dupe Script.exe

Code function: 0_2_00007FF698EE8770 GetLastError,FormatMessageW,WideCharToMultiByte,

0_2_00007FF698EE8770

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:908:120:WilError_03

Source: C:\Users\user\Desktop\Colby Dupe Script.exe

File created: C:\Users\user\AppData\Local\Temp\_MEI59122

Jump to behavior

Source: Colby Dupe Script.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Colby Dupe Script.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Colby Dupe Script.exe, 00000001.00000002.1726716991.00007FFDFAF41000.00000040.00000001.01000000.00000019.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: Colby Dupe Script.exe, Colby Dupe Script.exe, 00000001.00000002.1726716991.00007FFDFAF41000.00000040.00000001.01000000.00000019.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: Colby Dupe Script.exe, Colby Dupe Script.exe, 00000001.00000002.1726716991.00007FFDFAF41000.00000040.00000001.01000000.00000019.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: Colby Dupe Script.exe, Colby Dupe Script.exe, 00000001.00000002.1726716991.00007FFDFAF41000.00000040.00000001.01000000.00000019.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: Colby Dupe Script.exe, Colby Dupe Script.exe, 00000001.00000002.1726716991.00007FFDFAF41000.00000040.00000001.01000000.00000019.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: Colby Dupe Script.exe, Colby Dupe Script.exe, 00000001.00000002.1726716991.00007FFDFAF41000.00000040.00000001.01000000.00000019.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: Colby Dupe Script.exe, Colby Dupe Script.exe, 00000001.00000002.1726716991.00007FFDFAF41000.00000040.00000001.01000000.00000019.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);

Source: Colby Dupe Script.exe	ReversingLabs: Detection: 50%
Source: Colby Dupe Script.exe	Virustotal: Detection: 35%

Source: Colby Dupe Script.exe	String found in binary or memory: set-addPolicy
Source: Colby Dupe Script.exe	String found in binary or memory: id-cmc-addExtensions
Source: Colby Dupe Script.exe	String found in binary or memory: can't send non-None value to a just-started generator
Source: Colby Dupe Script.exe	String found in binary or memory: --help
Source: Colby Dupe Script.exe	String found in binary or memory: --help

Source: C:\Users\user\Desktop\Colby Dupe Script.exe

File read: C:\Users\user\Desktop\Colby Dupe Script.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Colby Dupe Script.exe "C:\Users\user\Desktop\Colby Dupe Script.exe"
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Process created: C:\Users\user\Desktop\Colby Dupe Script.exe "C:\Users\user\Desktop\Colby Dupe Script.exe"
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Process created: C:\Users\user\Desktop\Colby Dupe Script.exe "C:\Users\user\Desktop\Colby Dupe Script.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"	Jump to behavior

Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Section loaded: libffi-7.dll	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Section loaded: libcrypto-1_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Section loaded: libssl-1_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Section loaded: sqlite3.dll	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Users\user\Desktop\Colby Dupe Script.exe

File opened: C:\Users\user\Desktop\pyvenv.cfg

Jump to behavior

Source: Colby Dupe Script.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: Colby Dupe Script.exe

Static file information: File size 27886092 > 1048576

Source: Colby Dupe Script.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Colby Dupe Script.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Colby Dupe Script.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Colby Dupe Script.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Colby Dupe Script.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Colby Dupe Script.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: Colby Dupe Script.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: Colby Dupe Script.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\pythoncom.pdb source: Colby Dupe Script.exe, 00000001.00000002.1729225966.00007FFE004B1000.00000040.00000001.01000000.00000011.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\sqlite3.pdb source: Colby Dupe Script.exe, Colby Dupe Script.exe, 00000001.00000002.1726716991.00007FFDFAF41000.00000040.00000001.01000000.00000019.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_A source: Colby Dupe Script.exe
Source:	Binary string: D:\_w\1\b\libssl-1_1.pdb source: Colby Dupe Script.exe, Colby Dupe Script.exe, 00000001.00000002.1728246199.00007FFDFF2C6000.00000040.00000001.01000000.00000015.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\_uuid.pdb source: Colby Dupe Script.exe, 00000001.00000002.1729061849.00007FFE004A1000.00000040.00000001.01000000.00000032.sdmp
Source:	Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\pythoncom.pdb}},GCTL source: Colby Dupe Script.exe, 00000001.00000002.1729225966.00007FFE004B1000.00000040.00000001.01000000.00000011.sdmp
Source:	Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\win32crypt.pdb source: Colby Dupe Script.exe, Colby Dupe Script.exe, 00000001.00000002.1728657653.00007FFDFFAF1000.00000040.00000001.01000000.00000033.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: Colby Dupe Script.exe, 00000001.00000002.1726926360.00007FFDFB30E000.00000040.00000001.01000000.00000014.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\python3.pdb source: Colby Dupe Script.exe, 00000000.00000003.1622186763.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1718569021.0000012E32130000.00000002.00000001.01000000.00000006.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: Colby Dupe Script.exe, 00000000.00000003.1617973037.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1732985131.00007FFE14641000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\_ctypes.pdb source: Colby Dupe Script.exe, 00000001.00000002.1731795476.00007FFE126D1000.00000040.00000001.01000000.00000007.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: Colby Dupe Script.exe, 00000000.00000003.1617973037.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1732985131.00007FFE14641000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\_sqlite3.pdb source: Colby Dupe Script.exe, 00000001.00000002.1730410375.00007FFE0EB21000.00000040.00000001.01000000.00000018.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\_queue.pdb source: Colby Dupe Script.exe, 00000001.00000002.1732322580.00007FFE13201000.00000040.00000001.01000000.0000000E.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\python310.pdb source: Colby Dupe Script.exe, 00000001.00000002.1727473962.00007FFDFB784000.00000040.00000001.01000000.00000004.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\_overlapped.pdb source: Colby Dupe Script.exe, 00000001.00000002.1731982148.00007FFE12E11000.00000040.00000001.01000000.00000017.sdmp
Source:	Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\pywintypes.pdb source: Colby Dupe Script.exe, 00000001.00000002.1730594110.00007FFE0EB41000.00000040.00000001.01000000.0000000F.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: Colby Dupe Script.exe, 00000000.00000003.1618083988.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1732185301.00007FFE130C5000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\_lzma.pdbNN source: Colby Dupe Script.exe, 00000001.00000002.1731264639.00007FFE11EBC000.00000040.00000001.01000000.0000000A.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\_lzma.pdb source: Colby Dupe Script.exe, 00000001.00000002.1731264639.00007FFE11EBC000.00000040.00000001.01000000.0000000A.sdmp
Source:	Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\win32api.pdb!! source: Colby Dupe Script.exe, 00000001.00000002.1730245094.00007FFE0E161000.00000040.00000001.01000000.00000012.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\select.pdb source: Colby Dupe Script.exe, 00000001.00000002.1732500989.00007FFE13381000.00000040.00000001.01000000.0000000D.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\unicodedata.pdb source: Colby Dupe Script.exe, 00000001.00000002.1726484532.00007FFDFAF2C000.00000040.00000001.01000000.0000001E.sdmp
Source:	Binary string: D:\_w\1\b\libssl-1_1.pdb@@ source: Colby Dupe Script.exe, 00000001.00000002.1728246199.00007FFDFF2C6000.00000040.00000001.01000000.00000015.sdmp
Source:	Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\win32api.pdb source: Colby Dupe Script.exe, 00000001.00000002.1730245094.00007FFE0E161000.00000040.00000001.01000000.00000012.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\_socket.pdb source: Colby Dupe Script.exe, 00000001.00000002.1731103648.00007FFE10301000.00000040.00000001.01000000.0000000C.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\_ssl.pdb source: Colby Dupe Script.exe, 00000001.00000002.1730106014.00007FFE0E131000.00000040.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\pywintypes.pdb** source: Colby Dupe Script.exe, 00000001.00000002.1730594110.00007FFE0EB41000.00000040.00000001.01000000.0000000F.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\_bz2.pdb source: Colby Dupe Script.exe, 00000001.00000002.1731542743.00007FFE11ED1000.00000040.00000001.01000000.00000009.sdmp
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMOpenSSL 1.1.1q 5 Jul 2022built on: Thu Aug 18 20:15:42 2022 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-1_1"not available source: Colby Dupe Script.exe, 00000001.00000002.1726926360.00007FFDFB30E000.00000040.00000001.01000000.00000014.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdbGCTL source: Colby Dupe Script.exe, 00000000.00000003.1618083988.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1732185301.00007FFE130C5000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\_hashlib.pdb source: Colby Dupe Script.exe, 00000001.00000002.1729845180.00007FFE0CFB1000.00000040.00000001.01000000.0000001B.sdmp
Source:	Binary string: D:\_w\1\b\libcrypto-1_1.pdb source: Colby Dupe Script.exe
Source:	Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\win32crypt.pdb!! source: Colby Dupe Script.exe, 00000001.00000002.1728657653.00007FFDFFAF1000.00000040.00000001.01000000.00000033.sdmp

Source: Colby Dupe Script.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Colby Dupe Script.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Colby Dupe Script.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Colby Dupe Script.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Colby Dupe Script.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: VCRUNTIME140.dll.0.dr

Static PE information: 0x8E79CD85 [Sat Sep 30 01:19:01 2045 UTC]

Source: C:\Users\user\Desktop\Colby Dupe Script.exe

Code function: 1_2_00007FFDFAE12340 EntryPoint,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,VirtualProtect,

1_2_00007FFDFAE12340

Source: Colby Dupe Script.exe	Static PE information: section name: _RDATA
Source: mfc140u.dll.0.dr	Static PE information: section name: .didat
Source: VCRUNTIME140.dll.0.dr	Static PE information: section name: _RDATA
Source: libffi-7.dll.0.dr	Static PE information: section name: UPX2
Source: _rust.pyd.0.dr	Static PE information: section name: UPX2

Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFABD4AEE push 6FFDC5D5h; iretd	1_2_00007FFDFABD4AF4
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFABD76D3 push 6FFDC5D5h; iretd	1_2_00007FFDFABD76D9
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFABD7425 push 60F5C5F1h; iretd	1_2_00007FFDFABD742D
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFABD4640 push 60F5C5F1h; iretd	1_2_00007FFDFABD4648
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFABD4FEA push 6FFDC5C3h; iretd	1_2_00007FFDFABD4FF0
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFABD4F9E push 6FFDC5CAh; ret	1_2_00007FFDFABD4FA4
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFABD79CF push 6FFDC5C3h; iretd	1_2_00007FFDFABD79D5
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFABD7983 push 6FFDC5CAh; ret	1_2_00007FFDFABD7989
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFAE28F53 push r12; iretd	1_2_00007FFDFAE28F6A
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFAE26F54 push r8; ret	1_2_00007FFDFAE26F5C
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFAE2855C push rbp; retf	1_2_00007FFDFAE28575
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFAE26E44 push rdi; iretd	1_2_00007FFDFAE26E46
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFAE26F32 push r12; ret	1_2_00007FFDFAE26F4A
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFAE26C21 push r10; ret	1_2_00007FFDFAE26C23
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFAE28EFE push r12; ret	1_2_00007FFDFAE28F25
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFAE29C02 push rsp; retf	1_2_00007FFDFAE29C03
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFAE26CF6 push r12; ret	1_2_00007FFDFAE26CF8
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFAE26DFB push rsp; ret	1_2_00007FFDFAE26E03
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFAE292E4 push r10; retf	1_2_00007FFDFAE29350
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFAE2A2E5 push rsp; retf	1_2_00007FFDFAE2A2E6
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFAE26CEA push rdx; ret	1_2_00007FFDFAE26CF1
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFAE277EA push rsi; ret	1_2_00007FFDFAE27821
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFAE26ED0 push r12; ret	1_2_00007FFDFAE26EEE
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFAE26CCC push r8; ret	1_2_00007FFDFAE26CD9
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFAE26EB6 push r10; retf	1_2_00007FFDFAE26EB9
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFAE291A3 push rdi; iretd	1_2_00007FFDFAE291A5
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFAE285A7 push r12; ret	1_2_00007FFDFAE285E3
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFAE2A4A9 push rdx; ret	1_2_00007FFDFAE2A500
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFAE26F8D push r10; ret	1_2_00007FFDFAE26FA0
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFAE26E9B push rsi; ret	1_2_00007FFDFAE26E9C
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFAE29D85 push rsp; iretq	1_2_00007FFDFAE29D86

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Source: C:\Users\user\Desktop\Colby Dupe Script.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Hash\_MD2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\PublicKey\_ed25519.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\psutil\_psutil_windows.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\win32\_win32sysloader.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\python310.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Hash\_SHA384.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Cipher\_chacha20.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\PIL\_imagingtk.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Cipher\_raw_aesni.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Protocol\_scrypt.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\libffi-7.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\_cffi_backend.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\pyexpat.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\PIL\_imagingcms.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\PublicKey\_ed448.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Hash\_BLAKE2s.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\pywin32_system32\pywintypes310.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Hash\_BLAKE2b.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\Pythonwin\mfc140u.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\cryptography\hazmat\bindings\_rust.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\python3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Cipher\_raw_des.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Cipher\_raw_arc2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Cipher\_raw_ctr.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Util\_strxor.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\PublicKey\_ec_ws.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\_overlapped.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Cipher\_raw_ocb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Cipher\_raw_cast.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Cipher\_raw_aes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Cipher\_raw_cfb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\win32\win32api.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\pywin32_system32\pythoncom310.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\_sqlite3.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Cipher\_raw_des3.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\PublicKey\_x25519.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\_queue.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\Pythonwin\win32ui.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\VCRUNTIME140_1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\libcrypto-1_1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Util\_cpuid_c.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Cipher\_Salsa20.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\libssl-1_1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\_multiprocessing.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Cipher\_pkcs1_decode.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Cipher\_raw_eksblowfish.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Hash\_RIPEMD160.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\PIL\_imagingmath.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\charset_normalizer\md.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\win32\win32crypt.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Cipher\_raw_ofb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Hash\_keccak.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Hash\_SHA256.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Cipher\_raw_ecb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Hash\_SHA224.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Hash\_SHA512.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Hash\_ghash_portable.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\PIL\_webp.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Hash\_ghash_clmul.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\PIL\_imaging.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Hash\_SHA1.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\charset_normalizer\md__mypyc.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Hash\_MD4.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\win32\win32trace.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Hash\_poly1305.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Cipher\_raw_cbc.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Cipher\_ARC4.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\sqlite3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Cipher\_raw_blowfish.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Math\_modexp.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Hash\_MD5.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\_uuid.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\_asyncio.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59122\win32com\shell\shell.pyd	Jump to dropped file

Source: C:\Users\user\Desktop\Colby Dupe Script.exe

File created: C:\Users\user\AppData\Local\Temp\dd_setup.txt

Jump to behavior

Source: C:\Users\user\Desktop\Colby Dupe Script.exe

File created: C:\Users\user\AppData\Local\Temp\_MEI59122\wheel-0.43.0.dist-info\LICENSE.txt

Jump to behavior

Source: C:\Users\user\Desktop\Colby Dupe Script.exe

Code function: 0_2_00007FF698EE53F0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00007FF698EE53F0

Source: C:\Users\user\Desktop\Colby Dupe Script.exe

Code function: 1_2_00007FFDFB0C572C rdtsc

1_2_00007FFDFB0C572C

Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Hash\_MD2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\psutil\_psutil_windows.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\PublicKey\_ed25519.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\python310.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\win32\_win32sysloader.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Hash\_SHA384.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Cipher\_chacha20.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\PIL\_imagingtk.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Cipher\_raw_aesni.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Protocol\_scrypt.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\_cffi_backend.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\pyexpat.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\PIL\_imagingcms.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\PublicKey\_ed448.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\pywin32_system32\pywintypes310.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Hash\_BLAKE2s.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\Pythonwin\mfc140u.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Hash\_BLAKE2b.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\cryptography\hazmat\bindings\_rust.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\python3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Cipher\_raw_des.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Cipher\_raw_arc2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Util\_strxor.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Cipher\_raw_ctr.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\_overlapped.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\PublicKey\_ec_ws.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Cipher\_raw_ocb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Cipher\_raw_cast.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Cipher\_raw_aes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Cipher\_raw_cfb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\pywin32_system32\pythoncom310.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\win32\win32api.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\_sqlite3.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Cipher\_raw_des3.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\PublicKey\_x25519.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\_queue.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\Pythonwin\win32ui.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Util\_cpuid_c.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Cipher\_Salsa20.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\_multiprocessing.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Cipher\_pkcs1_decode.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Cipher\_raw_eksblowfish.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Hash\_RIPEMD160.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\PIL\_imagingmath.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\charset_normalizer\md.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\win32\win32crypt.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Hash\_keccak.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Cipher\_raw_ofb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Hash\_SHA256.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Cipher\_raw_ecb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Hash\_SHA224.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Hash\_SHA512.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Hash\_ghash_portable.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\PIL\_webp.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Hash\_ghash_clmul.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\PIL\_imaging.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Hash\_SHA1.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\charset_normalizer\md__mypyc.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Hash\_MD4.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\win32\win32trace.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Hash\_poly1305.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Cipher\_raw_cbc.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Cipher\_ARC4.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Cipher\_raw_blowfish.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Math\_modexp.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Hash\_MD5.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\_uuid.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\win32com\shell\shell.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59122\_asyncio.pyd	Jump to dropped file

Source: C:\Users\user\Desktop\Colby Dupe Script.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_0-18183

Source: C:\Users\user\Desktop\Colby Dupe Script.exe

API coverage: 2.3 %

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 0_2_00007FF698EE8D00 FindFirstFileExW,FindClose,	0_2_00007FF698EE8D00
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 0_2_00007FF698EF8670 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	0_2_00007FF698EF8670
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 0_2_00007FF698F026C4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00007FF698F026C4
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 0_2_00007FF698EF8670 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	0_2_00007FF698EF8670
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFB0C3229 MultiByteToWideChar,GetLastError,MultiByteToWideChar,MultiByteToWideChar,00007FFE1FF9F020,FindFirstFileW,FindNextFileW,WideCharToMultiByte,	1_2_00007FFDFB0C3229

Source: C:\Users\user\Desktop\Colby Dupe Script.exe

Code function: 1_2_00007FFDFAF4F820 GetSystemInfo,

1_2_00007FFDFAF4F820

Source: Colby Dupe Script.exe, 00000000.00000003.1619718814.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: j2aTPs+9xYa9+bG3tD60B8jzljHz7aRP+KNOjSkVWLjVb3/ubCK1sK9IRQq9qEmU
Source: Colby Dupe Script.exe, 00000001.00000003.1711175421.0000012E33430000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1706757137.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1715762119.0000012E33431000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1704964886.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1706447898.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1708877182.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1724839216.0000012E34540000.00000004.00001000.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1709585773.0000012E3341D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vboxtray
Source: Colby Dupe Script.exe, 00000001.00000003.1709585773.0000012E3341D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vboxservice
Source: Colby Dupe Script.exe, 00000001.00000003.1711175421.0000012E33430000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1706757137.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1715762119.0000012E33431000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1704964886.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1706447898.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1708877182.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1724839216.0000012E34540000.00000004.00001000.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1709585773.0000012E3341D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: qemu-ga
Source: Colby Dupe Script.exe, 00000001.00000003.1709585773.0000012E3341D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmwareuser
Source: Colby Dupe Script.exe, 00000001.00000003.1711175421.0000012E33430000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1706757137.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1715762119.0000012E33431000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1704964886.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1706447898.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1708877182.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1724839216.0000012E34540000.00000004.00001000.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1709585773.0000012E3341D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmusrvc
Source: Colby Dupe Script.exe, 00000001.00000003.1709585773.0000012E3341D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmsrvc
Source: Colby Dupe Script.exe, 00000001.00000003.1709585773.0000012E3341D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmtoolsd
Source: Colby Dupe Script.exe, 00000001.00000003.1709585773.0000012E3341D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmwaretray
Source: Colby Dupe Script.exe, 00000001.00000003.1707187855.0000012E32BB8000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1719425544.0000012E32BC7000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1709445925.0000012E32BB9000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1710836555.0000012E32BC5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWd.

Source: C:\Users\user\Desktop\Colby Dupe Script.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Potentially malicious time measurement code found

Source: C:\Users\user\Desktop\Colby Dupe Script.exe

Code function: 1_2_00007FFDFB0C572C

1_2_00007FFDFB0C572C

Source: C:\Users\user\Desktop\Colby Dupe Script.exe

Code function: 1_2_00007FFDFB0C572C rdtsc

1_2_00007FFDFB0C572C

Source: C:\Users\user\Desktop\Colby Dupe Script.exe

Code function: 0_2_00007FF698EFB3CC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF698EFB3CC

Source: C:\Users\user\Desktop\Colby Dupe Script.exe

Code function: 1_2_00007FFDFAE12340 EntryPoint,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,VirtualProtect,

1_2_00007FFDFAE12340

Source: C:\Users\user\Desktop\Colby Dupe Script.exe

Code function: 0_2_00007FF698F042D0 GetProcessHeap,

0_2_00007FF698F042D0

Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 0_2_00007FF698EECA9C SetUnhandledExceptionFilter,	0_2_00007FF698EECA9C
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 0_2_00007FF698EFB3CC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF698EFB3CC
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 0_2_00007FF698EEC030 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF698EEC030
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 0_2_00007FF698EEC8BC IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF698EEC8BC
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFAE23048 IsProcessorFeaturePresent,00007FFE146319C0,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,00007FFE146319C0,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00007FFDFAE23048
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Code function: 1_2_00007FFDFB0C5A1F IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00007FFDFB0C5A1F

Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Process created: C:\Users\user\Desktop\Colby Dupe Script.exe "C:\Users\user\Desktop\Colby Dupe Script.exe"			Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"			Jump to behavior

Source: C:\Users\user\Desktop\Colby Dupe Script.exe

Code function: 0_2_00007FF698F0A620 cpuid

0_2_00007FF698F0A620

Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Hash VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Hash VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\PublicKey VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Util VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\PIL VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\PIL VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\PIL VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\certifi VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\cryptography-42.0.7.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\cryptography-42.0.7.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\cryptography-42.0.7.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\cryptography-42.0.7.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\cryptography-42.0.7.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\cryptography-42.0.7.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\cryptography-42.0.7.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\setuptools-65.5.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\setuptools-65.5.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\setuptools-65.5.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\setuptools-65.5.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\setuptools-65.5.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\setuptools-65.5.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\setuptools-65.5.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\wheel-0.43.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\wheel-0.43.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\wheel-0.43.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\wheel-0.43.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\wheel-0.43.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\_ctypes.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\_bz2.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\_lzma.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\Pythonwin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\python3.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\select.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\setuptools-65.5.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\_cffi_backend.cp310-win_amd64.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\_ctypes.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\_decimal.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\_hashlib.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\_multiprocessing.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\_overlapped.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\_queue.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\_socket.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\_sqlite3.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\_ssl.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\_uuid.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\pyexpat.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\_socket.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\select.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\_queue.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\pywin32_system32\pywintypes310.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\Pythonwin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\pywin32_system32\pythoncom310.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\win32\win32api.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\win32com VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\win32com VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\win32com VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\Pythonwin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\Pythonwin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\Pythonwin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\cryptography-42.0.7.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\setuptools-65.5.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\setuptools-65.5.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\cryptography-42.0.7.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\cryptography-42.0.7.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\cryptography-42.0.7.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\setuptools-65.5.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\setuptools-65.5.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\setuptools-65.5.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\cryptography-42.0.7.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\wheel-0.43.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\wheel-0.43.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\Pythonwin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\Pythonwin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59122 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Colby Dupe Script.exe	Queries volume information: C:\Users\user\Desktop\Colby Dupe Script.exe VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Colby Dupe Script.exe

Code function: 0_2_00007FF698EEC7A0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF698EEC7A0

Source: C:\Users\user\Desktop\Colby Dupe Script.exe

Code function: 0_2_00007FF698F06B50 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,

0_2_00007FF698F06B50

Source: C:\Users\user\Desktop\Colby Dupe Script.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Luna Logger

Source: Yara match	File source: 00000001.00000003.1711175421.0000012E33430000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1706757137.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1715762119.0000012E33431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1704964886.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1707046871.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1706862797.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1706447898.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1708877182.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1720480190.0000012E33431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1709214739.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1724839216.0000012E34540000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1709585773.0000012E3341D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Colby Dupe Script.exe PID: 7052, type: MEMORYSTR

Source: Yara match	File source: 00000001.00000003.1711175421.0000012E33430000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1706757137.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1715762119.0000012E33431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1704964886.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1707046871.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1706862797.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1706447898.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1708877182.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1720480190.0000012E33431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1709214739.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1724839216.0000012E34540000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1709585773.0000012E3341D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Colby Dupe Script.exe PID: 7052, type: MEMORYSTR

Remote Access Functionality

Yara detected Luna Logger

Source: Yara match	File source: 00000001.00000003.1711175421.0000012E33430000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1706757137.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1715762119.0000012E33431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1704964886.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1707046871.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1706862797.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1706447898.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1708877182.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1720480190.0000012E33431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1709214739.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1724839216.0000012E34540000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1709585773.0000012E3341D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Colby Dupe Script.exe PID: 7052, type: MEMORYSTR

Source: C:\Users\user\Desktop\Colby Dupe Script.exe

Code function: 1_2_00007FFDFB0C2B5D bind,WSAGetLastError,

1_2_00007FFDFB0C2B5D

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	11 Process Injection	11 Process Injection	OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	12 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	31 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	21 Obfuscated Files or Information	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Software Packing	NTDS	1 System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	24 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Colby Dupe Script.exe	50%	ReversingLabs	Win64.Trojan.Generic
Colby Dupe Script.exe	36%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Cipher\_ARC4.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Cipher\_Salsa20.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Cipher\_chacha20.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Cipher\_pkcs1_decode.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Cipher\_raw_aes.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Cipher\_raw_aesni.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Cipher\_raw_arc2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Cipher\_raw_blowfish.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Cipher\_raw_cast.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Cipher\_raw_cbc.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Cipher\_raw_cfb.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Cipher\_raw_ctr.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Cipher\_raw_des.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Cipher\_raw_des3.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Cipher\_raw_ecb.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Cipher\_raw_eksblowfish.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Cipher\_raw_ocb.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Cipher\_raw_ofb.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Hash\_BLAKE2b.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Hash\_BLAKE2s.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Hash\_MD2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Hash\_MD4.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Hash\_MD5.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Hash\_RIPEMD160.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Hash\_SHA1.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Hash\_SHA224.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Hash\_SHA256.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Hash\_SHA384.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Hash\_SHA512.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Hash\_ghash_clmul.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Hash\_ghash_portable.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Hash\_keccak.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Hash\_poly1305.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Math\_modexp.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Protocol\_scrypt.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\PublicKey\_ec_ws.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\PublicKey\_ed25519.pyd	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
api.ipify.org	1%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://crl.dhimyotis.com/certignarootca.crl0	0%	URL Reputation	safe
http://crl.dhimyotis.com/certignarootca.crl	0%	URL Reputation	safe
https://wwww.certigna.fr/autorites/0m	0%	URL Reputation	safe
https://www.apache.org/licenses/	0%	URL Reputation	safe
http://docs.python.org/library/unittest.html	0%	Avira URL Cloud	safe
http://www.cl.cam.ac.uk/~mgk25/iso-time.html	0%	URL Reputation	safe
https://github.com/giampaolo/psutil/issues/875.	0%	Avira URL Cloud	safe
https://img.shields.io/pypi/pyversions/setuptools.svg	0%	Avira URL Cloud	safe
https://raw.githubusercontent.com/Smug246/luna-injection/main/obfuscated-injection.jsr	100%	Avira URL Cloud	malware
https://img.shields.io/pypi/v/setuptools.svg	0%	Avira URL Cloud	safe
http://crl.securetrust.com/STCA.crl	0%	URL Reputation	safe
http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0	0%	URL Reputation	safe
http://www.accv.es00	0%	URL Reputation	safe
http://crl.securetrust.com/SGCA.crl0	0%	URL Reputation	safe
http://crl.thawte.com/ThawteTimestampingCA.crl0	0%	URL Reputation	safe
http://www.quovadisglobal.com/cps0	0%	URL Reputation	safe
https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#	0%	Avira URL Cloud	safe
https://python.org/dev/peps/pep-0263/	0%	Avira URL Cloud	safe
https://api.ipify.org/	0%	URL Reputation	safe
http://ocsp.accv.es0	0%	URL Reputation	safe
http://www.quovadisglobal.com/cps	0%	URL Reputation	safe
https://www.openssl.org/H	0%	URL Reputation	safe
https://wheel.readthedocs.io/en/stable/news.html	0%	Avira URL Cloud	safe
http://goo.gl/zeJZl.	0%	Avira URL Cloud	safe
https://wheel.readthedocs.io/en/stable/news.html	0%	Virustotal		Browse
https://img.shields.io/pypi/v/setuptools.svg	0%	Virustotal		Browse
https://www.apache.org/licenses/LICENSE-2.0	0%	Virustotal		Browse
https://www.apache.org/licenses/LICENSE-2.0	0%	Avira URL Cloud	safe
https://python.org/dev/peps/pep-0263/	0%	Virustotal		Browse
https://img.shields.io/codecov/c/github/pypa/setuptools/master.svg?logo=codecov&logoColor=white	0%	Avira URL Cloud	safe
https://github.com/pypa/packaging	0%	Avira URL Cloud	safe
https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#	0%	Virustotal		Browse
http://crl.dhimyotis.com/certignarootca.crlJ	0%	Avira URL Cloud	safe
http://goo.gl/zeJZl.	0%	Virustotal		Browse
https://raw.githubusercontent.com/Smug246/luna-injection/main/obfuscated-injection.jsr	4%	Virustotal		Browse
https://refspecs.linuxfoundation.org/elf/gabi4	0%	Avira URL Cloud	safe
https://github.com/giampaolo/psutil/issues/875.	0%	Virustotal		Browse
https://github.com/pypa/packaging	0%	Virustotal		Browse
https://pypi.org/project/setuptools	0%	Avira URL Cloud	safe
https://github.com/pypa/setuptools/workflows/tests/badge.svg	0%	Avira URL Cloud	safe
http://crl.dhimyotis.com/certignarootca.crlJ	0%	Virustotal		Browse
https://img.shields.io/pypi/pyversions/setuptools.svg	0%	Virustotal		Browse
https://refspecs.linuxfoundation.org/elf/gabi4	0%	Virustotal		Browse
https://discord.com/api/v9/users/	0%	Avira URL Cloud	safe
http://docs.python.org/library/unittest.html	0%	Virustotal		Browse
https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963	0%	Avira URL Cloud	safe
https://blog.jaraco.com/skeleton	0%	Avira URL Cloud	safe
https://tools.ietf.org/html/rfc3610	0%	Avira URL Cloud	safe
https://pypi.org/project/setuptools	0%	Virustotal		Browse
http://docs.python.org/3/library/subprocess#subprocess.Popen.returncode	0%	Avira URL Cloud	safe
https://github.com/pypa/.github/blob/main/CODE_OF_CONDUCT.md	0%	Avira URL Cloud	safe
https://github.com/pypa/setuptools/workflows/tests/badge.svg	0%	Virustotal		Browse
https://img.shields.io/codecov/c/github/pypa/setuptools/master.svg?logo=codecov&logoColor=white	0%	Virustotal		Browse
https://discord.com/api/v9/users/	0%	Virustotal		Browse
https://blog.jaraco.com/skeleton	0%	Virustotal		Browse
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy	0%	Avira URL Cloud	safe
https://tools.ietf.org/html/rfc3610	0%	Virustotal		Browse
https://github.com/pypa/wheel	0%	Avira URL Cloud	safe
https://www.python.org/dev/peps/pep-0427/	0%	Avira URL Cloud	safe
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader	0%	Avira URL Cloud	safe
http://docs.python.org/3/library/subprocess#subprocess.Popen.returncode	0%	Virustotal		Browse
http://mail.python.org/pipermail/python-dev/2012-June/120787.html.	0%	Avira URL Cloud	safe
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy	0%	Virustotal		Browse
https://httpbin.org/	0%	Avira URL Cloud	safe
https://github.com/pyca/cryptography/workflows/CI/badge.svg?branch=main	0%	Avira URL Cloud	safe
https://www.python.org/dev/peps/pep-0427/	0%	Virustotal		Browse
https://github.com/pypa/wheel	0%	Virustotal		Browse
http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535	0%	Avira URL Cloud	safe
https://cryptography.io/en/latest/installation/	0%	Avira URL Cloud	safe
http://mail.python.org/pipermail/python-dev/2012-June/120787.html.	0%	Virustotal		Browse
https://httpbin.org/	1%	Virustotal		Browse
https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963	0%	Virustotal		Browse
https://httpbin.org/image/png	0%	Avira URL Cloud	safe
https://github.com/pypa/.github/blob/main/CODE_OF_CONDUCT.md	0%	Virustotal		Browse
https://github.com/pypa/setuptools/issues/417#issuecomment-392298401	0%	Avira URL Cloud	safe
https://github.com/pyca/cryptography/workflows/CI/badge.svg?branch=main	0%	Virustotal		Browse
https://wiki.debian.org/XDGBaseDirectorySpecification#state	0%	Avira URL Cloud	safe
http://tools.ietf.org/html/rfc6125#section-6.4.3	0%	Avira URL Cloud	safe
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader	0%	Virustotal		Browse
https://cryptography.io/en/latest/installation/	0%	Virustotal		Browse
http://www.cert.fnmt.es/dpcs/	0%	Avira URL Cloud	safe
https://google.com/mail	0%	Avira URL Cloud	safe
http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535	0%	Virustotal		Browse
https://github.com/jaraco/jaraco.functools/issues/5	0%	Avira URL Cloud	safe
http://www.phys.uu.nl/~vgent/calendar/isocalendar.htm	0%	Avira URL Cloud	safe
https://httpbin.org/image/png	0%	Virustotal		Browse
https://wiki.debian.org/XDGBaseDirectorySpecification#state	0%	Virustotal		Browse
http://www.rfc-editor.org/info/rfc7253	0%	Avira URL Cloud	safe
https://github.com/pyca/cryptography/issues	0%	Avira URL Cloud	safe
https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.	0%	Avira URL Cloud	safe
https://github.com/jaraco/jaraco.functools/issues/5	0%	Virustotal		Browse
http://www.cert.fnmt.es/dpcs/	0%	Virustotal		Browse
http://tools.ietf.org/html/rfc6125#section-6.4.3	0%	Virustotal		Browse
https://google.com/mail	0%	Virustotal		Browse
http://www.phys.uu.nl/~vgent/calendar/isocalendar.htm	0%	Virustotal		Browse
https://packaging.python.org/installing/	0%	Avira URL Cloud	safe
https://github.com/pypa/setuptools/issues/417#issuecomment-392298401	0%	Virustotal		Browse
https://mahler:8092/site-updates.py	0%	Avira URL Cloud	safe
https://cryptography.io/	0%	Avira URL Cloud	safe
https://api.ipify.orgr	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.ipify.org	172.67.74.152	true	false	1%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://github.com/giampaolo/psutil/issues/875.	Colby Dupe Script.exe, 00000001.00000002.1724839216.0000012E34540000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://raw.githubusercontent.com/Smug246/luna-injection/main/obfuscated-injection.jsr	Colby Dupe Script.exe, 00000001.00000003.1711175421.0000012E33430000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1706757137.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1715762119.0000012E33431000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1704964886.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1706447898.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1708877182.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1709585773.0000012E3341D000.00000004.00000020.00020000.00000000.sdmp	true	4%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://crl.dhimyotis.com/certignarootca.crl0	Colby Dupe Script.exe, 00000001.00000003.1708033815.0000012E33D5A000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://img.shields.io/pypi/pyversions/setuptools.svg	Colby Dupe Script.exe, 00000000.00000003.1624359795.000001CB67E8C000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://img.shields.io/pypi/v/setuptools.svg	Colby Dupe Script.exe, 00000000.00000003.1624359795.000001CB67E8C000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://docs.python.org/library/unittest.html	Colby Dupe Script.exe, 00000001.00000003.1704537151.0000012E3351C000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1706027731.0000012E33567000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1710065692.0000012E3358E000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1705547606.0000012E3351C000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1707807420.0000012E3358A000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://python.org/dev/peps/pep-0263/	Colby Dupe Script.exe, 00000001.00000002.1727473962.00007FFDFB784000.00000040.00000001.01000000.00000004.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#	Colby Dupe Script.exe, 00000001.00000003.1708208043.0000012E30740000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1708120917.0000012E3077D000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1707273712.0000012E30702000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1717717838.0000012E30742000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1718438971.0000012E30780000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1707213340.0000012E30700000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1718375557.0000012E30747000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1707999724.0000012E30716000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://wheel.readthedocs.io/en/stable/news.html	Colby Dupe Script.exe, 00000000.00000003.1626504632.000001CB67E8C000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://goo.gl/zeJZl.	Colby Dupe Script.exe, 00000001.00000002.1724839216.0000012E34540000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.apache.org/licenses/LICENSE-2.0	Colby Dupe Script.exe, 00000000.00000003.1620113540.000001CB67E97000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1620172956.000001CB67E97000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1620113540.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://img.shields.io/codecov/c/github/pypa/setuptools/master.svg?logo=codecov&logoColor=white	Colby Dupe Script.exe, 00000000.00000003.1624359795.000001CB67E8C000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/pypa/packaging	Colby Dupe Script.exe, 00000001.00000002.1720999127.0000012E33740000.00000004.00001000.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1719919808.0000012E32E70000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://crl.dhimyotis.com/certignarootca.crlJ	Colby Dupe Script.exe, 00000001.00000003.1706202806.0000012E33F43000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1705307571.0000012E33F40000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1706413891.0000012E33F51000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://refspecs.linuxfoundation.org/elf/gabi4	Colby Dupe Script.exe, 00000001.00000002.1720999127.0000012E33740000.00000004.00001000.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1637097532.0000012E32D18000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1719844582.0000012E32D70000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://pypi.org/project/setuptools	Colby Dupe Script.exe, 00000000.00000003.1624359795.000001CB67E8C000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/pypa/setuptools/workflows/tests/badge.svg	Colby Dupe Script.exe, 00000000.00000003.1624359795.000001CB67E8C000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://discord.com/api/v9/users/	Colby Dupe Script.exe, 00000001.00000003.1711175421.0000012E33430000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1706757137.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1715762119.0000012E33431000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1704964886.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1706447898.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1708877182.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1724839216.0000012E34540000.00000004.00001000.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1709585773.0000012E3341D000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963	Colby Dupe Script.exe, 00000001.00000002.1721308720.0000012E33B40000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://blog.jaraco.com/skeleton	Colby Dupe Script.exe, 00000000.00000003.1624359795.000001CB67E8C000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://tools.ietf.org/html/rfc3610	Colby Dupe Script.exe, 00000001.00000003.1714437345.0000012E33D5D000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1717384939.0000012E33D5F000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1713561629.0000012E33D50000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1721842223.0000012E33D5F000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1715667576.0000012E33D5F000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1709463462.0000012E33D5D000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1710945718.0000012E33D3E000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1708033815.0000012E33D5A000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://crl.dhimyotis.com/certignarootca.crl	Colby Dupe Script.exe, 00000001.00000003.1708646545.0000012E32CD5000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1705166363.0000012E32CD1000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1709973632.0000012E32CD5000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1715150228.0000012E32CD8000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1706202806.0000012E33F43000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1707654708.0000012E32CD1000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1705307571.0000012E33F40000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1714073811.0000012E32CD5000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1706413891.0000012E33F51000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://docs.python.org/3/library/subprocess#subprocess.Popen.returncode	Colby Dupe Script.exe, 00000001.00000002.1724701056.0000012E34440000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/pypa/.github/blob/main/CODE_OF_CONDUCT.md	Colby Dupe Script.exe, 00000000.00000003.1624359795.000001CB67E8C000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000000.00000003.1626504632.000001CB67E8C000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy	Colby Dupe Script.exe, 00000001.00000002.1724920395.0000012E3470C000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://wwww.certigna.fr/autorites/0m	Colby Dupe Script.exe, 00000001.00000003.1708646545.0000012E32CD5000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1705166363.0000012E32CD1000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1709973632.0000012E32CD5000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1715150228.0000012E32CD8000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1707654708.0000012E32CD1000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1714073811.0000012E32CD5000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1708033815.0000012E33D5A000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/pypa/wheel	Colby Dupe Script.exe, 00000000.00000003.1626504632.000001CB67E8C000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.python.org/dev/peps/pep-0427/	Colby Dupe Script.exe, 00000000.00000003.1626504632.000001CB67E8C000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader	Colby Dupe Script.exe, 00000001.00000003.1708208043.0000012E30740000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1708120917.0000012E3077D000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1707273712.0000012E30702000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1717717838.0000012E30742000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1718438971.0000012E30780000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1707213340.0000012E30700000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1718375557.0000012E30747000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1707999724.0000012E30716000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://mail.python.org/pipermail/python-dev/2012-June/120787.html.	Colby Dupe Script.exe, 00000001.00000002.1724839216.0000012E34540000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://httpbin.org/	Colby Dupe Script.exe, 00000001.00000003.1708033815.0000012E33D5A000.00000004.00000020.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.apache.org/licenses/	Colby Dupe Script.exe, 00000000.00000003.1620113540.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/pyca/cryptography/workflows/CI/badge.svg?branch=main	Colby Dupe Script.exe, 00000000.00000003.1620256650.000001CB67E8C000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.cl.cam.ac.uk/~mgk25/iso-time.html	Colby Dupe Script.exe, 00000001.00000003.1634970702.0000012E32BAD000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1634970702.0000012E32BBD000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535	Colby Dupe Script.exe, 00000001.00000003.1712590285.0000012E33605000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1711278766.0000012E33603000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1720500434.0000012E3344C000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1704537151.0000012E33449000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://cryptography.io/en/latest/installation/	Colby Dupe Script.exe, 00000000.00000003.1620256650.000001CB67E8C000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://httpbin.org/image/png	Colby Dupe Script.exe, 00000001.00000003.1706562972.0000012E33DC1000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1711245076.0000012E32CA9000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1704775210.0000012E33DC1000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1706391727.0000012E32C86000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1714239103.0000012E32CA9000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1709338552.0000012E33DC1000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1705166363.0000012E32C51000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1708582564.0000012E32CA8000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1710336220.0000012E33DC6000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/pypa/setuptools/issues/417#issuecomment-392298401	Colby Dupe Script.exe, 00000001.00000002.1719996242.0000012E32F70000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://wiki.debian.org/XDGBaseDirectorySpecification#state	Colby Dupe Script.exe, 00000001.00000003.1708208043.0000012E30740000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1707273712.0000012E30702000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1709517694.0000012E30776000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1707213340.0000012E30700000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1707999724.0000012E30716000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://crl.securetrust.com/STCA.crl	Colby Dupe Script.exe, 00000001.00000003.1705373771.0000012E33DDA000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1705955374.0000012E33DDD000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1704775210.0000012E33DD1000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0	Colby Dupe Script.exe, 00000001.00000003.1705333402.0000012E33F21000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1704457723.0000012E33DE1000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1705955374.0000012E33DF2000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1722189174.0000012E33DFB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tools.ietf.org/html/rfc6125#section-6.4.3	Colby Dupe Script.exe, 00000001.00000002.1724839216.0000012E34540000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.cert.fnmt.es/dpcs/	Colby Dupe Script.exe, 00000001.00000003.1710769468.0000012E3327A000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1706202806.0000012E33F43000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1713861342.0000012E33287000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1705307571.0000012E33F40000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1708190498.0000012E33277000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1709567165.0000012E33279000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://google.com/mail	Colby Dupe Script.exe, 00000001.00000003.1704537151.0000012E33449000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1709463462.0000012E33D5D000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1645179843.0000012E33D5F000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1712784057.0000012E33D60000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1710496541.0000012E33452000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1708033815.0000012E33D5A000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/jaraco/jaraco.functools/issues/5	Colby Dupe Script.exe, 00000001.00000002.1720999127.0000012E33740000.00000004.00001000.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1719844582.0000012E32D70000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.accv.es00	Colby Dupe Script.exe, 00000001.00000003.1704457723.0000012E33DE1000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1705955374.0000012E33DF2000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1709463462.0000012E33D5D000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1712784057.0000012E33D60000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1722189174.0000012E33DFB000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1721842223.0000012E33D61000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1708033815.0000012E33D5A000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.phys.uu.nl/~vgent/calendar/isocalendar.htm	Colby Dupe Script.exe, 00000001.00000003.1634970702.0000012E32BAD000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1634970702.0000012E32BBD000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.rfc-editor.org/info/rfc7253	Colby Dupe Script.exe, 00000001.00000003.1706391727.0000012E32C86000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1711568354.0000012E32C8B000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1714402222.0000012E32CA3000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1705166363.0000012E32C51000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1714239103.0000012E32C9E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/pyca/cryptography/issues	Colby Dupe Script.exe, 00000000.00000003.1620256650.000001CB67E8C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.	Colby Dupe Script.exe, 00000001.00000003.1704537151.0000012E33449000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1710496541.0000012E33457000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1720519861.0000012E33457000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1705675254.0000012E33456000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1645179843.0000012E33D51000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://packaging.python.org/installing/	Colby Dupe Script.exe, 00000000.00000003.1624359795.000001CB67E8C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://mahler:8092/site-updates.py	Colby Dupe Script.exe, 00000001.00000003.1645179843.0000012E33D92000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1706628105.0000012E33DB6000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1722022192.0000012E33D9B000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1645285448.0000012E33D93000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1704775210.0000012E33D9B000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1706562972.0000012E33DB2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cryptography.io/	Colby Dupe Script.exe, 00000000.00000003.1620256650.000001CB67E8C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.ipify.orgr	Colby Dupe Script.exe, 00000001.00000003.1711175421.0000012E33430000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1706757137.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1715762119.0000012E33431000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1704964886.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1706447898.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1708877182.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1709585773.0000012E3341D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.firmaprofesional.com/cps0	Colby Dupe Script.exe, 00000001.00000003.1717044109.0000012E33C77000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1724346425.0000012E33F4B000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1706202806.0000012E33F43000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1705307571.0000012E33F40000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1721482981.0000012E33C7D000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1707732388.0000012E33C52000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://tidelift.com/subscription/pkg/pypi-setuptools?utm_source=pypi-setuptools&utm_medium=referral	Colby Dupe Script.exe, 00000000.00000003.1624359795.000001CB67E8C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://docs.python.org/3/library/re.html#re.sub	Colby Dupe Script.exe, 00000001.00000003.1709678067.0000012E334D2000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1712112159.0000012E334DB000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1641308670.0000012E334BE000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1720999127.0000012E33740000.00000004.00001000.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1637239907.0000012E3328F000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1705547606.0000012E334A2000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1719095820.0000012E32970000.00000004.00001000.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1709738285.0000012E334D9000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1720635274.0000012E334DB000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1714367312.0000012E334DB000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1637239907.0000012E332E6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/urllib3/urllib3/issues/2920	Colby Dupe Script.exe, 00000001.00000002.1724920395.0000012E34640000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.securetrust.com/SGCA.crl0	Colby Dupe Script.exe, 00000001.00000003.1708646545.0000012E32CD5000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1705166363.0000012E32CD1000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1715597750.0000012E32CE0000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1709973632.0000012E32CD5000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1715150228.0000012E32CD8000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1707654708.0000012E32CD1000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1714073811.0000012E32CD5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://setuptools.pypa.io/en/latest/userguide/declarative_config.html#opt-2	Colby Dupe Script.exe, 00000001.00000002.1721076607.0000012E33840000.00000004.00001000.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1639918901.0000012E33286000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	Colby Dupe Script.exe, 00000000.00000003.1621732137.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.quovadisglobal.com/cps0	Colby Dupe Script.exe, 00000001.00000003.1704964886.0000012E33312000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/pyparsing/pyparsing/wiki	Colby Dupe Script.exe, 00000001.00000003.1705166363.0000012E32D4D000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1711682471.0000012E332A1000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1716672726.0000012E332A3000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1712573489.0000012E332A1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cryptography.io/en/latest/changelog/	Colby Dupe Script.exe, 00000000.00000003.1620256650.000001CB67E8C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://img.shields.io/badge/code%20style-black-000000.svg	Colby Dupe Script.exe, 00000000.00000003.1624359795.000001CB67E8C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://setuptools.pypa.io/en/stable/history.html	Colby Dupe Script.exe, 00000000.00000003.1624359795.000001CB67E8C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.iana.org/time-zones/repository/tz-link.html	Colby Dupe Script.exe, 00000001.00000003.1634970702.0000012E32BBD000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1634970702.0000012E32B9A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://mail.python.org/mailman/listinfo/cryptography-dev	Colby Dupe Script.exe, 00000000.00000003.1620256650.000001CB67E8C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://docs.python.org/library/itertools.html#recipes	Colby Dupe Script.exe, 00000001.00000003.1639918901.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1706757137.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1704964886.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1706447898.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1708877182.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1719844582.0000012E32D70000.00000004.00001000.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1640772567.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1720921669.0000012E33640000.00000004.00001000.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1641696445.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1709585773.0000012E3341D000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1715762119.0000012E33428000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.ipify.org/	Colby Dupe Script.exe, 00000001.00000002.1725469599.0000012E34DBC000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://gist.github.com/lyssdod/f51579ae8d93c8657a5564aefc2ffbca	Colby Dupe Script.exe, 00000001.00000002.1720999127.0000012E33740000.00000004.00001000.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1637097532.0000012E32D18000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1719844582.0000012E32D70000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://pypi.org/project/setuptools/	Colby Dupe Script.exe, 00000000.00000003.1626504632.000001CB67E8C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://packaging.python.org/en/latest/specifications/declaring-project-metadata/	Colby Dupe Script.exe, 00000001.00000003.1709820076.0000012E3354D000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1704537151.0000012E3351C000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1641308670.0000012E3351C000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1641764648.0000012E33599000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1705547606.0000012E3351C000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1710413986.0000012E3354D000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1713632426.0000012E3354D000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1708090019.0000012E33547000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1714916470.0000012E3354D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/pypa/setuptools/issues/1024.	Colby Dupe Script.exe, 00000001.00000002.1720999127.0000012E33740000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://code.activestate.com/recipes/577452-a-memoize-decorator-for-instance-methods/	Colby Dupe Script.exe, 00000001.00000003.1707821250.0000012E32BDA000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1710769468.0000012E3327A000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1704537151.0000012E3351C000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1710370689.0000012E32BDC000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1711978527.0000012E32BFD000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1706431007.0000012E3355D000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1707149366.0000012E32BD8000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1720218950.0000012E3327A000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1708190498.0000012E33277000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1705547606.0000012E3351C000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1639918901.0000012E33270000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1709567165.0000012E33279000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1710735753.0000012E32BFA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.discordapp.com/icons/958782767255158876/a_0949440b832bda90a3b95dc43feb9fb7.gif?size=4096	Colby Dupe Script.exe, 00000001.00000003.1711175421.0000012E33430000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1706757137.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1715762119.0000012E33431000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1704964886.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1706447898.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1708877182.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1724701056.0000012E34440000.00000004.00001000.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1709585773.0000012E3341D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://img.shields.io/discord/803025117553754132	Colby Dupe Script.exe, 00000000.00000003.1624359795.000001CB67E8C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.accv.es0	Colby Dupe Script.exe, 00000001.00000003.1704457723.0000012E33DE1000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1705955374.0000012E33DF2000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1722189174.0000012E33DFB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.python.org/	Colby Dupe Script.exe, 00000001.00000003.1645179843.0000012E33D92000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1706628105.0000012E33DB6000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1722022192.0000012E33D9B000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1645285448.0000012E33D93000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1704775210.0000012E33D9B000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1706562972.0000012E33DB2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.python.org/dev/peps/pep-0205/	Colby Dupe Script.exe, 00000000.00000003.1619232060.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1719844582.0000012E32D70000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://twitter.com/	Colby Dupe Script.exe, 00000001.00000003.1710655680.0000012E328A6000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1709463462.0000012E33D5D000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1645179843.0000012E33D5F000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1712296481.0000012E328DA000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1712784057.0000012E33D60000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1707334221.0000012E3288F000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1708322964.0000012E3289C000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1708033815.0000012E33D5A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://stackoverflow.com/questions/4457745#4457745.	Colby Dupe Script.exe, 00000001.00000002.1724839216.0000012E34540000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://docs.python.org/3/library/pprint.html#pprint.pprint	Colby Dupe Script.exe, 00000001.00000003.1640870485.0000012E33298000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1708292032.0000012E332A0000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1709000193.0000012E332A1000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1641308670.0000012E334A2000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1707879900.0000012E33298000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1710102914.0000012E33261000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1638249488.0000012E33298000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1711682471.0000012E332A1000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1712573489.0000012E332A1000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1709273413.0000012E33259000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1641308670.0000012E334B7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://setuptools.pypa.io/	Colby Dupe Script.exe, 00000000.00000003.1624359795.000001CB67E8C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.quovadisglobal.com/cps	Colby Dupe Script.exe, 00000001.00000003.1705547606.0000012E3345C000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1704537151.0000012E33449000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1716123016.0000012E3347E000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1720563875.0000012E33480000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://discord.com/channels/803025117553754132/815945031150993468	Colby Dupe Script.exe, 00000000.00000003.1624359795.000001CB67E8C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://google.com/mail/	Colby Dupe Script.exe, 00000001.00000003.1709567165.0000012E33279000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://img.shields.io/pypi/v/cryptography.svg	Colby Dupe Script.exe, 00000000.00000003.1620256650.000001CB67E8C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://google.com/mail/	Colby Dupe Script.exe, 00000001.00000003.1713541464.0000012E3358A000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1704537151.0000012E3351C000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1710314552.0000012E3358A000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1706027731.0000012E33567000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1720717142.0000012E3358B000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1705547606.0000012E3351C000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1707807420.0000012E3358A000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1715503146.0000012E3358B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://raw.githubusercontent.com/Smug246/luna-injection/main/obfuscated-injection.js	Colby Dupe Script.exe, 00000001.00000002.1724839216.0000012E34540000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://tools.ietf.org/html/rfc5297	Colby Dupe Script.exe, 00000001.00000003.1712822913.0000012E33D58000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1715667576.0000012E33D59000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1710945718.0000012E33D3E000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1713561629.0000012E33D59000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://tidelift.com/badges/github/pypa/setuptools?style=flat	Colby Dupe Script.exe, 00000000.00000003.1624359795.000001CB67E8C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.openssl.org/H	Colby Dupe Script.exe, 00000000.00000003.1621851828.000001CB67E89000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1728579219.00007FFDFF303000.00000004.00000001.01000000.00000015.sdmp, Colby Dupe Script.exe, 00000001.00000002.1727429814.00007FFDFB414000.00000004.00000001.01000000.00000014.sdmp	false	URL Reputation: safe	unknown
https://img.shields.io/readthedocs/setuptools/latest.svg	Colby Dupe Script.exe, 00000000.00000003.1624359795.000001CB67E8C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://code.activestate.com/recipes/577916/	Colby Dupe Script.exe, 00000001.00000002.1718839918.0000012E328E6000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1709621107.0000012E328E3000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1635583610.0000012E32C0C000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1635730524.0000012E328AA000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1707334221.0000012E3288F000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1708322964.0000012E3289C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.discordapp.com/avatars/	Colby Dupe Script.exe, 00000001.00000003.1711175421.0000012E33430000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1706757137.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1715762119.0000012E33431000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1704964886.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1706447898.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1708877182.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1724839216.0000012E34540000.00000004.00001000.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1709585773.0000012E3341D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cryptography.io	Colby Dupe Script.exe, 00000000.00000003.1620256650.000001CB67E8C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://toolbelt.readthedocs.io/	Colby Dupe Script.exe, 00000001.00000002.1725202471.0000012E34ADC000.00000004.00001000.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000002.1725090024.0000012E34990000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.roblox.com/mobileapi/userinfor=	Colby Dupe Script.exe, 00000001.00000003.1711175421.0000012E33430000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1706757137.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1715762119.0000012E33431000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1704964886.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1706447898.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1708877182.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, Colby Dupe Script.exe, 00000001.00000003.1709585773.0000012E3341D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://pypi.org/project/cryptography/	Colby Dupe Script.exe, 00000000.00000003.1620256650.000001CB67E8C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.67.74.152	api.ipify.org	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1441703
Start date and time:	2024-05-15 02:24:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 39s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Colby Dupe Script.exe
Detection:	MAL
Classification:	mal68.troj.evad.winEXE@6/108@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 70% Number of executed functions: 48 Number of non-executed functions: 124
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Excluded IPs from analysis (whitelisted): 20.12.23.50
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, sls.update.microsoft.com, ctldl.windowsupdate.com, glb.sls.prod.dcat.dsp.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
172.67.74.152	stub.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	stub.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	Sonic-Glyder.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	Sky-Beta.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/?format=json
	Sky-Beta.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/?format=json
	Sky-Beta-Setup.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	Sky-Beta.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	SongOfVikings.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/?format=json
	SongOfVikings.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/?format=json
	Sky-Beta Setup 1.0.0.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/?format=json

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.ipify.org	New Order n. 4533452041, date 14.05.2024.hta	Get hash	malicious	AgentTesla, GuLoader	Browse	104.26.12.205
	CHNSoT10HG.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	104.26.12.205
	SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.13253.12913.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.13.205
	935-24Aski.hta	Get hash	malicious	AgentTesla, GuLoader	Browse	104.26.12.205
	25094.xls	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.13.205
	POP.exe	Get hash	malicious	GuLoader	Browse	104.26.13.205
	4jCkCt5XGE.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	LPP Loading Advice Poland ETD 08-May.xlsx.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
	NOA, BL and invoice.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152
	PO# CB20240022.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	https://www.glwkce.shop/	Get hash	malicious	Unknown	Browse	1.1.1.1
	SecuriteInfo.com.Win32.SpywareX-gen.6594.13084.exe	Get hash	malicious	LummaC	Browse	104.21.54.246
	https://dhltarcking.sviluppo.host/RDGDESDZRFSYJNOI/index.php?FGDD=1	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	messages undelivered.htm_	Get hash	malicious	HTMLPhisher	Browse	104.21.84.200
	https://biggesttubesite.z13.web.core.windows.net/index.html	Get hash	malicious	TechSupportScam	Browse	104.18.10.207
	https://sharepoint-0a17.dideto2686.workers.dev/	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	SecuriteInfo.com.Trojan.InstallCore.4086.7598.27088.exe	Get hash	malicious	PrivateLoader, PureLog Stealer	Browse	104.18.21.226
	https://www.knxzovc.asso.ci/	Get hash	malicious	Unknown	Browse	1.1.1.1
	SecuriteInfo.com.Trojan.InstallCore.4086.7598.27088.exe	Get hash	malicious	PrivateLoader, PureLog Stealer	Browse	104.18.20.226
	http://www.tinyurl.com/gamks929sk?pt3kt2YdFUY0XQQZU7seiJ2ZpJZPTXB02_WZcOJZXZlbHluQG5hbGV6eXR5LmNvbcOIPh9QAwFRcL3LXbxrhpGIqUzwaVw	Get hash	malicious	Unknown	Browse	172.67.197.117

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Cipher\_chacha20.pyd	SecuriteInfo.com.Win64.Evo-gen.1340.7200.exe	Get hash	malicious	Luna Logger	Browse
	SecuriteInfo.com.Win64.Evo-gen.19254.19116.exe	Get hash	malicious	Luna Logger	Browse
	Splunk_Grabber.exe	Get hash	malicious	Unknown	Browse
C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Cipher\_Salsa20.pyd	SecuriteInfo.com.Win64.Evo-gen.1340.7200.exe	Get hash	malicious	Luna Logger	Browse
	SecuriteInfo.com.Win64.Evo-gen.19254.19116.exe	Get hash	malicious	Luna Logger	Browse
	Splunk_Grabber.exe	Get hash	malicious	Unknown	Browse
C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Cipher\_ARC4.pyd	SecuriteInfo.com.Win64.Evo-gen.1340.7200.exe	Get hash	malicious	Luna Logger	Browse
	SecuriteInfo.com.Win64.Evo-gen.19254.19116.exe	Get hash	malicious	Luna Logger	Browse
	Splunk_Grabber.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Cipher\_ARC4.pyd

Download File

Process:	C:\Users\user\Desktop\Colby Dupe Script.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	9728
Entropy (8bit):	6.784099973801211
Encrypted:	false
SSDEEP:	192:Dz1519kKsPOR3popHp88o6UPmP2TINjzAN3DekYj273QJXpHM:Dz157kKsWR3puHp7o6mmP28tzAxeZa7p
MD5:	79CB88FD8430233F7A1016156F30CDC0
SHA1:	711180549115DBEB465E4BA5FD6469A9495013DD
SHA-256:	6FA90105B62E529AE76377B5E1BD182A8575B33DA8221041CB1D74B12FFF05EB
SHA-512:	0E35A951C7130EBDEE973E2FEA09212CCE8884D959269F9B3382B5AE091779104596EE2003B057C8856704EEF68CD75EB2358A6F89F46BCC4442AF4D10197D6B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: SecuriteInfo.com.Win64.Evo-gen.1340.7200.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win64.Evo-gen.19254.19116.exe, Detection: malicious, Browse Filename: Splunk_Grabber.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........K...b..b..b..R...b..Uc..b.Rc..b..c..b..Ug..b..Uf..b..Ua..b..j..b..b..b....b..`..b.Rich.b.................PE..d...O..e.........." ...%. .......p........................................................`.........................................L..........\............@........................................................@...........................................UPX0.....p..............................UPX1..... ..........................@....rsrc................"..............@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Cipher\_Salsa20.pyd

Download File

Process:	C:\Users\user\Desktop\Colby Dupe Script.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	10752
Entropy (8bit):	6.868813059433361
Encrypted:	false
SSDEEP:	192:Sy6LLPGQXSBqwVnSxrDZ6Wa9kYj273QJXhnDhny:X6L7G4SBfi6Wa9Za7gJXhE
MD5:	067672B26A276933CA266A4905411177
SHA1:	D0956DE75607E58C2456D1B0D65CA618A5DE3E32
SHA-256:	D0A372A717C35ED589FE00A93A182DE8C60F4284EA1174F80EEDFA61F073387E
SHA-512:	8C3EC1162CD2AFFA72A406FF4B09B15167CCE424C854F0132C91A3E60DF0E8C6702C27E541D33A6DF2D1475414160B0D6EC1F91517186192A586F22A49401449
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: SecuriteInfo.com.Win64.Evo-gen.1340.7200.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win64.Evo-gen.19254.19116.exe, Detection: malicious, Browse Filename: Splunk_Grabber.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4Y..Z...Z...Z......Z..[...Z...[...Z...[...Z.._...Z..^...Z..Y...Z..RR...Z..RZ...Z..R....Z..RX...Z.Rich..Z.........PE..d...P..e.........." ...%.0.......p..P.....................................................`.........................................L..........\............P..L...............$...................................P...@...........................................UPX0.....p..............................UPX1.....0......."..................@....rsrc................&..............@......................................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Cipher\_chacha20.pyd

Download File

Process:	C:\Users\user\Desktop\Colby Dupe Script.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11264
Entropy (8bit):	6.901227659425816
Encrypted:	false
SSDEEP:	192:Yrp6LLPGQXSPkf1KDXH3z1O/yMJkYj273QJXbnGHdN9lk:G6L7G4S8d6H3+JZa7gJXi9N9
MD5:	B373B105751E4EB54D7BED60ABF38772
SHA1:	F06B3E656C4BFA9641B70BA1843A96DFCFDF26FF
SHA-256:	7E1066DEFB01B427EBA03C04159FBBA281BB2440AB622FECC408F9725E0FFC70
SHA-512:	C8BAA4B0523DAD655635DC3334C5DC3BB6C6250E4E26315C93E8DCA83ED155C1101751DE036E7B7CBEE787435FC0E736B9EED99E5C037EF60FDECFB50B8CF816
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: SecuriteInfo.com.Win64.Evo-gen.1340.7200.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win64.Evo-gen.19254.19116.exe, Detection: malicious, Browse Filename: Splunk_Grabber.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4Y..Z...Z...Z......Z..[...Z...[...Z...[...Z.._...Z..^...Z..Y...Z..RR...Z..RZ...Z..R....Z..RX...Z.Rich..Z.........PE..d...P..e.........." ...%.0.......p........................................................`.........................................L..........\............P..d.......................................................@...........................................UPX0.....p..............................UPX1.....0.......$..................@....rsrc................(..............@......................................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Cipher\_pkcs1_decode.pyd

Download File

Process:	C:\Users\user\Desktop\Colby Dupe Script.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11264
Entropy (8bit):	6.921268073528014
Encrypted:	false
SSDEEP:	192:1411+odumD23wZjzKFyACX2OaIFpRHJLqqhthgkYj273QJXinCW:/Hp3wFzKFNEpFX9qqhTgZa7gJXr
MD5:	5A600939BEA7972085FCD1FB8C5AFC4B
SHA1:	491DEBBA06183ACB66C0A2BDD681F3E094DE9ED6
SHA-256:	656D8C5869F87D20385CEF4B8C43E5B49A259E57405B7DC3C92037C2E09BB311
SHA-512:	DC843AB511EE0C762A665EB514B1A7B2635044AC11590F8E941CC6BC44BCAE17C12E4AC8775343AD9EAC2C0A762E2924FAED50BCD44B483DC5F70754BC09FB97
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........K...........R......U.....R............U......U......U................}.........Rich...........................PE..d...N..e.........." ...%.0.......p..`.....................................................`.........................................L..........\............P..\|..................................................`...@...........................................UPX0.....p..............................UPX1.....0.......$..................@....rsrc................(..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Cipher\_raw_aes.pyd

Download File

Process:	C:\Users\user\Desktop\Colby Dupe Script.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	17920
Entropy (8bit):	7.4817614639653565
Encrypted:	false
SSDEEP:	384:Dzc0mElU25IfO5Vha1ALR8Hxy/JgqY1Sa0CyZa7gJXNq:Dz9hlNumYYcFh1f8p9q
MD5:	AC70E4D67A4B0B12B2ED3272F374D711
SHA1:	0DC76997EB6BFAD56E8497C30F85F0AEF1D4DDDF
SHA-256:	4D53D50CACAE3824A82B53C802A376EF17240425F06CBEA00E2783524B89E967
SHA-512:	EF412BDEE8FF044928DCDF47A01DB68E22C8076BF9EFDE88F789DC328ABA4C5FF19D353B3D49932195642CC2EC4FEC91E50BF8B670A4A9E9D3AB632473E1622A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........K...b..b..b..R...b..Uc..b.Rc..b..c..b..Ug..b..Uf..b..Ua..b..j..b..b..b....b..`..b.Rich.b.................PE..d...L..e.........." ...%.@................................................... ............`.........................................L...........\.......................................................................@...........................................UPX0....................................UPX1.....@.......>..................@....rsrc................B..............@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Cipher\_raw_aesni.pyd

Download File

Process:	C:\Users\user\Desktop\Colby Dupe Script.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11776
Entropy (8bit):	6.9281038515383395
Encrypted:	false
SSDEEP:	192:Yv1jz8WmvrfVBUmDE9eekugaeD9urEb/ienWUkYj273QJX0nnd:Aza7ie4ublZa7gJXE
MD5:	17DD2E38FAAB69E6083043712025A48B
SHA1:	B3BB831CE31FAE52CF73629435FACB420108B599
SHA-256:	D558E1603DBF729F3742881F5FCA2C54459DB00C90E8034840DC80C430E49017
SHA-512:	C42C5C0C3DB379CBB9AE48DFA9CC4D13194752E8E8DA3F6A6EDB2CA5EBC3B2C3061EC111B7842819F962A00EAB128B8FFD6AA4B21FD316E56C65D166FC55A902
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........TX..:...:...:.....:..;...:...;...:...;...:..?...:..>...:..9...:..R2...:..R:...:..R....:..R8...:.Rich..:.................PE..d...L..e.........." ...%.0.......p........................................................`.........................................L..........\............P........................................................@...........................................UPX0.....p..............................UPX1.....0.......&..................@....rsrc................*..............@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Cipher\_raw_arc2.pyd

Download File

Process:	C:\Users\user\Desktop\Colby Dupe Script.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	7.216357443903366
Encrypted:	false
SSDEEP:	192:/8Ui33HUci0GPIuf1ygBIaIViLYcEdaRwPXY7IGq81UH4kYj273QJXzHj:/8UmXU7ZQuxBkVl1dlPXY0G11o4Za7gJ
MD5:	B58DB42A88C8990F7A8B4AA53BE1B36B
SHA1:	2C76D5CD8249671CFDF3A98B6B3C08689262A7A8
SHA-256:	6C4A39EA9A9E7FA31AE5493D93FB9DAA5CCD55FAB8425FE8B9847330F2AA708B
SHA-512:	600D202C52D4CCE7F869188CF701B6310EDB0295991B3F8DB6D6CCA8611E991F023C8F6B53FBE9199689A270C31719AD1ABEAE3DFE71EE7640A21EDCA1D40F88
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4Y..Z...Z...Z......Z..[...Z...[...Z...[...Z.._...Z..^...Z..Y...Z..RR...Z..RZ...Z..R....Z..RX...Z.Rich..Z.........PE..d...L..e.........." ...%.0................................................................`.........................................L...........\............`..........................................................@...........................................UPX0....................................UPX1.....0.......(..................@....rsrc................,..............@......................................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Cipher\_raw_blowfish.pyd

Download File

Process:	C:\Users\user\Desktop\Colby Dupe Script.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	15360
Entropy (8bit):	7.385300209199526
Encrypted:	false
SSDEEP:	384:DmMoWcZrqnai5YEpXEHBWbru9tX/SZa7gJXtp:DmMoFrE5OB8r66pd
MD5:	0DE940D103A8B74532698F86EE910C29
SHA1:	87F904763D340AFBC8D356B7D24D7B0C5E7BEB3E
SHA-256:	E85AAE1EE31572630A15370C9412228360BCEAC685D3CEAF96A18F9BC583F1D1
SHA-512:	D8B8AABA7969F23E6020651E26B62F89A17D20DCC1FCBA06245AB6A74D8C654C6EBE0F48A90E2E4568E8110D70C586326E558733FF1C2C48D14921DB298E96B9
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4Y..Z...Z...Z......Z..[...Z...[...Z...[...Z.._...Z..^...Z..Y...Z..RR...Z..RZ...Z..R....Z..RX...Z.Rich..Z.........PE..d...L..e.........." ...%.@.......... .....................................................`.........................................L...........\............p...................................................... ...@...........................................UPX0....................................UPX1.....@.......4..................@....rsrc................8..............@......................................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Cipher\_raw_cast.pyd

Download File

Process:	C:\Users\user\Desktop\Colby Dupe Script.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	7.602252043128806
Encrypted:	false
SSDEEP:	384:JxxaC+SE5wRA5pKl3ScWGGyHgSbwKgCQKgdhAJZa7gJXcI:Z3Eipl3KxaDBpsI
MD5:	D0B0D6D172EE41D70B0F2CAE5BC5D872
SHA1:	DE0198E65DE559908FCCCE3C193243F6C13A8415
SHA-256:	300563C4557D1833B97470BB4A25AA1B502617BC75B9D96A99A9467806F11F8C
SHA-512:	1C1F5992D7962BB4943E0602FCF53E23E3812F565156DE20E69A7BABEDDFBD1DC55118B0FA29CAD81688FE6AC82753D3A3A2BF8F666660F22DC472D1D1931978
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4Y..Z...Z...Z......Z..[...Z...[...Z...[...Z.._...Z..^...Z..Y...Z..RR...Z..RZ...Z..R....Z..RX...Z.Rich..Z.........PE..d...M..e.........." ...%.P..........P.....................................................`.........................................L...........\...................................................................P...@...........................................UPX0....................................UPX1.....P.......H..................@....rsrc................L..............@......................................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Cipher\_raw_cbc.pyd

Download File

Process:	C:\Users\user\Desktop\Colby Dupe Script.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	10240
Entropy (8bit):	6.848590112788967
Encrypted:	false
SSDEEP:	192:56LLPGQXSPRw1RVAIATV7KukYj273QJX93ua:56L7G4SZURV3AMuZa7gJXs
MD5:	F2BF3F3CDCE0E6A8A29BD7FAD094736B
SHA1:	7EB4AF31B93EE38219EB31C2A867959BB7A3EC53
SHA-256:	D8A9EDFF4C8CBBD02CC89541CD1A9F8B1BA8381F000A86F910B4D6831BB9A034
SHA-512:	EA3DCDD0218F51BEDAFE9FB995D84A820D244673086F42276D7CB6C398C67F0E4F79EC343DD0A6FC0AF03AE605AABBBD93C8C612CBFD7DDF641B9F8A8DB13C83
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4Y..Z...Z...Z......Z..[...Z...[...Z...[...Z.._...Z..^...Z..Y...Z..RR...Z..RZ...Z..R....Z..RX...Z.Rich..Z.........PE..d...N..e.........." ...%. .......p........................................................`.........................................L..........\............P..X.......................................................@...........................................UPX0.....p..............................UPX1..... ....... ..................@....rsrc................$..............@......................................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Cipher\_raw_cfb.pyd

Download File

Process:	C:\Users\user\Desktop\Colby Dupe Script.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	10752
Entropy (8bit):	6.921521895410943
Encrypted:	false
SSDEEP:	192:ClmTnQI5hJ/fzLf2kyPCeN4Czw4v5RTZG9hiAZkYj273QJXhngQ:TnQYZfzByPJ2M/5RVY0AZZa7gJXe
MD5:	4D651469EFF9F0A3F904FCAC9B1A41D2
SHA1:	F9EB0D3AE58B8195E2485C6C378CE84F95C9EE54
SHA-256:	1B835A8C05DCC24C77FCF21AE0091CE34ACA3B6B3D153415E3F0CF0142C53F9B
SHA-512:	0C10C6A52E2FA9BDF89229AD9964CFFF6F3621EAAD6F3AACEBBBC8DA6FF742E087C79AF2D2D152C433160F25A9E45A2C41E13349CBA758640163832569D37CFD
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........K............RQ.....U.....R............U......U......U..................=..........Rich...................PE..d...N..e.........." ...%.0.......p........................................................`.........................................L..........\............P..d.......................................................@...........................................UPX0.....p..............................UPX1.....0......."..................@....rsrc................&..............@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Cipher\_raw_ctr.pyd

Download File

Process:	C:\Users\user\Desktop\Colby Dupe Script.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11264
Entropy (8bit):	6.924881224263464
Encrypted:	false
SSDEEP:	192:jeAKe/cDRHpPJw3XF3VJtZuykYj273QJX1nmX:jyNReXXJtZuyZa7gJX0
MD5:	0A47AE20F5C45144EAA5C6AF1BA33757
SHA1:	DAD050EA948C1E327369A3644C7CC65E7927BF10
SHA-256:	77D5D375FA405F83FBA90FF51BDA86C2233146A3AA768367F8EF582ABA453AAB
SHA-512:	A8EB40AE7A390D2D13DEB0DF6E753A3D3FD1F02597271020EE46C1326578908E402F3A527D8BC69FE9638CC1960330C7E81578A3DBDC0E93636B90D506ED5CAE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........K,..B..B..B..R...B..UC..B.RC..B..C..B..UG..B..UF..B..UA..B..J..B..B..B....B..@..B.Rich.B.........................PE..d...O..e.........." ...%.0.......p..@.....................................................`.........................................L..........\............P......................................................@...@...........................................UPX0.....p..............................UPX1.....0.......$..................@....rsrc................(..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Cipher\_raw_des.pyd

Download File

Process:	C:\Users\user\Desktop\Colby Dupe Script.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	17920
Entropy (8bit):	7.41383195233212
Encrypted:	false
SSDEEP:	384:9RqrotMlaakiQHVzTuyz1axe0ehq3gK59p5qJOIOZa7gJXX:9RqrY0dkiW9Tvz1hEgK572Apn
MD5:	B74E7AC2309BC4C6780522197605BAFC
SHA1:	D46FA3D3541EF9E64BEBB653BE5277A440C7C640
SHA-256:	1132F7F463C4928FB6AC4B77948B478075F2D5DF0FF984406E28412542F240B1
SHA-512:	5AD648BFE05C9CE06488A287F645833CF8CDC0E02052C6EA07EAB4FED7CFD26CE84182E84409950649B1E68F669406C6E097BB7238DFE76E3365220C464E3761
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........A.........................................................K......K......Ki.....K.....Rich...........................PE..d...M..e.........." ...%.@...........N... ...................................p............`.........................................Lb.......`..\....`..........l............b.......................................Z..@...........................................UPX0....................................UPX1.....@... ...>..................@....rsrc........`.......B..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Cipher\_raw_des3.pyd

Download File

Process:	C:\Users\user\Desktop\Colby Dupe Script.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	17408
Entropy (8bit):	7.47046946370741
Encrypted:	false
SSDEEP:	384:99rotMv4nDzAZ2wg90+Lx0EjhZa7gJXM:99rYYXoLx02pc
MD5:	7CEFBE1123ED3489A630A7111127D42B
SHA1:	3B2C7F2881CF80DCE00EEB3322ABDCB32036F15D
SHA-256:	4D61A89B941D29F9162812F3500D13BCE99C452ABF224E2F720204AD2A7A8F62
SHA-512:	65FC13560BF492C66240BD0C1FCBB2EA16CD645F90A8369E0444B5E9BB01C92C2E55452E4239FAEC8E6240E6F4AF5881450A56FED4446F57C6F807E81B13BB15
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........A.........................................................K......K......Ki.....K.....Rich...........................PE..d...N..e.........." ...%.@...........M... ...................................p............`.........................................Lb.......`..\....`.......................b.......................................Y..@...........................................UPX0....................................UPX1.....@... ...<..................@....rsrc........`.......@..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Cipher\_raw_ecb.pyd

Download File

Process:	C:\Users\user\Desktop\Colby Dupe Script.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	9216
Entropy (8bit):	6.796729774507867
Encrypted:	false
SSDEEP:	192:g51aJhdZfybbKUtzyPwkYj273QJXpHbH:g5kKbOUtzSwZa7gJXxH
MD5:	B47C542168546FB875E74E49C84325B6
SHA1:	2AECAB080CC0507F9380756478EADAD2D3697503
SHA-256:	55657830C9AB79875AF923B5A92E7EE30E0560AFFC3BAA236C38039B4EF987F2
SHA-512:	FC25087C859C76DFF1126BBFE956EA6811DC3CA79E9BBFD237893144DB8B7CE3CAE3AEB0923F69E0BFFFA5575B5442AD1891D7088DD3857B62BE12B5326BE50D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r.`.r.`.r.`.{...p.`.g.a.p.`.9.a.q.`.r.a.Q.`.g.e.y.`.g.d.z.`.g.c.q.`.H.h.s.`.H.`.s.`.H...s.`.H.b.s.`.Richr.`.................PE..d...N..e.........." ...%. .......p........................................................`.................................................................@..........................................................@...........................................UPX0.....p..............................UPX1..... ..........................@....rsrc................ ..............@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Cipher\_raw_eksblowfish.pyd

Download File

Process:	C:\Users\user\Desktop\Colby Dupe Script.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	15872
Entropy (8bit):	7.402716006836691
Encrypted:	false
SSDEEP:	384:xmMoWcZrqnyj+h0fvzyWj4vu7or6g7OiPZa7gJXvn:xmMoFrHj1nzy7fX7jpf
MD5:	9F06168B9D6A2F83D495AE2BE9118EDB
SHA1:	3E38D6D3A0FDC8E3F2915FA5ED4B546B9CEA451B
SHA-256:	1F1B0D2274576B2F36E79BC3EBA115C545764B29F37DAD5A2D62A3ADC3049FC1
SHA-512:	30F23D139C493652AB962C4F4392F092DC376986375921C4D9EA1D338862E1961EBD51E5B5BB22DF0E2F40208D4430A45BEEECF073D28B6C2CF1F447D28921D0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4Y..Z...Z...Z......Z..[...Z...[...Z...[...Z.._...Z..^...Z..Y...Z..RR...Z..RZ...Z..R....Z..RX...Z.Rich..Z.........PE..d...M..e.........." ...%.@................................................................`.........................................L...........\............p..........................................................@...........................................UPX0....................................UPX1.....@.......6..................@....rsrc................:..............@......................................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Cipher\_raw_ocb.pyd

Download File

Process:	C:\Users\user\Desktop\Colby Dupe Script.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11776
Entropy (8bit):	7.032779919711558
Encrypted:	false
SSDEEP:	192:Tu3adl/1kJsPVTJIWO75b63Nvpn394yqwKMcL8ekYj273QJXRH7g:eeJIWM16DGtPeeZa7gJXq
MD5:	4F7465CEDDA4E01BB23EBE95467EFAA7
SHA1:	BC8153DB28583D45B411E5040FB6B01EE36AF83D
SHA-256:	2076F5AC5F56C43053CB61750B04933E120902C172053C0432E4686169431DB8
SHA-512:	B97E1CE4979EC8B4A4ABD32160ABE54BAC08E53E7AAB771F6740A78EEA45DF531E9861EC3A1A4AB8FD1BFA6E28B2E8A933C92C7796FBC9C78D5AD7749B7CF2DB
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y..z...z...z......z..{...z...{...z...{...z......z..~...z..y...z..Rr...z..Rz...z..R....z..Rx...z.Rich..z.................PE..d...O..e.........." ...%.0..........`.....................................................`.........................................L...........\............`..............H.......................................`...@...........................................UPX0....................................UPX1.....0.......&..................@....rsrc................*..............@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Cipher\_raw_ofb.pyd

Download File

Process:	C:\Users\user\Desktop\Colby Dupe Script.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	10240
Entropy (8bit):	6.729835207850266
Encrypted:	false
SSDEEP:	192:C36LLPGQXSPG7xn5yE27OLkYj273QJX93C7:C36L7G4SSx5yEjLZa7gJXI
MD5:	6315A891EA3F996FC4B5EC384841F10C
SHA1:	ED76EF57517E35B7B721A8B1A3E1FFA7873AEC57
SHA-256:	087C238E1AA9038F53F8C92E7255F7ADC9CD9A60A895256962DC39A73D596382
SHA-512:	083859A84FF84E865CFC255FF1674134940C5A64CC703C4AE7815501D586005B6B6CABC28E52239AE24CD38A1253D634D8DE87D98A4A65F45DF2B34BC24C2483
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4Y..Z...Z...Z......Z..[...Z...[...Z...[...Z.._...Z..^...Z..Y...Z..RR...Z..RZ...Z..R....Z..RX...Z.Rich..Z.........PE..d...O..e.........." ...%. .......p........................................................`.........................................L..........\............P..X.......................................................@...........................................UPX0.....p..............................UPX1..... ....... ..................@....rsrc................$..............@......................................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Hash\_BLAKE2b.pyd

Download File

Process:	C:\Users\user\Desktop\Colby Dupe Script.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11776
Entropy (8bit):	6.9607448530291185
Encrypted:	false
SSDEEP:	192:oR6LLPhjAm772BoThOlSC3ObOWkYj273QJX1no9uG:S6L7hjAcNlOv3ObOWZa7gJXas
MD5:	CEFA1801A2FC186822EE841A360B96BB
SHA1:	002C7A9E5FCB59F4C5D5A2B122AC8CD7B1A9ECD2
SHA-256:	8A43F2F47689FC68CBDF07465950FF6571A884292B5014EA0793FFE26C056736
SHA-512:	3BD76F658C29C016C493359D044260A9EF2541910F17DAF80D7A9F328903E5593D9980E93E1D048138741305DA6D3F93B6C412A22D826C40D75B195A437E8D2C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4Y..Z...Z...Z......Z..[...Z...[...Z...[...Z.._...Z..^...Z..Y...Z..RR...Z..RZ...Z..R....Z..RX...Z.Rich..Z.........PE..d...J..e.........." ...%.0.......p........................................................`.........................................L..........\............P..@.......................................................@...........................................UPX0.....p..............................UPX1.....0.......&..................@....rsrc................*..............@......................................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Hash\_BLAKE2s.pyd

Download File

Process:	C:\Users\user\Desktop\Colby Dupe Script.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11264
Entropy (8bit):	7.135736917919551
Encrypted:	false
SSDEEP:	192:ms1UnFmx7ejRs3RtTWxpNoEjvbonw4tUkYj273QJXinPNua:0y7iItixpNpOZUZa7gJX28
MD5:	526078B253E0BCCD1DA0DEB45DD05C4C
SHA1:	C43198E7822DEE397B27B20605EA2E78F95E1D41
SHA-256:	1478F02374BCDDA6B4E736C47501C6AEDCEF273DE84240FF06E1797AA4941E84
SHA-512:	B91686F08551A13E8F1BA6098D9C7538751FBE29900AFE1233B63BDFB4882A20B3772CF3C284DB5473FBED48AAAC7D7A5641E33F3BB326B3DE56DEB5AB2AF8F4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4Y..Z...Z...Z......Z..[...Z...[...Z...[...Z.._...Z..^...Z..Y...Z..RR...Z..RZ...Z..R....Z..RX...Z.Rich..Z.........PE..d...K..e.........." ...%.0.......p........................................................`.........................................L..........\............P..@.......................................................@...........................................UPX0.....p..............................UPX1.....0.......$..................@....rsrc................(..............@......................................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Hash\_MD2.pyd

Download File

Process:	C:\Users\user\Desktop\Colby Dupe Script.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	10752
Entropy (8bit):	6.937339386902163
Encrypted:	false
SSDEEP:	192:vd11+odumD23wZjztFN4pRed/SWdr1ghNtdydkYj273QJXino1wWB:QHp3wFzHYekWRdZa7gJXv11B
MD5:	84C0EB11ED3BF596E9A42274E0673E07
SHA1:	7C967D93782E91721566B230C9874E0454C8B264
SHA-256:	7B236622248990B3A8F8C0A331DD115E2FBFD4245E6006AA36ACA07F7226B248
SHA-512:	62C91E7EEA0C61B0FB62421AC219246B99660A25410D4D1D286581D688C64E393E7BE028B0D51FFC37668755E99B28449122593F2446DF76DC8D7C9B887CC093
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y..z...z...z......z..{...z...{...z...{...z......z..~...z..y...z..Rr...z..Rz...z..R....z..Rx...z.Rich..z.................PE..d...A..e.........." ...%.0.......p........................................................`.........................................L..........\............P..(.......................................................@...........................................UPX0.....p..............................UPX1.....0......."..................@....rsrc................&..............@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Hash\_MD4.pyd

Download File

Process:	C:\Users\user\Desktop\Colby Dupe Script.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	10752
Entropy (8bit):	7.0093770381138585
Encrypted:	false
SSDEEP:	192:lSgknHOazCaUFFeWEeh35+iNu46kYj273QJXbn9nFQ:enHOr1FJhpF046Za7gJX5FQ
MD5:	6F7EDD258178F5A5E4B84A2D8FE044E1
SHA1:	6170118D8D9B71DC38CC4BEA17FD33B053B7C277
SHA-256:	179BE7F1A96C3A05B5A69ACBAF2C0E05DF02D6831E0C63F82B35F22CF43B8EB3
SHA-512:	05CA5D120A00482E6CB0CD5E1BC1724E0D634DC2D3554F75DE6A48CB9A9EB22F2346B8E6C72767C0DE332C895B61F1B59B34B6BEA6BCD8A63756EF0DA56DB884
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y..z...z...z......z..{...z...{...z...{...z......z..~...z..y...z..Rr...z..Rz...z..R....z..Rx...z.Rich..z.................PE..d...B..e.........." ...%.0.......p..p.....................................................`.........................................L..........\............P..(...................................................p...@...........................................UPX0.....p..............................UPX1.....0......."..................@....rsrc................&..............@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Hash\_MD5.pyd

Download File

Process:	C:\Users\user\Desktop\Colby Dupe Script.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	7.123762867237682
Encrypted:	false
SSDEEP:	192:GI1qextX4NJ31BSsrBgxjLKpXMnnzfXe/0yunwOkYj273QJX0n5AS:IkX4NJlBcNKpcnnEPOZa7gJX2A
MD5:	B6C328D1BD218F6D79150BAF7AED0622
SHA1:	E9EE3B8D774140FA7F045A00FE31F8CD9CEB2A46
SHA-256:	EA347942A8B2BB0780A1A79B5E0E88ABD6D01091EEA07F1D1F5360DD1D5D3640
SHA-512:	700D3D6EED41792C9220D4C2AEC49992612C30DEBE7A3E3B9AF799A3F83AE7101791A14D80D5952ED0428FD6F38F4B796BFA3423595728F4027B7BD5DBA9BE3F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y..z...z...z......z..{...z...{...z...{...z......z..~...z..y...z..Rr...z..Rz...z..R....z..Rx...z.Rich..z.................PE..d...B..e.........." ...%.0.......p.......................................................`.........................................L..........\............P..X......................................................@...........................................UPX0.....p..............................UPX1.....0.......(..................@....rsrc................,..............@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Hash\_RIPEMD160.pyd

Download File

Process:	C:\Users\user\Desktop\Colby Dupe Script.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13312
Entropy (8bit):	7.121350701826669
Encrypted:	false
SSDEEP:	192:Z8Ui33nGwqV0n6Vd4C+Am8lDuKL39fZLnDkYj273QJXLH9n:Z8Um2hRVRnm8wGR9DZa7gJXp
MD5:	94A5E4F70FEB0117893A46945350A48D
SHA1:	992D6AB95E102431A08B712F576CB87F480D8A46
SHA-256:	CAEE802F01AF1AF46BF640AFC67C846C492EF2958CFF766AB094410576583C77
SHA-512:	CF27CDE8B4C372026C53F22065D2DDDE2DEBA2BA0D9FF3CC84283E8AA278C20AF1570E7A5323B50EDF2672B5F4DA78ABA0FA0B04585AB657200C88543FA6AAB0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4Y..Z...Z...Z......Z..[...Z...[...Z...[...Z.._...Z..^...Z..Y...Z..RR...Z..RZ...Z..R....Z..RX...Z.Rich..Z.........PE..d...J..e.........." ...%.0...............................................................`.........................................L...........\............`..............$..........................................@...........................................UPX0....................................UPX1.....0.......,..................@....rsrc................0..............@......................................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Hash\_SHA1.pyd

Download File

Process:	C:\Users\user\Desktop\Colby Dupe Script.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13824
Entropy (8bit):	7.350463408569454
Encrypted:	false
SSDEEP:	192:ZU3adl/1kJsPVTJIW70wCkBlMeOuN0NkqJnENdVIJkmSkYj273QJXJ3p8:CeJIW70KBdO/iNz4kmSZa7gJXT
MD5:	24611153E8F1B08D045209D461A54D42
SHA1:	9D7D9119F80A0E6DF72B8F55DB638D6107C7AA61
SHA-256:	D76B2DC836F8EF43EEACC97E799CB1C3A1736A4F26E5C0D1F6C7031BCB06B78E
SHA-512:	DB3DD23D94C6CA715B3E48BABBA35C16447A843B1F8F17316D340F0903434373BE2FE1B2460A57ACE84802656FCEB6DDAE183B74D62EE1EF9A928D1D2F8EEF70
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y..z...z...z......z..{...z...{...z...{...z......z..~...z..y...z..Rr...z..Rz...z..R....z..Rx...z.Rich..z.................PE..d...B..e.........." ...%.0.......p........................................................`.........................................L..........\............`..X...........$...........................................@...........................................UPX0.....p..............................UPX1.....0..........................@....rsrc................2..............@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Hash\_SHA224.pyd

Download File

Process:	C:\Users\user\Desktop\Colby Dupe Script.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14848
Entropy (8bit):	7.310514573337607
Encrypted:	false
SSDEEP:	384:JPTn8PuSwRaTYeToRcdZhq8g7LEZa7gJX+:JjEuTaTYeUMhMgpu
MD5:	BD8C2A8BCEE473703D2EB31635B88472
SHA1:	E654B2B0639C7F6AB4256A71ACD0C1AF5CF21717
SHA-256:	F830C7ACFC67080032E36408DA16B4B53DB7EAC8B9B06AC08B7303C1577C99EF
SHA-512:	73599CC3C34A1CF662A445A17E1A1FAF65A128F04CA6F824C76D0BF0B53C3B352AC617B8F15605F2269B2342B46FA990618B1B7913E747A4802F412E889CF3AD
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y..z...z...z......z..{...z...{...z...{...z......z..~...z..y...z..Rr...z..Rz...z..R....z..Rx...z.Rich..z.................PE..d...F..e.........." ...%.@................................................................`.........................................L...........\............p..............4...$.......................................@...........................................UPX0....................................UPX1.....@.......2..................@....rsrc................6..............@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Hash\_SHA256.pyd

Download File

Process:	C:\Users\user\Desktop\Colby Dupe Script.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14848
Entropy (8bit):	7.311541149215987
Encrypted:	false
SSDEEP:	384:NPTn8PuSw6yjFCbg7ruFSH3+xEZa7gJX+:NjEuDjMbciAXnpu
MD5:	012DB77EC11F1E7EB110AD0520670783
SHA1:	E2F18479A8178953E55C75BB001FF9EE870E8B06
SHA-256:	A9FA44A1B9BA35A463B5A2F6A8E124EA66AD54745759876B732989E188BFF7C9
SHA-512:	FAA4A0AA5A66F2D85812D991B6ED3C0C303309DC6A8E61379301884F4D9437C9A42DB4113B4A50FFB1D7A677242FA4A635617ED38DFB8F285FE49ECB78A11599
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y..z...z...z......z..{...z...{...z...{...z......z..~...z..y...z..Rr...z..Rz...z..R....z..Rx...z.Rich..z.................PE..d...D..e.........." ...%.@................................................................`.........................................L...........\............p..............4...$.......................................@...........................................UPX0....................................UPX1.....@.......2..................@....rsrc................6..............@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Hash\_SHA384.pyd

Download File

Process:	C:\Users\user\Desktop\Colby Dupe Script.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	15360
Entropy (8bit):	7.44553708409427
Encrypted:	false
SSDEEP:	384:zKa0RHzOUcuDNwwElhkLU+6i0cnBBYZa7gJX+:GlRHzWupzElhkLU+d0jpu
MD5:	78899500F9846A2E96C7C48FCDD009F9
SHA1:	15F9606987423EC24C618F4CAA92CFEF9258F8BA
SHA-256:	82866E3650453D1859407E779932DACACA7ADB8B9E2E2D6F1419C1C5D65E164B
SHA-512:	77FAC5814CD3637A2B47FDE6B2A094EC0356D9A849B47595821EE928CAE8DACB0C3282904CF420E15667BD485F6408AF67699D5C3A3036DD149437BED3029131
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y..z...z...z......z..{...z...{...z...{...z......z..~...z..y...z..Rr...z..Rz...z..R....z..Rx...z.Rich..z.................PE..d...G..e.........." ...%.@................................................................`.........................................L...........\...........................4...........................................@...........................................UPX0....................................UPX1.....@.......4..................@....rsrc................8..............@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Hash\_SHA512.pyd

Download File

Process:	C:\Users\user\Desktop\Colby Dupe Script.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	15872
Entropy (8bit):	7.3733988454718755
Encrypted:	false
SSDEEP:	384:FKa0RHzO8srTORYmZbM2mwzvxQREIr8ALZa7gJXB:4lRHz+UYWbM50gr5px
MD5:	EC3EEACA979B60064E1B65B6D0507E36
SHA1:	BB2F0ED88501B8DFB4C2295788748D99DDEC13C4
SHA-256:	A3B3694C202E2DEAAB91671727FF704E3FFC7E08D80C09FB83B891BA30EC0643
SHA-512:	51B0CC2A3DFDE4029183DC37D7098EC78C7F6F337288C0BF23623BA4A29B49261F9B795603E7723181266F6F930A69C6B70F77E0752E3F92E5C4EC768016F113
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y..z...z...z......z..{...z...{...z...{...z......z..~...z..y...z..Rr...z..Rz...z..R....z..Rx...z.Rich..z.................PE..d...I..e.........." ...%.@................................................................`.........................................L...........\...........................4...........................................@...........................................UPX0....................................UPX1.....@.......6..................@....rsrc................:..............@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Hash\_ghash_clmul.pyd

Download File

Process:	C:\Users\user\Desktop\Colby Dupe Script.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	10752
Entropy (8bit):	6.7921072720597175
Encrypted:	false
SSDEEP:	192:Dzo1UnFmx7eYCtScDioNWaVkkYj273QJXunThm:Dzzy7RWXbVkZa7gJXO
MD5:	F739418FA4A594F21D8375F734979B98
SHA1:	5945079860CF7F282EEE3AE6E39E35866CBE7800
SHA-256:	E164FAF2C12135EC632D465058974C93D0B48BC13AD0E6E0D48CD1CDD888C656
SHA-512:	FAB93729286C88379AEB0C4EB8A00440A43ED458AB77123B307DAB0B8DFCBE34BBCA91C182002D637B02178B58E4D7A53A4F6128590B5DD0E97D664A15CCB6C6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........K...b..b..b..R...b..Uc..b.Rc..b..c..b..Ug..b..Uf..b..Ua..b..j..b..b..b....b..`..b.Rich.b.................PE..d...K..e.........." ...%.0.......p.......................................................`.........................................T..........d............P..................$......................................@...........................................UPX0.....p..............................UPX1.....0......."..................@....rsrc................&..............@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Hash\_ghash_portable.pyd

Download File

Process:	C:\Users\user\Desktop\Colby Dupe Script.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	10752
Entropy (8bit):	6.823982230841589
Encrypted:	false
SSDEEP:	192:mu1UnFmx7eY5mF2fn/ZJtUSi3m2kYj273QJX8n7B:Sy7R9hS3m2Za7gJXQ
MD5:	141F0D92A6F9CCD1702A7398086B17CB
SHA1:	EECB712B76097E34A2DC81E702800BB0402EFCE1
SHA-256:	148728B95F3F92B7174EF3EE2E4023B0F53747FCCD84E3787AAABBAB682B74FE
SHA-512:	CE06966D40BEB2459A34EF6578CC251A0D73E01412F61E10F59CB95BFE4D80684D1D2FC623F585CD4EBF5272F85EBCE01C24B637D4A465E90A203E3EB742A180
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4Y..Z...Z...Z......Z..[...Z...[...Z...[...Z.._...Z..^...Z..Y...Z..RR...Z..RZ...Z..R....Z..RX...Z.Rich..Z.........PE..d...K..e.........." ...%.0.......p.......................................................`.........................................L..........\............P..X...............$......................................@...........................................UPX0.....p..............................UPX1.....0......."..................@....rsrc................&..............@......................................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Hash\_keccak.pyd

Download File

Process:	C:\Users\user\Desktop\Colby Dupe Script.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	7.104874057607472
Encrypted:	false
SSDEEP:	192:1w3Spn0Q62BCzNMVDBi8HspQGYGjseFy9gAEkYj273QJXxHe:ICXBCRM+WU4CAEZa7gJXw
MD5:	BD2F14BF0EB8E592ED0390D723839AEC
SHA1:	DB06CE883A9F2A14742D758FEDCC7B98F1305F7B
SHA-256:	3E9366F3F0AA3C873F8E6F964FF36778C25C9AAF7F60AB625BCE3FE4E93304A5
SHA-512:	2F9EE66078A8EA71F1D108F9062BF47DDC55E03BF926DD5A5DBC8760B6DFA29EF89DC51FCDD4646C877E35316006068ED477C866A34059006F8507697FD24F44
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y..z...z...z......z..{...z...{...z...{...z......z..~...z..y...z..Rr...z..Rz...z..R....z..Rx...z.Rich..z.................PE..d...J..e.........." ...%.0................................................................`.........................................L...........\............`..p...........@...........................................@...........................................UPX0....................................UPX1.....0.......(..................@....rsrc................,..............@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Hash\_poly1305.pyd

Download File

Process:	C:\Users\user\Desktop\Colby Dupe Script.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11776
Entropy (8bit):	7.004449437417802
Encrypted:	false
SSDEEP:	192:xP11I5vOYss/65mtfR/oESVBx5+g7i2kYj273QJXtn7g8:lY9ss/SQ15SVBxzi2Za7gJXm
MD5:	AE630570348EC9928E418BF3CF84F250
SHA1:	F3A74A373786D9D1263145E8755EDF131D7AE4EA
SHA-256:	FDDF13AE44FB2A5266A46C74E89A30428333298E1E0BA99F5B4EDC37548CD2AB
SHA-512:	515229985587D42CD0D3928E66C32F64872327D998110B7835D1D3F6CBAEAD5930E92FEDEA438EA1679F48A7F25FF76598103331EC437F75233CF4F912466C10
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y..z...z...z......z..{...z...{...z...{...z......z..~...z..y...z..Rr...z..Rz...z..R....z..Rx...z.Rich..z.................PE..d...K..e.........." ...%.0.......p..`.....................................................`.........................................L..........\............P..\|...................................................`...@...........................................UPX0.....p..............................UPX1.....0.......&..................@....rsrc................*..............@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Math\_modexp.pyd

Download File

Process:	C:\Users\user\Desktop\Colby Dupe Script.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	7.5679245622297024
Encrypted:	false
SSDEEP:	384:Jp6z102BfyZCpish+INGsJ7Ed2BPZ5CxPFfBShSi8dLTPNZa7gJXtA:JUZ02BfyZF4yBFfrv1pdA
MD5:	9FDA28383EE442763BC32545EDF7B370
SHA1:	14C9C9D96182431CC050ED43CCCCD9EE2EC9F8C9
SHA-256:	7DA6853BDD8FD5F2E9F5AC98AB1F98EA8E69B1F524089BCE6F9335494E677B69
SHA-512:	D26B391D38DD4246A846EB0A60A90B0DE3DFFF686027FD97E87495BE06EFA7EC60EE026EC0C44DF92D64F2ABBDC1DE6D7467039333E56B65A15F5AD702414351
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......N4.\|.U./.U./.U./.-a/.U./....U./A-...U./.U./!U./....U./....U./....U./0....U./0....U./0../.U./0....U./Rich.U./................PE..d...S..e.........." ...%.P................................................................`.........................................L...\|.......\.......................................................................@...........................................UPX0....................................UPX1.....P.......H..................@....rsrc................L..............@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Protocol\_scrypt.pyd

Download File

Process:	C:\Users\user\Desktop\Colby Dupe Script.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	10240
Entropy (8bit):	6.814520245777998
Encrypted:	false
SSDEEP:	192:g1Qxmkp6MifzJIJI409G/P+hb4HEEeTkYj273QJX432KK:5lo8/0M/P+hkH5eTZa7gJXt
MD5:	2C3EA7E1895D5A4804FDD5BDAEDB282E
SHA1:	96C51247AC56D3CC7525B2792C7A7B366F8D0AA7
SHA-256:	425DD18E3CD2619FF5DBBE4F1E2C043C5E053D839DFDD3C03B1AED432A0BFEB6
SHA-512:	8E3A67DC864B5FA1600C123D28ED2B38885E0DB2177F07FEF234E9B3DE338168FEACAB1715EA2D3DDD2860E0984C937BEBF3730D37DE9E6C8B89A46E581664D4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........K............RQ.....U.....R............U......U......U..................=..........Rich...................PE..d...P..e.........." ...%. .......p.......................................................`.........................................L...d......\............P..4......................................................@...........................................UPX0.....p..............................UPX1..... ....... ..................@....rsrc................$..............@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\PublicKey\_ec_ws.pyd

Download File

Process:	C:\Users\user\Desktop\Colby Dupe Script.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	638976
Entropy (8bit):	7.997940586383953
Encrypted:	true
SSDEEP:	12288:VjzZHMHtd1z4H062IfQM8EDPHPodIWchYQYJqhgQ1huBo:1Nqz4UefQ/EDvP7vYlJ2we
MD5:	AA836CCC148401F90D562CC33984BD54
SHA1:	1857D1029B872C801EBF30010C14EB100A767F9D
SHA-256:	50C5F9BF08A1E1830C9C581F3A2E27B5CB4F32A698DECDACE6AB9C4680213B21
SHA-512:	3BA0709412E083A7352F17D149BD89DF657E4BD3E591F01CDF8AFD6A41945D0D5554AA8941B0F4B117FA04E930E4C8782515094278914FCD321C9DA524F55B78
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......&:..b[.Lb[.Lb[.Lk#sLd[.Lw$.M`[.L)#.Ma[.Lb[.LI[.Lw$.Mn[.Lw$.Mj[.Lw$.Ma[.LX..Mg[.LX..Mc[.LX..Lc[.LX..Mc[.LRichb[.L........................PE..d...R..e.........." ...%......... .......0................................................`.........................................L...d.......\...............0.......................................................@...........................................UPX0..... ..............................UPX1.........0......................@....rsrc...............................@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\PublicKey\_ed25519.pyd

Download File

Process:	C:\Users\user\Desktop\Colby Dupe Script.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	15872
Entropy (8bit):	7.4496261446037
Encrypted:	false
SSDEEP:	384:q/9g+4uX+CdazQ3QpW/YX7DUsTaxj1paZa7gJX8:y8uoQQAQ7DZaIps
MD5:	F2334D0DD7F099B47D7993EBF0DA4CEB
SHA1:	66B9B7E969526E86BA5A894B90C5E1EE38D65372
SHA-256:	62EB9E4C9FAD4AD02F8030A63708371032CA2AB86112AA209ABFEE164AB96AC8
SHA-512:	C4C5A603FB5C94AA0F9DC869D52C5CA4280917D149C32C3578FEF1C97E7941EA56752380CCBDEA7E636A44BE9C54C4866ABBEA69F140555D9D1823C18296CAB8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y..........)......................................R......R......RE.....R.....Rich...........PE..d...R..e.........." ...%.@.......... .....................................................`.........................................L...0.......\...........................\|....................................... ...@...........................................UPX0....................................UPX1.....@.......6..................@....rsrc................:..............@......................................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\PublicKey\_ed448.pyd

Download File

Process:	C:\Users\user\Desktop\Colby Dupe Script.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	26624
Entropy (8bit):	7.747004268303169
Encrypted:	false
SSDEEP:	384:Isra4QwN9pWvBmNjICOKhgJLu+W3THheDe/RYdmPT62hIbPj6yZa7gJXSn:7am9pWBO39WkeDe/lPT6QQPOypC
MD5:	407793DF7C9FB01130E4AB4E3D5EBE87
SHA1:	CBB22AEFCEE09436B06ED10BD9B00C2213B41859
SHA-256:	378F571E9B4C1DDE631DE152EC08DE28E08FB14ADC1EDCCC2EF1BAF267D0F438
SHA-512:	0A522499B7A2C8AD61354DD6771897103A3C83275245BB2301ABBE81796F0EA77C5E18DE46D95384E88D81F164F57A2A022C01F5624BC7BAFEB3390C73771FB4
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......N4.\|.U./.U./.U./.-a/.U./....U./A-...U./.U./!U./....U./....U./....U./0....U./0....U./0../.U./0....U./Rich.U./................PE..d...S..e.........." ...%.`...........R.......................................p............`.........................................Lb..h....`..\....`.......................c.......................................^..@...........................................UPX0....................................UPX1.....`.......`..................@....rsrc........`.......d..............@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\PublicKey\_x25519.pyd

Download File

Process:	C:\Users\user\Desktop\Colby Dupe Script.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	9216
Entropy (8bit):	6.709323406779303
Encrypted:	false
SSDEEP:	192:n51aJhdZfTI6jnLOKzYrkYj273QJXpHza:n5khHOWYrZa7gJXZa
MD5:	82BB6E1C1007267741EA7747CD3FCA30
SHA1:	C5810307F1DF869AA80F4B3514C82F814BB06820
SHA-256:	6FB2FAF00340FFCB71A4DF4A1CF47757E836C99A74F0A05F064525A1406896C0
SHA-512:	820CF0AEE8729A6AFC92E0D12AC985445CFA490A22B52A78E9987696751CF5D7DB26AB3A3E9953C0AF22E41C528047CB1DBC1735C1269F7BD7D383B0F0F88A2D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r.h.r.h.r.h.{...p.h.g.i.p.h.9.i.q.h.r.i.V.h.g.m.y.h.g.l.z.h.g.k.q.h.H.`.s.h.H.h.s.h.H...s.h.H.j.s.h.Richr.h.........................PE..d...R..e.........." ...%. .......p........................................................`.............................................P...................@..............P...........................................@...........................................UPX0.....p..............................UPX1..... ..........................@....rsrc................ ..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Util\_cpuid_c.pyd

Download File

Process:	C:\Users\user\Desktop\Colby Dupe Script.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	9216
Entropy (8bit):	6.756224040564772
Encrypted:	false
SSDEEP:	192:h51aJhdZfybbmkAsOum8FkYj273QJXpHr:h5kKbxu8FZa7gJXB
MD5:	1E11FE9316220AE1B4B58F3EDD43E7A7
SHA1:	EC32F80592D5E3DD75EEADE1D542A645FE5EEB79
SHA-256:	A0C879E6E344E785D585661EFCEC49E9D08B7412BBA4A7076E04B8A94E50A7F1
SHA-512:	D426C883CE048D06B585C4F6DBDCA53DAD99A36B3FA417DE7CBC72810B4DDE0B27DBCCCA00106F89782C8DF224A451922848B2340311871B738A33D8EF09C3ED
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r.`.r.`.r.`.{...p.`.g.a.p.`.9.a.q.`.r.a.Q.`.g.e.y.`.g.d.z.`.g.c.q.`.H.h.s.`.H.`.s.`.H...s.`.H.b.s.`.Richr.`.................PE..d...N..e.........." ...%. .......p........................................................`.............................................\|...................@..............\|...........................................@...........................................UPX0.....p..............................UPX1..... ..........................@....rsrc................ ..............@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Util\_strxor.pyd

Download File

Process:	C:\Users\user\Desktop\Colby Dupe Script.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	9216
Entropy (8bit):	6.752491525067528
Encrypted:	false
SSDEEP:	192:BeyNdtmbS0qAREp60aNELkYj273QJXEHbH:BeyNdobyARERLZa7gJX4H
MD5:	5514407EC9A5F75B9FE72A4DCEA9CA1A
SHA1:	96F0E027BBFD35F817AEB6B5991D89EA8CC8C10F
SHA-256:	FFEA9F021DF4E5DC728FEABDB3DE15A94CBCBB736FD0301F7772B2046A3B0070
SHA-512:	5326BC489E106906306FCE2B890C992A114F217D1001AFDAD16061E1E61D71B34DBDA5B0FA4A38F31F77756B1ADC8501EFFB662E028FABE361D064E63056FA83
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r.`.r.`.r.`.{...p.`.g.a.p.`.9.a.q.`.r.a.Q.`.g.e.y.`.g.d.z.`.g.c.q.`.H.h.s.`.H.`.s.`.H...s.`.H.b.s.`.Richr.`.................PE..d...P..e.........." ...%. .......p........................................................`.............................................t...................@..............t...........................................@...........................................UPX0.....p..............................UPX1..... ..........................@....rsrc................ ..............@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI59122\PIL\_imaging.cp310-win_amd64.pyd

Download File

Process:	C:\Users\user\Desktop\Colby Dupe Script.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	752640
Entropy (8bit):	7.998296377436021
Encrypted:	true
SSDEEP:	12288:op0DgXVWG8dONamNnbdYk6Rlvph5pLHibf3ya/XPpleLFuxV5:op00XJ8dYamHYkehh/jwya/XPPt
MD5:	267D8640E40D4A5F583565DA89EC221A
SHA1:	13741624969F6443E45A23C0E435C1D9D6C5F3FE
SHA-256:	30DEB1A2E1B828623F47BCD76502E74E599258FA4E4166AE6C7423B82282BDFB
SHA-512:	002526F123DFE774B3B2C0E3473970614E6BCEF3A6ABCAE9ECB3136FEB8E7C4F79AE031DB1776C63B9F5F95D109B992C6AF0FD04A0F060273C2614843FE1C911
Malicious:	false
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.........S$..=w..=w..=w...w..=w.}<v..=w.}.w..=w.}8v..=w.}9v..=w.}>v..=wx.<v..=w..<v..=w..<w..=w..=w..=w.}9v..=w.}5v..=w.}=v..=w.}.w..=w.}?v..=wRich..=w........................PE..d......f.........." ...&............@#$......................................P$...........`..........................................D$.`....@$......@$......."............. E$.(...........................`/$.(..../$.@...........................................UPX0....................................UPX1.............r..................@....rsrc........@$......v..............@......................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI59122\PIL\_imagingcms.cp310-win_amd64.pyd

Download File

Process:	C:\Users\user\Desktop\Colby Dupe Script.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	98816
Entropy (8bit):	7.959858343299162
Encrypted:	false
SSDEEP:	3072:r7aSz/RdbWjuZOKrJ/Zp+dZxm8n7w52sgHM:/aSz/2juZOwZZp+dZxm87w52PH
MD5:	84FCA69DDAFB2A33E361552EADDDF81C
SHA1:	38A6F44C43895372BF363227CCC6C8FEE9C719CB
SHA-256:	DD4443022E75D8D526240F790D09841DF3161786404E8D88049F027DC8612972
SHA-512:	E27029F0409B264E6B0C559594CA956884E73A0E8B5DE6B2596EC3C8DCF91B6052EBF52A44454C0AD526D1EF89B13BE46AFB2B43A66AFF9B3AF46A978FD53436
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......l..v(..%(..%(..%!.+%&..%...$..%...$%..%...$ ..%...$,..%..$..%c.$/..%(..%D..%G..$>..%G..$)..%G.G%)..%G..$)..%Rich(..%........................PE..d......f.........." ...&.............Z....................................................`.........................................\|t..h....p.......p.........../...........t.......................................f..@...........................................UPX0....................................UPX1.............x..................@....rsrc........p.......\|..............@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI59122\PIL\_imagingmath.cp310-win_amd64.pyd

Download File

Process:	C:\Users\user\Desktop\Colby Dupe Script.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12800
Entropy (8bit):	7.184052370078995
Encrypted:	false
SSDEEP:	384:e0zs4wPljwST14G+x8R6oA6qa+Za7gJXG5:e0z3y9TEx846mp2
MD5:	68D106AFE450393B379F70513B7DA714
SHA1:	D0D22386FE48663FF10E2FB099C21FC7CC3931BD
SHA-256:	72AD913E773CDF39DB099273A7A18A95A1E3F0765687F438E6B2ADE622E55A76
SHA-512:	57700DA48531BA86F87E6DB0D3F6E2CAFF2BF63F607E616D846DBE19A78EA399652D9B609A75E5B09C4345F9B14C1409A7B20CBDA1EF5A247F3CA85BD9D4A5D9
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............a...a...a.....a..@`...a...`...a..@d...a..@e...a..@b...a...`...a...`...a..@i...a..@a...a..@....a..@c...a.Rich..a.........PE..d......f.........." ...&.0................................................................`.............................................h.......................8.......................................................@...........................................UPX0....................................UPX1.....0.......*..................@....rsrc...............................@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI59122\PIL\_imagingtk.cp310-win_amd64.pyd

Download File

Process:	C:\Users\user\Desktop\Colby Dupe Script.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11776
Entropy (8bit):	6.914375908496255
Encrypted:	false
SSDEEP:	192:ueib7vaRBCBHqZI8Qmjmuuug7+kYj273QJXhHWYdryE:upWHCtKAuuD7+Za7gJXAYdry
MD5:	8660429CBB6E5645BA2B03B5B48A9462
SHA1:	60CD1368028953E294C86802A1B298ACC23290E5
SHA-256:	579B3969A204D09A87B297DD01AC5FF9924B053D9A715FA3F1073AED1D64837C
SHA-512:	37B6A759094928D912EEA4E7753A76D88F8B0C47779069ADD4C679B73ACAE02EDD9CC89857060714ACE86320F54AAC47326C3504C002D267EBD1F75EF8807452
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........P>R.>mR.>mR.>m[..mX.>mT8?lP.>mT8;l^.>mT8:lZ.>mT8=lQ.>m..?lP.>m..?lW.>mR.?mf.>m=86lP.>m=8>lS.>m=8.mS.>m=8<lS.>mRichR.>m........PE..d......f.........." ...&.0..........0.....................................................`.............................................d....................`..............,.......................................0...@...........................................UPX0....................................UPX1.....0.......$..................@....rsrc................(..............@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI59122\PIL\_webp.cp310-win_amd64.pyd

Download File

Process:	C:\Users\user\Desktop\Colby Dupe Script.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	177664
Entropy (8bit):	7.984163836837464
Encrypted:	false
SSDEEP:	3072:vSk4FQ4Ku8BgIfML2UXU1Q1Pbfrz8LNvoTJe/wpZUvOJaWSiiloBrNbfeKo:6JK4Ku8BP4EaDfONiLqvO0giKr
MD5:	5889213C4774928FB2CCEFCDA1E58F8C
SHA1:	2F4A2D83510F240B1CE331B3C13248FC3E38EE23
SHA-256:	E8D2EBE68C90172A4E94C724CE75572F005AA7793353B86A81C1A312BE9B7DAA
SHA-512:	83C83B627FD06EE76AA7EB32F452056B6C753AB5F69143657AA6A27DB231BAB0B5C20E0BE19B7386B329E3CAD5D769D7839F179423F81311D2542803290FE716
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........o.].............vd..............v..............................l{.................................................Rich............PE..d......f.........." ...&......... ..@....0................................................`.........................................x...\....................P...<..................................................@...@...........................................UPX0..... ..............................UPX1.........0......................@....rsrc...............................@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI59122\Pythonwin\mfc140u.dll

Download File

Process:	C:\Users\user\Desktop\Colby Dupe Script.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5653424
Entropy (8bit):	6.729277267882055
Encrypted:	false
SSDEEP:	49152:EuEsNcEc8/CK4b11P5ViH8gw0+NVQD5stWIlE7lva8iposS9j5fzSQzs7ID+AVuS:EnL8+5fiEnQFLOAkGkzdnEVomFHKnPS
MD5:	03A161718F1D5E41897236D48C91AE3C
SHA1:	32B10EB46BAFB9F81A402CB7EFF4767418956BD4
SHA-256:	E06C4BD078F4690AA8874A3DEB38E802B2A16CCB602A7EDC2E077E98C05B5807
SHA-512:	7ABCC90E845B43D264EE18C9565C7D0CBB383BFD72B9CEBB198BA60C4A46F56DA5480DA51C90FF82957AD4C84A4799FA3EB0CEDFFAA6195F1315B3FF3DA1BE47
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Q.cu...&...&...&...'...&...'...&...'...&..&...&G..'...&G..'...&...'...&...&..&G..'...&G..'...&G..'...&G..'...&G..&...&G..'...&Rich...&................PE..d....~.a.........." .....(-..X)......X,.......................................V......YV...`A..........................................:.....h.;.......?......`=..8....V..'...PU.0p..p.5.T...........................`...8............@-.P...0.:......................text....&-......(-................. ..`.rdata.......@-......,-.............@..@.data....6... <.......<.............@....pdata...8...`=..:....<.............@..@.didat..H.....?.......?.............@....rsrc.........?.......?.............@..@.reloc..0p...PU..r....T.............@..B................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\Pythonwin\win32ui.pyd

Download File

Process:	C:\Users\user\Desktop\Colby Dupe Script.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	279040
Entropy (8bit):	7.864197084585191
Encrypted:	false
SSDEEP:	6144:IBjVLw7ShElYer9fB/YSYVye4ZgWJRi/tPUivxJSRYpnRr7G:IBpLwGalYU9fhYVd2gmi/tPUIWRsRr7G
MD5:	2DC4AFB4D80FE4F45CE23446D27A291E
SHA1:	0FCDCE4E5ED26B1AD8B9FA3AFFCC3B575F0C0771
SHA-256:	EFBD6798CE0F26704DF18139BECAF03CA47DA80B5BC127178EB0B67E36C60A69
SHA-512:	FD686595BACCE76E21CC75A914EF3918BD134E69E3965503DFB0ED3EA5D60ECFB335759F34CF31FDE06519CB1C84539AE5E519D1B3C78A210496669CE48DC273
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......aM.F%,r.%,r.%,r.,T../,r..Ys.',r..Es.',r.1Gs.+,r.wYv.-,r.wYq.!,r.wYw.3,r.%,s.-*r.wYs.",r..Y{..,r..Yr.$,r..Y..$,r..Yp.$,r.Rich%,r.........................PE..d......d.........." ................0}.......................................0............`..............................................T..<...........<8................... .. ...........................P...(.......8...........................................UPX0....................................UPX1................................@....rsrc...............................@......................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI59122\VCRUNTIME140.dll

Download File

Process:	C:\Users\user\Desktop\Colby Dupe Script.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	109392
Entropy (8bit):	6.643764685776923
Encrypted:	false
SSDEEP:	1536:DcghbEGyzXJZDWnEzWG9q4lVOiVgXjO5/Auecbq8qZU34zW/K0zD:DV3iC0h9q4v6XjKAuecbq8qGISb/
MD5:	870FEA4E961E2FBD00110D3783E529BE
SHA1:	A948E65C6F73D7DA4FFDE4E8533C098A00CC7311
SHA-256:	76FDB83FDE238226B5BEBAF3392EE562E2CB7CA8D3EF75983BF5F9D6C7119644
SHA-512:	0B636A3CDEFA343EB4CB228B391BB657B5B4C20DF62889CD1BE44C7BEE94FFAD6EC82DC4DB79949EDEF576BFF57867E0D084E0A597BF7BF5C8E4ED1268477E88
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........u...u...u.E.t...u.....u...t...u..v...u..q...u..p...u..u...u......u..w...u.Rich..u.........PE..d.....y..........." ...".....`.......................................................5....`A........................................`C..4....K...............p.......\..PO...........-..p............................,..@............................................text............................... ..`.rdata...A.......B..................@..@.data...0....`.......D..............@....pdata.......p.......H..............@..@_RDATA..\............T..............@..@.rsrc................V..............@..@.reloc...............Z..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\VCRUNTIME140_1.dll

Download File

Process:	C:\Users\user\Desktop\Colby Dupe Script.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	49488
Entropy (8bit):	6.652691609629867
Encrypted:	false
SSDEEP:	768:8EgYXUcHJcUJSDW/tfxL1qBS3hO6nb/TEHEXi9zufUKQXi9zug:8vGS8fZ1eUpreA+zuTc+zug
MD5:	BBA9680BC310D8D25E97B12463196C92
SHA1:	9A480C0CF9D377A4CAEDD4EA60E90FA79001F03A
SHA-256:	E0B66601CC28ECB171C3D4B7AC690C667F47DA6B6183BFF80604C84C00D265AB
SHA-512:	1575C786AC3324B17057255488DA5F0BC13AD943AC9383656BAF98DB64D4EC6E453230DE4CD26B535CE7E8B7D41A9F2D3F569A0EFF5A84AEB1C2F9D6E3429739
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............L...L...L...M...L...M...L.FL...L...L...L...M...L...M...L...M...L...M...L..*L...L...M...LRich...L........................PE..d...%CU..........." ...".<...8.......A...............................................@....`A........................................0m.......m..x....................r..PO......D....c..p...........................pb..@............P..h............................text...0:.......<.................. ..`.rdata..."...P...$...@..............@..@.data................d..............@....pdata...............f..............@..@.rsrc................l..............@..@.reloc..D............p..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\_asyncio.pyd

Download File

Process:	C:\Users\user\Desktop\Colby Dupe Script.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	35712
Entropy (8bit):	7.645244129807927
Encrypted:	false
SSDEEP:	768:o2sbZA5n1we/lPgOb1koYpu53VnJ2gl+NfUpv+I75n2EYiSyvPRPxWED:o2RhZtXxkoYiTTENE+I75n2E7SynRPx
MD5:	233F9C811B60C49E06D453977FC41C65
SHA1:	97FFEAE5938C919C0733E4B60C79A47A1B173AC7
SHA-256:	548BAA872C4F1031BC0A77813629C6ECB864E4AB2F653B221BE6A7BAF2E1FC83
SHA-512:	46C7172E37A019987EC5844913823211F84A093FAEA8A2D7FD5727486AB79886EA0898B19BED18CB7AF9022FEBDAAFA7E154CDBA42423834208531BF79F58E94
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........TF.q.F.q.F.q.O...D.q...p.D.q...t.J.q...u.N.q...r.E.q...p.E.q...p.D.q.F.p...q...\|.G.q...q.G.q....G.q...s.G.q.RichF.q.................PE..d...$..c.........." ...".`.......... #.......................................P............`..........................................J..P....I..P....@......................DK..$................................... /..@...........................................UPX0....................................UPX1.....`.......R..................@....rsrc........@.......V..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI59122\_bz2.pyd

Download File

Process:	C:\Users\user\Desktop\Colby Dupe Script.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	47992
Entropy (8bit):	7.809914406923306
Encrypted:	false
SSDEEP:	768:RiQxyc/3D2HGItfsKbsonbgiHUoYbcp87I7tVbeiYiSyv5PxWEDX:R5xdEsKbtnbgqUoYb7I7tVbh7SyxPx9
MD5:	93FE6D3A67B46370565DB12A9969D776
SHA1:	FF520DF8C24ED8AA6567DD0141EF65C4EA00903B
SHA-256:	92EC61CA9AC5742E0848A6BBB9B6B4CDA8E039E12AB0F17FB9342D082DDE471B
SHA-512:	5C91B56198A8295086C61B4F4E9F16900A7EC43CA4B84E793BC8A3FC8676048CAB576E936515BF2971318C7847F1314674B3336FE83B1734F9F70D09615519AC
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....................a.........................................t.........................................Rich....................PE..d...2..c.........." ..."............pd....................................................`.............................................H.................... .. ..................................................pp..@...........................................UPX0....................................UPX1................................@....rsrc...............................@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI59122\_cffi_backend.cp310-win_amd64.pyd

Download File

Process:	C:\Users\user\Desktop\Colby Dupe Script.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	72704
Entropy (8bit):	7.914710533185775
Encrypted:	false
SSDEEP:	1536:wxOMA3pvJDJAc1mHzO0jM0JpVTlJRf1AatOL8ewO6NRQep:E0uc1mTO0Y0b9lJRflOwe1wRQ
MD5:	76041575BFB6C23F89168485BA802CD3
SHA1:	740DBBBFB5A48985EE866139B2C3EDCC33E88587
SHA-256:	3ADF6B1CFCB47D99653C284DC74B13764F960873EDF651E99B52A1B6BA1DF590
SHA-512:	800FCAC9C2E1312A6F3D46148A9D621ECBDE07B473681D88A383D385C30ADCC660D763A8BABF32B8A4E815B2C2CE4A23D86660403C341F3DBC9EE021DF341070
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ih..-..C-..C-..C$qMC!..C.\|.B/..CKf#C)..C.\|.B&..C.\|.B%..C.\|.B)..Cfq.B)..C.\|.B...C-..C...C.\|.B)..C$qKC,..C.\|.B,..C.\|!C,..C.\|.B,..CRich-..C........PE..d.....e.........." ..... .......@..@S...P................................................`..........................................s..l....p.......p..........H...........ht..$...................................@_..8...........................................UPX0.....@..............................UPX1..... ...P......................@....rsrc........p......................@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI59122\_ctypes.pyd

Download File

Process:	C:\Users\user\Desktop\Colby Dupe Script.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	58232
Entropy (8bit):	7.819692209624967
Encrypted:	false
SSDEEP:	1536:/UP3/jolpinLX2rRaWMzhBuW9I7QP7h7SykPxiM:I3/jolwXuRaW6wUI7QP7h2xB
MD5:	813FC3981CAE89A4F93BF7336D3DC5EF
SHA1:	DAFF28BCD155A84E55D2603BE07CA57E3934A0DE
SHA-256:	4AC7FB7B354069E71EBF7FCC193C0F99AF559010A0AD82A03B49A92DEB0F4D06
SHA-512:	CE93F21B315D96FDE96517A7E13F66AA840D4AD1C6E69E68389E235E43581AD543095582EBCB9D2C6DDA11C17851B88F5B1ED1D59D354578FE27E7299BBEA1CC
Malicious:	false
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......NC..."..."..."...Z..."..E^..."..E^..."..E^..."..E^..."...^..."...P..."...P..."...K..."..."..."...^..."...^..."...^x.."...^..."..Rich."..........................PE..d.../..c.........." ...".........p..P........................................@............`.........................................H<.......9.......0..........,............<......................................`%..@...........................................UPX0.....p..............................UPX1................................@....rsrc........0......................@..............................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI59122\_decimal.pyd

Download File

Process:	C:\Users\user\Desktop\Colby Dupe Script.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	106368
Entropy (8bit):	7.93479712134
Encrypted:	false
SSDEEP:	3072:ugCMV2Mz94bMgxECS8kePpTn8jI75qNp6mx:u1MV2Mz94og2tJePpwpp
MD5:	F65D2FED5417FEB5FA8C48F106E6CAF7
SHA1:	9260B1535BB811183C9789C23DDD684A9425FFAA
SHA-256:	574FE8E01054A5BA07950E41F37E9CF0AEA753F20FE1A31F58E19202D1F641D8
SHA-512:	030502FA4895E0D82C8CCE00E78831FC3B2E6D956C8CC3B9FB5E50CB23EF07CD6942949A9F16D02DA6908523D9D4EF5F722FB1336D4A80CD944C9F0CB11239AB
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........\|RTy..Ty..Ty..]...Zy......Vy......Yy......\y......Py......Wy......Vy..Ty...y......Uy......[y......Uy......Uy......Uy..RichTy..........PE..d...)..c.........." ...".p................................................... ............`.............................................P........................'......................................................@...........................................UPX0....................................UPX1.....p.......d..................@....rsrc................h..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI59122\_hashlib.pyd

Download File

Process:	C:\Users\user\Desktop\Colby Dupe Script.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	34176
Entropy (8bit):	7.670946753848895
Encrypted:	false
SSDEEP:	768:aq3dM1TMhvg8KNML5TOuzSsI/LpazI75ImyYiSyvfPxWEabVV/:aEdM1TMho8iMLPmv/AzI75Imy7SyXPxA
MD5:	4AE75C47DBDEBAA16A596F31B27ABD9E
SHA1:	A11F963139C715921DEDD24BC957AB6D14788C34
SHA-256:	2308EE238CC849B1110018B211B149D607BF447F4E4C1E61449049EAB0CF513D
SHA-512:	E908FECB52268FAC71933E2FDB96E539BDEBE4675DFB50065AEE26727BAC53E07CCA862193BCB3AB72D2AE62D660113A47E73E1E16DB401480E4D3FD34D54FA8
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........_.A.>...>...>...F2..>...B...>...B...>...B...>...B...>..iB...>...L...>...D...>...>..Q>..iB...>..iB...>..iB^..>..iB...>..Rich.>..........................PE..d.../..c.........." ...".P..........p........................................@............`..........................................;..P....9.......0.......................;......................................p*..@...........................................UPX0....................................UPX1.....P.......L..................@....rsrc........0.......P..............@......................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI59122\_lzma.pyd

Download File

Process:	C:\Users\user\Desktop\Colby Dupe Script.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	86392
Entropy (8bit):	7.91766123352546
Encrypted:	false
SSDEEP:	1536:EfKvmqFMCNL6eKmtYs76LBlBqLBxcZiV6IHxdc/k4Nc+VI7e1gf7SyJPxs:4qdLCOz76LBl4VxYcdc/11I7e1gfvxs
MD5:	6F810F46F308F7C6CCDDCA45D8F50039
SHA1:	6EE24FF6D1C95BA67E1275BB82B9D539A7F56CEA
SHA-256:	39497259B87038E86C53E7A39A0B5BBBFCEBE00B2F045A148041300B31F33B76
SHA-512:	C692367A26415016E05EBE828309D3FFEC290C6D2FD8CC7419D529A51B0BEDA00CCDC327C9F187AE3CA0CC96336D23D84A8FF95B729C8958B14FB91B6DA9E878
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......b.J[&.$.&.$.&.$./..".$.i.%.$.$.i.!.*.$.i. ...$.i.'.%.$...%.%.$...%.$.$.&.%.C.$...)...$...$.'.$.....'.$...&.'.$.Rich&.$.........PE..d...B..c.........." ...". ................................................................`.........................................4...L....................P..........................................................@...........................................UPX0....................................UPX1..... ..........................@....rsrc...............................@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI59122\_multiprocessing.pyd

Download File

Process:	C:\Users\user\Desktop\Colby Dupe Script.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	25984
Entropy (8bit):	7.488187631590162
Encrypted:	false
SSDEEP:	768:GIy6HNbpr+8C6LSf93zpALbI7Rt2fYiSyvPPxWEa5Z:39+8FKReLbI7Rt2f7SynPxeZ
MD5:	3AADB93005D6C2CE4FBA1DAD0C99547F
SHA1:	64AAEAF0A78BA60CF2C4324FAF3DD94AEEACC297
SHA-256:	EC92FD9277BB5AF0914C42F09D52651094793A7C4F79C35A4C9E4A2B6F955AF3
SHA-512:	863A78664A5D43577CC6FFABE6028E8289201A94DB81E00EBB29C301D996A46D496582779F22FD363820A0048245AC68E2AF110231190D4FDA2AB1E7B385BF98
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........$Z*.E4y.E4y.E4y.=.y.E4y.95x.E4y.91x.E4y.90x.E4y.97x.E4yS95x.E4y.E5y.E4y?75x.E4yS99x.E4yS94x.E4yS9.y.E4yS96x.E4yRich.E4y........................PE..d...+..c.........." ...".0..........p.....................................................`.........................................4...`....................`..........................................................@...........................................UPX0....................................UPX1.....0.......,..................@....rsrc................0..............@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI59122\_overlapped.pyd

Download File

Process:	C:\Users\user\Desktop\Colby Dupe Script.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	31104
Entropy (8bit):	7.628398010929569
Encrypted:	false
SSDEEP:	768:fk8GDYwKGtevarixdHpgTzI7st2xYiSyvxPxWEa:UETibTzI7st2x7SypPx
MD5:	9BD2B167101981C30C89D56492311553
SHA1:	AA8E175A7894486A16A2D5D3A399C8894A7F1CAE
SHA-256:	DD32FFBD9580876FB7FD1036F1FC3A6D9788627067AD9B0F3D366017B8865CCC
SHA-512:	0EC676E62F95B083142461745FDDA699A7EDF8597CEA952BA4297F153A1D11ABEC621D5CE192D0EBDC52EBF3D745BF34F3161F87AD6593153CF1C95ECF474F45
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........({..F(..F(..F(...(..F(..G)..F(..C)..F(..B)..F(..E)..F(..G)..F(..G(..F(c.G)..F(c.B)..F(..K)..F(..F)..F(...(..F(..D)..F(Rich..F(................PE..d...-..c.........." ...".@................................................................`.........................................x...X...............................................................................@...........................................UPX0....................................UPX1.....@.......@..................@....rsrc................D..............@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI59122\_queue.pyd

Download File

Process:	C:\Users\user\Desktop\Colby Dupe Script.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	24960
Entropy (8bit):	7.447047314489284
Encrypted:	false
SSDEEP:	768:BSxw19p9opxfI77U2bYiSyvlfUvPxWEl:Bj1HgfI77U2b7SyOvPx
MD5:	0E7612FC1A1FAD5A829D4E25CFA87C4F
SHA1:	3DB2D6274CE3DBE3DBB00D799963DF8C3046A1D6
SHA-256:	9F6965EB89BBF60DF0C51EF0750BBD0655675110D6C42ECA0274D109BD9F18A8
SHA-512:	52C57996385B9A573E3105EFA09FD6FD24561589B032EF2B2EE60A717F4B33713C35989F2265669F980646D673E3C387B30B9FC98033BB8CA7C59ECE1C17E517
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........._ZF.1.F.1.F.1.O..D.1...0.D.1...4.J.1...5.N.1...2.E.1...0.E.1...0.D.1.F.0...1...<.G.1...1.G.1.....G.1...3.G.1.RichF.1.........PE..d...&..c.........." ...".0..........`.....................................................`.............................................L.......P............`..............<.......................................`...@...........................................UPX0....................................UPX1.....0.......(..................@....rsrc................,..............@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI59122\_socket.pyd

Download File

Process:	C:\Users\user\Desktop\Colby Dupe Script.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	42880
Entropy (8bit):	7.696654190779553
Encrypted:	false
SSDEEP:	768:oL7Syo5lzOt+ufVwPVXahccu0D+gFiPnmJqpE2SI7QwbmGYiSyvb9ZPxWEl:IkbzcKNGu0yXwN2SI7QwbmG7Syj/Px
MD5:	7A31BC84C0385590E5A01C4CBE3865C3
SHA1:	77C4121ABE6E134660575D9015308E4B76C69D7C
SHA-256:	5614017765322B81CC57D841B3A63CBDC88678FF605E5D4C8FDBBF8F0AC00F36
SHA-512:	B80CD51E395A3CE6F345B69243D8FC6C46E2E3828BD0A7E63673A508D889A9905D562CAC29F1ED394CCFCDA72F2F2E22F675963DD96261C19683B06DEA0A0882
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........Z..{4..{4..{4......{4...5..{4...1..{4...0..{4...7..{4.U.5..{4..{5.\{4.9.5..{4.U.9..{4.U.4..{4.U....{4.U.6..{4.Rich.{4.........................PE..d...0..c.........." ...".p..........0m....................................................`.............................................P.......h............ ..l...........X.......................................@y..@...........................................UPX0....................................UPX1.....p.......l..................@....rsrc................p..............@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI59122\_sqlite3.pyd

Download File

Process:	C:\Users\user\Desktop\Colby Dupe Script.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	50048
Entropy (8bit):	7.761194500415829
Encrypted:	false
SSDEEP:	1536:c8Mdv1OCWk0z+q3QCjbouWxI75Qr27SyDPx:vQO00zrrvbQI75Qr2Nx
MD5:	BB4AA2D11444900C549E201EB1A4CDD6
SHA1:	CA3BB6FC64D66DEADDD804038EA98002D254C50E
SHA-256:	F44D80AB16C27CA65DA23AE5FDA17EB842065F3E956F10126322B2EA3ECDF43F
SHA-512:	CD3C5704E5D99980109FDC505D39AD5B26A951685E9D8E3FED9E0848CD44E24CC4611669DBDB58ACC20F1F4A5C37D5E01D9D965CF6FE74F94DA1B29AA2FF6931
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......8..\|...\|...\|...u...z...3...~...3.~.}...3...q...3...t...3..........y.......~...\|..........u......}....\|.}......}...Rich\|...........PE..d...[..c.........." ...".........@..0....P................................................`.............................................P.......4............`..............(.......................................0...@...........................................UPX0.....@..............................UPX1.........P......................@....rsrc...............................@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI59122\_ssl.pyd

Download File

Process:	C:\Users\user\Desktop\Colby Dupe Script.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	62328
Entropy (8bit):	7.84875298158187
Encrypted:	false
SSDEEP:	1536:0edJItp3BP6kGsJMthwMtbyG68yTyI7t7QO67SycPxu:h8tVBPpGsUt+uyuI7t7Q/+xu
MD5:	081C878324505D643A70EFCC5A80A371
SHA1:	8BEF8336476D8B7C5C9EF71D7B7DB4100DE32348
SHA-256:	FCB70B58F94F5B0F9D027999CCE25E99DDCC8124E4DDCC521CB5B96A52FAAA66
SHA-512:	C36293B968A2F83705815EF3A207E444EEB7667AD9AF61DF75E85151F74F2FE0A299B3B1349DE0D410BBBAEA9F99CAC5228189099A221DE5FA1E20C97C648E32
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......,z..h.gLh.gLh.gLac.Ln.gL'gfMj.gL'gbMe.gL'gcM`.gL'gdMk.gL.gfMj.gL.afMl.gLh.fL..gL.ifMo.gL.gjMj.gL.ggMi.gL.g.Li.gL.geMi.gLRichh.gL................PE..d...3..c.........." ..."............ .....................................................`.........................................p...d....................P......................................................0...@...........................................UPX0....................................UPX1................................@....rsrc...............................@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI59122\_uuid.pyd

Download File

Process:	C:\Users\user\Desktop\Colby Dupe Script.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22400
Entropy (8bit):	7.353729594367488
Encrypted:	false
SSDEEP:	384:ObjUslT24oGuNZa7gJXTwI7ewWY8IYiSy1pCQDMaPxh8E9VF0Nyvzo:kj3lcNpDwI7ewW4YiSyvfPxWEx
MD5:	B10F1F10513A8876913AB8E9B2491426
SHA1:	87E59BFF4BD9AC5842DE4D04DCAA84C870935183
SHA-256:	9C81EAB871F6324A54F8F6248812EADE891113BF45675A869553427BA5E963DA
SHA-512:	E589A600D4A6DB7720701E1ED0667E4CAB17AB96930ACFB6B91A2A5BBE5E672B5E4959A1767D5A2F48BCB53B387E5A268BA285B27CC4F08066F40447139E9F9C
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........;$p^ZJ#^ZJ#^ZJ#W".#\ZJ#.&K"\ZJ#.&O"RZJ#.&N"VZJ#.&I"]ZJ#.&K"\ZJ#.(K"[ZJ#^ZK#tZJ#.&B"_ZJ#.&J"_ZJ#.&.#_ZJ#.&H"_ZJ#Rich^ZJ#................PE..d...+..c.........." ...". .......`.......p................................................`.........................................8...L....................@..........................................................@...........................................UPX0.....`..............................UPX1..... ...p......................@....rsrc................"..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI59122\base_library.zip

Download File

Process:	C:\Users\user\Desktop\Colby Dupe Script.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	880537
Entropy (8bit):	5.683035771422093
Encrypted:	false
SSDEEP:	12288:lgYJu4KXWyBC6S4IEa8A4a2Y42dOVwx/fpEWertSLMNM:lgYJiVBFLa21nVwx/fpEWe+MNM
MD5:	22FEE1506D933ABB3335FFB4A1E1D230
SHA1:	18331CBA91F33FB6B11C6FDEFA031706AE6D43A0
SHA-256:	03F6A37FC2E166E99CE0AD8916DFB8A70945E089F9FC09B88E60A1649441AB6E
SHA-512:	3F764337A3FD4F8271CBA9602AEF0663D6B7C37A021389395A00D39BD305D2B927A150C2627B1C629FDBD41C044AF0F7BC9897F84C348C2BCCC085DF911EEE02
Malicious:	false
Preview:	PK..........!..^".5...5......._collections_abc.pyco....................................@.......d.Z.d.d.l.m.Z.m.Z...d.d.l.Z.e.e.e.....Z.e.d...Z.d.d...Z.e.e...Z.[.g.d...Z.d.Z.e.e.d.....Z.e.e.e.......Z.e.e.i.........Z.e.e.i.........Z.e.e.i.........Z.e.e.g.....Z.e.e.e.g.......Z.e.e.e.d.......Z.e.e.e.d.d.>.......Z.e.e.e.......Z.e.e.d.....Z e.e.d.....Z!e.e.e"......Z#e.i.......Z$e.i.......Z%e.i.......Z&e.e.j'..Z(e.d.d.......Z)d.d...Ze..Ze.e..Z+e.,....[d.d...Z-e-..Z-e.e-..Z.[-d.d...Z/G.d.d...d.e.d...Z0G.d.d...d.e.d...Z1G.d.d...d.e1..Z2e2.3e+....G.d.d...d.e.d...Z4G.d.d ..d e4..Z5G.d!d"..d"e5..Z6e6.3e.....G.d#d$..d$e.d...Z7G.d%d&..d&e7..Z8e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e ....e8.3e!....e8.3e#....G.d'd(..d(e7..Z9G.d)d..de8..Z:e:.3e)....G.d+d,..d,e.d...Z;G.d-d...d.e.d...Z<G.d/d0..d0e;e7e<..Z=G.d1d2..d2e...Z>d3d4..Z?d5d6..Z@d7d8..ZAG.d9d:..d:e.d...ZBG.d;d<..d<e=..ZCeC.3eD....G.d=d>..d>eC..ZEeE.3e.....G.d?d@..d@e=..ZFeF

C:\Users\user\AppData\Local\Temp\_MEI59122\certifi\cacert.pem

Download File

Process:	C:\Users\user\Desktop\Colby Dupe Script.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	292541
Entropy (8bit):	6.048162209044241
Encrypted:	false
SSDEEP:	6144:QW1x/M8fRR1jplkXURrVADwYCuCigT/Q5MSRqNb7d8iu5NF:QWb/TRJLWURrI55MWavdF0D
MD5:	D3E74C9D33719C8AB162BAA4AE743B27
SHA1:	EE32F2CCD4BC56CA68441A02BF33E32DC6205C2B
SHA-256:	7A347CA8FEF6E29F82B6E4785355A6635C17FA755E0940F65F15AA8FC7BD7F92
SHA-512:	E0FB35D6901A6DEBBF48A0655E2AA1040700EB5166E732AE2617E89EF5E6869E8DDD5C7875FA83F31D447D4ABC3DB14BFFD29600C9AF725D9B03F03363469B4C
Malicious:	false
Preview:	.# Issuer: CN=GlobalSign Root CA O=GlobalSign nv-sa OU=Root CA.# Subject: CN=GlobalSign Root CA O=GlobalSign nv-sa OU=Root CA.# Label: "GlobalSign Root CA".# Serial: 4835703278459707669005204.# MD5 Fingerprint: 3e:45:52:15:09:51:92:e1:b7:5d:37:9f:b1:87:29:8a.# SHA1 Fingerprint: b1:bc:96:8b:d4:f4:9d:62:2a:a8:9a:81:f2:15:01:52:a4:1d:82:9c.# SHA256 Fingerprint: eb:d4:10:40:e4:bb:3e:c7:42:c9:e3:81:d3:1e:f2:a4:1a:48:b6:68:5c:96:e7:ce:f3:c1:df:6c:d4:33:1c:99.-----BEGIN CERTIFICATE-----.MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkG.A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv.b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAw.MDBaFw0yODAxMjgxMjAwMDBaMFcxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i.YWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYDVQQDExJHbG9iYWxT.aWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDaDuaZ.jc6j40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavp.xy0Sy6scTHAHoT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz

C:\Users\user\AppData\Local\Temp\_MEI59122\charset_normalizer\md.cp310-win_amd64.pyd

Download File

Process:	C:\Users\user\Desktop\Colby Dupe Script.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	9728
Entropy (8bit):	6.604976146782397
Encrypted:	false
SSDEEP:	192:Z16tq4hfGNpeeiTJvbXlikYj273QJXpH48X:Z1gq4hfGNZi1vpiZa7gJX+8
MD5:	6CB45DDD63C231AFB8D090E6DF919BF8
SHA1:	88FF70C0704368A35C683C3B460A363F2A840B83
SHA-256:	7D5F6A03C33226F046A96988BA83BC03D29A776F32DD81DBEB895614CEF76ED3
SHA-512:	91216757972CCBE2E93E647C64FBAF8E2D29546410A22064779257A5FCDDFF866194ED0DDCF7B15DACEDD2E251CACA6EAD12C00C0254C26352717164294B8E04
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........6..^W..^W..^W..W/..\W..K(..\W.../..\W..K(..UW..K(..VW..K(..]W.."..]W..^W..xW..g.._W..g.._W..g.a._W..g.._W..Rich^W..........PE..d....hAe.........." ...%. .......p........................................................`.........................................@...p......P............@..........................................................@...........................................UPX0.....p..............................UPX1..... ..........................@....rsrc................"..............@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI59122\charset_normalizer\md__mypyc.cp310-win_amd64.pyd

Download File

Process:	C:\Users\user\Desktop\Colby Dupe Script.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	39936
Entropy (8bit):	7.847046321540009
Encrypted:	false
SSDEEP:	768:Ytuo81G+O8u/Ox+gOx8DmqXMdRKawNZG5HnzAa+S9FmgZMu2fY3ljm78OApp9:YQohf8umx+gOuDmImZwu5TAqmgZ6ajmG
MD5:	A2BB62FFF3D5458AE670A5F4D03F9116
SHA1:	878C92142856719D64EC07F38D4A342D4F7CFD3F
SHA-256:	C841E4AA267BE53A08AE2B989DABBD5F043661548C34A9916A06CD836A744319
SHA-512:	AFD0DD3C87015A0A774B3240694C9F4CB4EF50F780679ED1654ECACC930E57871F2672B3D19E5B2EA1E07FF6EC7A21A76262DFBAF6371D731508BD0C1FF3B674
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........SRxr.Rxr.Rxr.[...Zxr.G.s.Pxr...s.Pxr.G.w._xr.G.v.Zxr.G.q.Qxr...s.Qxr.Rxs..xr.k.z.Sxr.k.r.Sxr.k...Sxr.k.p.Sxr.RichRxr.........................PE..d....hAe.........." ...%.............6.......................................`............`..........................................R..d....P.......P......................<S.......................................B..@...........................................UPX0....................................UPX1................................@....rsrc........P......................@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI59122\cryptography-42.0.7.dist-info\INSTALLER

Download File

Process:	C:\Users\user\Desktop\Colby Dupe Script.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Mn:M
MD5:	365C9BFEB7D89244F2CE01C1DE44CB85
SHA1:	D7A03141D5D6B1E88B6B59EF08B6681DF212C599
SHA-256:	CEEBAE7B8927A3227E5303CF5E0F1F7B34BB542AD7250AC03FBCDE36EC2F1508
SHA-512:	D220D322A4053D84130567D626A9F7BB2FB8F0B854DA1621F001826DC61B0ED6D3F91793627E6F0AC2AC27AEA2B986B6A7A63427F05FE004D8A2ADFBDADC13C1
Malicious:	false
Preview:	pip.

C:\Users\user\AppData\Local\Temp\_MEI59122\cryptography-42.0.7.dist-info\LICENSE

Download File

Process:	C:\Users\user\Desktop\Colby Dupe Script.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	197
Entropy (8bit):	4.61968998873571
Encrypted:	false
SSDEEP:	3:hWDncJhByZmJgXPForADu1QjygQuaAJygT2d5GeWreLRuOFEXAYeBKmJozlMHuO:h9Co8FyQjkDYc5tWreLBF/pn2mH1
MD5:	8C3617DB4FB6FAE01F1D253AB91511E4
SHA1:	E442040C26CD76D1B946822CAF29011A51F75D6D
SHA-256:	3E0C7C091A948B82533BA98FD7CBB40432D6F1A9ACBF85F5922D2F99A93AE6BB
SHA-512:	77A1919E380730BCCE5B55D76FBFFBA2F95874254FAD955BD2FE1DE7FC0E4E25B5FDAAB0FEFFD6F230FA5DC895F593CF8BFEDF8FDC113EFBD8E22FADAB0B8998
Malicious:	false
Preview:	This software is made available under the terms of either of the licenses.found in LICENSE.APACHE or LICENSE.BSD. Contributions to cryptography are made.under the terms of both these licenses..

C:\Users\user\AppData\Local\Temp\_MEI59122\cryptography-42.0.7.dist-info\LICENSE.APACHE

Download File

Process:	C:\Users\user\Desktop\Colby Dupe Script.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	11360
Entropy (8bit):	4.426756947907149
Encrypted:	false
SSDEEP:	192:nUDG5KXSD9VYUKhu1JVF9hFGvV/QiGkS594drFjuHYx5dvTrLh3kTSEnQHbHR:UIvlKM1zJlFvmNz5VrlkTS0QHt
MD5:	4E168CCE331E5C827D4C2B68A6200E1B
SHA1:	DE33EAD2BEE64352544CE0AA9E410C0C44FDF7D9
SHA-256:	AAC73B3148F6D1D7111DBCA32099F68D26C644C6813AE1E4F05F6579AA2663FE
SHA-512:	F451048E81A49FBFA11B49DE16FF46C52A8E3042D1BCC3A50AAF7712B097BED9AE9AED9149C21476C2A1E12F1583D4810A6D36569E993FE1AD3879942E5B0D52
Malicious:	false
Preview:	. Apache License. Version 2.0, January 2004. https://www.apache.org/licenses/.. TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION.. 1. Definitions... "License" shall mean the terms and conditions for use, reproduction,. and distribution as defined by Sections 1 through 9 of this document... "Licensor" shall mean the copyright owner or entity authorized by. the copyright owner that is granting the License... "Legal Entity" shall mean the union of the acting entity and all. other entities that control, are controlled by, or are under common. control with that entity. For the purposes of this definition,. "control" means (i) the power, direct or indirect, to cause the. direction or management of such entity, whether by contract or. otherwise, or (ii) ownership of fifty percent (50%) or more of the. outstanding shares, or (iii) beneficial ow

C:\Users\user\AppData\Local\Temp\_MEI59122\cryptography-42.0.7.dist-info\LICENSE.BSD

Download File

Process:	C:\Users\user\Desktop\Colby Dupe Script.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	1532
Entropy (8bit):	5.058591167088024
Encrypted:	false
SSDEEP:	24:MjUnoorbOFFTJJyRrYFTjzMbmqEvBTP4m96432s4EOkUTKQROJ32s3yxsITf+3tY:MkOFJSrYJsaN5P406432svv32s3EsIqm
MD5:	5AE30BA4123BC4F2FA49AA0B0DCE887B
SHA1:	EA5B412C09F3B29BA1D81A61B878C5C16FFE69D8
SHA-256:	602C4C7482DE6479DD2E9793CDA275E5E63D773DACD1ECA689232AB7008FB4FB
SHA-512:	DDBB20C80ADBC8F4118C10D3E116A5CD6536F72077C5916D87258E155BE561B89EB45C6341A1E856EC308B49A4CB4DBA1408EABD6A781FBE18D6C71C32B72C41
Malicious:	false
Preview:	Copyright (c) Individual contributors..All rights reserved...Redistribution and use in source and binary forms, with or without.modification, are permitted provided that the following conditions are met:.. 1. Redistributions of source code must retain the above copyright notice,. this list of conditions and the following disclaimer... 2. Redistributions in binary form must reproduce the above copyright. notice, this list of conditions and the following disclaimer in the. documentation and/or other materials provided with the distribution... 3. Neither the name of PyCA Cryptography nor the names of its contributors. may be used to endorse or promote products derived from this software. without specific prior written permission...THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND.ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED.WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOS

C:\Users\user\AppData\Local\Temp\_MEI59122\cryptography-42.0.7.dist-info\METADATA

Download File

Process:	C:\Users\user\Desktop\Colby Dupe Script.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	5430
Entropy (8bit):	5.111764645976891
Encrypted:	false
SSDEEP:	96:DxHpqZink/QIHQIyzQIZQILuQIR8vtklGovuxNx6rIWwCvCCcT+vIrrr9B+M6VwP:vJnkoBs/stL18cT+vIrrxsM6VwDjyeyM
MD5:	51E28E442AD9F3CA86FC022806F6B860
SHA1:	EC18E5A627FEBF6FC10FD28F77F03ABE0D45F1D3
SHA-256:	C783B299BF4110DE7F94A7DA362927657DD1CD0631B00F2D7A2F1242FF4C3A1A
SHA-512:	A2D54956DE9F2A896B270A6F2F738F1C83F13EBFA013CA21C7C8DE2C02109065EB8FEEE1E1C4B5593A3A91EEBA5CACCF24D174FE7E098A61ED73949330A94E62
Malicious:	false
Preview:	Metadata-Version: 2.1..Name: cryptography..Version: 42.0.7..Summary: cryptography is a package which provides cryptographic recipes and primitives to Python developers...Author-email: The Python Cryptographic Authority and individual contributors <cryptography-dev@python.org>..License: Apache-2.0 OR BSD-3-Clause..Project-URL: homepage, https://github.com/pyca/cryptography..Project-URL: documentation, https://cryptography.io/..Project-URL: source, https://github.com/pyca/cryptography/..Project-URL: issues, https://github.com/pyca/cryptography/issues..Project-URL: changelog, https://cryptography.io/en/latest/changelog/..Classifier: Development Status :: 5 - Production/Stable..Classifier: Intended Audience :: Developers..Classifier: License :: OSI Approved :: Apache Software License..Classifier: License :: OSI Approved :: BSD License..Classifier: Natural Language :: English..Classifier: Operating System :: MacOS :: MacOS X..Classifier: Operating System :: POSIX..Classifier: Operating Syst

C:\Users\user\AppData\Local\Temp\_MEI59122\cryptography-42.0.7.dist-info\RECORD

Download File

Process:	C:\Users\user\Desktop\Colby Dupe Script.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	15325
Entropy (8bit):	5.565404083454461
Encrypted:	false
SSDEEP:	192:oXVxv2sR5jF4e+6tkh4v4Ko29vZ6W1HepPN+NXwvn5ZnM:oXT2sbCWPoIvZ6W1HepPN+9wvnA
MD5:	5983CF46D3CCF49F05E0EE2A282D9331
SHA1:	2BB0C625C6E4A80DAE4BCCCC406544C081BC2C73
SHA-256:	4AA46ECC65DAA2C819B78AB0CFD1A27243822F6BA15EE26A99116E25B2AEC369
SHA-512:	8F36451E18BF8184256DF83C7A96189097F16CD41FFB41872E158B6356F95D0843AD2AB281033EB827357B6116BD1D1695C2D0FBEE8E2D462B18C44D057DF964
Malicious:	false
Preview:	cryptography-42.0.7.dist-info/INSTALLER,sha256=zuuue4knoyJ-UwPPXg8fezS7VCrXJQrAP7zeNuwvFQg,4..cryptography-42.0.7.dist-info/LICENSE,sha256=Pgx8CRqUi4JTO6mP18u0BDLW8amsv4X1ki0vmak65rs,197..cryptography-42.0.7.dist-info/LICENSE.APACHE,sha256=qsc7MUj20dcRHbyjIJn2jSbGRMaBOuHk8F9leaomY_4,11360..cryptography-42.0.7.dist-info/LICENSE.BSD,sha256=YCxMdILeZHndLpeTzaJ15eY9dz2s0eymiSMqtwCPtPs,1532..cryptography-42.0.7.dist-info/METADATA,sha256=x4Oymb9BEN5_lKfaNiknZX3RzQYxsA8tei8SQv9MOho,5430..cryptography-42.0.7.dist-info/RECORD,,..cryptography-42.0.7.dist-info/REQUESTED,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0..cryptography-42.0.7.dist-info/WHEEL,sha256=ZzJfItdlTwUbeh2SvWRPbrqgDfW_djikghnwfRmqFIQ,100..cryptography-42.0.7.dist-info/top_level.txt,sha256=KNaT-Sn2K4uxNaEbe6mYdDn3qWDMlp4y-MtWfB73nJc,13..cryptography/__about__.py,sha256=LQGMBOUoJMoUWaehVZlolfa2ksqExrEG39Ii4p8BHUo,445..cryptography/__init__.py,sha256=iVPlBlXWTJyiFeRedxcbMPhyHB34viOM10d72vGnWuE,364..cryptography/__pycache__/_

C:\Users\user\AppData\Local\Temp\_MEI59122\cryptography-42.0.7.dist-info\WHEEL

Download File

Process:	C:\Users\user\Desktop\Colby Dupe Script.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	100
Entropy (8bit):	5.0203365408149025
Encrypted:	false
SSDEEP:	3:RtEeX7MWcSlVlbY3KgP+tkKciH/KQLn:RtBMwlVCxWKTQLn
MD5:	C48772FF6F9F408D7160FE9537E150E0
SHA1:	79D4978B413F7051C3721164812885381DE2FDF5
SHA-256:	67325F22D7654F051B7A1D92BD644F6EBAA00DF5BF7638A48219F07D19AA1484
SHA-512:	A817107D9F70177EA9CA6A370A2A0CB795346C9025388808402797F33144C1BAF7E3DE6406FF9E3D8A3486BDFAA630B90B63935925A36302AB19E4C78179674F
Malicious:	false
Preview:	Wheel-Version: 1.0.Generator: bdist_wheel (0.42.0).Root-Is-Purelib: false.Tag: cp39-abi3-win_amd64..

C:\Users\user\AppData\Local\Temp\_MEI59122\cryptography-42.0.7.dist-info\top_level.txt

Download File

Process:	C:\Users\user\Desktop\Colby Dupe Script.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	13
Entropy (8bit):	3.2389012566026314
Encrypted:	false
SSDEEP:	3:cOv:Nv
MD5:	E7274BD06FF93210298E7117D11EA631
SHA1:	7132C9EC1FD99924D658CC672F3AFE98AFEFAB8A
SHA-256:	28D693F929F62B8BB135A11B7BA9987439F7A960CC969E32F8CB567C1EF79C97
SHA-512:	AA6021C4E60A6382630BEBC1E16944F9B312359D645FC61219E9A3F19D876FD600E07DCA6932DCD7A1E15BFDEAC7DBDCEB9FFFCD5CA0E5377B82268ED19DE225
Malicious:	false
Preview:	cryptography.

C:\Users\user\AppData\Local\Temp\_MEI59122\cryptography\hazmat\bindings\_rust.pyd

Download File

Process:	C:\Users\user\Desktop\Colby Dupe Script.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2100736
Entropy (8bit):	7.999659207803793
Encrypted:	true
SSDEEP:	49152:QYIcD5qwHvPgAmGgmQJgtxceY7m3p0FX15FDr9Z00tpvmD1fcEEag730wrqjGDb:QYIQ5qwHVuJgtxcAp2jx5ZfpYdpgwAL
MD5:	D85FD537A56A67FA5A1AFEC25AFFC010
SHA1:	47F7F26C6840DE1697D113AB3622235A35277DBB
SHA-256:	9B1A8477C284AAF301F03A07E76D00398AF03A9203374F6EEC788F6C5118EC09
SHA-512:	41BD3562490E5D01D4F08E8FCCD8E19BB3F14FEDA143C43A7BBE69D0D98FFC469F72D9072CA012EDD807FBF17B466E677ABA657E1240227327D17B496061889D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......v.r.2x..2x..2x..;... x......0x......#x......:x......6x..]...0x..2x...z......#x..]...D{......3x..2x..x......3x......3x..Rich2x..........................PE..d.....9f.........." ...'.. ...... O..#o..0O..................................Po...........`.........................................(Eo.p....@o.(............`j..O...........Eo.,............................/o.(....0o.@...........................................UPX0..... O.............................UPX1...... ..0O... .................@...UPX2.........@o....... .............@......................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI59122\libcrypto-1_1.dll

Download File

Process:	C:\Users\user\Desktop\Colby Dupe Script.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1189728
Entropy (8bit):	7.945107908450931
Encrypted:	false
SSDEEP:	24576:jffQrZJIe6/4gho5HE1F03fkOyUU/BtSIgA0ft+rBFOWRIQ6sCY51CPwDv3uFfJv:Tf8JWwgho5HL3fknPSIKorCU1CPwDv3a
MD5:	DAA2EED9DCEAFAEF826557FF8A754204
SHA1:	27D668AF7015843104AA5C20EC6BBD30F673E901
SHA-256:	4DAB915333D42F071FE466DF5578FD98F38F9E0EFA6D9355E9B4445FFA1CA914
SHA-512:	7044715550B7098277A015219688C7E7A481A60E4D29F5F6558B10C7AC29195C6D5377DC234DA57D9DEF0C217BB3D7FECA332A64D632CA105503849F15E057EA
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........a...2...2...2...2...2..3...2..3...2..3...2..3...2...2...2L.3...2..3...2..3.2..3...2..p2...2..3...2Rich...2........................PE..d...m..b.........." ... .........@%.025..P%..................................P7...........`......................................... H5......C5.h....@5......`2.............H7......................................=5.@...........................................UPX0.....@%.............................UPX1.........P%.....................@....rsrc........@5.....................@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI59122\libffi-7.dll

Download File

Process:	C:\Users\user\Desktop\Colby Dupe Script.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	24088
Entropy (8bit):	7.527291720504194
Encrypted:	false
SSDEEP:	384:hRZBxuj5W4IBzuU2CUvOEvba4Za7gJXkrZRCXEpnYPLxDG4y80uzFLhHj:rwlGuUm2Evb1p07pWDG4yKRF
MD5:	6F818913FAFE8E4DF7FEDC46131F201F
SHA1:	BBB7BA3EDBD4783F7F973D97B0B568CC69CADAC5
SHA-256:	3F94EE4F23F6C7702AB0CC12995A6457BF22183FA828C30CC12288ADF153AE56
SHA-512:	5473FE57DC40AF44EDB4F8A7EFD68C512784649D51B2045D570C7E49399990285B59CFA6BCD25EF1316E0A073EA2A89FE46BE3BFC33F05E3333037A1FD3A6639
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6.3.r}]Ar}]Ar}]A{..Ap}]A .\@p}]A..\@q}]Ar}\AU}]A .X@~}]A .Y@z}]A .^@q}]A..Y@t}]A..^@s}]A..]@s}]A.._@s}]ARichr}]A........................PE..d......].........." .....@................................................................`.........................................................................................................................................................................UPX0....................................UPX1.....@.......:..................@...UPX2.................>..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI59122\libssl-1_1.dll

Download File

Process:	C:\Users\user\Desktop\Colby Dupe Script.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	208224
Entropy (8bit):	7.9214932539909775
Encrypted:	false
SSDEEP:	3072:5SI3oPlWLlPVVc5MpJa1pOjJnnioIZW8/Qf6bRXGKrs8qJjueW1LR/oSB6hetz:EIek5VC0FiHof6Z1rgJ63R/oS3
MD5:	EAC369B3FDE5C6E8955BD0B8E31D0830
SHA1:	4BF77158C18FE3A290E44ABD2AC1834675DE66B4
SHA-256:	60771FB23EE37B4414D364E6477490324F142A907308A691F3DD88DC25E38D6C
SHA-512:	C51F05D26FDA5E995FE6763877D4FCDB89CD92EF2D6EE997E49CC1EE7A77146669D26EC00AD76F940EF55ADAE82921DEDE42E55F51BD10D1283ECFE7C5009778
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.p..p..p......p...+..p.\.+..p.../..p......p...)..p...+..p..p+.iq......p.....p.....p...(..p.Rich.p*.........PE..d......b.........." ... .....P...`..@....p................................................`..........................................6..4@...3.......0...........M...........v......................................@%..@...........................................UPX0.....`..............................UPX1.........p......................@....rsrc....P...0...H..................@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI59122\psutil\_psutil_windows.pyd

Download File

Process:	C:\Users\user\Desktop\Colby Dupe Script.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	7.726901563596422
Encrypted:	false
SSDEEP:	768:XvaDMlccGli4/1LnromOJjNOzhtPTXuwKuzpSp6:XvaQlmUQFnrobNEht6wDY
MD5:	937FA2077AD3FB82F9EDC419627969A3
SHA1:	381011C5B575C03AB77AB943920B39EF8EC8E57B
SHA-256:	633FB691BC13E4D42B9CAA0AF3A0897E081C8CCCDAB37530745598FBA597A4C2
SHA-512:	DEB6F7F0DD850528AA78C32FDCB42E836507ED7DC1F198C4903810DBBA47EF37B87CABAE7F148F9017D6F628D93904250A11CDCE05D5E29758A422285B01025A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......`T..$5..$5..$5..-M3..5..v@..&5..v@..(5..v@..,5..v@.. 5...k..&5..oM..55..$5...5...@..45...@..%5...@_.%5...@..%5..Rich$5..........................PE..d.....e.........." .................T....................................................`.........................................8u..`....p..H....p.......................u.......................................`..8...........................................UPX0....................................UPX1.............t..................@....rsrc........p.......x..............@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI59122\pyexpat.pyd

Download File

Process:	C:\Users\user\Desktop\Colby Dupe Script.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	88440
Entropy (8bit):	7.916428215878346
Encrypted:	false
SSDEEP:	1536:hqOsxiaMRf0wQhTR0lJrTMQLFrwAx0qHMKVqhgjOE+hpeWpUM2MkNphoacI7QhgR:Q8kmJfMQLFD+XWq+aDBplFkKI7QhgB0g
MD5:	0BCFD9AA6131D40693EA77FB593F6E2F
SHA1:	8B837D663AC7E186C7E427A272C7403C880A9D5F
SHA-256:	0B966BB1C97B5947A01AF98ABBE636F34BD492EDEBA99CE0276108FBE07D2EA6
SHA-512:	683B9C2C5B810CFEF68F684B2927A2123FF4ACF2D5377B368FE1D69054EBD2D96E99E850BD8C77A2950D55CE96ADA7AD7DB81B6C309D0FE7058FD9FD7E2524B3
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9h..}..}..}..tqu.q..2u....2u.p..2u.u..2u.~...u....{.~..}......u.y...u.\|...u..\|...u.\|..Rich}..................PE..d...+..c.........." ...". ........... .......................................@............`..........................................<..P....9.......0.......................<.......................................,..@...........................................UPX0....................................UPX1..... ..........................@....rsrc........0......."..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI59122\python3.dll

Download File

Process:	C:\Users\user\Desktop\Colby Dupe Script.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	64896
Entropy (8bit):	6.101810529421494
Encrypted:	false
SSDEEP:	768:Y88LeBLeeFtp5V1BfO2yvSk70QZF1nEyjnskQkr/RFB1qucwdBeCw0myou6ZwJq9:Y8wewnvtjnsfwERI7Q0L7SyCPx
MD5:	C17B7A4B853827F538576F4C3521C653
SHA1:	6115047D02FBBAD4FF32AFB4EBD439F5D529485A
SHA-256:	D21E60F3DFBF2BAB0CC8A06656721FA3347F026DF10297674FC635EBF9559A68
SHA-512:	8E08E702D69DF6840781D174C4565E14A28022B40F650FDA88D60172BE2D4FFD96A3E9426D20718C54072CA0DA27E0455CC0394C098B75E062A27559234A3DF7
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......]{....e...e...e..fm...e..fe...e..f....e..fg...e.Rich..e.........................PE..d......c.........." ..."..................................................................`.........................................`...`................................)..............T............................................................................rdata..............................@..@.rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI59122\python310.dll

Download File

Process:	C:\Users\user\Desktop\Colby Dupe Script.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1513336
Entropy (8bit):	7.991995760990047
Encrypted:	true
SSDEEP:	24576:Umhx0O5yMVUEV51zVZ/7KqaI0jVSn/OCNYLfUehwHqDdt9OJzoCr2TAY/f+TNX59:UmT0OjUK51xZ/7s6GDwKDD9OJEwsAE2V
MD5:	178A0F45FDE7DB40C238F1340A0C0EC0
SHA1:	DCD2D3D14E06DA3E8D7DC91A69B5FD785768B5FE
SHA-256:	9FCB5AD15BD33DD72122A171A5D950E8E47CEDA09372F25DF828010CDE24B8ED
SHA-512:	4B790046787E57B9414A796838A026B1530F497A75C8E62D62B56F8C16A0CBEDBEFAD3D4BE957BC18379F64374D8D3BF62D3C64B53476C7C5005A7355ACD2CEE
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........<...R..R..R...S..R......R...W..R...V..R...Q..R.....R.K.S..R..S..R.'._.X.R.'.R..R.'....R.'.P..R.Rich..R.........PE..d......c.........." ...". ......../...E.../...................................F...........`...........................................F.......F.d.....F.......B...............F.......................................E.@...........................................UPX0....../.............................UPX1..... ..../.....................@....rsrc.........F.....................@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI59122\pywin32_system32\pythoncom310.dll

Download File

Process:	C:\Users\user\Desktop\Colby Dupe Script.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	198144
Entropy (8bit):	7.89890407356889
Encrypted:	false
SSDEEP:	6144:wrs7d9ovn0ICgOdewE9SJy9sZQ3Kfk1pd:R59ovn0IC1yl3H1pd
MD5:	2734510F76721A1C8EA6A51B09A75A96
SHA1:	06FBF486565E48ADF1194B61D59F89762C1744BD
SHA-256:	24E5AC372291424C9C6FD8447932EE326EB79E907D19F0E95FA21B274D5782D6
SHA-512:	0D9FA8728099C141D832CBEB419D7B0185AC03A9A40900872026BB21A52F9CCF4A5489F35E37E89917298F6B82AC8C8F9FDC1E87439CCBBD471C35221E6D5449
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B..x...+...+...+..P+...+T.....+T.....+T.....+T.....+.....+......+......+......+...+U..+..W..+.....+..*...+Rich...+................PE..d...k..d.........." .........p.......7....................................................`.........................................0W...c..pS.......P..p....@...z..................................................C..8...........................................UPX0....................................UPX1................................@....rsrc....p...P...l..................@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI59122\pywin32_system32\pywintypes310.dll

Download File

Process:	C:\Users\user\Desktop\Colby Dupe Script.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	63488
Entropy (8bit):	7.57146672365253
Encrypted:	false
SSDEEP:	1536:+2xBKwcTFzoNwouLGtUHhYrn/iraujB/uJm8ei:+aBKwGOwoKGtUHhsnav1/uTe
MD5:	004C56C566863587F81AC8FDF831AD7C
SHA1:	13E07A667E1A34ACC263495654740AF41899CAAE
SHA-256:	775B9ED9A1981481F1E65135568E2EC7B2DF8E7E9A484F15A0F8FBCE4C3A9E9C
SHA-512:	792E6E2814504B5191946270E39D8B80478CE0457F157113A3C48A7B28C387942EC0B9A6BBEE54D4A179FC5B97FCBC8A07B3FC4ABDC8826097F38F20C89726D0
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........9.$.X.w.X.w.X.w. [w.X.w.-.v.X.w.75w.X.w.-.v.X.w.-.v.X.w.-.v.X.w.3.v.X.wJ1.v.X.w.3.v.X.w.X.w.X.w,-.v.X.w,-.v.X.w,-.v.X.wRich.X.w........................PE..d......d.........." .........P.......z....................................................`.........................................p...dB..p...........p.......L.......................................................8...........................................UPX0....................................UPX1................................@....rsrc....P.......J..................@......................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI59122\select.pyd

Download File

Process:	C:\Users\user\Desktop\Colby Dupe Script.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	24952
Entropy (8bit):	7.392326214954849
Encrypted:	false
SSDEEP:	384:+m71gl6dfHKsh8Za7gJXpDCI77G26IIYiSy1pCQ0AA7Pxh8E9VF0Nym5ty:11gl65HKNp5DCI77G2WYiSyv87PxWEgC
MD5:	666358E0D7752530FC4E074ED7E10E62
SHA1:	B9C6215821F5122C5176CE3CF6658C28C22D46BA
SHA-256:	6615C62FA010BFBA5527F5DA8AF97313A1AF986F8564277222A72A1731248841
SHA-512:	1D3D35C095892562DDD2868FBD08473E48B3BB0CB64EF9CCC5550A06C88DDA0D82383A1316B6C5584A49CA28ED1EF1E5CA94EC699A423A001CCD952BD6BD553D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........].t.<r'.<r'.<r'.D.'.<r'.@s&.<r'.@w&.<r'.@v&.<r'.@q&.<r'i@s&.<r'.<s'.<r'.Ns&.<r'i@.&.<r'i@r&.<r'i@.'.<r'i@p&.<r'Rich.<r'........PE..d...&..c.........." ...".0..........@.....................................................`......................................... ...L....................`..............l.......................................P...@...........................................UPX0....................................UPX1.....0.......(..................@....rsrc................,..............@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI59122\setuptools-65.5.0.dist-info\INSTALLER

Download File

Process:	C:\Users\user\Desktop\Colby Dupe Script.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Mn:M
MD5:	365C9BFEB7D89244F2CE01C1DE44CB85
SHA1:	D7A03141D5D6B1E88B6B59EF08B6681DF212C599
SHA-256:	CEEBAE7B8927A3227E5303CF5E0F1F7B34BB542AD7250AC03FBCDE36EC2F1508
SHA-512:	D220D322A4053D84130567D626A9F7BB2FB8F0B854DA1621F001826DC61B0ED6D3F91793627E6F0AC2AC27AEA2B986B6A7A63427F05FE004D8A2ADFBDADC13C1
Malicious:	false
Preview:	pip.

C:\Users\user\AppData\Local\Temp\_MEI59122\setuptools-65.5.0.dist-info\LICENSE

Download File

Process:	C:\Users\user\Desktop\Colby Dupe Script.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	1050
Entropy (8bit):	5.072538194763298
Encrypted:	false
SSDEEP:	24:1rmJHcwH0MP3gt8Hw1hj9QHOsUv4eOk4/+/m3oqMSFJ:1aJ8YHvEH5QHOs5exm3oEFJ
MD5:	7A7126E068206290F3FE9F8D6C713EA6
SHA1:	8E6689D37F82D5617B7F7F7232C94024D41066D1
SHA-256:	DB3F0246B1F9278F15845B99FEC478B8B506EB76487993722F8C6E254285FAF8
SHA-512:	C9F0870BC5D5EFF8769D9919E6D8DDE1B773543634F7D03503A9E8F191BD4ACC00A97E0399E173785D1B65318BAC79F41D3974AE6855E5C432AC5DACF8D13E8A
Malicious:	false
Preview:	Copyright Jason R. Coombs..Permission is hereby granted, free of charge, to any person obtaining a copy.of this software and associated documentation files (the "Software"), to.deal in the Software without restriction, including without limitation the.rights to use, copy, modify, merge, publish, distribute, sublicense, and/or.sell copies of the Software, and to permit persons to whom the Software is.furnished to do so, subject to the following conditions:..The above copyright notice and this permission notice shall be included in.all copies or substantial portions of the Software...THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR.IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,.FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE.AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER.LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING.FROM, OUT OF OR IN CONNECTION WITH THE SOFTW

C:\Users\user\AppData\Local\Temp\_MEI59122\setuptools-65.5.0.dist-info\METADATA

Download File

Process:	C:\Users\user\Desktop\Colby Dupe Script.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	6301
Entropy (8bit):	5.107162422517841
Encrypted:	false
SSDEEP:	192:W4rkAIG0wRg8wbNDdq6T9927uoU/GBpHFwTZ:Sq0wRg8wbNDdBh927uoU/GBRFi
MD5:	9E59BD13BB75B38EB7962BF64AC30D6F
SHA1:	70F6A68B42695D1BFA55ACB63D8D3351352B2AAC
SHA-256:	80C7A3B78EA0DFF1F57855EE795E7D33842A0827AA1EF4EE17EC97172A80C892
SHA-512:	67AC61739692ECC249EBDC8F5E1089F68874DCD65365DB1C389FDD0CECE381591A30B99A2774B8CAAA00E104F3E35FF3745AFF6F5F0781289368398008537AE7
Malicious:	false
Preview:	Metadata-Version: 2.1.Name: setuptools.Version: 65.5.0.Summary: Easily download, build, install, upgrade, and uninstall Python packages.Home-page: https://github.com/pypa/setuptools.Author: Python Packaging Authority.Author-email: distutils-sig@python.org.Project-URL: Documentation, https://setuptools.pypa.io/.Project-URL: Changelog, https://setuptools.pypa.io/en/stable/history.html.Keywords: CPAN PyPI distutils eggs package management.Classifier: Development Status :: 5 - Production/Stable.Classifier: Intended Audience :: Developers.Classifier: License :: OSI Approved :: MIT License.Classifier: Programming Language :: Python :: 3.Classifier: Programming Language :: Python :: 3 :: Only.Classifier: Topic :: Software Development :: Libraries :: Python Modules.Classifier: Topic :: System :: Archiving :: Packaging.Classifier: Topic :: System :: Systems Administration.Classifier: Topic :: Utilities.Requires-Python: >=3.7.License-File: LICENSE.Provides-Extra: certs.Provides-Extra: docs.Requi

C:\Users\user\AppData\Local\Temp\_MEI59122\setuptools-65.5.0.dist-info\RECORD

Download File

Process:	C:\Users\user\Desktop\Colby Dupe Script.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	37694
Entropy (8bit):	5.560695955910088
Encrypted:	false
SSDEEP:	384:DDz9AkShgQUgq/kc2mIkpIVh498WjXYW1P5+Eu8X62aDoaQPKJfRQIbwA+hof2yf:Dn3OIyQgIAY8T/7T962lSsSGxt9Im
MD5:	E30355B5F7466BEE1691929B05EED672
SHA1:	B9F1275EF04F2D36DD1F801DE116AC12AA68722E
SHA-256:	CEBD9639E6923A470E818350691053C3CC846A72426A9BFCB70F092868FA0D5B
SHA-512:	C7A56FE3037A07035279FF063406F7999360D5B275D743C0EF88335EB98BE4CA539775CC1470BF121CE166AA53E3E55002BE7402350E62811EA2B4D0BBD6A617
Malicious:	false
Preview:	_distutils_hack/__init__.py,sha256=TSekhUW1fdE3rjU3b88ybSBkJxCEpIeWBob4cEuU3ko,6128.._distutils_hack/__pycache__/__init__.cpython-310.pyc,,.._distutils_hack/__pycache__/override.cpython-310.pyc,,.._distutils_hack/override.py,sha256=Eu_s-NF6VIZ4Cqd0tbbA5wtWky2IZPNd8et6GLt1mzo,44..distutils-precedence.pth,sha256=JjjOniUA5XKl4N5_rtZmHrVp0baW_LoHsN0iPaX10iQ,151..pkg_resources/__init__.py,sha256=fT5Y3P1tcSX8sJomClUU10WHeFmvqyNZM4UZHzdpAvg,108568..pkg_resources/__pycache__/__init__.cpython-310.pyc,,..pkg_resources/_vendor/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0..pkg_resources/_vendor/__pycache__/__init__.cpython-310.pyc,,..pkg_resources/_vendor/__pycache__/appdirs.cpython-310.pyc,,..pkg_resources/_vendor/__pycache__/zipp.cpython-310.pyc,,..pkg_resources/_vendor/appdirs.py,sha256=MievUEuv3l_mQISH5SF0shDk_BNhHHzYiAPrT3ITN4I,24701..pkg_resources/_vendor/importlib_resources/__init__.py,sha256=evPm12kLgYqTm-pbzm60bOuumumT8IpBNWFp0uMyrzE,506..pkg_resources/_vendor/importli

C:\Users\user\AppData\Local\Temp\_MEI59122\setuptools-65.5.0.dist-info\WHEEL

Download File

Process:	C:\Users\user\Desktop\Colby Dupe Script.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	92
Entropy (8bit):	4.820827594031884
Encrypted:	false
SSDEEP:	3:RtEeX7MWcSlViZHKRRP+tPCCfA5S:RtBMwlViojWBBf
MD5:	4D57030133E279CEB6A8236264823DFD
SHA1:	0FDC3988857C560E55D6C36DCC56EE21A51C196D
SHA-256:	1B5E87E00DC87A84269CEAD8578B9E6462928E18A95F1F3373C9EEF451A5BCC0
SHA-512:	CD98F2A416AC1B13BA82AF073D0819C0EA7C095079143CAB83037D48E9A5450D410DC5CF6B6CFF3F719544EDF1C5F0C7E32E87B746F1C04FE56FAFD614B39826
Malicious:	false
Preview:	Wheel-Version: 1.0.Generator: bdist_wheel (0.37.1).Root-Is-Purelib: true.Tag: py3-none-any..

C:\Users\user\AppData\Local\Temp\_MEI59122\setuptools-65.5.0.dist-info\entry_points.txt

Download File

Process:	C:\Users\user\Desktop\Colby Dupe Script.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	2740
Entropy (8bit):	4.540737240939103
Encrypted:	false
SSDEEP:	48:lELcZDy3g6ySDsm90rZh2Phv4hhpTqTog:yLAP8arZoP94hTTqcg
MD5:	D3262B65DB35BFFAAC248075345A266C
SHA1:	93AD6FE5A696252B9DEF334D182432CDA2237D1D
SHA-256:	DEC880BB89189B5C9B1491C9EE8A2AA57E53016EF41A2B69F5D71D1C2FBB0453
SHA-512:	1726750B22A645F5537C20ADDF23E3D3BAD851CD4BDBA0F9666F9F6B0DC848F9919D7AF8AD8847BD4F18D0F8585DDE51AFBAE6A4CAD75008C3210D17241E0291
Malicious:	false
Preview:	[distutils.commands].alias = setuptools.command.alias:alias.bdist_egg = setuptools.command.bdist_egg:bdist_egg.bdist_rpm = setuptools.command.bdist_rpm:bdist_rpm.build = setuptools.command.build:build.build_clib = setuptools.command.build_clib:build_clib.build_ext = setuptools.command.build_ext:build_ext.build_py = setuptools.command.build_py:build_py.develop = setuptools.command.develop:develop.dist_info = setuptools.command.dist_info:dist_info.easy_install = setuptools.command.easy_install:easy_install.editable_wheel = setuptools.command.editable_wheel:editable_wheel.egg_info = setuptools.command.egg_info:egg_info.install = setuptools.command.install:install.install_egg_info = setuptools.command.install_egg_info:install_egg_info.install_lib = setuptools.command.install_lib:install_lib.install_scripts = setuptools.command.install_scripts:install_scripts.rotate = setuptools.command.rotate:rotate.saveopts = setuptools.command.saveopts:saveopts.sdist = setuptools.command.sdist:sdist.seto

C:\Users\user\AppData\Local\Temp\_MEI59122\setuptools-65.5.0.dist-info\top_level.txt

Download File

Process:	C:\Users\user\Desktop\Colby Dupe Script.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	41
Entropy (8bit):	3.9115956018096876
Encrypted:	false
SSDEEP:	3:3Wd+Nt8AfQYv:3Wd+Nttv
MD5:	789A691C859DEA4BB010D18728BAD148
SHA1:	AEF2CBCCC6A9A8F43E4E150E7FCF1D7B03F0E249
SHA-256:	77DC8BDFDBFF5BBAA62830D21FAB13E1B1348FF2ECD4CDCFD7AD4E1A076C9B88
SHA-512:	BC2F7CAAD486EB056CB9F68E6C040D448788C3210FF028397CD9AF1277D0051746CAE58EB172F9E73EA731A65B2076C6091C10BCB54D911A7B09767AA6279EF6
Malicious:	false
Preview:	_distutils_hack.pkg_resources.setuptools.

C:\Users\user\AppData\Local\Temp\_MEI59122\sqlite3.dll

Download File

Process:	C:\Users\user\Desktop\Colby Dupe Script.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	623480
Entropy (8bit):	7.993502110233887
Encrypted:	true
SSDEEP:	12288:IZNIrMyJHzTarSwdWd5Xhm/27cz5hQYuHDiL1IcUq4P8ryHn5+8ybL:YNPsHzTaWwdS5xV70QYMDiCc34e8nI82
MD5:	BD2819965B59F015EC4233BE2C06F0C1
SHA1:	CFF965068F1659D77BE6F4942CA1ADA3575CA6E2
SHA-256:	AB072D20CEE82AE925DAE78FD41CAE7CD6257D14FD867996382A69592091D8EC
SHA-512:	F7758BD71D2AD236BF3220DB0AD26F3866D9977EAB311A5912F6E079B59FA918735C852DE6DBF7B5FEE9E04124BC0CD438C4C71EDC0C04309330108BA0085D59
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......CG;..&U..&U..&U..^..&U.HZT..&U.HZP..&U.HZQ..&U.HZV..&U..TT..&U..&T..&U..Z]..&U..ZU..&U..Z...&U..ZW..&U.Rich.&U.................PE..d...X..c.........." ...".0...0............................................................`.............................................d"..................................x...........................................@...........................................UPX0....................................UPX1.....0.......(..................@....rsrc....0...........,..............@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI59122\unicodedata.pyd

Download File

Process:	C:\Users\user\Desktop\Colby Dupe Script.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	294784
Entropy (8bit):	7.987175768019268
Encrypted:	false
SSDEEP:	6144:PudZUEjoXwDrGv4qJBd4R0u3FIp6O4LMHS+OsfW/+vzoFZ:EGEjyirGd+f3FIp7eMHS+CUUr
MD5:	7A462A10AA1495CEF8BFCA406FB3637E
SHA1:	6DCBD46198B89EF3007C76DEB42AB10BA4C4CF40
SHA-256:	459BCA991FCB88082D49D22CC6EBFFE37381A5BD3EFCC77C5A52F7A4BB3184C0
SHA-512:	D2B7C6997B4BD390257880A6F3336E88D1DD7159049811F8D7C54E3623E9B033E18E8922422869C81DE72FC8C10890C173D8A958D192DD03BFC57CFFAEA1AC7B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......0...t..t..t..}...r..;...v..;...y..;...\|..;...w.....w......v..t..%.....u.....u...y.u.....u..Richt..........PE..d...(..c.........." ...".P..........@V... ................................................`..........................................{..X....y.......p..........<............{......................................@b..@...........................................UPX0....................................UPX1.....P... ...D..................@....rsrc........p.......H..............@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI59122\wheel-0.43.0.dist-info\INSTALLER

Download File

Process:	C:\Users\user\Desktop\Colby Dupe Script.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Mn:M
MD5:	365C9BFEB7D89244F2CE01C1DE44CB85
SHA1:	D7A03141D5D6B1E88B6B59EF08B6681DF212C599
SHA-256:	CEEBAE7B8927A3227E5303CF5E0F1F7B34BB542AD7250AC03FBCDE36EC2F1508
SHA-512:	D220D322A4053D84130567D626A9F7BB2FB8F0B854DA1621F001826DC61B0ED6D3F91793627E6F0AC2AC27AEA2B986B6A7A63427F05FE004D8A2ADFBDADC13C1
Malicious:	false
Preview:	pip.

C:\Users\user\AppData\Local\Temp\_MEI59122\wheel-0.43.0.dist-info\LICENSE.txt

Download File

Process:	C:\Users\user\Desktop\Colby Dupe Script.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	1107
Entropy (8bit):	5.115074330424529
Encrypted:	false
SSDEEP:	24:PWmrRONJHLH0cPP3gtkHw1h39QHOsUv4eOk4/+jvho3nPz:ttONJbbvE/NQHOs5eNS3n7
MD5:	7FFB0DB04527CFE380E4F2726BD05EBF
SHA1:	5B39C45A91A556E5F1599604F1799E4027FA0E60
SHA-256:	30C23618679108F3E8EA1D2A658C7CA417BDFC891C98EF1A89FA4FF0C9828654
SHA-512:	205F284F3A7E8E696C70ED7B856EE98C1671C68893F0952EEC40915A383BC452B99899BDC401F9FE161A1BF9B6E2CEA3BCD90615EEE9173301657A2CE4BAFE14
Malicious:	false
Preview:	MIT License..Copyright (c) 2012 Daniel Holth <dholth@fastmail.fm> and contributors..Permission is hereby granted, free of charge, to any person obtaining a.copy of this software and associated documentation files (the "Software"),.to deal in the Software without restriction, including without limitation.the rights to use, copy, modify, merge, publish, distribute, sublicense,.and/or sell copies of the Software, and to permit persons to whom the.Software is furnished to do so, subject to the following conditions:..The above copyright notice and this permission notice shall be included.in all copies or substantial portions of the Software...THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR.IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,.FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL.THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR.OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERW

C:\Users\user\AppData\Local\Temp\_MEI59122\wheel-0.43.0.dist-info\METADATA

Download File

Process:	C:\Users\user\Desktop\Colby Dupe Script.exe
File Type:	Unicode text, UTF-8 text
Category:	dropped
Size (bytes):	2153
Entropy (8bit):	5.088249746074878
Encrypted:	false
SSDEEP:	48:DEhpFu5MktjaywDK48d+md+7uT8RfkD1UKd+mOl1Awry:DEhpiMktjayq/7kOfsUzmbYy
MD5:	EBEA27DA14E3F453119DC72D84343E8C
SHA1:	7CEB6DBE498B69ABF4087637C6F500742FF7E2B4
SHA-256:	59BAC22B00A59D3E5608A56B8CF8EFC43831A36B72792EE4389C9CD4669C7841
SHA-512:	A41593939B9325D40CB67FD3F41CD1C9E9978F162487FB469094C41440B5F48016B9A66BE2E6E4A0406D6EEDB25CE4F5A860BA1E3DC924B81F63CEEE3AE31117
Malicious:	false
Preview:	Metadata-Version: 2.1.Name: wheel.Version: 0.43.0.Summary: A built-package format for Python.Keywords: wheel,packaging.Author-email: Daniel Holth <dholth@fastmail.fm>.Maintainer-email: Alex Gr.nholm <alex.gronholm@nextday.fi>.Requires-Python: >=3.8.Description-Content-Type: text/x-rst.Classifier: Development Status :: 5 - Production/Stable.Classifier: Intended Audience :: Developers.Classifier: Topic :: System :: Archiving :: Packaging.Classifier: License :: OSI Approved :: MIT License.Classifier: Programming Language :: Python.Classifier: Programming Language :: Python :: 3 :: Only.Classifier: Programming Language :: Python :: 3.8.Classifier: Programming Language :: Python :: 3.9.Classifier: Programming Language :: Python :: 3.10.Classifier: Programming Language :: Python :: 3.11.Classifier: Programming Language :: Python :: 3.12.Requires-Dist: pytest >= 6.0.0 ; extra == "test".Requires-Dist: setuptools >= 65 ; extra == "test".Project-URL: Changelog, https://wheel.readthedocs.io/en/s

C:\Users\user\AppData\Local\Temp\_MEI59122\wheel-0.43.0.dist-info\RECORD

Download File

Process:	C:\Users\user\Desktop\Colby Dupe Script.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	4481
Entropy (8bit):	5.706524629349948
Encrypted:	false
SSDEEP:	96:sqkXVom4ix01TQIvLgAoDH/H7vp88FxTXiJP+GJPSocKEJq5sZF3GI78IegK5Eef:sqkXVwMbY+USocKEJq5sZF3GeV2BvTR5
MD5:	737488B0DD7D0240F05F54DCB0043E8E
SHA1:	FBE5D908B995B517BC83C5B29DDE60B27709731D
SHA-256:	E004D239B653932668962DC96AA60D6B0B0934168E805C9978DB23135E231BB1
SHA-512:	7B813D7E712E5CB15B094F9BA97B5809D444678D366A8C55AF6BACE25DAB303AE8BD65AE99E9C864FB5DE87BB2BBF717061CD4A9ACA93E200F6C1A748D047C49
Malicious:	false
Preview:	../../Scripts/wheel.exe,sha256=yCF6Aw9_GVlnEqG3UM6MzBMPPBTnmeCOI5ZesiQ2Go4,108411..wheel-0.43.0.dist-info/INSTALLER,sha256=zuuue4knoyJ-UwPPXg8fezS7VCrXJQrAP7zeNuwvFQg,4..wheel-0.43.0.dist-info/LICENSE.txt,sha256=MMI2GGeRCPPo6h0qZYx8pBe9_IkcmO8aifpP8MmChlQ,1107..wheel-0.43.0.dist-info/METADATA,sha256=WbrCKwClnT5WCKVrjPjvxDgxo2tyeS7kOJyc1GaceEE,2153..wheel-0.43.0.dist-info/RECORD,,..wheel-0.43.0.dist-info/WHEEL,sha256=EZbGkh7Ie4PoZfRQ8I0ZuP9VklN_TvcZ6DSE5Uar4z4,81..wheel-0.43.0.dist-info/entry_points.txt,sha256=rTY1BbkPHhkGMm4Q3F0pIzJBzW2kMxoG1oriffvGdA0,104..wheel/__init__.py,sha256=D6jhH00eMzbgrXGAeOwVfD5i-lCAMMycuG1L0useDlo,59..wheel/__main__.py,sha256=NkMUnuTCGcOkgY0IBLgBCVC_BGGcWORx2K8jYGS12UE,455..wheel/__pycache__/__init__.cpython-310.pyc,,..wheel/__pycache__/__main__.cpython-310.pyc,,..wheel/__pycache__/_setuptools_logging.cpython-310.pyc,,..wheel/__pycache__/bdist_wheel.cpython-310.pyc,,..wheel/__pycache__/macosx_libfile.cpython-310.pyc,,..wheel/__pycache__/metadata.cpython-310.

C:\Users\user\AppData\Local\Temp\_MEI59122\wheel-0.43.0.dist-info\WHEEL

Download File

Process:	C:\Users\user\Desktop\Colby Dupe Script.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	81
Entropy (8bit):	4.672346887071811
Encrypted:	false
SSDEEP:	3:RtEeX/QFM+vxP+tPCCfA5I:Rt1Qq2WBB3
MD5:	24019423EA7C0C2DF41C8272A3791E7B
SHA1:	AAE9ECFB44813B68CA525BA7FA0D988615399C86
SHA-256:	1196C6921EC87B83E865F450F08D19B8FF5592537F4EF719E83484E546ABE33E
SHA-512:	09AB8E4DAA9193CFDEE6CF98CCAE9DB0601F3DCD4944D07BF3AE6FA5BCB9DC0DCAFD369DE9A650A38D1B46C758DB0721EBA884446A8A5AD82BB745FD5DB5F9B1
Malicious:	false
Preview:	Wheel-Version: 1.0.Generator: flit 3.9.0.Root-Is-Purelib: true.Tag: py3-none-any.

C:\Users\user\AppData\Local\Temp\_MEI59122\wheel-0.43.0.dist-info\entry_points.txt

Download File

Process:	C:\Users\user\Desktop\Colby Dupe Script.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	104
Entropy (8bit):	4.271713330022269
Encrypted:	false
SSDEEP:	3:1SSAnAYgh+MWTMhk6WjrAM5t5ln:1Jb9WTMhk9jUM5t5ln
MD5:	6180E17C30BAE5B30DB371793FCE0085
SHA1:	E3A12C421562A77D90A13D8539A3A0F4D3228359
SHA-256:	AD363505B90F1E1906326E10DC5D29233241CD6DA4331A06D68AE27DFBC6740D
SHA-512:	69EAE7B1E181D7BA1D3E2864D31E1320625A375E76D3B2FBF8856B3B6515936ACE3138D4D442CABDE7576FCFBCBB0DEED054D90B95CFA1C99829DB12A9031E26
Malicious:	false
Preview:	[console_scripts].wheel=wheel.cli:main..[distutils.commands].bdist_wheel=wheel.bdist_wheel:bdist_wheel..

C:\Users\user\AppData\Local\Temp\_MEI59122\win32\_win32sysloader.pyd

Download File

Process:	C:\Users\user\Desktop\Colby Dupe Script.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11776
Entropy (8bit):	6.763938186711424
Encrypted:	false
SSDEEP:	192:lbadimkU6KnFt4Zdcpbd8m5OonxCe4W7Oj5a5RkYj273QJXhc7o/UQ0D:I4KFtycpbd8EOonxCeZOFa5RZa7gJX+/
MD5:	35D31B31CABA2BFB17F7830084EF5457
SHA1:	22DB0C16B06A6DECD41F19C24FB9C4AE1CEFEEA3
SHA-256:	5EA82777477433280BF86768C924D08B80AFCCCD34CED3FCF8CFEE97E43567C0
SHA-512:	B8D36D734AA9C9FC3A3872F5145480517294A2D6253BF5A903607AC8EE39616E068626FC90981188C07BA726224EDC48FF0D59661D5A39951AD999BE313E630B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......tSf.02..02..02..9J..22..bG..22..$Y..22..bG..;2..bG..82..bG..32..[..32..02...2...G..12...G..12...G..12..Rich02..................PE..d......d.........." .....0.......... .....................................................`.............................................`...x...P.......x....`..............(....................................... ...8...........................................UPX0....................................UPX1.....0.......$..................@....rsrc................(..............@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI59122\win32\win32api.pyd

Download File

Process:	C:\Users\user\Desktop\Colby Dupe Script.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	49664
Entropy (8bit):	7.83316826018071
Encrypted:	false
SSDEEP:	768:lBHqNUpP9700eM3qeU4NWAXcnLim2sp94osOk7OPBBho8rzspYJP0Upyle:lBzrSeUGQLi+5sOt5Bbzs2ole
MD5:	1151DC5D219FC1D5A2504484D416C64E
SHA1:	E253E8CD01A6729927D6E2E391B2582214FADE56
SHA-256:	BF3EAD408174E1107396BFC989428DB75DC11BB22CC464C886BC3BD42D1D6D94
SHA-512:	A8862D878B26339BC24AADAA979E0F289F26EADB83C39420EF1D16ABF2607E648AA4C17E82FE18926246D90002FC6FDA4492BCF7796D5115A69CF12DA33B13BB
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......X.uV....................N.......N.......N.......................N...................J...........................Rich............PE..d......d.........." ................@.....................................................`.........................................(.......`...........`...........................................................@...8.......................@...................UPX0....................................UPX1................................@....rsrc...............................@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI59122\win32\win32crypt.pyd

Download File

Process:	C:\Users\user\Desktop\Colby Dupe Script.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	52736
Entropy (8bit):	7.732239372843403
Encrypted:	false
SSDEEP:	1536:E/uTkXr2LgA+Q0/W25PVt9sjTQaFoJ7e3eDdJabM:yXXr2ga0BVtmFyJiuDDa
MD5:	4A81CC314EB7A7E6268BC9972A75BF90
SHA1:	FADEA11E9387D42B5A0FD53D6F71BD8F3F1A7874
SHA-256:	C47E972165BF6B7D9A6683D7284AE8173AA8FAF41E1E61AE253230CA01F4747E
SHA-512:	2414854D98FD9B437EFF0B348B13FD237A376E3CD80AB8B2C63A805C0EE912163008DBAFD74AB5EECB434D329B2396996840AFF3C5E6643CEBFADA08A3699F6E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................J.........................................`..............................................Rich............PE..d......d.........." .........0.......G....................................................`.........................................hf......hc.......`..h...................$........................................S..8...........................................UPX0....................................UPX1................................@....rsrc....0...`...$..................@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI59122\win32\win32trace.pyd

Download File

Process:	C:\Users\user\Desktop\Colby Dupe Script.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14848
Entropy (8bit):	7.075583352925283
Encrypted:	false
SSDEEP:	384:26KwMJFoeBJ4qCKU7xe+16ufjISGhZa7gJXfO1B1r:27wMJFoenUk/ufapvwBN
MD5:	D2F8515B8453EE630895BFE02BA9B9F5
SHA1:	69C67EE4838C3B9CCC5F381634ECF4D20353A646
SHA-256:	427B7516C3C6095DB49AD6E4B3436CA78C63551A882EE87685FAC30E10A56596
SHA-512:	35951C9CFFECEB5F1101215B59D2F0A612FBD14D6AE707CB51DF3723430064F07601590C80602FB3FC95DDDF9F47171F60F6A67A60F3ED2044BCF59D854CEB8C
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........*U@qD.@qD.@qD.I...DqD...E.BqD...A.JqD...@.HqD...G.CqD...E.BqD...E.BqD.T.E.EqD.@qE..qD...M.AqD...D.AqD...F.AqD.Rich@qD.................PE..d......d.........." .....0..........`.....................................................`.............................................T...h...8.......h....p......................................................`...8...........................................UPX0....................................UPX1.....0..........................@....rsrc................2..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI59122\win32com\shell\shell.pyd

Download File

Process:	C:\Users\user\Desktop\Colby Dupe Script.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	152576
Entropy (8bit):	7.97184573578702
Encrypted:	false
SSDEEP:	3072:zA+IckcVeE911B9PROpB23W4Ukx0xluxTZ/7cpltdYwT7VbbteHH:05cv91jtROLH4n0xluxIlT7e
MD5:	9106C16A016FC0D195421ACE7835B412
SHA1:	1F989739A3D1D2FC4569ADD145A4AF13F8614F5C
SHA-256:	749F726459B2A0300A8CCD19904EC39A4651538D7B2C66D3FB90A18090BC73FD
SHA-512:	F8F3A52BC7092B80C969692B720356ADB4A17D05FFB16E869BD7B51E520EAC6A030161E784DE2870BDFF18AA26611964122BD8701EA70A3D7FA5EDC9D314FCE4
Malicious:	false
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......M................).....[......[......[......[...................................................O.................Rich............................PE..d...(..d.........." .....P...................................................0............`..........................................&..L...P#..t.... ..P.......xx...........'...................................... ...8...........................................UPX0....................................UPX1.....P.......H..................@....rsrc........ .......L..............@..............................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\dd_setup.txt

Download File

Process:	C:\Users\user\Desktop\Colby Dupe Script.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	18
Entropy (8bit):	3.3082708345352603
Encrypted:	false
SSDEEP:	3:LAD6Tsn:UeTs
MD5:	D6C25D0035D976FBE55C8210BA9E7891
SHA1:	83261B7821592830352892A4E13F1EF91B8F7822
SHA-256:	7D3449E921914DBB3BD92CDBB3BA4B3E6FCA01BC5BABB94A89EF21DFD58D17B8
SHA-512:	F13BAEEB475C24BC3C47477D47F168B28D4CA54E8471AF950EFDDF02AC80E7A85DD3D0D0452FFEF462FACEF011846DE40CF4898A1A75E7B5574A0DF0F724FAA4
Malicious:	false
Preview:	1715732695.7405698

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	5.911050878613387
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Colby Dupe Script.exe
File size:	27'886'092 bytes
MD5:	67bd09879e6fe66763074091f57f3150
SHA1:	43825d37d0821a6a21aee73e30ecb71c04b14119
SHA256:	5604246ead9eb4b6ddd749a285e1bb3296f186988c3eb298964a3138cece1446
SHA512:	668d8048608bf31795fd743d34b8210d2a8b75b3e5c119acfa5d790e06aba0c06cc3f95f2b219879f80ea4201de89d04e99255cda30d6ae0d3c7de3578fb3e88
SSDEEP:	393216:Io9D7E9QdXG45L1V8dJKFqy4gst0BPeiz+xy446iU:19cQPR4hveGYv4P
TLSH:	BF5733605B654092E4FAD23F441A89BC8570FC0217E4EACE9278A6AD5FE33545D3BFB0
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...................................-.....................,.............................................................Rich...........

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x14000c540
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x66438029 [Tue May 14 15:15:53 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	2
File Version Major:	5
File Version Minor:	2
Subsystem Version Major:	5
Subsystem Version Minor:	2
Import Hash:	f4f2e2b03fe5666a721620fcea3aea9b

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F43BCCC8B0Ch
dec eax
add esp, 28h
jmp 00007F43BCCC872Fh
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
dec eax
sub esp, 28h
call 00007F43BCCC9084h
test eax, eax
je 00007F43BCCC88D3h
dec eax
mov eax, dword ptr [00000030h]
dec eax
mov ecx, dword ptr [eax+08h]
jmp 00007F43BCCC88B7h
dec eax
cmp ecx, eax
je 00007F43BCCC88C6h
xor eax, eax
dec eax
cmpxchg dword ptr [00034FACh], ecx
jne 00007F43BCCC88A0h
xor al, al
dec eax
add esp, 28h
ret
mov al, 01h
jmp 00007F43BCCC88A9h
int3
int3
int3
dec eax
sub esp, 28h
test ecx, ecx
jne 00007F43BCCC88B9h
mov byte ptr [00034F95h], 00000001h
call 00007F43BCCC8E91h
call 00007F43BCCC9498h
test al, al
jne 00007F43BCCC88B6h
xor al, al
jmp 00007F43BCCC88C6h
call 00007F43BCCD742Fh
test al, al
jne 00007F43BCCC88BBh
xor ecx, ecx
call 00007F43BCCC94A8h
jmp 00007F43BCCC889Ch
mov al, 01h
dec eax
add esp, 28h
ret
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
cmp byte ptr [00034F5Ch], 00000000h
mov ebx, ecx
jne 00007F43BCCC8919h
cmp ecx, 01h
jnbe 00007F43BCCC891Ch
call 00007F43BCCC8FFAh
test eax, eax
je 00007F43BCCC88DAh
test ebx, ebx
jne 00007F43BCCC88D6h
dec eax
lea ecx, dword ptr [00034F46h]
call 00007F43BCCD7222h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3e0bc	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x47000	0x568	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x43000	0x231c	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x48000	0x758	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x3b460	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x3b320	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2c000	0x438	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2afb0	0x2b000	40bf1edebd1304ce1b08c50cb556d4db	False	0.5458416606104651	data	6.5002315273868	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2c000	0x12f36	0x13000	7a96e255248c804335f945bda41cfe3a	False	0.5160747327302632	data	5.827936865401172	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3f000	0x33b8	0xe00	ae0f42b168987b17129506ccc4960b21	False	0.13392857142857142	firmware 32a2 vdf2d (revision 2569732096) \377\377\377\377 , version 256.0.512, 0 bytes or less, at 0xcd5d20d2 1725235199 bytes , at 0 0 bytes , at 0xffffffff 16777216 bytes	1.8264700601019173	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x43000	0x231c	0x2400	ffc5390666982cab67e3c9bf8e263bc3	False	0.4784071180555556	data	5.382434020909434	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
_RDATA	0x46000	0x1f4	0x200	771f0b097891d31289bb68f0eb426e66	False	0.529296875	data	3.713242247775091	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x47000	0x568	0x600	1f909f1505d4aac403fc692b4e3c4933	False	0.4375	data	5.515698942150982	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x48000	0x758	0x800	7ecf18b15822e1aa4c79b9a361f07c79	False	0.546875	data	5.250941834312499	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x47058	0x50d	XML 1.0 document, ASCII text			0.4694508894044857

Imports

DLL	Import
USER32.dll	CreateWindowExW, PostMessageW, GetMessageW, MessageBoxW, MessageBoxA, SystemParametersInfoW, DestroyIcon, SetWindowLongPtrW, GetWindowLongPtrW, GetClientRect, InvalidateRect, ReleaseDC, GetDC, DrawTextW, GetDialogBaseUnits, EndDialog, DialogBoxIndirectParamW, MoveWindow, SendMessageW
COMCTL32.dll
KERNEL32.dll	IsValidCodePage, GetStringTypeW, GetFileAttributesExW, HeapReAlloc, FlushFileBuffers, GetCurrentDirectoryW, GetACP, GetOEMCP, GetModuleHandleW, MulDiv, GetLastError, SetDllDirectoryW, CreateFileW, GetFinalPathNameByHandleW, CloseHandle, GetModuleFileNameW, CreateSymbolicLinkW, GetCPInfo, GetCommandLineW, GetEnvironmentVariableW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, CreateDirectoryW, GetTempPathW, WaitForSingleObject, Sleep, GetExitCodeProcess, CreateProcessW, GetStartupInfoW, FreeLibrary, LoadLibraryExW, SetConsoleCtrlHandler, FindClose, FindFirstFileExW, GetCurrentProcess, LocalFree, FormatMessageW, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetProcessHeap, GetTimeZoneInformation, HeapSize, WriteConsoleW, SetEndOfFile, GetProcAddress, GetSystemTimeAsFileTime, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, InitializeSListHead, IsDebuggerPresent, RtlUnwindEx, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, RaiseException, RtlPcToFileHeader, GetCommandLineA, GetDriveTypeW, GetFileInformationByHandle, GetFileType, PeekNamedPipe, SystemTimeToTzSpecificLocalTime, FileTimeToSystemTime, GetFullPathNameW, RemoveDirectoryW, FindNextFileW, SetStdHandle, DeleteFileW, ReadFile, GetStdHandle, WriteFile, ExitProcess, GetModuleHandleExW, HeapFree, GetConsoleMode, ReadConsoleW, SetFilePointerEx, GetConsoleOutputCP, GetFileSizeEx, HeapAlloc, FlsAlloc, FlsGetValue, FlsSetValue, FlsFree, CompareStringW, LCMapStringW
ADVAPI32.dll	OpenProcessToken, GetTokenInformation, ConvertStringSecurityDescriptorToSecurityDescriptorW, ConvertSidToStringSidW
GDI32.dll	SelectObject, DeleteObject, CreateFontIndirectW

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 15, 2024 02:24:57.082135916 CEST	49731	443	192.168.2.4	172.67.74.152
May 15, 2024 02:24:57.082165956 CEST	443	49731	172.67.74.152	192.168.2.4
May 15, 2024 02:24:57.084391117 CEST	49731	443	192.168.2.4	172.67.74.152
May 15, 2024 02:24:57.096703053 CEST	49731	443	192.168.2.4	172.67.74.152
May 15, 2024 02:24:57.096719980 CEST	443	49731	172.67.74.152	192.168.2.4
May 15, 2024 02:24:57.327374935 CEST	443	49731	172.67.74.152	192.168.2.4
May 15, 2024 02:24:57.327717066 CEST	49731	443	192.168.2.4	172.67.74.152
May 15, 2024 02:24:57.327735901 CEST	443	49731	172.67.74.152	192.168.2.4
May 15, 2024 02:24:57.328915119 CEST	443	49731	172.67.74.152	192.168.2.4
May 15, 2024 02:24:57.328969955 CEST	49731	443	192.168.2.4	172.67.74.152
May 15, 2024 02:24:57.329458952 CEST	49731	443	192.168.2.4	172.67.74.152
May 15, 2024 02:24:57.329596996 CEST	49731	443	192.168.2.4	172.67.74.152
May 15, 2024 02:24:57.329598904 CEST	443	49731	172.67.74.152	192.168.2.4
May 15, 2024 02:24:57.329644918 CEST	49731	443	192.168.2.4	172.67.74.152

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 15, 2024 02:24:56.964124918 CEST	59436	53	192.168.2.4	1.1.1.1
May 15, 2024 02:24:57.074465990 CEST	53	59436	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
May 15, 2024 02:24:56.964124918 CEST	192.168.2.4	1.1.1.1	0x6327	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
May 15, 2024 02:24:57.074465990 CEST	1.1.1.1	192.168.2.4	0x6327	No error (0)	api.ipify.org	172.67.74.152	A (IP address)	IN (0x0001)	false
May 15, 2024 02:24:57.074465990 CEST	1.1.1.1	192.168.2.4	0x6327	No error (0)	api.ipify.org	104.26.13.205	A (IP address)	IN (0x0001)	false
May 15, 2024 02:24:57.074465990 CEST	1.1.1.1	192.168.2.4	0x6327	No error (0)	api.ipify.org	104.26.12.205	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	02:24:52
Start date:	15/05/2024
Path:	C:\Users\user\Desktop\Colby Dupe Script.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Colby Dupe Script.exe"
Imagebase:	0x7ff698ee0000
File size:	27'886'092 bytes
MD5 hash:	67BD09879E6FE66763074091F57F3150
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	02:24:54
Start date:	15/05/2024
Path:	C:\Users\user\Desktop\Colby Dupe Script.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Colby Dupe Script.exe"
Imagebase:	0x7ff698ee0000
File size:	27'886'092 bytes
MD5 hash:	67BD09879E6FE66763074091F57F3150
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000003.1711175421.0000012E33430000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_LunaLogger, Description: Yara detected Luna Logger, Source: 00000001.00000003.1711175421.0000012E33430000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000003.1706757137.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_LunaLogger, Description: Yara detected Luna Logger, Source: 00000001.00000003.1706757137.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000003.1715762119.0000012E33431000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_LunaLogger, Description: Yara detected Luna Logger, Source: 00000001.00000003.1715762119.0000012E33431000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000003.1704964886.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_LunaLogger, Description: Yara detected Luna Logger, Source: 00000001.00000003.1704964886.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000003.1707046871.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_LunaLogger, Description: Yara detected Luna Logger, Source: 00000001.00000003.1707046871.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000003.1706862797.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_LunaLogger, Description: Yara detected Luna Logger, Source: 00000001.00000003.1706862797.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000003.1706447898.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_LunaLogger, Description: Yara detected Luna Logger, Source: 00000001.00000003.1706447898.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000003.1708877182.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_LunaLogger, Description: Yara detected Luna Logger, Source: 00000001.00000003.1708877182.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.1720480190.0000012E33431000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_LunaLogger, Description: Yara detected Luna Logger, Source: 00000001.00000002.1720480190.0000012E33431000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000003.1709214739.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_LunaLogger, Description: Yara detected Luna Logger, Source: 00000001.00000003.1709214739.0000012E33412000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.1724839216.0000012E34540000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_LunaLogger, Description: Yara detected Luna Logger, Source: 00000001.00000002.1724839216.0000012E34540000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000003.1709585773.0000012E3341D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_LunaLogger, Description: Yara detected Luna Logger, Source: 00000001.00000003.1709585773.0000012E3341D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	02:24:54
Start date:	15/05/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "ver"
Imagebase:	0x7ff6a4180000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	02:24:54
Start date:	15/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	11.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	23%
Total number of Nodes:	2000
Total number of Limit Nodes:	75

Executed Functions

Function 00007FF698EE1000 Relevance: 21.3, APIs: 5, Strings: 7, Instructions: 293
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF698EE3F00: GetModuleFileNameW.KERNEL32(?,00007FF698EE39CA), ref: 00007FF698EE3F34

SetDllDirectoryW.KERNEL32 ref: 00007FF698EE3BD5
PostMessageW.USER32 ref: 00007FF698EE3CC3
GetMessageW.USER32 ref: 00007FF698EE3CD6
PostMessageW.USER32 ref: 00007FF698EE3D61
GetMessageW.USER32 ref: 00007FF698EE3D74

Part of subcall function 00007FF698EE7D70: GetEnvironmentVariableW.KERNEL32(00007FF698EE39FF), ref: 00007FF698EE7DAA
Part of subcall function 00007FF698EE7D70: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF698EE7DC7

Strings

_MEIPASS2, xrefs: 00007FF698EE39EB, 00007FF698EE3A54, 00007FF698EE3D32, 00007FF698EE3D3E
Cannot open PyInstaller archive from executable (%s) or external archive (%s), xrefs: 00007FF698EE3AA6
MEI, xrefs: 00007FF698EE3ADA
Failed to initialize security descriptor for temporary directory!, xrefs: 00007FF698EE3B53
Failed to convert DLL search path!, xrefs: 00007FF698EE3BC5
Cannot side-load external archive %s (code %d)!, xrefs: 00007FF698EE3B1F
_PYI_ONEDIR_MODE, xrefs: 00007FF698EE3A14, 00007FF698EE3A3F

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID: Message$EnvironmentPost$DirectoryExpandFileModuleNameStringsVariable
String ID: Cannot open PyInstaller archive from executable (%s) or external archive (%s)$Cannot side-load external archive %s (code %d)!$Failed to convert DLL search path!$Failed to initialize security descriptor for temporary directory!$MEI$_MEIPASS2$_PYI_ONEDIR_MODE
API String ID: 2647325126-1544818733
Opcode ID: 7e818fdf10d144ebf1a2c27805d4b093fd68b8386923d87f4e33e82801278a2a
Instruction ID: 898c3329715b69f9a5a5ea30610a6874fac5ecdc68dfb4bc7f281172baa81bcf
Opcode Fuzzy Hash: 7e818fdf10d144ebf1a2c27805d4b093fd68b8386923d87f4e33e82801278a2a
Instruction Fuzzy Hash: 58C18121B0CA4695EA35EB31A4712BE6291FF94784FC041B5EA4EC7697DF3CE905C708

Function 00007FF698F06B50 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 334
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_get_daylight.LIBCMT ref: 00007FF698F06B95

Part of subcall function 00007FF698F064E8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF698F064FC

Part of subcall function 00007FF698EFB700: RtlRestoreThreadPreferredUILanguages.NTDLL(?,?,?,00007FF698F03B72,?,?,?,00007FF698F03BAF,?,?,00000000,00007FF698F04075,?,?,00000000,00007FF698F03FA7), ref: 00007FF698EFB716
Part of subcall function 00007FF698EFB700: GetLastError.KERNEL32(?,?,?,00007FF698F03B72,?,?,?,00007FF698F03BAF,?,?,00000000,00007FF698F04075,?,?,00000000,00007FF698F03FA7), ref: 00007FF698EFB720

Part of subcall function 00007FF698EFB6B8: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF698EFB697,?,?,?,?,?,00007FF698EF38BC), ref: 00007FF698EFB6C1
Part of subcall function 00007FF698EFB6B8: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF698EFB697,?,?,?,?,?,00007FF698EF38BC), ref: 00007FF698EFB6E6

_get_daylight.LIBCMT ref: 00007FF698F06B84

Part of subcall function 00007FF698F06548: _invalid_parameter_noinfo.LIBCMT ref: 00007FF698F0655C

_get_daylight.LIBCMT ref: 00007FF698F06DFA
_get_daylight.LIBCMT ref: 00007FF698F06E0B
_get_daylight.LIBCMT ref: 00007FF698F06E1C
GetTimeZoneInformation.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000,?,00007FF698F0705C), ref: 00007FF698F06E43

Strings

W. Europe Standard Time, xrefs: 00007FF698F06EE9
W. Europe Summer Time, xrefs: 00007FF698F06F01

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureInformationLanguagesLastPreferredPresentProcessProcessorRestoreThreadTimeZone
String ID: W. Europe Standard Time$W. Europe Summer Time
API String ID: 1458651798-690618308
Opcode ID: 011d4974f3e124412289dc327b2b40947a146d65b03f6d5f747eb19bebd0a963
Instruction ID: 7d8243830a05fedea73d249ddf59e1a24a6596b6af1dc6bb1526b984b71c0aa7
Opcode Fuzzy Hash: 011d4974f3e124412289dc327b2b40947a146d65b03f6d5f747eb19bebd0a963
Instruction Fuzzy Hash: 0BD1BE76A08B528AEB30AF31D8501B96761EF84BD4FC4A1B5EA4DC7AC5DF3CE4418748

Function 00007FF698F07A9C Relevance: 13.8, APIs: 9, Instructions: 276
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF698F077D0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF698F07811
Part of subcall function 00007FF698F077D0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF698F0788F
Part of subcall function 00007FF698F077D0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF698F078E0

CreateFileW.KERNELBASE ref: 00007FF698F07BA2
CreateFileW.KERNEL32 ref: 00007FF698F07BF2
GetLastError.KERNEL32 ref: 00007FF698F07C22
GetFileType.KERNELBASE ref: 00007FF698F07C37
GetLastError.KERNEL32 ref: 00007FF698F07C41
CloseHandle.KERNEL32 ref: 00007FF698F07C74
CloseHandle.KERNEL32 ref: 00007FF698F07DD7
CreateFileW.KERNEL32 ref: 00007FF698F07E0C
GetLastError.KERNEL32 ref: 00007FF698F07E1B

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
String ID:
API String ID: 1617910340-0
Opcode ID: 8482aad9305a30c551bfc572177b6762c68ebfb4afe3bdfce811c5be068ed5ba
Instruction ID: 46398c913e90ff35207547463af1165b14da97a8359c5609c66541f6e6f5db68
Opcode Fuzzy Hash: 8482aad9305a30c551bfc572177b6762c68ebfb4afe3bdfce811c5be068ed5ba
Instruction Fuzzy Hash: 8FC1CE36B28A4689EB20CF74D4906BC3761EB58BD8B9162A5DA1FDB3D4CF39E451C304

Function 00007FF698EE7B60 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 141
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathW.KERNEL32(00000000,?,00000000,00000000,?,00007FF698EE153F), ref: 00007FF698EE7BF7

Part of subcall function 00007FF698EE7D70: GetEnvironmentVariableW.KERNEL32(00007FF698EE39FF), ref: 00007FF698EE7DAA
Part of subcall function 00007FF698EE7D70: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF698EE7DC7

Part of subcall function 00007FF698EF8610: _invalid_parameter_noinfo.LIBCMT ref: 00007FF698EF8629

SetEnvironmentVariableW.KERNEL32 ref: 00007FF698EE7CB1

Part of subcall function 00007FF698EE2B10: MessageBoxW.USER32 ref: 00007FF698EE2BE5

Strings

LOADER: Failed to set the TMP environment variable., xrefs: 00007FF698EE7BDA
TMP, xrefs: 00007FF698EE7BC0
_MEI%d, xrefs: 00007FF698EE7C05
TMP, xrefs: 00007FF698EE7B9A, 00007FF698EE7C59, 00007FF698EE7CE7

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID: Environment$Variable$ExpandMessagePathStringsTemp_invalid_parameter_noinfo
String ID: LOADER: Failed to set the TMP environment variable.$TMP$TMP$_MEI%d
API String ID: 3752271684-1116378104
Opcode ID: 26c14f5d2d519ab3f82a273994a24441e39aec3c57247172eafc601634a0f726
Instruction ID: 0cb167a2975fd5176a96af056dd84e05f9603e000882ed03276318ed2849d819
Opcode Fuzzy Hash: 26c14f5d2d519ab3f82a273994a24441e39aec3c57247172eafc601634a0f726
Instruction Fuzzy Hash: C6515C21B0965741FA34AB32A9252BA5245DF99BC0FC854B1ED4ECB7D7ED3CE401930C

Function 00007FF698F06DCC Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 143
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_get_daylight.LIBCMT ref: 00007FF698F06DFA

Part of subcall function 00007FF698F06548: _invalid_parameter_noinfo.LIBCMT ref: 00007FF698F0655C

_get_daylight.LIBCMT ref: 00007FF698F06E0B

Part of subcall function 00007FF698F064E8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF698F064FC

_get_daylight.LIBCMT ref: 00007FF698F06E1C

Part of subcall function 00007FF698F06518: _invalid_parameter_noinfo.LIBCMT ref: 00007FF698F0652C

Part of subcall function 00007FF698EFB700: RtlRestoreThreadPreferredUILanguages.NTDLL(?,?,?,00007FF698F03B72,?,?,?,00007FF698F03BAF,?,?,00000000,00007FF698F04075,?,?,00000000,00007FF698F03FA7), ref: 00007FF698EFB716
Part of subcall function 00007FF698EFB700: GetLastError.KERNEL32(?,?,?,00007FF698F03B72,?,?,?,00007FF698F03BAF,?,?,00000000,00007FF698F04075,?,?,00000000,00007FF698F03FA7), ref: 00007FF698EFB720

GetTimeZoneInformation.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000,?,00007FF698F0705C), ref: 00007FF698F06E43

Strings

W. Europe Standard Time, xrefs: 00007FF698F06EE9
W. Europe Summer Time, xrefs: 00007FF698F06F01

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID: _get_daylight_invalid_parameter_noinfo$ErrorInformationLanguagesLastPreferredRestoreThreadTimeZone
String ID: W. Europe Standard Time$W. Europe Summer Time
API String ID: 2248164782-690618308
Opcode ID: 3ce9ff365909c35cfda0cd92fd9b5c2b6ab9c6a7c0cfccc6144e1dd1acbf6dd4
Instruction ID: 63771072bbd06c7a03345364d8c8ddb66ae9fd3a3923d687863c37f15a8c71f9
Opcode Fuzzy Hash: 3ce9ff365909c35cfda0cd92fd9b5c2b6ab9c6a7c0cfccc6144e1dd1acbf6dd4
Instruction Fuzzy Hash: 12516F32A187428AE730DF31E8911B9A760FB487C4FC461B5EA5DC7A96DF3CE4418758

Function 00007FF698EE8D00 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNELBASE ref: 00007FF698EE8D31
FindClose.KERNELBASE ref: 00007FF698EE8D40

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: ecdf086f063d1ff4b022191a002e9e17b8509f6d6c47db3a09a7631b022981ea
Instruction ID: ab4a604d109df968d04f9554d38617508d9c838115a717fbf823ea2ba6fc93f0
Opcode Fuzzy Hash: ecdf086f063d1ff4b022191a002e9e17b8509f6d6c47db3a09a7631b022981ea
Instruction Fuzzy Hash: 0CF08132A186858AEBB08F70F4987667350EB44764F840676D6AD466E5DF3CD0088B04

Function 00007FF698F01720 Relevance: 2.0, APIs: 1, Instructions: 461COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID: CurrentFeaturePresentProcessProcessor
String ID:
API String ID: 1010374628-0
Opcode ID: b07a4aa98c3ea62428db7ff75e9c78d2acc70f0ed8e8990dbcc6d64e325556f5
Instruction ID: 40a45768dec7b2f2742ddd94a6fb71e1e9b8973ad48da7fd8c96bdcce258fd7b
Opcode Fuzzy Hash: b07a4aa98c3ea62428db7ff75e9c78d2acc70f0ed8e8990dbcc6d64e325556f5
Instruction Fuzzy Hash: E0028B31E1E68A44FA74AF31A4102792694EF52BE0FD466B5DD5DC73D2EE3CA482930C

Function 00007FF698EE1700 Relevance: 24.6, APIs: 1, Strings: 13, Instructions: 148
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to extract %s: failed to open target file!, xrefs: 00007FF698EE1780
pyi_arch_extract2fs was called before temporary directory was initialized!, xrefs: 00007FF698EE1716
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF698EE17F6
Failed to extract %s: failed to allocate temporary buffer!, xrefs: 00007FF698EE1856
Failed to extract %s: failed to open archive file!, xrefs: 00007FF698EE17C9
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF698EE18E5
malloc, xrefs: 00007FF698EE185D
fread, xrefs: 00007FF698EE18EC
fwrite, xrefs: 00007FF698EE18DC
fseek, xrefs: 00007FF698EE17FD
fopen, xrefs: 00007FF698EE1787
Failed to create symbolic link %s!, xrefs: 00007FF698EE1743
Failed to extract %s: failed to write data chunk!, xrefs: 00007FF698EE18D5

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID: Message
String ID: Failed to create symbolic link %s!$Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc$pyi_arch_extract2fs was called before temporary directory was initialized!
API String ID: 2030045667-3833288071
Opcode ID: b1d00c3954f2c13fa2643aa237036c27d4f55f603d17907fb94cf2a77ef172c7
Instruction ID: f02d678291d3fcf555c0e0284f78d90048d1a508c3ad83ac38541a5b8b05bbd3
Opcode Fuzzy Hash: b1d00c3954f2c13fa2643aa237036c27d4f55f603d17907fb94cf2a77ef172c7
Instruction Fuzzy Hash: 35518B61B0864286EB309B35E8602B96391FF45BD5FC440B1EE4DC7696EF7CE684D308

Function 00007FF698EE1A90 Relevance: 19.4, APIs: 2, Strings: 9, Instructions: 135
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF698EE84C0: _fread_nolock.LIBCMT ref: 00007FF698EE856A

_fread_nolock.LIBCMT ref: 00007FF698EE1B44

Part of subcall function 00007FF698EE2870: MessageBoxW.USER32 ref: 00007FF698EE297B

Strings

fread, xrefs: 00007FF698EE1B56, 00007FF698EE1C00
MEI, xrefs: 00007FF698EE1AD2
Failed to seek to cookie position!, xrefs: 00007FF698EE1B1C
Could not read full TOC!, xrefs: 00007FF698EE1BF9
fseek, xrefs: 00007FF698EE1B23
Could not allocate buffer for TOC!, xrefs: 00007FF698EE1BC6
Failed to read cookie!, xrefs: 00007FF698EE1B4F
Error on file., xrefs: 00007FF698EE1C26
malloc, xrefs: 00007FF698EE1BCD

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID: _fread_nolock$Message
String ID: Could not allocate buffer for TOC!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$fread$fseek$malloc
API String ID: 677216364-1384898525
Opcode ID: 310852eaf13cf17407021eeddddfe5748f0126c135f8f8dbff28962d08b7d14d
Instruction ID: fa34e26f9be4e56ca191bb83e31e525ffc1da8b126581734f1b1885cd790cda7
Opcode Fuzzy Hash: 310852eaf13cf17407021eeddddfe5748f0126c135f8f8dbff28962d08b7d14d
Instruction Fuzzy Hash: 25516B71A0964286EB38DF38E4A017833A0EF48B85BD581B6DA0DC7796DE3CE840C74C

Function 00007FF698EE8290 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 90
processsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF698EE8DE0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF698EE2A9B), ref: 00007FF698EE8E1A

SetConsoleCtrlHandler.KERNEL32(00000000,00007FF698EE3D8D), ref: 00007FF698EE82DF
GetStartupInfoW.KERNEL32 ref: 00007FF698EE82FE

Part of subcall function 00007FF698EFB234: _invalid_parameter_noinfo.LIBCMT ref: 00007FF698EFB248

Part of subcall function 00007FF698EF8E54: _invalid_parameter_noinfo.LIBCMT ref: 00007FF698EF8EBB

GetCommandLineW.KERNEL32 ref: 00007FF698EE839E
CreateProcessW.KERNELBASE ref: 00007FF698EE83E0
WaitForSingleObject.KERNEL32 ref: 00007FF698EE83F4
GetExitCodeProcess.KERNELBASE ref: 00007FF698EE8404

Strings

CreateProcessW, xrefs: 00007FF698EE8417
Error creating child process!, xrefs: 00007FF698EE8410

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID: Process_invalid_parameter_noinfo$ByteCharCodeCommandConsoleCreateCtrlExitHandlerInfoLineMultiObjectSingleStartupWaitWide
String ID: CreateProcessW$Error creating child process!
API String ID: 2895956056-3524285272
Opcode ID: b7abaf37a347f063a3628d3e0586489636cc93df3d8b7db5f5a9dd5ff1266243
Instruction ID: 7887cc6eccdbe386a1baaa1c8b3a31bfdcc65ac3d189f8be861a3d707c098356
Opcode Fuzzy Hash: b7abaf37a347f063a3628d3e0586489636cc93df3d8b7db5f5a9dd5ff1266243
Instruction Fuzzy Hash: BB414632A0878285DA309B74F4552AAB390FF947A4F900775E6AD87BD5DF7CD054CB04

Function 00007FF698EE1050 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 154
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to extract %s: failed to allocate temporary output buffer!, xrefs: 00007FF698EE111F
Failed to extract %s: decompression resulted in return code %d!, xrefs: 00007FF698EE1249
Failed to extract %s: failed to allocate temporary input buffer!, xrefs: 00007FF698EE10F1
1.3.1, xrefs: 00007FF698EE107E
Failed to extract %s: inflateInit() failed with return code %d!, xrefs: 00007FF698EE10B4
malloc, xrefs: 00007FF698EE10F8, 00007FF698EE1126

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID: Message
String ID: 1.3.1$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
API String ID: 2030045667-2813020118
Opcode ID: 31fe241a8b15a525b43ee0d367c6a1aae85d9a9d8a6ec3eab0b03c1893c49f29
Instruction ID: 15346aca38c77929a28809479f0d886917bc7283a198c39968e28d658c027144
Opcode Fuzzy Hash: 31fe241a8b15a525b43ee0d367c6a1aae85d9a9d8a6ec3eab0b03c1893c49f29
Instruction Fuzzy Hash: 7351CF32A0968285EB309B21E8603BA6291FB84794FC441B5EE4DC77D6EF3CE585D708

Function 00007FF698EFF9C0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(?,?,?,00007FF698EFFD5A,?,?,-00000018,00007FF698EFBB0B,?,?,?,00007FF698EFBA02,?,?,?,00007FF698EF698E), ref: 00007FF698EFFB3C
GetProcAddress.KERNEL32(?,?,?,00007FF698EFFD5A,?,?,-00000018,00007FF698EFBB0B,?,?,?,00007FF698EFBA02,?,?,?,00007FF698EF698E), ref: 00007FF698EFFB48

Strings

ext-ms-, xrefs: 00007FF698EFFA99
api-ms-, xrefs: 00007FF698EFFA86

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 92e1c6cccb7ec25b4476ca22e51d2624e921c13e1215ab17a1d429f3080250c2
Instruction ID: 2ac2e717d16d30debc4ea12df36ea65c69329deccf4dc7fcbb6370b0c8916cd0
Opcode Fuzzy Hash: 92e1c6cccb7ec25b4476ca22e51d2624e921c13e1215ab17a1d429f3080250c2
Instruction Fuzzy Hash: 4C41EF72B19A0281FA36CB36B8205B52396FF59BE0F8955B5DD0DC7784EE3CE4459308

Function 00007FF698EFC80C Relevance: 10.8, APIs: 7, Instructions: 290
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF698EFCC39

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: a6b3ac16ea139d0eba2342f9c6540c26576aaa7a7e0ca2cda94d9f3d90bbf969
Instruction ID: dddbb025b7a739793585647e16098b11f4b1b02ba7eab343c639e890ba726557
Opcode Fuzzy Hash: a6b3ac16ea139d0eba2342f9c6540c26576aaa7a7e0ca2cda94d9f3d90bbf969
Instruction Fuzzy Hash: ABC1C532A0CA9791E671DB35A4602BD3B55FBA0BC0FE541B1DA4E87391DE7CE845E308

Function 00007FF698EE8860 Relevance: 10.6, APIs: 7, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF698EE8880
OpenProcessToken.ADVAPI32 ref: 00007FF698EE8891
GetTokenInformation.KERNELBASE ref: 00007FF698EE88B6
GetLastError.KERNEL32 ref: 00007FF698EE88C0
GetTokenInformation.KERNELBASE ref: 00007FF698EE8900
ConvertSidToStringSidW.ADVAPI32 ref: 00007FF698EE891C
CloseHandle.KERNEL32 ref: 00007FF698EE8934

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID: Token$InformationProcess$CloseConvertCurrentErrorHandleLastOpenString
String ID:
API String ID: 995526605-0
Opcode ID: 0a78fddd52e4a4b47c0abd3b9ff92470e3f80b7b026c685fad37238cb9e723cb
Instruction ID: 6f8e47f76731acc35396c2b3753c6e1fbe5d58b869657ec76a2819df367eb94c
Opcode Fuzzy Hash: 0a78fddd52e4a4b47c0abd3b9ff92470e3f80b7b026c685fad37238cb9e723cb
Instruction Fuzzy Hash: 1B216531A0CA4686EB209F75F45013AA3A0EF857A0F904275DAADC3BE5DF7DE454C704

Function 00007FF698EE8B80 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF698EE8860: GetCurrentProcess.KERNEL32 ref: 00007FF698EE8880
Part of subcall function 00007FF698EE8860: OpenProcessToken.ADVAPI32 ref: 00007FF698EE8891
Part of subcall function 00007FF698EE8860: GetTokenInformation.KERNELBASE ref: 00007FF698EE88B6
Part of subcall function 00007FF698EE8860: GetLastError.KERNEL32 ref: 00007FF698EE88C0
Part of subcall function 00007FF698EE8860: GetTokenInformation.KERNELBASE ref: 00007FF698EE8900
Part of subcall function 00007FF698EE8860: ConvertSidToStringSidW.ADVAPI32 ref: 00007FF698EE891C
Part of subcall function 00007FF698EE8860: CloseHandle.KERNEL32 ref: 00007FF698EE8934

LocalFree.KERNEL32(00000000,00007FF698EE3B4E), ref: 00007FF698EE8C0C
LocalFree.KERNEL32 ref: 00007FF698EE8C15

Strings

S-1-3-4, xrefs: 00007FF698EE8BC1
D:(A;;FA;;;%s)(A;;FA;;;%s), xrefs: 00007FF698EE8BE2
Security descriptor string length exceeds PATH_MAX!, xrefs: 00007FF698EE8C23
D:(A;;FA;;;%s), xrefs: 00007FF698EE8BF7

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID: Token$FreeInformationLocalProcess$CloseConvertCurrentErrorHandleLastOpenString
String ID: D:(A;;FA;;;%s)$D:(A;;FA;;;%s)(A;;FA;;;%s)$S-1-3-4$Security descriptor string length exceeds PATH_MAX!
API String ID: 6828938-1817031585
Opcode ID: b6111afcc3eeb0b408ea35522252114c0c7814765020da058c7306c730e1b11f
Instruction ID: 374e7e43f899cfc7db31c379dcac05a92ff4b993d8840096d7814337bdc13cae
Opcode Fuzzy Hash: b6111afcc3eeb0b408ea35522252114c0c7814765020da058c7306c730e1b11f
Instruction Fuzzy Hash: 23215E32A1868A85F6309B30F8256F96260EF48780FC415B2E94DD3797DE3CE5058748

Function 00007FF698EE3F00 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(?,00007FF698EE39CA), ref: 00007FF698EE3F34

Part of subcall function 00007FF698EE29C0: GetLastError.KERNEL32(00000000,00000000,00000000,00007FF698EE8AF2,?,?,?,?,?,?,?,?,?,?,?,00007FF698EE101D), ref: 00007FF698EE29F4
Part of subcall function 00007FF698EE29C0: MessageBoxW.USER32 ref: 00007FF698EE2AD0

Strings

Failed to convert executable path to UTF-8., xrefs: 00007FF698EE3F70
GetModuleFileNameW, xrefs: 00007FF698EE3F45
Failed to get executable path., xrefs: 00007FF698EE3F3E

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID: ErrorFileLastMessageModuleName
String ID: Failed to convert executable path to UTF-8.$Failed to get executable path.$GetModuleFileNameW
API String ID: 2581892565-1977442011
Opcode ID: 7ef307d93855c796adb502a26685baad3249a75f128fd8c4618b636fbd62cd4f
Instruction ID: cc0eb11f490d7bd4962ff752512ee1486d8db7bacd7589c399883ed59936cd1c
Opcode Fuzzy Hash: 7ef307d93855c796adb502a26685baad3249a75f128fd8c4618b636fbd62cd4f
Instruction Fuzzy Hash: EB115E21B1C54345FA319B31E8213FA5264EF487C5FC014B6E84EC769AEE3CE644C708

Function 00007FF698EFDD10 Relevance: 6.2, APIs: 4, Instructions: 218COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,00000000,00007FF698EFDCFB), ref: 00007FF698EFDE2C
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,00000000,00007FF698EFDCFB), ref: 00007FF698EFDEB7

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: e5bc4118b78d7803f2849d3b40dbb6165d02ed41efd1a206ffcb3739746c0941
Instruction ID: 2998d0b0efe9b65e8dcc6814d818eb37cfcf137c253e891b34e88dc38430ae70
Opcode Fuzzy Hash: e5bc4118b78d7803f2849d3b40dbb6165d02ed41efd1a206ffcb3739746c0941
Instruction Fuzzy Hash: C891C232F1865285F7709F35A4506BD2BA1FB64B88F9441B9DE0E97A84CF38E441D708

Function 00007FF698F004DC Relevance: 6.2, APIs: 4, Instructions: 162COMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF698F005CC
_get_daylight.LIBCMT ref: 00007FF698F005DD
_get_daylight.LIBCMT ref: 00007FF698F005EE
_isindst.LIBCMT ref: 00007FF698F006B9

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID: _get_daylight$_isindst
String ID:
API String ID: 4170891091-0
Opcode ID: a806384fd3dbc637569f566945d79e9d0f9a49a7dde5cce1babac435a7d8ed95
Instruction ID: 656006e2405775b3620b4b16a3c21311575e2855426cef2e2f92a7fa2ed24751
Opcode Fuzzy Hash: a806384fd3dbc637569f566945d79e9d0f9a49a7dde5cce1babac435a7d8ed95
Instruction Fuzzy Hash: 3751E273F056118AEB34CF349955ABC2662EB90398F902175ED1ED3AE5EF38A4428704

Function 00007FF698EF6044 Relevance: 6.1, APIs: 4, Instructions: 119pipeCOMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE ref: 00007FF698EF6077
GetFileInformationByHandle.KERNELBASE ref: 00007FF698EF60D9
GetLastError.KERNEL32 ref: 00007FF698EF616A
PeekNamedPipe.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,?,00007FF698EF5F7C), ref: 00007FF698EF61B6

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID: File$ErrorHandleInformationLastNamedPeekPipeType
String ID:
API String ID: 2780335769-0
Opcode ID: bf9e299d8a19087a057b397dc8e4afdf64a098b67ef913149ee4b49067ca2483
Instruction ID: 265ef130fb041e058aa8c3471c23531044eba5da17966d7ca0da8b038f1393ad
Opcode Fuzzy Hash: bf9e299d8a19087a057b397dc8e4afdf64a098b67ef913149ee4b49067ca2483
Instruction Fuzzy Hash: A3519122E086418AF720DFB0E9603BD33B1EF64B98F509575EE0D8769ADF38D5449748

Function 00007FF698EF5EF0 Relevance: 6.1, APIs: 4, Instructions: 90fileCOMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF698EF5F1D
CreateFileW.KERNELBASE ref: 00007FF698EF5F5C
CloseHandle.KERNEL32 ref: 00007FF698EF5F91

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID: CloseCreateFileHandle_invalid_parameter_noinfo
String ID:
API String ID: 1279662727-0
Opcode ID: 83590a85ef91dfeaaf5391bcb7c84269641a6271a066e8b030d9dbe54c1e2ad9
Instruction ID: 1a838a03b15c29cc154825c9d886dcb59d6ab6642d8bf967f15f665e1a5c5187
Opcode Fuzzy Hash: 83590a85ef91dfeaaf5391bcb7c84269641a6271a066e8b030d9dbe54c1e2ad9
Instruction Fuzzy Hash: C541A122D1C78283E7648B30A5603796760FFB57A4F509374EA9C83AD1DF7CA5E09708

Function 00007FF698EEC3CC Relevance: 4.6, APIs: 3, Instructions: 94COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF698EEC59C: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF698EEC5B0

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF698EEC3F0
__scrt_release_startup_lock.LIBCMT ref: 00007FF698EEC45E
__scrt_get_show_window_mode.LIBCMT ref: 00007FF698EEC4B1

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_release_startup_lock
String ID:
API String ID: 3251591375-0
Opcode ID: 9d2a249925c3744b7bdec991b642967cea5aa1e4eae3f82ffa02bbb969e0fbb5
Instruction ID: e31c16c133721b1e6f580c228fcb2821e4a28b01b038f54017ec6650dd574f77
Opcode Fuzzy Hash: 9d2a249925c3744b7bdec991b642967cea5aa1e4eae3f82ffa02bbb969e0fbb5
Instruction Fuzzy Hash: ED313821E2824745FA34EB74A4723B92291EF51784FC410B5EA0ECB6D7DE3CB949834C

Function 00007FF698EFA7E4 Relevance: 4.5, APIs: 3, Instructions: 14COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,00007FF698EFA7E0), ref: 00007FF698EFA7F5
TerminateProcess.KERNEL32(?,?,?,00007FF698EFA7E0), ref: 00007FF698EFA800
ExitProcess.KERNEL32 ref: 00007FF698EFA80F

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: a9ca9fd944998b9103efb0079ab816177775b60747cbceda43ee2d2e97830e0f
Instruction ID: 273347b0b4836f70b6795b1d441c1115ef2f410b15cd9f2475b1d80cc94776ed
Opcode Fuzzy Hash: a9ca9fd944998b9103efb0079ab816177775b60747cbceda43ee2d2e97830e0f
Instruction Fuzzy Hash: A2D09E20F1874246FA342F707CA95791211DF58B85F9064B8C84B8B393CD7CA44ED349

Function 00007FF698EE8D80 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 20COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE ref: 00007FF698EE8DC0

Part of subcall function 00007FF698EE2C30: MessageBoxW.USER32 ref: 00007FF698EE2D05

Strings

Security descriptor is not initialized!, xrefs: 00007FF698EE8D90

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID: CreateDirectoryMessage
String ID: Security descriptor is not initialized!
API String ID: 73271072-986317556
Opcode ID: cb4d7abd45f9f406bb8e9fa743bd3ea339ce9ab77a45f8f760c2574a3479da4c
Instruction ID: 12925406973279f532a6594a05641aea5ce0245bd885aedb08619f53c4f21d00
Opcode Fuzzy Hash: cb4d7abd45f9f406bb8e9fa743bd3ea339ce9ab77a45f8f760c2574a3479da4c
Instruction Fuzzy Hash: 83E06D72A1878A86EA609F34E8142692290FBA5394FD013B4E14CC77E4DF7CD1098B04

Function 00007FF698EF0A6C Relevance: 3.2, APIs: 2, Instructions: 177COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF698EF0AB0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF698EF0BA7

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: cf177395047abfa4e851662a110b86e3e3c378c626585af56caf23d5c147307d
Instruction ID: 1fcc6b6e72ea56b1b2dcaf03e2902da33e673ebf9eb5fb1bef09b8f39d7ac4b4
Opcode Fuzzy Hash: cf177395047abfa4e851662a110b86e3e3c378c626585af56caf23d5c147307d
Instruction Fuzzy Hash: 7451E871B0964146FA389F35B42067A6291EF64BA8F948770DE6DC77C5CF3CD800A708

Function 00007FF698EFB910 Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?,?,?,00007FF698EFB78D,?,?,00000000,00007FF698EFB842), ref: 00007FF698EFB97E
GetLastError.KERNEL32(?,?,?,00007FF698EFB78D,?,?,00000000,00007FF698EFB842), ref: 00007FF698EFB988

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID: ChangeCloseErrorFindLastNotification
String ID:
API String ID: 1687624791-0
Opcode ID: 3fd0f83af0628cda6e58ba1b17cfc613668cd8d43ebee099ac9aff2e4f27651a
Instruction ID: 60a7e6b17bb0e9b62b7fb031197b7d26337b4cd85792017fb74b2bb07cd0b2cc
Opcode Fuzzy Hash: 3fd0f83af0628cda6e58ba1b17cfc613668cd8d43ebee099ac9aff2e4f27651a
Instruction Fuzzy Hash: 0E21D865B0868341FEB05735B5A027D2681DFA4BA4FD853B5DA6EC73C2CE7CE449A308

Function 00007FF698EFCEE4 Relevance: 3.0, APIs: 2, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,?,?,00007FF698EFD07D), ref: 00007FF698EFCF30
GetLastError.KERNEL32(?,?,?,?,?,00007FF698EFD07D), ref: 00007FF698EFCF3A

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 5a688e03e61d2ba522e05303caa220c229835d3c67e189c94220df843fa187e3
Instruction ID: ff12687a55b1ef8e83ceae66213daf3de9aebd419723f236d8d22885550f01c0
Opcode Fuzzy Hash: 5a688e03e61d2ba522e05303caa220c229835d3c67e189c94220df843fa187e3
Instruction Fuzzy Hash: 0011BF62618A9181DA208B35B414069B7A1EB54BF4FA85371EA7D8B7E9CF3CD0548708

Function 00007FF698EF61EC Relevance: 3.0, APIs: 2, Instructions: 40timeCOMMON

Download Yara Rule

APIs

FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF698EF6101), ref: 00007FF698EF621F
SystemTimeToTzSpecificLocalTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF698EF6101), ref: 00007FF698EF6235

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID: Time$System$FileLocalSpecific
String ID:
API String ID: 1707611234-0
Opcode ID: 94d9743ddc59f1ec6d0c8066f19f46560215df41a9b86dc953b2c7251607b198
Instruction ID: 6b442e93934886c79553a83a35d5505b3684a8b34f6b7d61bd5313d8ce5cf6aa
Opcode Fuzzy Hash: 94d9743ddc59f1ec6d0c8066f19f46560215df41a9b86dc953b2c7251607b198
Instruction Fuzzy Hash: 1711917260C60282EB748F64B41117AB770FB947A1FD01275E69DC69E8EF3CD044DB04

Function 00007FF698EF88E0 Relevance: 3.0, APIs: 2, Instructions: 35timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF698EF875D), ref: 00007FF698EF8903
SystemTimeToTzSpecificLocalTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF698EF875D), ref: 00007FF698EF8919

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID: Time$System$FileLocalSpecific
String ID:
API String ID: 1707611234-0
Opcode ID: 4ed2e9fa1167940cfa5aca87292fc65ce3ac60374052c1fe1dcdfc496945e827
Instruction ID: 6bbda3886781e609f10ffc014452857adafe2c771e0e522555bd9ead69f9a8dd
Opcode Fuzzy Hash: 4ed2e9fa1167940cfa5aca87292fc65ce3ac60374052c1fe1dcdfc496945e827
Instruction Fuzzy Hash: F201A13250C26686E7708F24F41523AB3B1FB81B61FA01276E7AD869D8DF3CD000EB14

Function 00007FF698EFB700 Relevance: 3.0, APIs: 2, Instructions: 19threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlRestoreThreadPreferredUILanguages.NTDLL(?,?,?,00007FF698F03B72,?,?,?,00007FF698F03BAF,?,?,00000000,00007FF698F04075,?,?,00000000,00007FF698F03FA7), ref: 00007FF698EFB716
GetLastError.KERNEL32(?,?,?,00007FF698F03B72,?,?,?,00007FF698F03BAF,?,?,00000000,00007FF698F04075,?,?,00000000,00007FF698F03FA7), ref: 00007FF698EFB720

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID: ErrorLanguagesLastPreferredRestoreThread
String ID:
API String ID: 588628887-0
Opcode ID: c0904582055235206b637bb6fb630becad907d152bf6a94a3ba36ee294329771
Instruction ID: f37a6ac7d2756dc69fdc546f51668ddb4b6c5a1bdddfb4be653957e88851a7bc
Opcode Fuzzy Hash: c0904582055235206b637bb6fb630becad907d152bf6a94a3ba36ee294329771
Instruction Fuzzy Hash: 19E08C25F0D60246FF386FB268A40351651CFA8B90BC851B0CD0DCB3D1DE3CA895A318

Function 00007FF698EF8ECC Relevance: 3.0, APIs: 2, Instructions: 12fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE ref: 00007FF698EF8ED0
GetLastError.KERNEL32 ref: 00007FF698EF8EDA

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID: DeleteErrorFileLast
String ID:
API String ID: 2018770650-0
Opcode ID: b1319888d58344e1d146038dbe51c945b0a95c66f9246088a0a26429922302e0
Instruction ID: 2c02c7619f69e87d0f63086245d859ce053a677b017e56a913b9d16f4104c169
Opcode Fuzzy Hash: b1319888d58344e1d146038dbe51c945b0a95c66f9246088a0a26429922302e0
Instruction Fuzzy Hash: FDD01224F2850785E6342BB12C950381294EF64760FE10BF0C02EC21D0DE7CA085671D

Function 00007FF698EF8648 Relevance: 3.0, APIs: 2, Instructions: 12COMMON

Download Yara Rule

APIs

RemoveDirectoryW.KERNELBASE ref: 00007FF698EF864C
GetLastError.KERNEL32 ref: 00007FF698EF8656

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID: DirectoryErrorLastRemove
String ID:
API String ID: 377330604-0
Opcode ID: 37b4a7e4d00d01a0eafeac234b577e395ecf372998b901b949fd5718f631df3e
Instruction ID: 144105c83698d4cbd90c35b52007a258318ea5cb6857dfe7e4ab96162deb8d9c
Opcode Fuzzy Hash: 37b4a7e4d00d01a0eafeac234b577e395ecf372998b901b949fd5718f631df3e
Instruction Fuzzy Hash: 24D01220F1954389E6342BB52C554382190EFA4771FD10AB4C03EC21D0DE7CA045671A

Function 00007FF698EE7F50 Relevance: 1.6, APIs: 1, Instructions: 141COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF698EE8DE0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF698EE2A9B), ref: 00007FF698EE8E1A

_findclose.LIBCMT ref: 00007FF698EE81A9

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID: ByteCharMultiWide_findclose
String ID:
API String ID: 2772937645-0
Opcode ID: aa2a36deec39c3a11ec2b62d31fe43dc86d3decf01d493f1b5c8a3539a39b282
Instruction ID: e9719dc47cd07581190a2f5a6f89c77d73f6d4e70257ff7b80cc2c5f97266063
Opcode Fuzzy Hash: aa2a36deec39c3a11ec2b62d31fe43dc86d3decf01d493f1b5c8a3539a39b282
Instruction Fuzzy Hash: 20717B52E18AC981EA21CB2CD5152FD6360F7A9B4CF94E321DB9C52593EF38E2D9C704

Function 00007FF698EFCC5C Relevance: 1.6, APIs: 1, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF698EFCC84

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 1d9ce192a3da46ea8a65def934b56c452277ca90c934615c4cd3a21602e95038
Instruction ID: 0abf4e2e43875aa476be151ccedd6c46b56bd51c34857367b6753d8dbc757380
Opcode Fuzzy Hash: 1d9ce192a3da46ea8a65def934b56c452277ca90c934615c4cd3a21602e95038
Instruction Fuzzy Hash: F8411432A0921183EA34CB38F06027D77A0EB66B80FA411B1D68EC36D1CF3DE502D749

Function 00007FF698EE84C0 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

_fread_nolock.LIBCMT ref: 00007FF698EE856A

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID: _fread_nolock
String ID:
API String ID: 840049012-0
Opcode ID: 1d5c224ee41389395c85bf280a5ef420999a42d25b7edcdbd34f59e3fba015ff
Instruction ID: 69ef961535764336492bf9865bb60e5bff8502e4e9a96f71420b4c0fc9d0572b
Opcode Fuzzy Hash: 1d5c224ee41389395c85bf280a5ef420999a42d25b7edcdbd34f59e3fba015ff
Instruction Fuzzy Hash: 41217E21B096AA45FA609B32B9247FAA651FF55BD4FC84470EE0D877C6DE3CE045C708

Function 00007FF698EFC6EC Relevance: 1.6, APIs: 1, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF698EFC772

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 9d46e4dc1c7706e1baa247f93764384ede75e9bcf433252d370e5f4900f7c3d5
Instruction ID: 8fa8dd3716a844c81d4ddb617dd3f1a785476b2f4d49175322cd980680cc81bb
Opcode Fuzzy Hash: 9d46e4dc1c7706e1baa247f93764384ede75e9bcf433252d370e5f4900f7c3d5
Instruction Fuzzy Hash: CA31C122E08A6291FB219B35A8613782A50EF70B91FE102B5DE1D873D2CF7CE441E759

Function 00007FF698EFA715 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF698EFA743

Part of subcall function 00007FF698EFA83C: GetModuleHandleExW.KERNEL32 ref: 00007FF698EFA861
Part of subcall function 00007FF698EFA83C: GetProcAddress.KERNEL32 ref: 00007FF698EFA877
Part of subcall function 00007FF698EFA83C: FreeLibrary.KERNEL32 ref: 00007FF698EFA89E

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID: HandleModule$AddressFreeLibraryProc
String ID:
API String ID: 3947729631-0
Opcode ID: 9c0127de50016242ddc74074b6af7f5d0c7ecdfc40d630aae62ff1a96a90ed2f
Instruction ID: 5f2b659b501e41559d72077d5a3e8eb613e2079712d924ad0cdb162135bca7ad
Opcode Fuzzy Hash: 9c0127de50016242ddc74074b6af7f5d0c7ecdfc40d630aae62ff1a96a90ed2f
Instruction Fuzzy Hash: 3B21AE36E04B0689EB248F74E490AEC37B0EB5471CF94067ADA1D8AAC5DF38D585D784

Function 00007FF698EF69E4 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF698EF6949

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: a12511eb413a20500788068782fa49ddb1fe92b02a1e7189881bce5d81ea64e9
Instruction ID: 9dd7ae537abbf566c0da9a69b228d581b5500e8dcd87e913f05668b153b5cb4f
Opcode Fuzzy Hash: a12511eb413a20500788068782fa49ddb1fe92b02a1e7189881bce5d81ea64e9
Instruction Fuzzy Hash: F711A821A1D68142EAB09F31B421279A3A4FFA5B80FD440B1EA8DD77A5CF3DD510A748

Function 00007FF698F0748C Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF698F074AF

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 14b88cdde8f100e0c11df9c25968cfa6048feb9caeb9ba24198eb79990a08c61
Instruction ID: 4863c7ba6b7ef59ed66d4f559c90d5e9323ab220c517a92b074db75f8a9107e2
Opcode Fuzzy Hash: 14b88cdde8f100e0c11df9c25968cfa6048feb9caeb9ba24198eb79990a08c61
Instruction Fuzzy Hash: 9C21D732A18A418ADB718F38E44037977A0EB94BD4FA45274E65EC76D5DF3DD8108B04

Function 00007FF698EF0CEC Relevance: 1.5, APIs: 1, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF698EF0D40

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: cb4a28c9cfe68d4bf5caf65282be0dfe2d74942f75b7edef78e8fd4dc80d0569
Instruction ID: 06907588467b0b8bd90490d1c129cc5f58feb57e79fea73cc11b9fc7d2ca3618
Opcode Fuzzy Hash: cb4a28c9cfe68d4bf5caf65282be0dfe2d74942f75b7edef78e8fd4dc80d0569
Instruction Fuzzy Hash: 8001A921A0874542E9249F7264100796695EB65FE0F8845B1DE5CD77DADF3DE5015304

Function 00007FF698EF82D4 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF698EF8312

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 429e4ff91632884dbfd59807356ed260fa29108cd8906d3b6e9196ad5ea12367
Instruction ID: 601d04f9d7c6b94f6d79d19ab81c81bec3231f8f8bf0efb57eb0b1f055111eae
Opcode Fuzzy Hash: 429e4ff91632884dbfd59807356ed260fa29108cd8906d3b6e9196ad5ea12367
Instruction Fuzzy Hash: 2C018020E0E66680FE706B7176611396690EF687D4FD852B5E91DC36D6CF3CB482630D

Function 00007FF698EFF948 Relevance: 1.5, APIs: 1, Instructions: 36memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,?,00000000,00007FF698EFC196,?,?,?,00007FF698EFB35B,?,?,00000000,00007FF698EFB5F6), ref: 00007FF698EFF99D

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 83da86fcac40c5efe6be46efa8cccb7ed61db28345aee0e9c2556edc7e0339ef
Instruction ID: fd511dc6b862e647b3fe03f6c59d8ec80ef3c414f72971f1c8c6bf0d560d67a2
Opcode Fuzzy Hash: 83da86fcac40c5efe6be46efa8cccb7ed61db28345aee0e9c2556edc7e0339ef
Instruction Fuzzy Hash: E5F04F16B09202A1FE755BB164743B55291DFA8B80FCC50B0C90EC63D5DE3CE481A319

Function 00007FF698EFE3AC Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,?,?,00007FF698EF1514,?,?,?,00007FF698EF2A26,?,?,?,?,?,00007FF698EF4019), ref: 00007FF698EFE3EA

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: d8b55510c5610d80ab4c44b86d687719a9e038cf882b555fd49ed5282eff217e
Instruction ID: c85624301c7fbc05bfa789c669a5258f313f3b57263a7eddca0e7fdacfbe16bc
Opcode Fuzzy Hash: d8b55510c5610d80ab4c44b86d687719a9e038cf882b555fd49ed5282eff217e
Instruction Fuzzy Hash: EDF05E14F1F28745FE386B7268656755290CFA87A0F8812B0E92ECA2C1DE7CF441A319

Function 00007FF698EF8610 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF698EF8629

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 5d337e270712d004679ba659ef610f4cb2fc78abe2ab3a8c8a6757f66acf180b
Instruction ID: ff9dbff2c946c454758826da4cb1b959f5b92cfae04c81302f1da109feacb1ad
Opcode Fuzzy Hash: 5d337e270712d004679ba659ef610f4cb2fc78abe2ab3a8c8a6757f66acf180b
Instruction Fuzzy Hash: EAE0EC50E0961A52FE747BB066E25792121CF78340F9150B0DA298A383ED3C6844BB2A

Function 00007FF698EE85F0 Relevance: 1.3, APIs: 1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID: DirectoryErrorLastRemove
String ID:
API String ID: 377330604-0
Opcode ID: b081b867af62e1502bd09a952f28b23a6342cded27452249318bab44c8c263ba
Instruction ID: 855b797b7481e8d4ee5e748ff65b6bc37b9ee0492f7d7fd141ec2a6ce02bb35b
Opcode Fuzzy Hash: b081b867af62e1502bd09a952f28b23a6342cded27452249318bab44c8c263ba
Instruction Fuzzy Hash: CE419816D1CB9A81E7219B34E5212FD6360FBA5744F84A672DF8D821A3EF38A5D8C304

Non-executed Functions

Function 00007FF698EE53F0 Relevance: 233.1, APIs: 44, Strings: 89, Instructions: 363libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,?,00000000,00007FF698EE344E), ref: 00007FF698EE5400
GetProcAddress.KERNEL32(?,?,00000000,00007FF698EE344E), ref: 00007FF698EE543A
GetProcAddress.KERNEL32(?,?,00000000,00007FF698EE344E), ref: 00007FF698EE545F
GetProcAddress.KERNEL32(?,?,00000000,00007FF698EE344E), ref: 00007FF698EE5484
GetProcAddress.KERNEL32(?,?,00000000,00007FF698EE344E), ref: 00007FF698EE54AC
GetProcAddress.KERNEL32(?,?,00000000,00007FF698EE344E), ref: 00007FF698EE54D4
GetProcAddress.KERNEL32(?,?,00000000,00007FF698EE344E), ref: 00007FF698EE54FC
GetProcAddress.KERNEL32(?,?,00000000,00007FF698EE344E), ref: 00007FF698EE5524
GetProcAddress.KERNEL32(?,?,00000000,00007FF698EE344E), ref: 00007FF698EE554C
GetProcAddress.KERNEL32(?,?,00000000,00007FF698EE344E), ref: 00007FF698EE5574

Strings

Failed to get address for PyConfig_SetBytesString, xrefs: 00007FF698EE55AE
PyErr_Restore, xrefs: 00007FF698EE56D2
Failed to get address for PyObject_SetAttrString, xrefs: 00007FF698EE58CE
Failed to get address for PyConfig_SetString, xrefs: 00007FF698EE55D6
Failed to get address for PyErr_Clear, xrefs: 00007FF698EE5626
PyStatus_Exception, xrefs: 00007FF698EE5952
Py_Finalize, xrefs: 00007FF698EE547A
PyObject_Str, xrefs: 00007FF698EE58DA
PyMarshal_ReadObjectFromString, xrefs: 00007FF698EE57C2
PyErr_Clear, xrefs: 00007FF698EE560A
Py_IsInitialized, xrefs: 00007FF698EE54CA
PyObject_GetAttrString, xrefs: 00007FF698EE588A
Failed to get address for PyPreConfig_InitIsolatedConfig, xrefs: 00007FF698EE591E
Failed to get address for PyUnicode_DecodeFSDefault, xrefs: 00007FF698EE5A36
Failed to get address for PyConfig_InitIsolatedConfig, xrefs: 00007FF698EE555E
PyPreConfig_InitIsolatedConfig, xrefs: 00007FF698EE5902
PyUnicode_DecodeFSDefault, xrefs: 00007FF698EE5A1A
PyImport_ExecCodeModule, xrefs: 00007FF698EE574A
Failed to get address for PyStatus_Exception, xrefs: 00007FF698EE596E
Failed to get address for PyUnicode_AsUTF8, xrefs: 00007FF698EE59E6
Failed to get address for PyUnicode_FromFormat, xrefs: 00007FF698EE5A5E
Failed to get address for Py_Finalize, xrefs: 00007FF698EE5496
PyRun_SimpleStringFlags, xrefs: 00007FF698EE592A
Failed to get address for PySys_GetObject, xrefs: 00007FF698EE5996
Failed to get address for PyObject_Str, xrefs: 00007FF698EE58F6
PyUnicode_Decode, xrefs: 00007FF698EE59F2
Py_InitializeFromConfig, xrefs: 00007FF698EE54A2
PyObject_SetAttrString, xrefs: 00007FF698EE58B2
PyErr_Fetch, xrefs: 00007FF698EE5632
Failed to get address for PyObject_CallFunctionObjArgs, xrefs: 00007FF698EE587E
Py_ExitStatusException, xrefs: 00007FF698EE5455
PyConfig_SetBytesString, xrefs: 00007FF698EE5592
PySys_SetObject, xrefs: 00007FF698EE59A2
Failed to get address for PyUnicode_Join, xrefs: 00007FF698EE5AAE
Py_PreInitialize, xrefs: 00007FF698EE54F2
PySys_GetObject, xrefs: 00007FF698EE597A
PyUnicode_Replace, xrefs: 00007FF698EE5ABA
PyUnicode_FromString, xrefs: 00007FF698EE5A6A
Failed to get address for Py_DecodeLocale, xrefs: 00007FF698EE544C
PyImport_AddModule, xrefs: 00007FF698EE5722
Failed to get address for PyConfig_Clear, xrefs: 00007FF698EE5536
PyErr_NormalizeException, xrefs: 00007FF698EE565A
Failed to get address for PyMarshal_ReadObjectFromString, xrefs: 00007FF698EE57DE
Failed to get address for PyImport_ImportModule, xrefs: 00007FF698EE578E
PyConfig_SetString, xrefs: 00007FF698EE55BA
Failed to get address for Py_IsInitialized, xrefs: 00007FF698EE54E6
PyErr_Print, xrefs: 00007FF698EE56AA
PyConfig_SetWideStringList, xrefs: 00007FF698EE55E2
Failed to get address for Py_DecRef, xrefs: 00007FF698EE5412
PyConfig_Clear, xrefs: 00007FF698EE551A
PyList_Append, xrefs: 00007FF698EE579A
PyUnicode_Join, xrefs: 00007FF698EE5A92
PyEval_EvalCode, xrefs: 00007FF698EE56FA
Failed to get address for PyModule_GetDict, xrefs: 00007FF698EE582E
Failed to get address for PyErr_NormalizeException, xrefs: 00007FF698EE5676
Failed to get address for PyRun_SimpleStringFlags, xrefs: 00007FF698EE5946
Failed to get address for PyConfig_Read, xrefs: 00007FF698EE5586
Failed to get address for PyList_Append, xrefs: 00007FF698EE57B6
Failed to get address for PyObject_CallFunction, xrefs: 00007FF698EE5856
Failed to get address for PyUnicode_Replace, xrefs: 00007FF698EE5AD6
Failed to get address for PyEval_EvalCode, xrefs: 00007FF698EE5716
Failed to get address for PyMem_RawFree, xrefs: 00007FF698EE5806
GetProcAddress, xrefs: 00007FF698EE5419
PyConfig_InitIsolatedConfig, xrefs: 00007FF698EE5542
Py_DecRef, xrefs: 00007FF698EE53F6
Failed to get address for PyImport_AddModule, xrefs: 00007FF698EE573E
Failed to get address for PyErr_Restore, xrefs: 00007FF698EE56EE
Failed to get address for PyUnicode_Decode, xrefs: 00007FF698EE5A0E
PyObject_CallFunctionObjArgs, xrefs: 00007FF698EE5862
PyModule_GetDict, xrefs: 00007FF698EE5812
PyMem_RawFree, xrefs: 00007FF698EE57EA
Failed to get address for PySys_SetObject, xrefs: 00007FF698EE59BE
PyErr_Occurred, xrefs: 00007FF698EE5682
Failed to get address for Py_InitializeFromConfig, xrefs: 00007FF698EE54BE
Failed to get address for Py_ExitStatusException, xrefs: 00007FF698EE5471
PyConfig_Read, xrefs: 00007FF698EE556A
PyUnicode_AsUTF8, xrefs: 00007FF698EE59CA
Failed to get address for PyImport_ExecCodeModule, xrefs: 00007FF698EE5766
Failed to get address for PyUnicode_FromString, xrefs: 00007FF698EE5A86
Failed to get address for PyErr_Print, xrefs: 00007FF698EE56C6
Failed to get address for Py_PreInitialize, xrefs: 00007FF698EE550E
Py_DecodeLocale, xrefs: 00007FF698EE5430
PyObject_CallFunction, xrefs: 00007FF698EE583A
PyUnicode_FromFormat, xrefs: 00007FF698EE5A42
Failed to get address for PyConfig_SetWideStringList, xrefs: 00007FF698EE55FE
Failed to get address for PyErr_Occurred, xrefs: 00007FF698EE569E
Failed to get address for PyErr_Fetch, xrefs: 00007FF698EE564E
PyImport_ImportModule, xrefs: 00007FF698EE5772
Failed to get address for PyObject_GetAttrString, xrefs: 00007FF698EE58A6

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID: AddressProc
String ID: Failed to get address for PyConfig_Clear$Failed to get address for PyConfig_InitIsolatedConfig$Failed to get address for PyConfig_Read$Failed to get address for PyConfig_SetBytesString$Failed to get address for PyConfig_SetString$Failed to get address for PyConfig_SetWideStringList$Failed to get address for PyErr_Clear$Failed to get address for PyErr_Fetch$Failed to get address for PyErr_NormalizeException$Failed to get address for PyErr_Occurred$Failed to get address for PyErr_Print$Failed to get address for PyErr_Restore$Failed to get address for PyEval_EvalCode$Failed to get address for PyImport_AddModule$Failed to get address for PyImport_ExecCodeModule$Failed to get address for PyImport_ImportModule$Failed to get address for PyList_Append$Failed to get address for PyMarshal_ReadObjectFromString$Failed to get address for PyMem_RawFree$Failed to get address for PyModule_GetDict$Failed to get address for PyObject_CallFunction$Failed to get address for PyObject_CallFunctionObjArgs$Failed to get address for PyObject_GetAttrString$Failed to get address for PyObject_SetAttrString$Failed to get address for PyObject_Str$Failed to get address for PyPreConfig_InitIsolatedConfig$Failed to get address for PyRun_SimpleStringFlags$Failed to get address for PyStatus_Exception$Failed to get address for PySys_GetObject$Failed to get address for PySys_SetObject$Failed to get address for PyUnicode_AsUTF8$Failed to get address for PyUnicode_Decode$Failed to get address for PyUnicode_DecodeFSDefault$Failed to get address for PyUnicode_FromFormat$Failed to get address for PyUnicode_FromString$Failed to get address for PyUnicode_Join$Failed to get address for PyUnicode_Replace$Failed to get address for Py_DecRef$Failed to get address for Py_DecodeLocale$Failed to get address for Py_ExitStatusException$Failed to get address for Py_Finalize$Failed to get address for Py_InitializeFromConfig$Failed to get address for Py_IsInitialized$Failed to get address for Py_PreInitialize$GetProcAddress$PyConfig_Clear$PyConfig_InitIsolatedConfig$PyConfig_Read$PyConfig_SetBytesString$PyConfig_SetString$PyConfig_SetWideStringList$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyList_Append$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyPreConfig_InitIsolatedConfig$PyRun_SimpleStringFlags$PyStatus_Exception$PySys_GetObject$PySys_SetObject$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_DecRef$Py_DecodeLocale$Py_ExitStatusException$Py_Finalize$Py_InitializeFromConfig$Py_IsInitialized$Py_PreInitialize
API String ID: 190572456-4266016200
Opcode ID: 849092ee313d90182648ac5091f6841dd271f5938a0293141bcf3cafd9cdb4f6
Instruction ID: 116d25581bebdab2d158ae1bb0fba49ae3798e6126832b7a29efc7948845db1c
Opcode Fuzzy Hash: 849092ee313d90182648ac5091f6841dd271f5938a0293141bcf3cafd9cdb4f6
Instruction Fuzzy Hash: F212A1B5A0EB0394FA75EF34A8A017423A1EF047D5FD465B5D80E87AA5EF7CB5488308

Function 00007FF698F04EFC Relevance: 24.0, APIs: 9, Strings: 4, Instructions: 1226COMMON

Download Yara Rule

APIs

fegetenv.LIBCMT ref: 00007FF698F04F4A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF698F055B6
_invalid_parameter_noinfo.LIBCMT ref: 00007FF698F0572C
_invalid_parameter_noinfo.LIBCMT ref: 00007FF698F059EA
_invalid_parameter_noinfo.LIBCMT ref: 00007FF698F05C0A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF698F05E47
memcpy_s.LIBCPMT ref: 00007FF698F05F22
memcpy_s.LIBCPMT ref: 00007FF698F05FCD
memcpy_s.LIBCPMT ref: 00007FF698F0609C

Strings

1#IND, xrefs: 00007FF698F05037
1#INF, xrefs: 00007FF698F05073
1#QNAN, xrefs: 00007FF698F05063
1#SNAN, xrefs: 00007FF698F0505A

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 808467561-2761157908
Opcode ID: c804c22466df2b92b362f5d1d066b057dea08e8c29dc99d8cb90910c2247e431
Instruction ID: 476b32889579b24b341997531ecc20b047112cc2c5b4540e9a7ece7d09cd29e1
Opcode Fuzzy Hash: c804c22466df2b92b362f5d1d066b057dea08e8c29dc99d8cb90910c2247e431
Instruction Fuzzy Hash: 3EB2C072A182828FE7748F74D4407FD77A1FB587C8F906175DA0AA7A85DFB8A900CB44

Function 00007FF698EE8770 Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 52windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,00007FF698EE2A3E,?,?,?,?,?,?,?,?,?,?,?,00007FF698EE101D), ref: 00007FF698EE8797
FormatMessageW.KERNEL32 ref: 00007FF698EE87C6
WideCharToMultiByte.KERNEL32 ref: 00007FF698EE881C

Part of subcall function 00007FF698EE29C0: GetLastError.KERNEL32(00000000,00000000,00000000,00007FF698EE8AF2,?,?,?,?,?,?,?,?,?,?,?,00007FF698EE101D), ref: 00007FF698EE29F4
Part of subcall function 00007FF698EE29C0: MessageBoxW.USER32 ref: 00007FF698EE2AD0

Strings

PyInstaller: pyi_win32_utils_to_utf8 failed., xrefs: 00007FF698EE8839
PyInstaller: FormatMessageW failed., xrefs: 00007FF698EE87E3
WideCharToMultiByte, xrefs: 00007FF698EE882D
No error messages generated., xrefs: 00007FF698EE87D0
Failed to encode wchar_t as UTF-8., xrefs: 00007FF698EE8826
FormatMessageW, xrefs: 00007FF698EE87D7

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID: ErrorLastMessage$ByteCharFormatMultiWide
String ID: Failed to encode wchar_t as UTF-8.$FormatMessageW$No error messages generated.$PyInstaller: FormatMessageW failed.$PyInstaller: pyi_win32_utils_to_utf8 failed.$WideCharToMultiByte
API String ID: 2920928814-2573406579
Opcode ID: 71548051bea7547f5d5b972cb2661fdb12455c7e02de19cea235076eba1ea75f
Instruction ID: a80cf723a83cfe902f8ea8095aa4b3e6b2e17ae7e418149d9a6e698576977518
Opcode Fuzzy Hash: 71548051bea7547f5d5b972cb2661fdb12455c7e02de19cea235076eba1ea75f
Instruction Fuzzy Hash: A2211D72A18A4685F7749F31E85427A6265FB88384FC42175EA8DC36A5EF3CE145C708

Function 00007FF698EEA76D Relevance: 12.0, Strings: 9, Instructions: 745COMMON

Download Yara Rule

Strings

invalid distance code, xrefs: 00007FF698EEB074
invalid literal/lengths set, xrefs: 00007FF698EEABF3
invalid literal/length code, xrefs: 00007FF698EEAEA2
too many length or distance symbols, xrefs: 00007FF698EEA906
invalid distance too far back, xrefs: 00007FF698EEB130
invalid bit length repeat, xrefs: 00007FF698EEAB59
invalid distances set, xrefs: 00007FF698EEAC60
invalid code -- missing end-of-block, xrefs: 00007FF698EEAB86
invalid code lengths set, xrefs: 00007FF698EEA8ED

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID:
String ID: invalid bit length repeat$invalid code -- missing end-of-block$invalid code lengths set$invalid distance code$invalid distance too far back$invalid distances set$invalid literal/length code$invalid literal/lengths set$too many length or distance symbols
API String ID: 0-2665694366
Opcode ID: 63f3ffa9379e1e3dea1ad36e367ec88dcfea323b25a29ef61fa4fbcfb838a92b
Instruction ID: bdc79ad1ac29be011ae46a8baeb5df8ec452c84db81143207d50b0f77a11e2b9
Opcode Fuzzy Hash: 63f3ffa9379e1e3dea1ad36e367ec88dcfea323b25a29ef61fa4fbcfb838a92b
Instruction Fuzzy Hash: B252F572A146A68BE7748F24D468B7E3BA9FB94340F41417DE64A97781DF3CD844CB04

Function 00007FF698EEC8BC Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF698EEC8D8
RtlCaptureContext.KERNEL32 ref: 00007FF698EEC905
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF698EEC91F
RtlVirtualUnwind.KERNEL32 ref: 00007FF698EEC960
IsDebuggerPresent.KERNEL32 ref: 00007FF698EEC9B4
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF698EEC9D1
UnhandledExceptionFilter.KERNEL32 ref: 00007FF698EEC9DC

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 4f1605a870b3ab58307638b90f69401c730c876d9dfa7ce500e329c816792819
Instruction ID: 96efebdb89f6b57e0698e1212634eb3515971443cce953b95cb8adbd33b75aff
Opcode Fuzzy Hash: 4f1605a870b3ab58307638b90f69401c730c876d9dfa7ce500e329c816792819
Instruction Fuzzy Hash: FF313A72619A818AEB709F60E8503FD7364FB84744F84407ADA4E97B99EF3CD648C718

Function 00007FF698EFB3CC Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF698EFB445
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF698EFB45D
RtlVirtualUnwind.KERNEL32 ref: 00007FF698EFB498
IsDebuggerPresent.KERNEL32 ref: 00007FF698EFB4D1
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF698EFB4DB
UnhandledExceptionFilter.KERNEL32 ref: 00007FF698EFB4E6

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: f3d77d60e417bce1f0fe908812719be64cab24703666754eed0168e01bd0a785
Instruction ID: f7cfdfd048bac9ac867fda138885139008dc04067050743411a2e6303417871f
Opcode Fuzzy Hash: f3d77d60e417bce1f0fe908812719be64cab24703666754eed0168e01bd0a785
Instruction Fuzzy Hash: 3E317336618B8185EB70CF35E8502AE73A4FB88794F940176EA9D83B99EF3CD545CB04

Function 00007FF698F026C4 Relevance: 7.8, APIs: 5, Instructions: 282COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF698F02710
FindFirstFileExW.KERNEL32 ref: 00007FF698F0281A

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID: FileFindFirst_invalid_parameter_noinfo
String ID:
API String ID: 2227656907-0
Opcode ID: b3715d4618dde4abce6a703dfc2b0a62f6c41887aa9418885becb382e3094c85
Instruction ID: 89ab5adca9dbfd37ed46da3c1588ea1f1c98f4347fc7f8ca16a491d1cecdd803
Opcode Fuzzy Hash: b3715d4618dde4abce6a703dfc2b0a62f6c41887aa9418885becb382e3094c85
Instruction Fuzzy Hash: 4FB11636B1868645EE72DF71A4102B96391EB84BE4F942172ED4D87BC9DF3CE440D318

Function 00007FF698EEC7A0 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF698EEC7CC
GetCurrentThreadId.KERNEL32 ref: 00007FF698EEC7DA
GetCurrentProcessId.KERNEL32 ref: 00007FF698EEC7E6
QueryPerformanceCounter.KERNEL32 ref: 00007FF698EEC7F6

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 9121cd0992376079c28b7b15cfb2bb882a77f2b3c78bb4ce64e2c22522254d02
Instruction ID: f44df3be2e84430748b041035b17d6d0d0c583f17d8f7e78d1f5fdf963201775
Opcode Fuzzy Hash: 9121cd0992376079c28b7b15cfb2bb882a77f2b3c78bb4ce64e2c22522254d02
Instruction Fuzzy Hash: CF111832B14B058AEB10CF70E8542B833A4FB19B98F842E71DA6D87BA4DF7CE1548344

Function 00007FF698F04A60 Relevance: 4.8, APIs: 3, Instructions: 340COMMON

Download Yara Rule

APIs

memcpy_s.LIBCPMT ref: 00007FF698F04AC6
memcpy_s.LIBCPMT ref: 00007FF698F04AF1

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID: memcpy_s
String ID:
API String ID: 1502251526-0
Opcode ID: 723df14fe8405c9280d13974b9e0b256372cd2939c4def8ecbac686ef57d643c
Instruction ID: 7adff605e2ab36af146ed9c5e41c33510cc5c439a40bd700bdabfd438250cd63
Opcode Fuzzy Hash: 723df14fe8405c9280d13974b9e0b256372cd2939c4def8ecbac686ef57d643c
Instruction Fuzzy Hash: BAC1F572B196858BD734CF26A04467AB791F7A4BC8F849135DB4A83744DF3DE841CB44

Function 00007FF698EE9F3B Relevance: 4.1, Strings: 3, Instructions: 397COMMON

Download Yara Rule

Strings

, xrefs: 00007FF698EEA01B
header crc mismatch, xrefs: 00007FF698EEA3E1
unknown header flags set, xrefs: 00007FF698EE9F85

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID:
String ID: $header crc mismatch$unknown header flags set
API String ID: 0-1127688429
Opcode ID: a8b055446104684f1ad95e328151202d31fdc591d47a14639da6131c49358b20
Instruction ID: 574a2868b3640597188ce4d10f0b53e77557e5f67ab1d4dc4170101ccbc3862c
Opcode Fuzzy Hash: a8b055446104684f1ad95e328151202d31fdc591d47a14639da6131c49358b20
Instruction Fuzzy Hash: 73F1A172A183C54BEBB59B24C0A8E3E3AE9FF54740F4545B8DA4A97392CF38E940C744

Function 00007FF698F0A7D8 Relevance: 3.2, APIs: 2, Instructions: 227COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 00007FF698F0AA27
RaiseException.KERNEL32 ref: 00007FF698F0AA38

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID: ExceptionRaise_clrfp
String ID:
API String ID: 15204871-0
Opcode ID: 107d115b060fbd35a116a220a90c3f58689526778be32960ff8b0eb29206904d
Instruction ID: 0dad3c5aace2a12d60e44c4875ff3c3ad087fccb4dfd78dd8a34f5c0d8788df7
Opcode Fuzzy Hash: 107d115b060fbd35a116a220a90c3f58689526778be32960ff8b0eb29206904d
Instruction Fuzzy Hash: 25B16973A04B89CEEB25CF39C8463687BA0F784B88F559961DA5D837A4CF39D451C704

Function 00007FF698EF42D4 Relevance: 2.8, Strings: 2, Instructions: 350COMMON

Download Yara Rule

Strings

, xrefs: 00007FF698EF4442
, xrefs: 00007FF698EF4684

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-227171996
Opcode ID: a4155c6fffaecf52a824239c2b6f37dbc1b24f1087258a4a4fa2a9ab421e67c4
Instruction ID: 719367292244496f3739b876c90562e11c82ae40982d5c80f901f4a3d5a0b9a4
Opcode Fuzzy Hash: a4155c6fffaecf52a824239c2b6f37dbc1b24f1087258a4a4fa2a9ab421e67c4
Instruction Fuzzy Hash: 16E1D272A0964683EB788F3AA06013D33A0FF65B4CF944275CA1E83794DF39E951E748

Function 00007FF698EE9D9B Relevance: 2.7, Strings: 2, Instructions: 218COMMON

Download Yara Rule

Strings

incorrect header check, xrefs: 00007FF698EE9F22
invalid window size, xrefs: 00007FF698EE9F09

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID:
String ID: incorrect header check$invalid window size
API String ID: 0-900081337
Opcode ID: 7b159ed6ab11f424a85810e34fe73a423a8b15e185d016247a9cbb34ea0f7710
Instruction ID: ecfb6e2dac582393f819c9ee4359e88624551f4a93629569129afdfada0c88ed
Opcode Fuzzy Hash: 7b159ed6ab11f424a85810e34fe73a423a8b15e185d016247a9cbb34ea0f7710
Instruction Fuzzy Hash: C991D372A182C687E7B58F24D4ACB3E3AE9FB84344F514179DA4A96791DF3CE940CB04

Function 00007FF698EFECA0 Relevance: 2.6, Strings: 2, Instructions: 144COMMON

Download Yara Rule

Strings

e+000, xrefs: 00007FF698EFEDAD
gfff, xrefs: 00007FF698EFEE2A

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID:
String ID: e+000$gfff
API String ID: 0-3030954782
Opcode ID: b0eb00ec9cc72bcbd25ebaa9050c7cd18c6ed420f4824bc0d073d86035fcaeec
Instruction ID: e3ea02cc76acd2b1ef082068dabc864d90cea77449bd0434fc85e6873315b27a
Opcode Fuzzy Hash: b0eb00ec9cc72bcbd25ebaa9050c7cd18c6ed420f4824bc0d073d86035fcaeec
Instruction Fuzzy Hash: C1517966B183C246E7308F35B8207697B91E7A8B94F88D271DB5C8BAC5CF7EE4448704

Function 00007FF698EFE80C Relevance: 1.5, Strings: 1, Instructions: 254COMMON

Download Yara Rule

Strings

gfffffff, xrefs: 00007FF698EFEB4E

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID:
String ID: gfffffff
API String ID: 0-1523873471
Opcode ID: ce984bed762576d5ac079d260fe98dbb5d2c0c9497d8241e3c95b971abe0b5e7
Instruction ID: 491503d5ecb4aa9fa3a6d4ade9dffaf29a7e3ca6261898b4a5b6767ab3584497
Opcode Fuzzy Hash: ce984bed762576d5ac079d260fe98dbb5d2c0c9497d8241e3c95b971abe0b5e7
Instruction Fuzzy Hash: DBA14763B087C686EB31CF35A4207A97B91EB68B84F448071EE8D8B795DE3DE501D705

Function 00007FF698EF8EF4 Relevance: 1.4, Strings: 1, Instructions: 177COMMON

Download Yara Rule

Strings

TMP, xrefs: 00007FF698EF8F13

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: TMP
API String ID: 3215553584-3125297090
Opcode ID: 227a240b370b15b1266a0cc9d4416acc6519c25bf7b5095cb295345a6af5b08f
Instruction ID: 9cbeb88b825f871e44fa827f296e36a5daa5cbf4c8ad6d12ef6e09f8065ac96e
Opcode Fuzzy Hash: 227a240b370b15b1266a0cc9d4416acc6519c25bf7b5095cb295345a6af5b08f
Instruction Fuzzy Hash: 5951E515F0C31A45FA74AB36AA2117A5291EFA5BC4F8850B5DE4DC77C6EE3CE442A308

Function 00007FF698F042D0 Relevance: 1.3, APIs: 1, Instructions: 7memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FF698F042D4

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: ed995d9d252c3e0c61107ed1ba5c48f1392176915e7fcf845d28b2722b2e2d45
Instruction ID: 75f2e6aa123a9006adbe2a4b275ff86b5e1f5649e917a7a90528ea31b767018d
Opcode Fuzzy Hash: ed995d9d252c3e0c61107ed1ba5c48f1392176915e7fcf845d28b2722b2e2d45
Instruction Fuzzy Hash: 12B09230E07A42CAFA182B216CC221462A4BF48751FD450B9C00D83320DE3C20A68715

Function 00007FF698EF3ED0 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca9df69fd1c27fd416770dca946a20fccf44885df857cf64186a4c680355c85b
Instruction ID: c12e87a5da148dc586f4b74a99728a8d28a8c90ec0f91aff206a143dcefcdcc8
Opcode Fuzzy Hash: ca9df69fd1c27fd416770dca946a20fccf44885df857cf64186a4c680355c85b
Instruction Fuzzy Hash: DDD1E222A0860283FB38CF36A16027D27A0FF65B4CF9442B5CE0D87695CF39E841E349

Function 00007FF698EE92D0 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6d76246942c46f132312ebc4a4bc27c309f6729675ee6fb805fd22939f347a0
Instruction ID: abde6fd49c716c468d8526fc1ef0ebb38d2d1ce7024bdf90f95ad366d685d954
Opcode Fuzzy Hash: a6d76246942c46f132312ebc4a4bc27c309f6729675ee6fb805fd22939f347a0
Instruction Fuzzy Hash: 9EC1B4722141E14BD2D9EB29E46957E77E1F78934DBC4403AEB8B47B8ACA3CE114D710

Function 00007FF698EF3540 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa501f5897fa8170c1c3089a9165536d111e8d2735d862654f88cabfcab8bd87
Instruction ID: 0aa4d745397ad95b9caf066b8cbd59dc50e67ba7f725805893eae25bf4833a92
Opcode Fuzzy Hash: fa501f5897fa8170c1c3089a9165536d111e8d2735d862654f88cabfcab8bd87
Instruction Fuzzy Hash: 6CB1AE72A0878585E7768F39E06023D3BA0E769F48FA541B9CE4E87395CF39D841E748

Function 00007FF698EFF320 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dde3b387bb0edac5d3a7572aaf71fcdce3ba0ac9d1c4353072e234eccf42a557
Instruction ID: 552d98ebd36b45e7667107bb21e08d30c64e9277b0d4a0827cb2845d61dea914
Opcode Fuzzy Hash: dde3b387bb0edac5d3a7572aaf71fcdce3ba0ac9d1c4353072e234eccf42a557
Instruction Fuzzy Hash: 9581F073A0C38146EB74CF29B06037AAA91FBA5794F844275DB9D83B99CE3CE4009B04

Function 00007FF698F07550 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 0545a2559c330c3b8b837ff60ad1fca552f4247d75f95da319e64bf11632f5cd
Instruction ID: 100bb9b6f6ac27b442da6e725b8988889c096bcaac1eb458be53b0d50017f962
Opcode Fuzzy Hash: 0545a2559c330c3b8b837ff60ad1fca552f4247d75f95da319e64bf11632f5cd
Instruction Fuzzy Hash: FA61E732F192824AFB748E3894546796681EF903E0FD516F5D61FC76D2EE7EE8008708

Function 00007FF698EF2A94 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 431273df7c005eff8b086499786a7f8af66af839407972891033f6f8b32510fa
Instruction ID: de5e594a30eb7bd9efd38513cc39bc561595db3fe9243b892dbb742ff70b2401
Opcode Fuzzy Hash: 431273df7c005eff8b086499786a7f8af66af839407972891033f6f8b32510fa
Instruction Fuzzy Hash: 12518376A18A5286E7348F39E06423837A0EB64F68FA44171CE4D977D4CF3AE843E744

Function 00007FF698EF2274 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3986d2e28db3ad4c814196551e744b7f12e089580c78501851383343d29f5119
Instruction ID: 111a2cd8f97d95375d21972f720f045e52643b4aaf7a91511b66cacb4d7d6a55
Opcode Fuzzy Hash: 3986d2e28db3ad4c814196551e744b7f12e089580c78501851383343d29f5119
Instruction Fuzzy Hash: 2251A376A1965282E7348B39E06023837A0FB65F68FE44171CE4D87794CF3AE843E748

Function 00007FF698EF2684 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a7def00a57181835e1b5755574f212d41c435eb46ac8bcc91c00ca4f50edce3
Instruction ID: f80f87ed23b6c9fb07e4d1283bbafe209046df9f5805269ff6b2c699107b9aa6
Opcode Fuzzy Hash: 0a7def00a57181835e1b5755574f212d41c435eb46ac8bcc91c00ca4f50edce3
Instruction Fuzzy Hash: C4518476A18A5186E7348B39E06023837A1EB64B68FE44171CE4D877E4CF3AEC43E744

Function 00007FF698EF2480 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b37b721d2520797c932084b48cf8e5c5b4bbfd8b4955e3aae9fbd8879836657
Instruction ID: b07446ca45f1e14970ecf032625cbbf709993fe19967d04651c14493bbf7e9b0
Opcode Fuzzy Hash: 5b37b721d2520797c932084b48cf8e5c5b4bbfd8b4955e3aae9fbd8879836657
Instruction Fuzzy Hash: DD51A376A1865186E7348B39E06023837A1EBA4F59FE44171CE4C977A4CF3AEC43E748

Function 00007FF698EF2890 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56eab1984f79c1160248cb97b5e30aec2666dd062f10dae5dc3084fdbc1595d5
Instruction ID: 92f39030ce8fb3f55a9500ec5ebf0ca50f3a8199717351d3898363d0e317cea7
Opcode Fuzzy Hash: 56eab1984f79c1160248cb97b5e30aec2666dd062f10dae5dc3084fdbc1595d5
Instruction Fuzzy Hash: 69519636A18A5585E7358B39E06027837A1EBA4F58FE44171CE8C97798CF3AE843E744

Function 00007FF698EF2070 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4a792dd5f357ba9ab053cb868b8428acf2d0115ad083e523ed5123ef832f09c
Instruction ID: 94fab6436c24160424a4ccd282af38c3c039a2b8d1b1d6487f1c513d1c0eb73d
Opcode Fuzzy Hash: e4a792dd5f357ba9ab053cb868b8428acf2d0115ad083e523ed5123ef832f09c
Instruction Fuzzy Hash: 4E51C537A18A5186E7348B38E46023837A0EB65B58FE441B1DE4C97795CF3AEC43D748

Function 00007FF698EF6750 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dde3b7cfbcf26fc8d7513faefc9a59c4b8821272907dfbb35b6db6355186da00
Instruction ID: 49e43aa6d13fc07c46cc74850a963ea16167d1c936995a34f61263f76da2f9c2
Opcode Fuzzy Hash: dde3b7cfbcf26fc8d7513faefc9a59c4b8821272907dfbb35b6db6355186da00
Instruction Fuzzy Hash: 3741C892C0D7CA07E9754B3855206B45A80EF327A0DD852F8CC9AD73E3ED2D6587E309

Function 00007FF698EFAC50 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID: ErrorLanguagesLastPreferredRestoreThread
String ID:
API String ID: 588628887-0
Opcode ID: f111dc0bb75c4fd458f0a84966b8cb0fe478d08570652a426d7f95957c6d4c4f
Instruction ID: 4a766397a8f6b5e9adbd4fc63b50898a2c6a4a741952eae250ca1a7654c9e488
Opcode Fuzzy Hash: f111dc0bb75c4fd458f0a84966b8cb0fe478d08570652a426d7f95957c6d4c4f
Instruction Fuzzy Hash: AD410372714A5582EF14CF3AE964569B3A1FB58FD4B88A032DE0DD7B58DE3DD0428304

Function 00007FF698EF84BC Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0b9409b015bea46d2036294c0136b3200ade656a83a3c77deb383565566a918
Instruction ID: 8f88e3dff7ef77188c6fb8876058670de6887be74d7ff357d4e3332959f73f61
Opcode Fuzzy Hash: e0b9409b015bea46d2036294c0136b3200ade656a83a3c77deb383565566a918
Instruction Fuzzy Hash: 4D31E232B08B9282E7349F35795017E6695EF85BE0F544278EA8E97BD6DF3CD0129308

Function 00007FF698F0A620 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3f3f1020485e8a41a296fc930dbc96221e618d45f39aaa63d951921bdf06b5a
Instruction ID: bc3d36d35816fef6b6302a105c11ad8a7d69b5819a6e20d4a79c3978baf1fb35
Opcode Fuzzy Hash: c3f3f1020485e8a41a296fc930dbc96221e618d45f39aaa63d951921bdf06b5a
Instruction Fuzzy Hash: DEF06271B192968ADBA88F39A80262977E0F7083C0F809579E68DC7B04DA3D94619F08

Function 00007FF698EECA9C Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b04046989d87c8dc885ed01c2b3f2aaa9c0b13633c97905e42662c4d2108a614
Instruction ID: f53530b787b423c2becb632d2b3bae26f921cc0f4084022d4f2f6a0d561491c7
Opcode Fuzzy Hash: b04046989d87c8dc885ed01c2b3f2aaa9c0b13633c97905e42662c4d2108a614
Instruction Fuzzy Hash: A9A00161A18842D4E674CB20A8610302220EB51389B8110B2D12E924A1EE3CA4418308

Function 00007FF698EE7100 Relevance: 164.8, APIs: 31, Strings: 63, Instructions: 263libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF698EE7117
GetProcAddress.KERNEL32 ref: 00007FF698EE7156
GetProcAddress.KERNEL32 ref: 00007FF698EE717B
GetProcAddress.KERNEL32 ref: 00007FF698EE71A0
GetProcAddress.KERNEL32 ref: 00007FF698EE71C8
GetProcAddress.KERNEL32 ref: 00007FF698EE71F0
GetProcAddress.KERNEL32 ref: 00007FF698EE7218
GetProcAddress.KERNEL32 ref: 00007FF698EE7240
GetProcAddress.KERNEL32 ref: 00007FF698EE7268

Strings

Tcl_EvalEx, xrefs: 00007FF698EE7506
Failed to get address for Tcl_SetVar2, xrefs: 00007FF698EE73E2
Tcl_ConditionWait, xrefs: 00007FF698EE7326
Tcl_ThreadAlert, xrefs: 00007FF698EE7376
Failed to get address for Tcl_CreateThread, xrefs: 00007FF698EE7252
Failed to get address for Tcl_FindExecutable, xrefs: 00007FF698EE718D
Tcl_GetString, xrefs: 00007FF698EE7416
Failed to get address for Tcl_ConditionNotify, xrefs: 00007FF698EE731A
Tcl_FinalizeThread, xrefs: 00007FF698EE71E6
Failed to get address for Tk_GetNumMainWindows, xrefs: 00007FF698EE75EA
Tcl_NewByteArrayObj, xrefs: 00007FF698EE7466
Failed to get address for Tcl_GetObjResult, xrefs: 00007FF698EE74D2
Tcl_Free, xrefs: 00007FF698EE757E
Failed to get address for Tcl_SetVar2Ex, xrefs: 00007FF698EE74AA
Tk_Init, xrefs: 00007FF698EE75A6
Tcl_CreateInterp, xrefs: 00007FF698EE714C
Tcl_CreateObjCommand, xrefs: 00007FF698EE73EE
Failed to get address for Tcl_ConditionWait, xrefs: 00007FF698EE7342
Tcl_CreateThread, xrefs: 00007FF698EE7236
Failed to get address for Tcl_ThreadAlert, xrefs: 00007FF698EE7392
Tcl_SetVar2, xrefs: 00007FF698EE73C6
Tcl_Init, xrefs: 00007FF698EE7110
Failed to get address for Tcl_MutexLock, xrefs: 00007FF698EE72A2
Tcl_Alloc, xrefs: 00007FF698EE7556
Tk_GetNumMainWindows, xrefs: 00007FF698EE75CE
Failed to get address for Tcl_GetString, xrefs: 00007FF698EE7432
Failed to get address for Tcl_GetVar2, xrefs: 00007FF698EE73BA
Failed to get address for Tcl_NewStringObj, xrefs: 00007FF698EE745A
Tcl_SetVar2Ex, xrefs: 00007FF698EE748E
Tcl_GetObjResult, xrefs: 00007FF698EE74B6
Failed to get address for Tcl_DeleteInterp, xrefs: 00007FF698EE722A
Failed to get address for Tcl_ConditionFinalize, xrefs: 00007FF698EE72F2
Failed to get address for Tcl_ThreadQueueEvent, xrefs: 00007FF698EE736A
Tcl_ConditionFinalize, xrefs: 00007FF698EE72D6
Failed to get address for Tcl_GetCurrentThread, xrefs: 00007FF698EE727A
Failed to get address for Tk_Init, xrefs: 00007FF698EE75C2
Failed to get address for Tcl_Init, xrefs: 00007FF698EE7129
Failed to get address for Tcl_Alloc, xrefs: 00007FF698EE7572
Tcl_NewStringObj, xrefs: 00007FF698EE743E
Tcl_GetVar2, xrefs: 00007FF698EE739E
Tcl_GetCurrentThread, xrefs: 00007FF698EE725E
Failed to get address for Tcl_DoOneEvent, xrefs: 00007FF698EE71B2
GetProcAddress, xrefs: 00007FF698EE7130
Tcl_FindExecutable, xrefs: 00007FF698EE7171
Tcl_EvalObjv, xrefs: 00007FF698EE752E
Tcl_MutexLock, xrefs: 00007FF698EE7286
Failed to get address for Tcl_EvalEx, xrefs: 00007FF698EE7522
Failed to get address for Tcl_MutexUnlock, xrefs: 00007FF698EE72CA
Failed to get address for Tcl_EvalObjv, xrefs: 00007FF698EE754A
Failed to get address for Tcl_CreateObjCommand, xrefs: 00007FF698EE740A
Failed to get address for Tcl_EvalFile, xrefs: 00007FF698EE74FA
Failed to get address for Tcl_Finalize, xrefs: 00007FF698EE71DA
Tcl_ThreadQueueEvent, xrefs: 00007FF698EE734E
Failed to get address for Tcl_FinalizeThread, xrefs: 00007FF698EE7202
Tcl_DeleteInterp, xrefs: 00007FF698EE720E
Failed to get address for Tcl_CreateInterp, xrefs: 00007FF698EE7168
Failed to get address for Tcl_NewByteArrayObj, xrefs: 00007FF698EE7482
Tcl_EvalFile, xrefs: 00007FF698EE74DE
Tcl_ConditionNotify, xrefs: 00007FF698EE72FE
Failed to get address for Tcl_Free, xrefs: 00007FF698EE759A
Tcl_Finalize, xrefs: 00007FF698EE71BE
Tcl_DoOneEvent, xrefs: 00007FF698EE7196
Tcl_MutexUnlock, xrefs: 00007FF698EE72AE

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID: AddressProc
String ID: Failed to get address for Tcl_Alloc$Failed to get address for Tcl_ConditionFinalize$Failed to get address for Tcl_ConditionNotify$Failed to get address for Tcl_ConditionWait$Failed to get address for Tcl_CreateInterp$Failed to get address for Tcl_CreateObjCommand$Failed to get address for Tcl_CreateThread$Failed to get address for Tcl_DeleteInterp$Failed to get address for Tcl_DoOneEvent$Failed to get address for Tcl_EvalEx$Failed to get address for Tcl_EvalFile$Failed to get address for Tcl_EvalObjv$Failed to get address for Tcl_Finalize$Failed to get address for Tcl_FinalizeThread$Failed to get address for Tcl_FindExecutable$Failed to get address for Tcl_Free$Failed to get address for Tcl_GetCurrentThread$Failed to get address for Tcl_GetObjResult$Failed to get address for Tcl_GetString$Failed to get address for Tcl_GetVar2$Failed to get address for Tcl_Init$Failed to get address for Tcl_MutexLock$Failed to get address for Tcl_MutexUnlock$Failed to get address for Tcl_NewByteArrayObj$Failed to get address for Tcl_NewStringObj$Failed to get address for Tcl_SetVar2$Failed to get address for Tcl_SetVar2Ex$Failed to get address for Tcl_ThreadAlert$Failed to get address for Tcl_ThreadQueueEvent$Failed to get address for Tk_GetNumMainWindows$Failed to get address for Tk_Init$GetProcAddress$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
API String ID: 190572456-2208601799
Opcode ID: e7edea845a9f5d5bc22b5b56991a1be592abbf01ed24a972618679d5ebca8c04
Instruction ID: d6341f16d24b2c6ee12dc0972350fa64fc1072eec29b3b621100108910958a9d
Opcode Fuzzy Hash: e7edea845a9f5d5bc22b5b56991a1be592abbf01ed24a972618679d5ebca8c04
Instruction Fuzzy Hash: 6AE1B0B5A1DB0395FA798F24B8A417423A6EF08790BD464F5D80E872A5EFBCF544830C

Function 00007FF698EE12A0 Relevance: 17.6, APIs: 1, Strings: 9, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF698EE2B10: MessageBoxW.USER32 ref: 00007FF698EE2BE5

_fread_nolock.LIBCMT ref: 00007FF698EE1489

Strings

fread, xrefs: 00007FF698EE14B6
%s%c%s, xrefs: 00007FF698EE13DE
fseek, xrefs: 00007FF698EE1322
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF698EE131B
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF698EE1360
Failed to extract %s: failed to open archive file!, xrefs: 00007FF698EE12EE
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF698EE14AF
\, xrefs: 00007FF698EE13E5
malloc, xrefs: 00007FF698EE1367

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID: Message_fread_nolock
String ID: %s%c%s$Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$\$fread$fseek$malloc
API String ID: 3065259568-2316137593
Opcode ID: ae90d1d2cc2d25e3c28b24c58b246aacc49f8053e7d38ab1b4092be4bbb44153
Instruction ID: 30c3fa56b5f901b347a795a5a3cdf7a3437415b9bca27a1607c7e418b888c348
Opcode Fuzzy Hash: ae90d1d2cc2d25e3c28b24c58b246aacc49f8053e7d38ab1b4092be4bbb44153
Instruction Fuzzy Hash: 16517E61B0968286EB30AB31A8616FA6294EF547C4FD040B1EE4DC7B96EE7CE5459308

Function 00007FF698EE23D0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF698EE23FB
SelectObject.GDI32 ref: 00007FF698EE2442
DrawTextW.USER32 ref: 00007FF698EE2465
SelectObject.GDI32 ref: 00007FF698EE247B
ReleaseDC.USER32 ref: 00007FF698EE248B
MoveWindow.USER32 ref: 00007FF698EE24DB
MoveWindow.USER32 ref: 00007FF698EE251B
MoveWindow.USER32 ref: 00007FF698EE256E
MoveWindow.USER32 ref: 00007FF698EE25B6

Strings

P%, xrefs: 00007FF698EE244F

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID: MoveWindow$ObjectSelect$DrawReleaseText
String ID: P%
API String ID: 2147705588-2959514604
Opcode ID: 5b6577cad5280a8981d528861e2ae7c646745b175b361903b18278a3a03fe9da
Instruction ID: d09dc577853093fa7ecb453c0639675002b43036722e6ad7cecc61bc20d829eb
Opcode Fuzzy Hash: 5b6577cad5280a8981d528861e2ae7c646745b175b361903b18278a3a03fe9da
Instruction Fuzzy Hash: 93511436618BA186D6389F32E4181BAB7A1FB98BA5F404121EFCF83685DF3CD045DB14

Function 00007FF698EF6CE0 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 494COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF698EF6D23
_invalid_parameter_noinfo.LIBCMT ref: 00007FF698EF7110
_invalid_parameter_noinfo.LIBCMT ref: 00007FF698EF73AC

Strings

:, xrefs: 00007FF698EF6EDC
p, xrefs: 00007FF698EF6DD5
f, xrefs: 00007FF698EF6E45
p, xrefs: 00007FF698EF6E4D
-, xrefs: 00007FF698EF6DB9

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: -$:$f$p$p
API String ID: 3215553584-2013873522
Opcode ID: d41d3ed49e0df0b37e7753a00fe59ce424ede8ed11cb6504f669504b003b63f2
Instruction ID: 7eba1b5b52a46e5834ed77a0b597d7a877398f12dfa6da33531fb7a8f7ae641d
Opcode Fuzzy Hash: d41d3ed49e0df0b37e7753a00fe59ce424ede8ed11cb6504f669504b003b63f2
Instruction Fuzzy Hash: B212A422A0D18386FB309B34F8646797662FB60754FD48075E68B876C4DF3DE984AB1C

Function 00007FF698EF18F8 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 475COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF698EF1938
_invalid_parameter_noinfo.LIBCMT ref: 00007FF698EF1D00
_invalid_parameter_noinfo.LIBCMT ref: 00007FF698EF1F9F

Strings

p, xrefs: 00007FF698EF19DD
f, xrefs: 00007FF698EF1A3A
f, xrefs: 00007FF698EF1B85
p, xrefs: 00007FF698EF1A42
f, xrefs: 00007FF698EF19D0

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$f$p$p$f
API String ID: 3215553584-1325933183
Opcode ID: d738f100ea2c585e80d131aafbe2a69e2e0acbd3b76fe5cf90b2b638373c2978
Instruction ID: 4ae4bae047d24d561e978f6018fe2ae8b31824b565f2e8e1440883be87ec0d9b
Opcode Fuzzy Hash: d738f100ea2c585e80d131aafbe2a69e2e0acbd3b76fe5cf90b2b638373c2978
Instruction Fuzzy Hash: C912D672E0C18B86FB359B35F0642797661FBA0750FD44176E69A87AC4DF3CE480AB08

Function 00007FF698EE1590 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 99COMMON

Download Yara Rule

Strings

fread, xrefs: 00007FF698EE16B9
fseek, xrefs: 00007FF698EE1600
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF698EE15F9
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF698EE1629
Failed to extract %s: failed to open archive file!, xrefs: 00007FF698EE15C3
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF698EE16B2
malloc, xrefs: 00007FF698EE1630

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID: Message
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2030045667-3659356012
Opcode ID: 0deee378f0e0dbbcba27be8de59613c71a3704f45a05304d8fde90f21704b714
Instruction ID: 958d0c6c80350bbdda32d5cab131ad9b46a08c7e6f84d47102b16b6aa5e55d1e
Opcode Fuzzy Hash: 0deee378f0e0dbbcba27be8de59613c71a3704f45a05304d8fde90f21704b714
Instruction Fuzzy Hash: EB31A021B0864386FF31AF22E4201BA6390EF54BC4FD85471DE4D87A96EE3CE5459308

Function 00007FF698EEF330 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 312COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FF698EEF38C

Part of subcall function 00007FF698EF02EC: __GetUnwindTryBlock.LIBCMT ref: 00007FF698EF032F
Part of subcall function 00007FF698EF02EC: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FF698EF0354

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF698EEF464
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FF698EEF6B3
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF698EEF7BF

Strings

csm, xrefs: 00007FF698EEF3A6
csm, xrefs: 00007FF698EEF487
csm, xrefs: 00007FF698EEF40D

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 0e2dbf0607b23b863384daf6af73d36f13a88af7ca772ada99fba3557138c94c
Instruction ID: fc05f835dea5a377e61cc3c6e8b5e71bb371c019acab78e942dd27813b031bb0
Opcode Fuzzy Hash: 0e2dbf0607b23b863384daf6af73d36f13a88af7ca772ada99fba3557138c94c
Instruction Fuzzy Hash: 2DD17D33A08B4286EB309F7594902BD37A0FB55798F9001B5EE8D97B9ADF38E590C744

Function 00007FF698EE89B0 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 104COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF698EE101D), ref: 00007FF698EE8A47
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF698EE101D), ref: 00007FF698EE8A9E

Strings

Out of memory., xrefs: 00007FF698EE8ACF
WideCharToMultiByte, xrefs: 00007FF698EE8AE6
Failed to get UTF-8 buffer size., xrefs: 00007FF698EE8ADF
Failed to encode wchar_t as UTF-8., xrefs: 00007FF698EE8AC6
win32_utils_to_utf8, xrefs: 00007FF698EE8AD6

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID: ByteCharMultiWide
String ID: Failed to encode wchar_t as UTF-8.$Failed to get UTF-8 buffer size.$Out of memory.$WideCharToMultiByte$win32_utils_to_utf8
API String ID: 626452242-27947307
Opcode ID: 400f0bdcbd62a4a5536486c2f7426be13d95d078f8c38135e0fc09a91e7db9c0
Instruction ID: d8727e01b32dfe3de6323581b9b03cdf1aa2053b5a52f47eafa69774ad469ed8
Opcode Fuzzy Hash: 400f0bdcbd62a4a5536486c2f7426be13d95d078f8c38135e0fc09a91e7db9c0
Instruction Fuzzy Hash: 0541DD32A0CB9A82E670CF21B85017AB7A1FB84B90F985575EE8D87B95DF3CD441C708

Function 00007FF698EE8EF0 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 63COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,00007FF698EE39CA), ref: 00007FF698EE8F31

Part of subcall function 00007FF698EE29C0: GetLastError.KERNEL32(00000000,00000000,00000000,00007FF698EE8AF2,?,?,?,?,?,?,?,?,?,?,?,00007FF698EE101D), ref: 00007FF698EE29F4
Part of subcall function 00007FF698EE29C0: MessageBoxW.USER32 ref: 00007FF698EE2AD0

WideCharToMultiByte.KERNEL32(?,00007FF698EE39CA), ref: 00007FF698EE8FA5

Strings

Out of memory., xrefs: 00007FF698EE8F6B
WideCharToMultiByte, xrefs: 00007FF698EE8F45, 00007FF698EE8FB6
Failed to get UTF-8 buffer size., xrefs: 00007FF698EE8F3E
Failed to encode wchar_t as UTF-8., xrefs: 00007FF698EE8FAF
win32_utils_to_utf8, xrefs: 00007FF698EE8F72

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLastMessage
String ID: Failed to encode wchar_t as UTF-8.$Failed to get UTF-8 buffer size.$Out of memory.$WideCharToMultiByte$win32_utils_to_utf8
API String ID: 3723044601-27947307
Opcode ID: 4b8f80f614b111e99d886447c0377d3fa2ad0085ce50da6436ff273b72e0facb
Instruction ID: 3b68fd6943473d1bfb43a890704ea309be85965fd78a28039d434be42a3af37a
Opcode Fuzzy Hash: 4b8f80f614b111e99d886447c0377d3fa2ad0085ce50da6436ff273b72e0facb
Instruction Fuzzy Hash: 9F215C31B0DB4A99EB209F36A850079B662EB84BD0F985575DA4D83795EF3CE541C308

Function 00007FF698EE77B0 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 136COMMON

Download Yara Rule

APIs

_fread_nolock.LIBCMT ref: 00007FF698EE7926

Part of subcall function 00007FF698EF0A40: _invalid_parameter_noinfo.LIBCMT ref: 00007FF698EF0A54

Part of subcall function 00007FF698EF0A14: _invalid_parameter_noinfo.LIBCMT ref: 00007FF698EF0A28

Strings

%s%c%s, xrefs: 00007FF698EE77F5
ERROR: file already exists but should not: %s, xrefs: 00007FF698EE788C
\, xrefs: 00007FF698EE77FC
PYINSTALLER_STRICT_UNPACK_MODE, xrefs: 00007FF698EE7842
WARNING: file already exists but should not: %s, xrefs: 00007FF698EE78A8

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID: _invalid_parameter_noinfo$_fread_nolock
String ID: %s%c%s$ERROR: file already exists but should not: %s$PYINSTALLER_STRICT_UNPACK_MODE$WARNING: file already exists but should not: %s$\
API String ID: 3231891352-3501660386
Opcode ID: 2be27f9cd969ff962ba60c53aa7374ee1e35d43e53d67819a9def324665be43e
Instruction ID: a2bd8a739801d310f72a9c25870afc20cd9f257e5118985ac1cf8791b586eb97
Opcode Fuzzy Hash: 2be27f9cd969ff962ba60c53aa7374ee1e35d43e53d67819a9def324665be43e
Instruction Fuzzy Hash: FE51AC21A0D64245FB30AB35A9642B96291DF95BC0FC540B1EA8EC77DBEE3DE900830C

Function 00007FF698EEE3C8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FF698EEE67A,?,?,?,00007FF698EED5AC,?,?,?,00007FF698EED1A1), ref: 00007FF698EEE44D
GetLastError.KERNEL32(?,?,?,00007FF698EEE67A,?,?,?,00007FF698EED5AC,?,?,?,00007FF698EED1A1), ref: 00007FF698EEE45B
LoadLibraryExW.KERNEL32(?,?,?,00007FF698EEE67A,?,?,?,00007FF698EED5AC,?,?,?,00007FF698EED1A1), ref: 00007FF698EEE485
FreeLibrary.KERNEL32(?,?,?,00007FF698EEE67A,?,?,?,00007FF698EED5AC,?,?,?,00007FF698EED1A1), ref: 00007FF698EEE4F3
GetProcAddress.KERNEL32(?,?,?,00007FF698EEE67A,?,?,?,00007FF698EED5AC,?,?,?,00007FF698EED1A1), ref: 00007FF698EEE4FF

Strings

api-ms-, xrefs: 00007FF698EEE46D

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 5cef7e97cf10635b7adbe76254dad29ae16abfe91812266f9aed7336451ff82a
Instruction ID: 383c7a69ae0c24d1739d4676d2dc9c7dd7aff4a0881d81f1374b284b9b687685
Opcode Fuzzy Hash: 5cef7e97cf10635b7adbe76254dad29ae16abfe91812266f9aed7336451ff82a
Instruction Fuzzy Hash: B131C231B1AA4395EE31DB66A4105B523D4FF44BA0F990575EE1DC7B95EF3CE4808308

Function 00007FF698EE7630 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 88COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF698EE8DE0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF698EE2A9B), ref: 00007FF698EE8E1A

ExpandEnvironmentStringsW.KERNEL32(00000000,00007FF698EE7BB1,00000000,?,00000000,00000000,?,00007FF698EE153F), ref: 00007FF698EE768F

Part of subcall function 00007FF698EE2B10: MessageBoxW.USER32 ref: 00007FF698EE2BE5

Strings

LOADER: Failed to convert runtime-tmpdir to a wide string., xrefs: 00007FF698EE7666
LOADER: Failed to obtain the absolute path of the runtime-tmpdir., xrefs: 00007FF698EE76EA
LOADER: Failed to expand environment variables in the runtime-tmpdir., xrefs: 00007FF698EE76A3

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID: ByteCharEnvironmentExpandMessageMultiStringsWide
String ID: LOADER: Failed to convert runtime-tmpdir to a wide string.$LOADER: Failed to expand environment variables in the runtime-tmpdir.$LOADER: Failed to obtain the absolute path of the runtime-tmpdir.
API String ID: 1662231829-3498232454
Opcode ID: 9bfcf0b62ea921097bc7abb589b6718567d9e6fafddd2668cb98e057143b44d0
Instruction ID: e8c8167c1ead9f031aa7cb57afeed106df52a7a428562a2f39f9f296a59fc38e
Opcode Fuzzy Hash: 9bfcf0b62ea921097bc7abb589b6718567d9e6fafddd2668cb98e057143b44d0
Instruction Fuzzy Hash: 67313E51B2D68241FB34AB35A9652BA5291EF987C1FC404B2DA4EC36D7EE7CE5048708

Function 00007FF698EE8DE0 Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 68COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF698EE2A9B), ref: 00007FF698EE8E1A

Part of subcall function 00007FF698EE29C0: GetLastError.KERNEL32(00000000,00000000,00000000,00007FF698EE8AF2,?,?,?,?,?,?,?,?,?,?,?,00007FF698EE101D), ref: 00007FF698EE29F4
Part of subcall function 00007FF698EE29C0: MessageBoxW.USER32 ref: 00007FF698EE2AD0

MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF698EE2A9B), ref: 00007FF698EE8EA0

Strings

Out of memory., xrefs: 00007FF698EE8E62
Failed to decode wchar_t from UTF-8, xrefs: 00007FF698EE8EAA
Failed to get wchar_t buffer size., xrefs: 00007FF698EE8E27
MultiByteToWideChar, xrefs: 00007FF698EE8E2E, 00007FF698EE8EB1
win32_utils_from_utf8, xrefs: 00007FF698EE8E69

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLastMessage
String ID: Failed to decode wchar_t from UTF-8$Failed to get wchar_t buffer size.$MultiByteToWideChar$Out of memory.$win32_utils_from_utf8
API String ID: 3723044601-876015163
Opcode ID: 7f97f1849ec178b0ff8ea583991b98c80d8c160445cd7602e716bcd8403426a8
Instruction ID: 8c2b8157d9f834f7466e3cb74ffb692dbb09fbd564f0f95fd4a9a5f3cbb3ae19
Opcode Fuzzy Hash: 7f97f1849ec178b0ff8ea583991b98c80d8c160445cd7602e716bcd8403426a8
Instruction Fuzzy Hash: 1F216032B08A5681EB60CF39F851179A3A1FB887C4F984571DB4CC3BAAEE3DD5518708

Function 00007FF698EFBF00 Relevance: 10.6, APIs: 7, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF698EFBF0F
FlsGetValue.KERNEL32 ref: 00007FF698EFBF24
FlsSetValue.KERNEL32 ref: 00007FF698EFBF45
FlsSetValue.KERNEL32 ref: 00007FF698EFBF72
FlsSetValue.KERNEL32 ref: 00007FF698EFBF83
FlsSetValue.KERNEL32 ref: 00007FF698EFBF94
SetLastError.KERNEL32 ref: 00007FF698EFBFAF

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: df2ded1ae2d12cacab90ddcd018bee7069951accd7a28f59ea2aa6442bb7c29d
Instruction ID: 93f31097af87d38047b888ebfebe626b3be97499b71fd1696eddb6aa6f523475
Opcode Fuzzy Hash: df2ded1ae2d12cacab90ddcd018bee7069951accd7a28f59ea2aa6442bb7c29d
Instruction Fuzzy Hash: C7217F2AB0C24242FA786331B9751796562DFA47F0FA447B4E87EC7AC6DE3CB4006708

Function 00007FF698F08D9C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FF698F08DCD
GetLastError.KERNEL32 ref: 00007FF698F08DD9
CloseHandle.KERNEL32 ref: 00007FF698F08DF1
CreateFileW.KERNEL32 ref: 00007FF698F08E1C
WriteConsoleW.KERNEL32 ref: 00007FF698F08E3B

Strings

CONOUT$, xrefs: 00007FF698F08DFD

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 56c47cfc8464f7969a639e7ce3d60490623cf8b9b00151c5924cedcf2ef07519
Instruction ID: 87674746b86b8ff1a498ece0058aca10e0c71688539d30bea08c033e5bc56472
Opcode Fuzzy Hash: 56c47cfc8464f7969a639e7ce3d60490623cf8b9b00151c5924cedcf2ef07519
Instruction Fuzzy Hash: EF119032B18A418AE3608F62E84432962A4FB88FE4F906274EE1DC7794CF3CD544C748

Function 00007FF698EFC078 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF698EF5CBD,?,?,?,?,00007FF698EFF9AF,?,?,00000000,00007FF698EFC196,?,?,?), ref: 00007FF698EFC087
FlsSetValue.KERNEL32(?,?,?,00007FF698EF5CBD,?,?,?,?,00007FF698EFF9AF,?,?,00000000,00007FF698EFC196,?,?,?), ref: 00007FF698EFC0BD
FlsSetValue.KERNEL32(?,?,?,00007FF698EF5CBD,?,?,?,?,00007FF698EFF9AF,?,?,00000000,00007FF698EFC196,?,?,?), ref: 00007FF698EFC0EA
FlsSetValue.KERNEL32(?,?,?,00007FF698EF5CBD,?,?,?,?,00007FF698EFF9AF,?,?,00000000,00007FF698EFC196,?,?,?), ref: 00007FF698EFC0FB
FlsSetValue.KERNEL32(?,?,?,00007FF698EF5CBD,?,?,?,?,00007FF698EFF9AF,?,?,00000000,00007FF698EFC196,?,?,?), ref: 00007FF698EFC10C
SetLastError.KERNEL32(?,?,?,00007FF698EF5CBD,?,?,?,?,00007FF698EFF9AF,?,?,00000000,00007FF698EFC196,?,?,?), ref: 00007FF698EFC127

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: da8c6ca16c8b883ebc71625bfe0f28af63b483cac13b62078f3c5bdeda11927e
Instruction ID: a6877ca0e3b1eeccf4e7def68fd8691f4a678fc32406d000f3777cbf5485bd2b
Opcode Fuzzy Hash: da8c6ca16c8b883ebc71625bfe0f28af63b483cac13b62078f3c5bdeda11927e
Instruction Fuzzy Hash: F5119025F0C25242FA749731B6711796162DFA57F0FA447B4E92EC76C6DE3CB4416308

Function 00007FF698EE25E0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 81windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00007FF698EE27CF), ref: 00007FF698EE2618
DialogBoxIndirectParamW.USER32 ref: 00007FF698EE26DC
DeleteObject.GDI32 ref: 00007FF698EE270F
DestroyIcon.USER32 ref: 00007FF698EE2721

Strings

Unhandled exception in script, xrefs: 00007FF698EE2648

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID: DeleteDestroyDialogHandleIconIndirectModuleObjectParam
String ID: Unhandled exception in script
API String ID: 3081866767-2699770090
Opcode ID: 035139a28c932b525dc7cac8fcdac5569ee169202821a797d5d04823a4addf63
Instruction ID: edcc2d46d83579e4a369adee235a737e98a16e558fc8706947bc44d8db542c66
Opcode Fuzzy Hash: 035139a28c932b525dc7cac8fcdac5569ee169202821a797d5d04823a4addf63
Instruction Fuzzy Hash: 53313C76A08A8289EB20DF31E8551F96360FF89784F840176EA4D87A9ADF3CD105C704

Function 00007FF698EE29C0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 69windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,00000000,00000000,00007FF698EE8AF2,?,?,?,?,?,?,?,?,?,?,?,00007FF698EE101D), ref: 00007FF698EE29F4

Part of subcall function 00007FF698EE8770: GetLastError.KERNEL32(00000000,00007FF698EE2A3E,?,?,?,?,?,?,?,?,?,?,?,00007FF698EE101D), ref: 00007FF698EE8797
Part of subcall function 00007FF698EE8770: FormatMessageW.KERNEL32 ref: 00007FF698EE87C6

Part of subcall function 00007FF698EE8DE0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF698EE2A9B), ref: 00007FF698EE8E1A

MessageBoxW.USER32 ref: 00007FF698EE2AD0
MessageBoxA.USER32 ref: 00007FF698EE2AEC

Strings

Fatal error detected, xrefs: 00007FF698EE2AA6, 00007FF698EE2ADE
%s%s: %s, xrefs: 00007FF698EE2A4B

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID: Message$ErrorLast$ByteCharFormatMultiWide
String ID: %s%s: %s$Fatal error detected
API String ID: 2806210788-2410924014
Opcode ID: e540fe95cbcf3c4f9a9ac735379b1c9e9ae60ded60aea03e9d716fb219e4d584
Instruction ID: 0094a595ae72ed15eabf35298cfd787f21d31a600ed4eaef01791551514a9d66
Opcode Fuzzy Hash: e540fe95cbcf3c4f9a9ac735379b1c9e9ae60ded60aea03e9d716fb219e4d584
Instruction Fuzzy Hash: 1F318372628A8681E730DB20F4516EA6364FF847C4FC05176E6CD83A99DF3CD605CB44

Function 00007FF698EFA83C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF698EFA861
GetProcAddress.KERNEL32 ref: 00007FF698EFA877
FreeLibrary.KERNEL32 ref: 00007FF698EFA89E

Strings

mscoree.dll, xrefs: 00007FF698EFA858
CorExitProcess, xrefs: 00007FF698EFA870

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 2230a043baf354bfbc53885d3c0454218b923bdff90d2529a0827c645eda448d
Instruction ID: c2cf715c47f131d2bc49e47a3a2e133dfb9c210e158fd4fd9ca4cbd2e49c40d9
Opcode Fuzzy Hash: 2230a043baf354bfbc53885d3c0454218b923bdff90d2529a0827c645eda448d
Instruction Fuzzy Hash: 7CF0AF71A09A4281FA348F34B4987392320EF48BA5FD41279D66D8A2E0DF3CD049D304

Function 00007FF698F0A420 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF698F0A448
_set_statfp.LIBCMT ref: 00007FF698F0A463
_set_statfp.LIBCMT ref: 00007FF698F0A47F
_set_statfp.LIBCMT ref: 00007FF698F0A4BB

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: a62d4fcbb0970871e45180a1f834c32a3c4d190302dd8db61346826940fa499d
Instruction ID: 6fe64cd653828962d7fe4e9ec23a6101c0f03e14e2120e3013e848cf9231f43a
Opcode Fuzzy Hash: a62d4fcbb0970871e45180a1f834c32a3c4d190302dd8db61346826940fa499d
Instruction Fuzzy Hash: AC11C47EE1CA0309FA741974E44AB796141EF653F0ED426B5E56ECF2F79E2C6850410C

Function 00007FF698EFC140 Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,00007FF698EFB35B,?,?,00000000,00007FF698EFB5F6,?,?,?,?,?,00007FF698EF38BC), ref: 00007FF698EFC15F
FlsSetValue.KERNEL32(?,?,?,00007FF698EFB35B,?,?,00000000,00007FF698EFB5F6,?,?,?,?,?,00007FF698EF38BC), ref: 00007FF698EFC17E
FlsSetValue.KERNEL32(?,?,?,00007FF698EFB35B,?,?,00000000,00007FF698EFB5F6,?,?,?,?,?,00007FF698EF38BC), ref: 00007FF698EFC1A6
FlsSetValue.KERNEL32(?,?,?,00007FF698EFB35B,?,?,00000000,00007FF698EFB5F6,?,?,?,?,?,00007FF698EF38BC), ref: 00007FF698EFC1B7
FlsSetValue.KERNEL32(?,?,?,00007FF698EFB35B,?,?,00000000,00007FF698EFB5F6,?,?,?,?,?,00007FF698EF38BC), ref: 00007FF698EFC1C8

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 10ef7b20446d589d7543043f1c539080fe2d32c680aee76621b2f3de37225325
Instruction ID: 5725633b156ec2ed66147b676f70a399377d615c00aabc21c33e58e57070adb3
Opcode Fuzzy Hash: 10ef7b20446d589d7543043f1c539080fe2d32c680aee76621b2f3de37225325
Instruction Fuzzy Hash: 45116D61F0825202FA789331B9612795161DFA43F0FA453B4E83EC76C6DE3CB411A308

Function 00007FF698EFBFD4 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32 ref: 00007FF698EFBFE5
FlsSetValue.KERNEL32 ref: 00007FF698EFC004
FlsSetValue.KERNEL32 ref: 00007FF698EFC02C
FlsSetValue.KERNEL32 ref: 00007FF698EFC03D
FlsSetValue.KERNEL32 ref: 00007FF698EFC04E

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 1cbfbab29873deef46e90a648d7a1f8795c58f1c293a930122e54ca216580eab
Instruction ID: fdb3f6897ada0f986fe87ccef70b17f341d35f3f3907740916d65233b9555edd
Opcode Fuzzy Hash: 1cbfbab29873deef46e90a648d7a1f8795c58f1c293a930122e54ca216580eab
Instruction Fuzzy Hash: 0211E825E4821742F978A335B4712B91152CFA63B4EE857B4D93ECA2D6DD3DB442630C

Function 00007FF698EF69F0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF698EF6A2C
_invalid_parameter_noinfo.LIBCMT ref: 00007FF698EF6B56
_invalid_parameter_noinfo.LIBCMT ref: 00007FF698EF6C0C

Strings

verbose, xrefs: 00007FF698EF6A00

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: verbose
API String ID: 3215553584-579935070
Opcode ID: 0e1375701995164762774767e6acc307974a31e0cd050619d1c211530d762839
Instruction ID: 15c9d1b855b15cf5b603444a435b9e6f8475cbb6294046625ed6038daece4cc8
Opcode Fuzzy Hash: 0e1375701995164762774767e6acc307974a31e0cd050619d1c211530d762839
Instruction Fuzzy Hash: 5691C122A08A4642F7719F35E86037D37A1EB60B54FC442B6DA9D873E5DE3CE445A348

Function 00007FF698F00AA0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 219COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF698F00D7F

Part of subcall function 00007FF698F071A4: _invalid_parameter_noinfo.LIBCMT ref: 00007FF698F071C1

Strings

ccs, xrefs: 00007FF698F00CBA
UTF-8, xrefs: 00007FF698F00CFE
UTF-16LEUNICODE, xrefs: 00007FF698F00D1D

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: UTF-16LEUNICODE$UTF-8$ccs
API String ID: 3215553584-1196891531
Opcode ID: de4b53a7bd72cc9a75fc72bdb9aa8b7520de62a16ef0f4afa2e89dc7587c8b22
Instruction ID: 169f17a21440eaf9fe00520cecb813aeb358ebf9de00b81aa0b660025b7082dd
Opcode Fuzzy Hash: de4b53a7bd72cc9a75fc72bdb9aa8b7520de62a16ef0f4afa2e89dc7587c8b22
Instruction Fuzzy Hash: C9818D73E0C6428DFB758E39815027836A0EB91BC8FD5A0B5DA0ED7295DF3DE801970A

Function 00007FF698EECF80 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF698EECFAB
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF698EED042
RtlUnwindEx.KERNEL32 ref: 00007FF698EED09C

Strings

csm, xrefs: 00007FF698EED029

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: 81dbbe3a269521ccb6618414f5b7d9ba6a400a48ab9a514a04d3b64c82b69e43
Instruction ID: 11a8b0237d93586d4a3249663d2af6a646d12897451ea99ebdab8f7d83cfee94
Opcode Fuzzy Hash: 81dbbe3a269521ccb6618414f5b7d9ba6a400a48ab9a514a04d3b64c82b69e43
Instruction Fuzzy Hash: F451D432F196028ADB24CF29E464A7D3392EB45B98F948171DA4D87786DF7DE841C704

Function 00007FF698EEF800 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF698EEF85F
_CallSETranslator.LIBVCRUNTIME ref: 00007FF698EEF8AB

Strings

MOC, xrefs: 00007FF698EEF873
RCC, xrefs: 00007FF698EEF87B

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 93010d95ed42164ec617659bf15c462d53d81a38e330ec23f798dc78275aa1b2
Instruction ID: 145f762f54b6f3683ebf9cd5ee0dbcb4101f88344f20fa7c755f62e6b1a50abe
Opcode Fuzzy Hash: 93010d95ed42164ec617659bf15c462d53d81a38e330ec23f798dc78275aa1b2
Instruction Fuzzy Hash: 7C619133908BC582E7719B25E4507BAB7A0FB84794F844265EB9D87B96DF3CE190CB04

Function 00007FF698EEFBB0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF698EEFBD8
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FF698EEFCC0

Strings

csm, xrefs: 00007FF698EEFD12
csm, xrefs: 00007FF698EEFBFA

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: 7fe73a2a5521307b3718a11731218a5d657cd704d90c9c291f237acf2a87c54e
Instruction ID: fb99559fc253c3c7010a50fe7d3f7d4719447cf69347065bee2a53fa19026a5d
Opcode Fuzzy Hash: 7fe73a2a5521307b3718a11731218a5d657cd704d90c9c291f237acf2a87c54e
Instruction Fuzzy Hash: 00518E3390828286EB748B3594643787BA0FB54B84FA441B6DE8D87BC6CF3CE461C709

Function 00007FF698EE2870 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 69windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF698EE8DE0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF698EE2A9B), ref: 00007FF698EE8E1A

MessageBoxW.USER32 ref: 00007FF698EE297B
MessageBoxA.USER32 ref: 00007FF698EE2997

Strings

Fatal error detected, xrefs: 00007FF698EE2951, 00007FF698EE2989
%s%s: %s, xrefs: 00007FF698EE28F6

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID: Message$ByteCharMultiWide
String ID: %s%s: %s$Fatal error detected
API String ID: 1878133881-2410924014
Opcode ID: bd3b1ec170c9362c6821fd135409a0077202d763314442d1f4ebee1409f7e8bb
Instruction ID: 62fa77d0d53680e5ccc1f263ec31fcede68b386243945fd87a128e695959b242
Opcode Fuzzy Hash: bd3b1ec170c9362c6821fd135409a0077202d763314442d1f4ebee1409f7e8bb
Instruction Fuzzy Hash: 4A319272628A8291E630DB20F4516EAA364FF947C4FC05176E7CD87A9ADF3CD605CB44

Function 00007FF698EE4340 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF698EE8DE0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF698EE2A9B), ref: 00007FF698EE8E1A

CreateFileW.KERNEL32(00000000,?,?,00007FF698EE3FB9,?,00007FF698EE39CA), ref: 00007FF698EE43A8
GetFinalPathNameByHandleW.KERNEL32(?,?,00007FF698EE3FB9,?,00007FF698EE39CA), ref: 00007FF698EE43C8
CloseHandle.KERNEL32(?,?,00007FF698EE3FB9,?,00007FF698EE39CA), ref: 00007FF698EE43D3

Strings

\\?\, xrefs: 00007FF698EE43F7

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID: Handle$ByteCharCloseCreateFileFinalMultiNamePathWide
String ID: \\?\
API String ID: 2226452419-4282027825
Opcode ID: 73aa29fffb20bf18054ec36f2ff632c499c886adceaf3567ccea49c9f56a016a
Instruction ID: 07bafdd8c524fcf0be2720b4687a7c279d07bdad914b4d33355714bc607432ad
Opcode Fuzzy Hash: 73aa29fffb20bf18054ec36f2ff632c499c886adceaf3567ccea49c9f56a016a
Instruction Fuzzy Hash: C221A072B18A5146E730DB31F8543A96251EB887D4F841271DF4D83B99DE3CD548CB08

Function 00007FF698EFD350 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00007FF698EFD3CF
WriteFile.KERNEL32 ref: 00007FF698EFD697
WriteFile.KERNEL32 ref: 00007FF698EFD6DD
GetLastError.KERNEL32 ref: 00007FF698EFD793

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: f3307fa9b22cd1c245fea77c51432e5876b76cda8032067fabe2ab74fde9908f
Instruction ID: b1b9a0230e0893b97ebe2254686d2366ffebac9a06d082eae5ae3d7273034921
Opcode Fuzzy Hash: f3307fa9b22cd1c245fea77c51432e5876b76cda8032067fabe2ab74fde9908f
Instruction Fuzzy Hash: B8D10E72F08A8189E721CF75E4502AC3BA6FB657D8B844275DE5DDBB89DE38E406C304

Function 00007FF698EE2310 Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

EndDialog.USER32 ref: 00007FF698EE2344
SetWindowLongPtrW.USER32 ref: 00007FF698EE2366
GetWindowLongPtrW.USER32 ref: 00007FF698EE2390
InvalidateRect.USER32 ref: 00007FF698EE23B0

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID: LongWindow$DialogInvalidateRect
String ID:
API String ID: 1956198572-0
Opcode ID: c8ffd58409c2a817e2eafc26a907e7367a815fa90807bfabd45e1aee5e5800ec
Instruction ID: aa995d459bb2826520fb9be44a127ce8e015bb0dfd12f56d16067c4a9e908ad6
Opcode Fuzzy Hash: c8ffd58409c2a817e2eafc26a907e7367a815fa90807bfabd45e1aee5e5800ec
Instruction Fuzzy Hash: E7118231E1854342FB649F79F5542BD1292EB88BC0FC89071EA4987B9ACE7CD8C54B08

Function 00007FF698F06A6C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF698F025B0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF698F025E3

_get_daylight.LIBCMT ref: 00007FF698F06B84
_get_daylight.LIBCMT ref: 00007FF698F06B95

Strings

?, xrefs: 00007FF698F06B15

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo
String ID: ?
API String ID: 1286766494-1684325040
Opcode ID: 8b6f824ce68226522039b5681d667a4258c25c0b371a8f4ef00d3752ae492e10
Instruction ID: 8247375657127631a2309b7b5fba93cdbebb8f8c1b75e3cc415d082f6ebb0db1
Opcode Fuzzy Hash: 8b6f824ce68226522039b5681d667a4258c25c0b371a8f4ef00d3752ae492e10
Instruction Fuzzy Hash: 2C411672A08B828AFB349F35A41137A6690EB90BE4F945275EE5C87AD9DF3CD441C704

Function 00007FF698EF9DC8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF698EF9DFA

Part of subcall function 00007FF698EFB700: RtlRestoreThreadPreferredUILanguages.NTDLL(?,?,?,00007FF698F03B72,?,?,?,00007FF698F03BAF,?,?,00000000,00007FF698F04075,?,?,00000000,00007FF698F03FA7), ref: 00007FF698EFB716
Part of subcall function 00007FF698EFB700: GetLastError.KERNEL32(?,?,?,00007FF698F03B72,?,?,?,00007FF698F03BAF,?,?,00000000,00007FF698F04075,?,?,00000000,00007FF698F03FA7), ref: 00007FF698EFB720

GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF698EEC335), ref: 00007FF698EF9E18

Strings

C:\Users\user\Desktop\Colby Dupe Script.exe, xrefs: 00007FF698EF9E06

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID: ErrorFileLanguagesLastModuleNamePreferredRestoreThread_invalid_parameter_noinfo
String ID: C:\Users\user\Desktop\Colby Dupe Script.exe
API String ID: 2553983749-1448296548
Opcode ID: 2dc50b8d6a573f30b306f0085b97da4955317f93722b68647fdb996873f18b46
Instruction ID: cdaa79a0d48274c380c88c03630cfa0fe8e662d4790006c7bac7636ecaf90dda
Opcode Fuzzy Hash: 2dc50b8d6a573f30b306f0085b97da4955317f93722b68647fdb996873f18b46
Instruction Fuzzy Hash: F1419F36A08B4286EB34EF35E4A00B82794EB947D4F945076E98EC7B85DF3CE4819308

Function 00007FF698EFD9E8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF698EFDAFF
GetLastError.KERNEL32 ref: 00007FF698EFDB21

Strings

U, xrefs: 00007FF698EFDAAB

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 76bc1a38fdffd9ebe3e6e71a83b0ba687688a06d9a48e83c019cb8b3d6fff0c8
Instruction ID: 9279bdd8b6b7fe6dcdb11d56e7698792c9b74dd2763a2eac9d9483f350154b7b
Opcode Fuzzy Hash: 76bc1a38fdffd9ebe3e6e71a83b0ba687688a06d9a48e83c019cb8b3d6fff0c8
Instruction Fuzzy Hash: 24418E72B18A8286DB208F25E8543AAA7A0FB987D4F844131EE4DC7798EF3CD541D748

Function 00007FF698F00108 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32 ref: 00007FF698F00148
GetCurrentDirectoryW.KERNEL32 ref: 00007FF698F0019A

Strings

:, xrefs: 00007FF698F0015E

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID: CurrentDirectory
String ID: :
API String ID: 1611563598-336475711
Opcode ID: 5f6034cdb323e25da13304688bcfaa40664c8172194540dca50913ba3db948d1
Instruction ID: 4fadb4c9e65e64559f4eecfbea5c541156bf53f55bfad8b1ba9e7dfbe32885c6
Opcode Fuzzy Hash: 5f6034cdb323e25da13304688bcfaa40664c8172194540dca50913ba3db948d1
Instruction Fuzzy Hash: D121CE33A08681C5EB308F21D45426D63A2FBC4B84FD58076DA8DC3284DF7CE9458744

Function 00007FF698EE2B10 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 57windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF698EE8DE0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF698EE2A9B), ref: 00007FF698EE8E1A

MessageBoxW.USER32 ref: 00007FF698EE2BE5
MessageBoxA.USER32 ref: 00007FF698EE2C01

Strings

Fatal error detected, xrefs: 00007FF698EE2BBB, 00007FF698EE2BF3

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID: Message$ByteCharMultiWide
String ID: Fatal error detected
API String ID: 1878133881-4025702859
Opcode ID: cc7983d7ddd1ca4fe6b0e820e7fb498cdab092a0274b8afa64f738c4e3f04b3b
Instruction ID: 5cdbc7f32943079288ed3d4607fd1da8fb956121e91f5809d7e0d1bbde49b00c
Opcode Fuzzy Hash: cc7983d7ddd1ca4fe6b0e820e7fb498cdab092a0274b8afa64f738c4e3f04b3b
Instruction Fuzzy Hash: B421837262868691E730DB20F4516EAA364FF947C8FC05176E68D87AA9DF3CD205CB04

Function 00007FF698EE2C30 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 57windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF698EE8DE0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF698EE2A9B), ref: 00007FF698EE8E1A

MessageBoxW.USER32 ref: 00007FF698EE2D05
MessageBoxA.USER32 ref: 00007FF698EE2D21

Strings

Error detected, xrefs: 00007FF698EE2CDB, 00007FF698EE2D13

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID: Message$ByteCharMultiWide
String ID: Error detected
API String ID: 1878133881-3513342764
Opcode ID: 339977713d7da472da6bf6cde3ee098e7c711e0ac5788cc03ff0aed866900f2e
Instruction ID: 491a51c2d63ef54f1388146027734d9bf0390f32d2bd80be6c6dd95ae1e89909
Opcode Fuzzy Hash: 339977713d7da472da6bf6cde3ee098e7c711e0ac5788cc03ff0aed866900f2e
Instruction Fuzzy Hash: BD21957262868691E730DB20F4516EAA364FF947C4FC05176EB8D87A99DF3CD205CB04

Function 00007FF698EF0678 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00007FF698EF06C8
RaiseException.KERNEL32 ref: 00007FF698EF0709

Strings

csm, xrefs: 00007FF698EF06F6

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: fd7208e01f832ae2c3cc6aa9bb96c2aefef2cc6e58d8a602234d9daac72df826
Instruction ID: b5adc37d5f50080df14731bd2c3551892795555e9665d51acc19356470a43547
Opcode Fuzzy Hash: fd7208e01f832ae2c3cc6aa9bb96c2aefef2cc6e58d8a602234d9daac72df826
Instruction Fuzzy Hash: 62116D32608B8182EB20CF25F41026977E1FB98B88F994270DE8D87B68DF3CC951CB04

Function 00007FF698F01594 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF698F015C4
GetDriveTypeW.KERNEL32 ref: 00007FF698F01604

Strings

:, xrefs: 00007FF698F015ED

Memory Dump Source

Source File: 00000000.00000002.1733704667.00007FF698EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698EE0000, based on PE: true

Associated: 00000000.00000002.1733686102.00007FF698EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733730182.00007FF698F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733754159.00007FF698F21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733790962.00007FF698F23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff698ee0000_Colby Dupe Script.jbxd

Similarity

API ID: DriveType_invalid_parameter_noinfo
String ID: :
API String ID: 2595371189-336475711
Opcode ID: b3a001ff98c302286219bbad5be65c90682500455353c0d2fccc423422cbb122
Instruction ID: 71594e727111cbd969db4ee1286cd4c6eee5e7fa52ba4bef0d24aa2ab7eba811
Opcode Fuzzy Hash: b3a001ff98c302286219bbad5be65c90682500455353c0d2fccc423422cbb122
Instruction Fuzzy Hash: 2D01847291C6428AF7309F70A46127E63A0EF55788FC02475D58ECB695EF3CE544D718

Analysis Process: Colby Dupe Script.exePID: 7052, Parent PID: 5912COMMON

Execution Graph

Execution Coverage:	0.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	50%
Total number of Nodes:	16
Total number of Limit Nodes:	2

Executed Functions

Function 00007FFDFAE12340 Relevance: 6.9, APIs: 4, Instructions: 896librarymemoryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FFDFAE12E69
GetProcAddress.KERNEL32 ref: 00007FFDFAE12E87
VirtualProtect.KERNEL32(?,?,?,00000000), ref: 00007FFDFAE12F11
VirtualProtect.KERNEL32 ref: 00007FFDFAE12F2F

Memory Dump Source

Source File: 00000001.00000002.1726427603.00007FFDFAE12000.00000080.00000001.01000000.00000031.sdmp, Offset: 00007FFDFABD0000, based on PE: true

Associated: 00000001.00000002.1726006615.00007FFDFABD0000.00000002.00000001.01000000.00000031.sdmpDownload File
Associated: 00000001.00000002.1726025426.00007FFDFABD1000.00000040.00000001.01000000.00000031.sdmpDownload File
Associated: 00000001.00000002.1726025426.00007FFDFADAA000.00000040.00000001.01000000.00000031.sdmpDownload File
Associated: 00000001.00000002.1726025426.00007FFDFADBA000.00000040.00000001.01000000.00000031.sdmpDownload File
Associated: 00000001.00000002.1726025426.00007FFDFADCF000.00000040.00000001.01000000.00000031.sdmpDownload File
Associated: 00000001.00000002.1726025426.00007FFDFADF3000.00000040.00000001.01000000.00000031.sdmpDownload File
Associated: 00000001.00000002.1726025426.00007FFDFADFB000.00000040.00000001.01000000.00000031.sdmpDownload File
Associated: 00000001.00000002.1726025426.00007FFDFADFD000.00000040.00000001.01000000.00000031.sdmpDownload File
Associated: 00000001.00000002.1726025426.00007FFDFAE10000.00000040.00000001.01000000.00000031.sdmpDownload File
Associated: 00000001.00000002.1726446480.00007FFDFAE14000.00000004.00000001.01000000.00000031.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfabd0000_Colby Dupe Script.jbxd

Similarity

API ID: ProtectVirtual$AddressLibraryLoadProc
String ID:
API String ID: 3300690313-0
Opcode ID: cafc77c72beb4bd53c6e3c8a1b7038cc46def87aa34a7a02fca3f610377cff5a
Instruction ID: 88fc8fbdca579bf21ee20750015ff91f8a3c2c0454d307c232f38b0219575337
Opcode Fuzzy Hash: cafc77c72beb4bd53c6e3c8a1b7038cc46def87aa34a7a02fca3f610377cff5a
Instruction Fuzzy Hash: DA6258227281A29BE7199F38D8106BD7790FB58785F445531EAAFC37C8EA3DEA45C700

Function 00007FFDFB413230 Relevance: 6.8, APIs: 4, Instructions: 850librarymemoryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FFDFB413CF0
GetProcAddress.KERNEL32 ref: 00007FFDFB413D1A
VirtualProtect.KERNEL32(?,?,?,00000000), ref: 00007FFDFB413DA4
VirtualProtect.KERNEL32 ref: 00007FFDFB413DC2

Memory Dump Source

Source File: 00000001.00000002.1727411729.00007FFDFB413000.00000080.00000001.01000000.00000014.sdmp, Offset: 00007FFDFB0C0000, based on PE: true

Associated: 00000001.00000002.1726907514.00007FFDFB0C0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB0C1000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB0CD000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB125000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB139000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB149000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB15D000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB30C000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB30E000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB339000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB36A000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB390000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB3DE000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB3E4000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB3E6000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB402000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB40F000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1727429814.00007FFDFB414000.00000004.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb0c0000_Colby Dupe Script.jbxd

Similarity

API ID: ProtectVirtual$AddressLibraryLoadProc
String ID:
API String ID: 3300690313-0
Opcode ID: 6912a145b092a435b2690e8e050799ca64382d8315b3fc9a28e3f91c66e0900d
Instruction ID: c4aaa606c348c303bad07f9b25fbb7857e2d8b64cc30abfdf889492f023678e5
Opcode Fuzzy Hash: 6912a145b092a435b2690e8e050799ca64382d8315b3fc9a28e3f91c66e0900d
Instruction Fuzzy Hash: C7622962B29192A6E716CF38D61077D77A0F748789F046531EAAEC37D8E63CEA45C700

Function 00007FFDFAF4F820 Relevance: 1.7, APIs: 1, Instructions: 213
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemInfo.KERNEL32(?,?,?,?,00007FFDFAFF890C,?,?,?,?,00007FFDFAF485DD,?,?,?,?,00007FFDFAF74567), ref: 00007FFDFAF4F848

Memory Dump Source

Source File: 00000001.00000002.1726716991.00007FFDFAF41000.00000040.00000001.01000000.00000019.sdmp, Offset: 00007FFDFAF40000, based on PE: true

Associated: 00000001.00000002.1726698067.00007FFDFAF40000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726716991.00007FFDFB093000.00000040.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726716991.00007FFDFB095000.00000040.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726716991.00007FFDFB0AA000.00000040.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726870011.00007FFDFB0AC000.00000080.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726888688.00007FFDFB0AE000.00000004.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaf40000_Colby Dupe Script.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 75f1db212b269ba8466c8530d3d4b3f45e34fba6d528fb4c6e7acba09ac25192
Instruction ID: eb35c47fc932750ad572add09c2ef7e20b4d50d28f396748ae658b732b849397
Opcode Fuzzy Hash: 75f1db212b269ba8466c8530d3d4b3f45e34fba6d528fb4c6e7acba09ac25192
Instruction Fuzzy Hash: 43A10721F0AB4381FF588B56E830A7522A0BF46BA8F440675DD6E4A3E8DF7CE6559310

Function 00007FFDFAFF8620 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 320
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

00007FFE146319C0.VCRUNTIME140(?,?,?,?,00007FFDFAF485DD,?,?,?,?,00007FFDFAF74567,?,?,?,?,?,00007FFDFAF4207B), ref: 00007FFDFAFF87B8

Strings

gfff, xrefs: 00007FFDFAFF8ACA

Memory Dump Source

Source File: 00000001.00000002.1726716991.00007FFDFAF41000.00000040.00000001.01000000.00000019.sdmp, Offset: 00007FFDFAF40000, based on PE: true

Associated: 00000001.00000002.1726698067.00007FFDFAF40000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726716991.00007FFDFB093000.00000040.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726716991.00007FFDFB095000.00000040.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726716991.00007FFDFB0AA000.00000040.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726870011.00007FFDFB0AC000.00000080.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726888688.00007FFDFB0AE000.00000004.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaf40000_Colby Dupe Script.jbxd

Similarity

API ID: 00007E146319
String ID: gfff
API String ID: 1776107623-1553575800
Opcode ID: fc0083de08274c5edd80eb5e96a5d3d50a5f3cba4e7f9cce6d4ea1fa2268eea6
Instruction ID: bad0a15cde912caca23fe29870c805cca57fa377915067240e9e2b3f45170494
Opcode Fuzzy Hash: fc0083de08274c5edd80eb5e96a5d3d50a5f3cba4e7f9cce6d4ea1fa2268eea6
Instruction Fuzzy Hash: 62F1E960F1EB8795FB588B12A870E7423A0BF46B98F444275E92D4A3F9DF7CB441A740

Non-executed Functions

Function 00007FFDFB0C266C Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 168COMMON

Download Yara Rule

APIs

GetEnvironmentVariableW.KERNEL32 ref: 00007FFDFB28DCB1
GetEnvironmentVariableW.KERNEL32 ref: 00007FFDFB28DCD2
GetEnvironmentVariableW.KERNEL32 ref: 00007FFDFB28DCED
GetEnvironmentVariableW.KERNEL32 ref: 00007FFDFB28DD08
GetEnvironmentVariableW.KERNEL32 ref: 00007FFDFB28DD50
WideCharToMultiByte.KERNEL32 ref: 00007FFDFB28DD86
WideCharToMultiByte.KERNEL32 ref: 00007FFDFB28DDDB

Strings

RANDFILE, xrefs: 00007FFDFB28DC99
SYSTEMROOT, xrefs: 00007FFDFB28DCF9
USERPROFILE, xrefs: 00007FFDFB28DCDE
.rnd, xrefs: 00007FFDFB28DE8A
HOME, xrefs: 00007FFDFB28DCC0

Memory Dump Source

Source File: 00000001.00000002.1726926360.00007FFDFB0C1000.00000040.00000001.01000000.00000014.sdmp, Offset: 00007FFDFB0C0000, based on PE: true

Associated: 00000001.00000002.1726907514.00007FFDFB0C0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB0CD000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB125000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB139000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB149000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB15D000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB30C000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB30E000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB339000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB36A000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB390000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB3DE000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB3E4000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB3E6000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB402000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB40F000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1727411729.00007FFDFB413000.00000080.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1727429814.00007FFDFB414000.00000004.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb0c0000_Colby Dupe Script.jbxd

Similarity

API ID: EnvironmentVariable$ByteCharMultiWide
String ID: .rnd$HOME$RANDFILE$SYSTEMROOT$USERPROFILE
API String ID: 2184640988-1666712896
Opcode ID: 419c88fdedd40b7a4bd6282dbefca93637e627fdfe4ba8766129e23dca955196
Instruction ID: 3a6ba0fea00e21028ae4292584a7c3d4ea65823d984237f00e1361d2f291d93b
Opcode Fuzzy Hash: 419c88fdedd40b7a4bd6282dbefca93637e627fdfe4ba8766129e23dca955196
Instruction Fuzzy Hash: E661E72670AB8346EB109F21A56097967A1FF55BE4B588236DE7D837E8DF3DD00A8300

Function 00007FFDFAF6B910 Relevance: 14.4, APIs: 1, Strings: 7, Instructions: 427COMMON

Download Yara Rule

APIs

00007FFE146319C0.VCRUNTIME140 ref: 00007FFDFAF6BA16

Strings

Main freelist: , xrefs: 00007FFDFAF6BA67
Pointer map page %d is referenced, xrefs: 00007FFDFAF6BD28
max rootpage (%d) disagrees with header (%d), xrefs: 00007FFDFAF6BAE9
Page %d is never used, xrefs: 00007FFDFAF6BCBB
Bad ptr map entry key=%d expected=(%d,%d) got=(%d,%d), xrefs: 00007FFDFAF6BBCD
incremental_vacuum enabled with a max rootpage of zero, xrefs: 00007FFDFAF6BB0D
Failed to read ptrmap key=%d, xrefs: 00007FFDFAF6BBA6

Memory Dump Source

Source File: 00000001.00000002.1726716991.00007FFDFAF41000.00000040.00000001.01000000.00000019.sdmp, Offset: 00007FFDFAF40000, based on PE: true

Associated: 00000001.00000002.1726698067.00007FFDFAF40000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726716991.00007FFDFB093000.00000040.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726716991.00007FFDFB095000.00000040.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726716991.00007FFDFB0AA000.00000040.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726870011.00007FFDFB0AC000.00000080.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726888688.00007FFDFB0AE000.00000004.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaf40000_Colby Dupe Script.jbxd

Similarity

API ID: 00007E146319
String ID: Bad ptr map entry key=%d expected=(%d,%d) got=(%d,%d)$Failed to read ptrmap key=%d$Main freelist: $Page %d is never used$Pointer map page %d is referenced$incremental_vacuum enabled with a max rootpage of zero$max rootpage (%d) disagrees with header (%d)
API String ID: 1776107623-2103957143
Opcode ID: 1b56883e94786a4ef89848aa5daf97c28cb12df8ac01aa6718e35593c8ad7888
Instruction ID: 6b31eba10bc7d19f9aeb6a758b524cd136f6139bb8326bb58f3a038ac4bfb0ef
Opcode Fuzzy Hash: 1b56883e94786a4ef89848aa5daf97c28cb12df8ac01aa6718e35593c8ad7888
Instruction Fuzzy Hash: 82129E32B097428AEB28CB65D464AA973A1FF45768F540275EE6D4BBE8CF3CE445C700

Function 00007FFDFAF4E040 Relevance: 14.4, APIs: 2, Strings: 6, Instructions: 399COMMON

Download Yara Rule

APIs

00007FFE146319C0.VCRUNTIME140 ref: 00007FFDFAF4E0AB
00007FFE146319C0.VCRUNTIME140 ref: 00007FFDFAF4E133

Part of subcall function 00007FFDFAF4B640: 00007FFE146319C0.VCRUNTIME140 ref: 00007FFDFAF4B6A2

Strings

winGetTempname1, xrefs: 00007FFDFAF4E234
winGetTempname2, xrefs: 00007FFDFAF4E166
etilqs_, xrefs: 00007FFDFAF4E062, 00007FFDFAF4E31A
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789, xrefs: 00007FFDFAF4E353
winGetTempname4, xrefs: 00007FFDFAF4E5DE
winGetTempname5, xrefs: 00007FFDFAF4E30C

Memory Dump Source

Source File: 00000001.00000002.1726716991.00007FFDFAF41000.00000040.00000001.01000000.00000019.sdmp, Offset: 00007FFDFAF40000, based on PE: true

Associated: 00000001.00000002.1726698067.00007FFDFAF40000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726716991.00007FFDFB093000.00000040.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726716991.00007FFDFB095000.00000040.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726716991.00007FFDFB0AA000.00000040.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726870011.00007FFDFB0AC000.00000080.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726888688.00007FFDFB0AE000.00000004.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaf40000_Colby Dupe Script.jbxd

Similarity

API ID: 00007E146319
String ID: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789$etilqs_$winGetTempname1$winGetTempname2$winGetTempname4$winGetTempname5
API String ID: 1776107623-463513059
Opcode ID: 47cd6acc09cb97cf6b0c7df549a53dd8525139ec74fec1c94a40a24148967e6a
Instruction ID: 42891d9ad0bc8f93b16c0826d697cabba0e21ed0874246555606906aaa6b1a2d
Opcode Fuzzy Hash: 47cd6acc09cb97cf6b0c7df549a53dd8525139ec74fec1c94a40a24148967e6a
Instruction Fuzzy Hash: 48E11351B1D3C707EF0C8B39A4219B86A919F5A790F484276EEBE4B7D5DE2CB612C700

Function 00007FFDFAE23048 Relevance: 13.6, APIs: 9, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FFDFAE23064
00007FFE146319C0.VCRUNTIME140 ref: 00007FFDFAE23088
RtlCaptureContext.KERNEL32 ref: 00007FFDFAE23091
RtlLookupFunctionEntry.KERNEL32 ref: 00007FFDFAE230AB
RtlVirtualUnwind.KERNEL32 ref: 00007FFDFAE230EC
00007FFE146319C0.VCRUNTIME140 ref: 00007FFDFAE2311F
IsDebuggerPresent.KERNEL32 ref: 00007FFDFAE23140
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FFDFAE23161
UnhandledExceptionFilter.KERNEL32 ref: 00007FFDFAE2316C

Memory Dump Source

Source File: 00000001.00000002.1726484532.00007FFDFAE21000.00000040.00000001.01000000.0000001E.sdmp, Offset: 00007FFDFAE20000, based on PE: true

Associated: 00000001.00000002.1726465722.00007FFDFAE20000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000001.00000002.1726484532.00007FFDFAE84000.00000040.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000001.00000002.1726484532.00007FFDFAED3000.00000040.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000001.00000002.1726484532.00007FFDFAF2C000.00000040.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000001.00000002.1726484532.00007FFDFAF31000.00000040.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000001.00000002.1726484532.00007FFDFAF34000.00000040.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000001.00000002.1726661849.00007FFDFAF35000.00000080.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000001.00000002.1726679942.00007FFDFAF37000.00000004.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae20000_Colby Dupe Script.jbxd

Similarity

API ID: 00007E146319ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 2350663779-0
Opcode ID: d8a6e0e72b6848609e29a44b0cba3310e6ec791779f206a0b46e58d07e77914d
Instruction ID: 8ff86c469f87c212e8d0e74d1bb1bb4bfb9bd68f68878a42da4db9b35c9f03a0
Opcode Fuzzy Hash: d8a6e0e72b6848609e29a44b0cba3310e6ec791779f206a0b46e58d07e77914d
Instruction Fuzzy Hash: 0B318F72B08A8285EB649F60E860BED73A0FB94744F440079DA5E47AD8DF3DC648CB10

Function 00007FFDFAF469A2 Relevance: 12.7, APIs: 2, Strings: 5, Instructions: 488COMMON

Download Yara Rule

APIs

00007FFE146319C0.VCRUNTIME140 ref: 00007FFDFAF46D46

Strings

VUUU, xrefs: 00007FFDFAF46AA8
0123456789ABCDEF0123456789abcdef, xrefs: 00007FFDFAF46DE8
NaN, xrefs: 00007FFDFAF46B0F
gfff, xrefs: 00007FFDFAF46E34
Inf, xrefs: 00007FFDFAF46C01

Memory Dump Source

Source File: 00000001.00000002.1726716991.00007FFDFAF41000.00000040.00000001.01000000.00000019.sdmp, Offset: 00007FFDFAF40000, based on PE: true

Associated: 00000001.00000002.1726698067.00007FFDFAF40000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726716991.00007FFDFB093000.00000040.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726716991.00007FFDFB095000.00000040.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726716991.00007FFDFB0AA000.00000040.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726870011.00007FFDFB0AC000.00000080.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726888688.00007FFDFB0AE000.00000004.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaf40000_Colby Dupe Script.jbxd

Similarity

API ID: 00007E146319
String ID: 0123456789ABCDEF0123456789abcdef$Inf$NaN$VUUU$gfff
API String ID: 1776107623-2941899328
Opcode ID: e0fc8c7b0d882bf01384680dcc055da3b179f8e9c85d86452f87d38abd0181c3
Instruction ID: f9a7d24c23019371067e86217c1509f51bf65b5fe0332d11cfc74219a3f59f55
Opcode Fuzzy Hash: e0fc8c7b0d882bf01384680dcc055da3b179f8e9c85d86452f87d38abd0181c3
Instruction Fuzzy Hash: 68128D22F0CA8785E7AA8A35D060B7A6BA0FF55394F054371FE9D5B6D9DF2CE6418300

Function 00007FFDFB0C3229 Relevance: 12.3, APIs: 8, Instructions: 251fileCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00007FFDFB26400F
GetLastError.KERNEL32 ref: 00007FFDFB26401C
MultiByteToWideChar.KERNEL32 ref: 00007FFDFB264043
MultiByteToWideChar.KERNEL32 ref: 00007FFDFB264098
00007FFE1FF9F020.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFDFB2640A9
FindFirstFileW.KERNEL32 ref: 00007FFDFB26421C
FindNextFileW.KERNEL32 ref: 00007FFDFB264259
WideCharToMultiByte.KERNEL32 ref: 00007FFDFB2642B7

Memory Dump Source

Source File: 00000001.00000002.1726926360.00007FFDFB0C1000.00000040.00000001.01000000.00000014.sdmp, Offset: 00007FFDFB0C0000, based on PE: true

Associated: 00000001.00000002.1726907514.00007FFDFB0C0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB0CD000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB125000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB139000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB149000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB15D000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB30C000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB30E000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB339000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB36A000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB390000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB3DE000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB3E4000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB3E6000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB402000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB40F000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1727411729.00007FFDFB413000.00000080.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1727429814.00007FFDFB414000.00000004.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb0c0000_Colby Dupe Script.jbxd

Similarity

API ID: ByteCharMultiWide$FileFind$00007ErrorF020FirstLastNext
String ID:
API String ID: 1171239525-0
Opcode ID: b84a2f744cee5a13916b1079a4c81b9897484e08d179ab741295abe408a7cb8c
Instruction ID: af6b11d83ed5c022018b7dc72375ddca3dbe63484b552f889b2742244120df3c
Opcode Fuzzy Hash: b84a2f744cee5a13916b1079a4c81b9897484e08d179ab741295abe408a7cb8c
Instruction Fuzzy Hash: AAB1B522B06A8389EB109F65D464A7967A1FF49BA4F544335DABD837F8EF3CD0458300

Function 00007FFDFB0C5A1F Relevance: 10.6, APIs: 7, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FFDFB305BBC
RtlCaptureContext.KERNEL32 ref: 00007FFDFB305BE9
RtlLookupFunctionEntry.KERNEL32 ref: 00007FFDFB305C03
RtlVirtualUnwind.KERNEL32 ref: 00007FFDFB305C44
IsDebuggerPresent.KERNEL32 ref: 00007FFDFB305C98
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FFDFB305CB9
UnhandledExceptionFilter.KERNEL32 ref: 00007FFDFB305CC4

Memory Dump Source

Source File: 00000001.00000002.1726926360.00007FFDFB0C1000.00000040.00000001.01000000.00000014.sdmp, Offset: 00007FFDFB0C0000, based on PE: true

Associated: 00000001.00000002.1726907514.00007FFDFB0C0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB0CD000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB125000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB139000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB149000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB15D000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB30C000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB30E000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB339000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB36A000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB390000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB3DE000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB3E4000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB3E6000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB402000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB40F000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1727411729.00007FFDFB413000.00000080.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1727429814.00007FFDFB414000.00000004.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb0c0000_Colby Dupe Script.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 836932d6aed314119f7ddbe256598baef3b0bd20caf5fb751809a6c17d89e7ea
Instruction ID: 04bbda177e0011a795172c32cb071bcd9f68aafe085389367c1b42d9692f4a66
Opcode Fuzzy Hash: 836932d6aed314119f7ddbe256598baef3b0bd20caf5fb751809a6c17d89e7ea
Instruction Fuzzy Hash: 4731417270AB8286EB609F60E8607ED7761FB84748F484039DB9D47AE9DF38D548C710

Function 00007FFDFAFBED10 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 358COMMON

Download Yara Rule

APIs

00007FFE146319C0.VCRUNTIME140 ref: 00007FFDFAFBED7A

Strings

database schema is locked: %s, xrefs: 00007FFDFAFBEEC7
statement too long, xrefs: 00007FFDFAFBEF1D
out of memory, xrefs: 00007FFDFAFBEDE3

Memory Dump Source

Source File: 00000001.00000002.1726716991.00007FFDFAF41000.00000040.00000001.01000000.00000019.sdmp, Offset: 00007FFDFAF40000, based on PE: true

Associated: 00000001.00000002.1726698067.00007FFDFAF40000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726716991.00007FFDFB093000.00000040.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726716991.00007FFDFB095000.00000040.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726716991.00007FFDFB0AA000.00000040.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726870011.00007FFDFB0AC000.00000080.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726888688.00007FFDFB0AE000.00000004.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaf40000_Colby Dupe Script.jbxd

Similarity

API ID: 00007E146319
String ID: database schema is locked: %s$out of memory$statement too long
API String ID: 1776107623-1046679716
Opcode ID: e232070af0714be8bfd0a6078d049f8658ffead47aa7b1c63900081b75c8633c
Instruction ID: 14aa28eae24a10a29476a51461f55c75bece790c0fdc20e0bc97e3bea498c991
Opcode Fuzzy Hash: e232070af0714be8bfd0a6078d049f8658ffead47aa7b1c63900081b75c8633c
Instruction Fuzzy Hash: 22F16122B0868345FB289B21D464BBA67A0FF45BA4F044276EF6E4B6D9DF7CE541C310

Function 00007FFDFB0C2B5D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 57networkCOMMON

Download Yara Rule

APIs

bind.WS2_32 ref: 00007FFDFB18A319
WSAGetLastError.WS2_32 ref: 00007FFDFB18A328

Strings

..\s\crypto\bio\b_sock2.c, xrefs: 00007FFDFB18A2CE, 00007FFDFB18A33E, 00007FFDFB18A35A

Memory Dump Source

Source File: 00000001.00000002.1726926360.00007FFDFB0C1000.00000040.00000001.01000000.00000014.sdmp, Offset: 00007FFDFB0C0000, based on PE: true

Associated: 00000001.00000002.1726907514.00007FFDFB0C0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB0CD000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB125000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB139000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB149000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB15D000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB30C000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB30E000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB339000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB36A000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB390000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB3DE000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB3E4000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB3E6000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB402000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB40F000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1727411729.00007FFDFB413000.00000080.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1727429814.00007FFDFB414000.00000004.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb0c0000_Colby Dupe Script.jbxd

Similarity

API ID: ErrorLastbind
String ID: ..\s\crypto\bio\b_sock2.c
API String ID: 2328862993-3200932406
Opcode ID: c767e834a84740a79c233dcad0d39ea44b2e2a28cfc1136448b175a4500b188a
Instruction ID: 7ad7c1d1ef18cbda39718e7c2c809ef688490bf9bd85b5938ae50c2b56690b9a
Opcode Fuzzy Hash: c767e834a84740a79c233dcad0d39ea44b2e2a28cfc1136448b175a4500b188a
Instruction Fuzzy Hash: 0421BE62F1A55382E710DB21E810ABD6760FB82B88F400231EA6D03BEDDF3DE5469B00

Function 00007FFDFB0C572C Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1726926360.00007FFDFB0C1000.00000040.00000001.01000000.00000014.sdmp, Offset: 00007FFDFB0C0000, based on PE: true

Associated: 00000001.00000002.1726907514.00007FFDFB0C0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB0CD000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB125000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB139000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB149000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB15D000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB30C000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB30E000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB339000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB36A000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB390000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB3DE000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB3E4000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB3E6000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB402000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB40F000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1727411729.00007FFDFB413000.00000080.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1727429814.00007FFDFB414000.00000004.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb0c0000_Colby Dupe Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b647e036b0e5ae8a118200442eb522906dc17efbe743a2891263b2f3e414abb
Instruction ID: 611943784eb2208ffa2207ade6cde1b1b9e13f1c30f7f017d8fb8777f6b39f32
Opcode Fuzzy Hash: 8b647e036b0e5ae8a118200442eb522906dc17efbe743a2891263b2f3e414abb
Instruction Fuzzy Hash: B3E0DF73B193A505CB56CA336218E792A90A714BCDF43C030990DC3F99EF2EEA01CB40

Function 00007FFDFB273F10 Relevance: 58.0, APIs: 19, Strings: 14, Instructions: 223COMMON

Download Yara Rule

APIs

00007FFE1FFB5630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDFB274B53,?,?,?,?,?,?,?,?,00007FFDFB272B8B), ref: 00007FFDFB273F61
00007FFE1FFB5630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDFB274B53,?,?,?,?,?,?,?,?,00007FFDFB272B8B), ref: 00007FFDFB273F78
00007FFE1FFB5630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDFB274B53,?,?,?,?,?,?,?,?,00007FFDFB272B8B), ref: 00007FFDFB273F8F
00007FFE1FFB5630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDFB274B53,?,?,?,?,?,?,?,?,00007FFDFB272B8B), ref: 00007FFDFB273FC2
00007FFE1FFB5630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDFB274B53,?,?,?,?,?,?,?,?,00007FFDFB272B8B), ref: 00007FFDFB27400B
00007FFE1FFB5630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDFB274B53,?,?,?,?,?,?,?,?,00007FFDFB272B8B), ref: 00007FFDFB27403F
00007FFE1FFB5630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDFB274B53,?,?,?,?,?,?,?,?,00007FFDFB272B8B), ref: 00007FFDFB274091
00007FFE1FFB5630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDFB274B53,?,?,?,?,?,?,?,?,00007FFDFB272B8B), ref: 00007FFDFB2740A4
00007FFE1FFB5630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDFB274B53,?,?,?,?,?,?,?,?,00007FFDFB272B8B), ref: 00007FFDFB2740BB
00007FFE1FFB5630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDFB274B53,?,?,?,?,?,?,?,?,00007FFDFB272B8B), ref: 00007FFDFB2740CE
00007FFE1FFB5630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDFB274B53,?,?,?,?,?,?,?,?,00007FFDFB272B8B), ref: 00007FFDFB2740E5
00007FFE1FFB5630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDFB274B53,?,?,?,?,?,?,?,?,00007FFDFB272B8B), ref: 00007FFDFB2740F8
00007FFE1FFB5630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDFB274B53,?,?,?,?,?,?,?,?,00007FFDFB272B8B), ref: 00007FFDFB27410F
00007FFE1FFB5630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDFB274B53,?,?,?,?,?,?,?,?,00007FFDFB272B8B), ref: 00007FFDFB274122
00007FFE1FFB5630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDFB274B53,?,?,?,?,?,?,?,?,00007FFDFB272B8B), ref: 00007FFDFB274135
00007FFE1FFB5630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDFB274B53,?,?,?,?,?,?,?,?,00007FFDFB272B8B), ref: 00007FFDFB274148
00007FFE1FFB5630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDFB274B53,?,?,?,?,?,?,?,?,00007FFDFB272B8B), ref: 00007FFDFB27415B
00007FFE1FFB5630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDFB274B53,?,?,?,?,?,?,?,?,00007FFDFB272B8B), ref: 00007FFDFB2741A7
00007FFE1FFB5630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDFB274B53,?,?,?,?,?,?,?,?,00007FFDFB272B8B), ref: 00007FFDFB2741D2

Strings

DH PARAMETERS, xrefs: 00007FFDFB27409A
ANY PRIVATE KEY, xrefs: 00007FFDFB273F57
TRUSTED CERTIFICATE, xrefs: 00007FFDFB274118, 00007FFDFB27413E
PKCS #7 SIGNED DATA, xrefs: 00007FFDFB27419D
PKCS7, xrefs: 00007FFDFB274162
ENCRYPTED PRIVATE KEY, xrefs: 00007FFDFB273F6E
PRIVATE KEY, xrefs: 00007FFDFB273F85, 00007FFDFB273FB4
X509 CERTIFICATE, xrefs: 00007FFDFB2740B1, 00007FFDFB27412B
NEW CERTIFICATE REQUEST, xrefs: 00007FFDFB2740DB
CERTIFICATE REQUEST, xrefs: 00007FFDFB2740EE
CMS, xrefs: 00007FFDFB2741D7
PARAMETERS, xrefs: 00007FFDFB274001, 00007FFDFB274031
X9.42 DH PARAMETERS, xrefs: 00007FFDFB274087
CERTIFICATE, xrefs: 00007FFDFB2740C4, 00007FFDFB274105, 00007FFDFB274151, 00007FFDFB2741C8

Memory Dump Source

Source File: 00000001.00000002.1726926360.00007FFDFB15D000.00000040.00000001.01000000.00000014.sdmp, Offset: 00007FFDFB0C0000, based on PE: true

Associated: 00000001.00000002.1726907514.00007FFDFB0C0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB0C1000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB0CD000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB125000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB139000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB149000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB30C000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB30E000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB339000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB36A000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB390000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB3DE000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB3E4000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB3E6000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB402000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB40F000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1727411729.00007FFDFB413000.00000080.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1727429814.00007FFDFB414000.00000004.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb0c0000_Colby Dupe Script.jbxd

Similarity

API ID: 00007B5630
String ID: ANY PRIVATE KEY$CERTIFICATE$CERTIFICATE REQUEST$CMS$DH PARAMETERS$ENCRYPTED PRIVATE KEY$NEW CERTIFICATE REQUEST$PARAMETERS$PKCS #7 SIGNED DATA$PKCS7$PRIVATE KEY$TRUSTED CERTIFICATE$X509 CERTIFICATE$X9.42 DH PARAMETERS
API String ID: 2248877218-1119032718
Opcode ID: 53791607f956101f911f03bce5df1fcc48f1ca8588c3d50ca4fb3c9ab6ede07a
Instruction ID: 28b7de9c39eb919dd072d08f0239557a20dfdd7f222d59207967c111bf77a32c
Opcode Fuzzy Hash: 53791607f956101f911f03bce5df1fcc48f1ca8588c3d50ca4fb3c9ab6ede07a
Instruction Fuzzy Hash: 6B91DE10B8E65392FF50AB25A972A7827D1DF567E4F682130DC7EC22FDEE2CE4418204

Function 00007FFDFB0C4E3F Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 205registryfileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32 ref: 00007FFDFB1CDC24
GetFileType.KERNEL32 ref: 00007FFDFB1CDC35
WriteFile.KERNEL32 ref: 00007FFDFB1CDC99
MultiByteToWideChar.KERNEL32 ref: 00007FFDFB1CDD06
RegisterEventSourceW.ADVAPI32 ref: 00007FFDFB1CDEB4
ReportEventW.ADVAPI32 ref: 00007FFDFB1CDEF6
DeregisterEventSource.ADVAPI32 ref: 00007FFDFB1CDEFF

Strings

OpenSSL: FATAL, xrefs: 00007FFDFB1CDF0D
OpenSSL, xrefs: 00007FFDFB1CDEAD
no stack?, xrefs: 00007FFDFB1CDCEC
, xrefs: 00007FFDFB1CDD20

Memory Dump Source

Source File: 00000001.00000002.1726926360.00007FFDFB0C1000.00000040.00000001.01000000.00000014.sdmp, Offset: 00007FFDFB0C0000, based on PE: true

Associated: 00000001.00000002.1726907514.00007FFDFB0C0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB0CD000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB125000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB139000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB149000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB15D000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB30C000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB30E000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB339000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB36A000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB390000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB3DE000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB3E4000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB3E6000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB402000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB40F000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1727411729.00007FFDFB413000.00000080.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1727429814.00007FFDFB414000.00000004.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb0c0000_Colby Dupe Script.jbxd

Similarity

API ID: Event$FileSource$ByteCharDeregisterHandleMultiRegisterReportTypeWideWrite
String ID: $OpenSSL$OpenSSL: FATAL$no stack?
API String ID: 1270133462-2963566556
Opcode ID: 4334f370b7a482bd35c4ecd3ae7f0d910e81077902a64c89114c2b2096981407
Instruction ID: b436bdafdd630c2a3b8eec7c2d2c3013e3a7bef472abb8440c660461e6890879
Opcode Fuzzy Hash: 4334f370b7a482bd35c4ecd3ae7f0d910e81077902a64c89114c2b2096981407
Instruction Fuzzy Hash: CA91E373B09B8782EB209F24D8609F93760FB45B98F444235EA6D47AE9EF38D255C300

Function 00007FFDFB0C32AB Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 127COMMON

Download Yara Rule

APIs

00007FFE1FFA1370.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FFDFB2BAB7C
00007FFE1FFB5630.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFB2BAB91
00007FFE1FFA1370.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FFDFB2BABA3

Strings

accuracy, xrefs: 00007FFDFB2BAAB3, 00007FFDFB2BAB03, 00007FFDFB2BAC54
..\s\crypto\ts\ts_conf.c, xrefs: 00007FFDFB2BAAF0, 00007FFDFB2BAC3C
p, xrefs: 00007FFDFB2BAC34
secs, xrefs: 00007FFDFB2BAB4D
millisecs, xrefs: 00007FFDFB2BAB87
microsecs, xrefs: 00007FFDFB2BABAE

Memory Dump Source

Source File: 00000001.00000002.1726926360.00007FFDFB0C1000.00000040.00000001.01000000.00000014.sdmp, Offset: 00007FFDFB0C0000, based on PE: true

Associated: 00000001.00000002.1726907514.00007FFDFB0C0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB0CD000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB125000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB139000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB149000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB15D000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB30C000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB30E000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB339000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB36A000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB390000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB3DE000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB3E4000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB3E6000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB402000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB40F000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1727411729.00007FFDFB413000.00000080.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1727429814.00007FFDFB414000.00000004.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb0c0000_Colby Dupe Script.jbxd

Similarity

API ID: 00007$A1370$B5630
String ID: ..\s\crypto\ts\ts_conf.c$accuracy$microsecs$millisecs$p$secs
API String ID: 751195488-1596076588
Opcode ID: 8e1608afc237cc655a59732373ba8e0b1afa52b80ee81b2eea672c0bd8193b25
Instruction ID: 3dd54a642d34cfaa9859b598a765d4d83d7cdb2805a92865691d97f2e42fac35
Opcode Fuzzy Hash: 8e1608afc237cc655a59732373ba8e0b1afa52b80ee81b2eea672c0bd8193b25
Instruction Fuzzy Hash: 6251C362B0AA079AEB11AB56A830EB97391BF45B84F448031ED6E437FDDF3CE445D600

Function 00007FFDFAFB8320 Relevance: 17.9, APIs: 1, Strings: 9, Instructions: 382COMMON

Download Yara Rule

Strings

not authorized, xrefs: 00007FFDFAFB8385
%s.%s, xrefs: 00007FFDFAFB83DC
sqlite3_extension_init, xrefs: 00007FFDFAFB839D
lib, xrefs: 00007FFDFAFB853F
_init, xrefs: 00007FFDFAFB85DE
error during initialization: %s, xrefs: 00007FFDFAFB8698
sqlite3_, xrefs: 00007FFDFAFB84FA
unable to open shared library [%.*s], xrefs: 00007FFDFAFB8935
no entry point [%s] in shared library [%s], xrefs: 00007FFDFAFB87A5

Memory Dump Source

Source File: 00000001.00000002.1726716991.00007FFDFAF41000.00000040.00000001.01000000.00000019.sdmp, Offset: 00007FFDFAF40000, based on PE: true

Associated: 00000001.00000002.1726698067.00007FFDFAF40000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726716991.00007FFDFB093000.00000040.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726716991.00007FFDFB095000.00000040.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726716991.00007FFDFB0AA000.00000040.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726870011.00007FFDFB0AC000.00000080.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726888688.00007FFDFB0AE000.00000004.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaf40000_Colby Dupe Script.jbxd

Similarity

API ID:
String ID: %s.%s$_init$error during initialization: %s$lib$no entry point [%s] in shared library [%s]$not authorized$sqlite3_$sqlite3_extension_init$unable to open shared library [%.*s]
API String ID: 0-3733955532
Opcode ID: b6d5a7562ca74dbbd21e233fc160e28895668a26162358da1cfac9be2dbcc32d
Instruction ID: aaa4aad27349054167738cba004330048f079d023f107ee26686fde8e3582c1d
Opcode Fuzzy Hash: b6d5a7562ca74dbbd21e233fc160e28895668a26162358da1cfac9be2dbcc32d
Instruction Fuzzy Hash: B8027821B1A78385EF589F11D474AB92361EF86BE4F044276EE6E0A7E8DF2CF4459340

Function 00007FFDFAE22720 Relevance: 16.7, APIs: 11, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FFDFAE22748
__scrt_initialize_crt.LIBCMT ref: 00007FFDFAE2278D
__scrt_acquire_startup_lock.LIBCMT ref: 00007FFDFAE2279A
_RTC_Initialize.LIBCMT ref: 00007FFDFAE227C8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00007FFDFAE227EE
__scrt_release_startup_lock.LIBCMT ref: 00007FFDFAE22819

Memory Dump Source

Source File: 00000001.00000002.1726484532.00007FFDFAE21000.00000040.00000001.01000000.0000001E.sdmp, Offset: 00007FFDFAE20000, based on PE: true

Associated: 00000001.00000002.1726465722.00007FFDFAE20000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000001.00000002.1726484532.00007FFDFAE84000.00000040.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000001.00000002.1726484532.00007FFDFAED3000.00000040.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000001.00000002.1726484532.00007FFDFAF2C000.00000040.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000001.00000002.1726484532.00007FFDFAF31000.00000040.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000001.00000002.1726484532.00007FFDFAF34000.00000040.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000001.00000002.1726661849.00007FFDFAF35000.00000080.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000001.00000002.1726679942.00007FFDFAF37000.00000004.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae20000_Colby Dupe Script.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_release_startup_lock
String ID:
API String ID: 349153199-0
Opcode ID: 2c919d68a485a940d5d0ad5c103bd88b2e133b3e89e7b4880588334ffb64ee24
Instruction ID: 0ae2b9c069bf07f84f120459723d166124cb25746a545bf04a3422a30a8d4bd8
Opcode Fuzzy Hash: 2c919d68a485a940d5d0ad5c103bd88b2e133b3e89e7b4880588334ffb64ee24
Instruction Fuzzy Hash: 5D81CF61F0C24346F75CBB259871A7962D0AF85780F0441B5ED6E477EEDE3EE8458700

Function 00007FFDFAF7F160 Relevance: 16.2, APIs: 1, Strings: 8, Instructions: 487COMMON

Download Yara Rule

APIs

00007FFE146319C0.VCRUNTIME140 ref: 00007FFDFAF7F22C

Strings

cannot open virtual table: %s, xrefs: 00007FFDFAF7F7CF
cannot open table without rowid: %s, xrefs: 00007FFDFAF7F7C6
cannot open %s column for writing, xrefs: 00007FFDFAF7F78B
foreign key, xrefs: 00007FFDFAF7F403
out of memory, xrefs: 00007FFDFAF7F298
no such column: "%s", xrefs: 00007FFDFAF7F7A9
indexed, xrefs: 00007FFDFAF7F450
cannot open view: %s, xrefs: 00007FFDFAF7F7BD

Memory Dump Source

Source File: 00000001.00000002.1726716991.00007FFDFAF41000.00000040.00000001.01000000.00000019.sdmp, Offset: 00007FFDFAF40000, based on PE: true

Associated: 00000001.00000002.1726698067.00007FFDFAF40000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726716991.00007FFDFB093000.00000040.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726716991.00007FFDFB095000.00000040.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726716991.00007FFDFB0AA000.00000040.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726870011.00007FFDFB0AC000.00000080.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726888688.00007FFDFB0AE000.00000004.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaf40000_Colby Dupe Script.jbxd

Similarity

API ID: 00007E146319
String ID: cannot open %s column for writing$cannot open table without rowid: %s$cannot open view: %s$cannot open virtual table: %s$foreign key$indexed$no such column: "%s"$out of memory
API String ID: 1776107623-554953066
Opcode ID: 9a62253b59d75b062b5d8a2c7842bff6b3b59b05ab2fdc856a70bbc8fcb750df
Instruction ID: f61b4285a99dc5ced0aa3b51df1ed9cb2d74c8535f7bc9a48e2dafec6885dc5f
Opcode Fuzzy Hash: 9a62253b59d75b062b5d8a2c7842bff6b3b59b05ab2fdc856a70bbc8fcb750df
Instruction Fuzzy Hash: 8932BD72B0878186EB68CF25E460ABC37A4FF45BA4F404276EA6D4B798DF38E451C710

Function 00007FFDFAF4F070 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 135COMMON

Download Yara Rule

APIs

new[].MSPDB140-MSVCRT ref: 00007FFDFAF4F187

Strings

?, xrefs: 00007FFDFAF4F0B1
%s%c%s, xrefs: 00007FFDFAF4F0E6
winFullPathname1, xrefs: 00007FFDFAF4F16C
:, xrefs: 00007FFDFAF4F0DC
winFullPathname2, xrefs: 00007FFDFAF4F1F5
:, xrefs: 00007FFDFAF4F0A1
\, xrefs: 00007FFDFAF4F0F8

Memory Dump Source

Source File: 00000001.00000002.1726716991.00007FFDFAF41000.00000040.00000001.01000000.00000019.sdmp, Offset: 00007FFDFAF40000, based on PE: true

Associated: 00000001.00000002.1726698067.00007FFDFAF40000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726716991.00007FFDFB093000.00000040.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726716991.00007FFDFB095000.00000040.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726716991.00007FFDFB0AA000.00000040.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726870011.00007FFDFB0AC000.00000080.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726888688.00007FFDFB0AE000.00000004.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaf40000_Colby Dupe Script.jbxd

Similarity

API ID: new[]
String ID: %s%c%s$:$:$?$\$winFullPathname1$winFullPathname2
API String ID: 4059295235-3840279414
Opcode ID: b101e88f1affa16b041cfc1e2f1eca4e78ffadcba296a8941160182071edcd3a
Instruction ID: 455fd76d28fb28cfecd82d9bafeab3e691c25870d3fbdda759eca86f3b15feb6
Opcode Fuzzy Hash: b101e88f1affa16b041cfc1e2f1eca4e78ffadcba296a8941160182071edcd3a
Instruction Fuzzy Hash: 49512612F0D28344FB19AB61E821E756791AF85FB8F480271FD6D0B6DADE3CEA418310

Function 00007FFDFB0C41D8 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 117networkCOMMON

Download Yara Rule

APIs

setsockopt.WS2_32 ref: 00007FFDFB18A48E
WSAGetLastError.WS2_32 ref: 00007FFDFB18A498

Strings

o, xrefs: 00007FFDFB18A5BF
..\s\crypto\bio\b_sock2.c, xrefs: 00007FFDFB18A41E, 00007FFDFB18A4AE, 00007FFDFB18A4CA, 00007FFDFB18A533, 00007FFDFB18A54F, 00007FFDFB18A5AB, 00007FFDFB18A5C7

Memory Dump Source

Source File: 00000001.00000002.1726926360.00007FFDFB0C1000.00000040.00000001.01000000.00000014.sdmp, Offset: 00007FFDFB0C0000, based on PE: true

Associated: 00000001.00000002.1726907514.00007FFDFB0C0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB0CD000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB125000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB139000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB149000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB15D000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB30C000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB30E000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB339000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB36A000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB390000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB3DE000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB3E4000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB3E6000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB402000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB40F000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1727411729.00007FFDFB413000.00000080.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1727429814.00007FFDFB414000.00000004.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb0c0000_Colby Dupe Script.jbxd

Similarity

API ID: ErrorLastsetsockopt
String ID: ..\s\crypto\bio\b_sock2.c$o
API String ID: 1729277954-1872632005
Opcode ID: 55b9dc58d84091389097999520ee8ef412c939128f98883080a21d6a8e2db22d
Instruction ID: 2f18789a2ae9219c61d614ea4a27693a3aadc647689c46f970064c428ac4938d
Opcode Fuzzy Hash: 55b9dc58d84091389097999520ee8ef412c939128f98883080a21d6a8e2db22d
Instruction Fuzzy Hash: E2519E62B1A54387E720DB21E824ABD7360FB82748F544235EAAD03AEDCF3DE545DB40

Function 00007FFDFB0C23D3 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 94libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FFDFB1CDA48
GetProcAddress.KERNEL32 ref: 00007FFDFB1CDA5D
GetProcessWindowStation.USER32 ref: 00007FFDFB1CDA87
GetUserObjectInformationW.USER32 ref: 00007FFDFB1CDAAF
GetLastError.KERNEL32 ref: 00007FFDFB1CDABD
GetUserObjectInformationW.USER32 ref: 00007FFDFB1CDB28

Strings

Service-0x, xrefs: 00007FFDFB1CDB49
_OPENSSL_isservice, xrefs: 00007FFDFB1CDA53

Memory Dump Source

Source File: 00000001.00000002.1726926360.00007FFDFB0C1000.00000040.00000001.01000000.00000014.sdmp, Offset: 00007FFDFB0C0000, based on PE: true

Associated: 00000001.00000002.1726907514.00007FFDFB0C0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB0CD000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB125000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB139000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB149000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB15D000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB30C000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB30E000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB339000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB36A000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB390000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB3DE000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB3E4000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB3E6000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB402000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB40F000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1727411729.00007FFDFB413000.00000080.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1727429814.00007FFDFB414000.00000004.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb0c0000_Colby Dupe Script.jbxd

Similarity

API ID: InformationObjectUser$AddressErrorHandleLastModuleProcProcessStationWindow
String ID: Service-0x$_OPENSSL_isservice
API String ID: 1944374717-1672312481
Opcode ID: bc225b995bbff2d3b119e7081b5c779a5c3234c2f77d3222796a288c2c9d01dd
Instruction ID: b5c0ec8e656080bb49d09a2276b21c2f9695e88b9b95b2a100962db270d0a169
Opcode Fuzzy Hash: bc225b995bbff2d3b119e7081b5c779a5c3234c2f77d3222796a288c2c9d01dd
Instruction Fuzzy Hash: 73416262B0AB8786EB509F24D861AB92390EF497B8B484735E97D477F9DF3CE5058300

Function 00007FFDFB0C60CD Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 227COMMON

Download Yara Rule

APIs

SwitchToFiber.KERNEL32 ref: 00007FFDFB183534
CreateFiber.KERNEL32 ref: 00007FFDFB1835AC
SwitchToFiber.KERNEL32 ref: 00007FFDFB183628
DeleteFiber.KERNEL32 ref: 00007FFDFB18370B

Strings

..\s\crypto\async\async.c, xrefs: 00007FFDFB183451, 00007FFDFB183468, 00007FFDFB1834B0, 00007FFDFB1835D9, 00007FFDFB183640, 00007FFDFB1836C0, 00007FFDFB1836F6, 00007FFDFB183717, 00007FFDFB183744
*, xrefs: 00007FFDFB18346F

Memory Dump Source

Source File: 00000001.00000002.1726926360.00007FFDFB0C1000.00000040.00000001.01000000.00000014.sdmp, Offset: 00007FFDFB0C0000, based on PE: true

Associated: 00000001.00000002.1726907514.00007FFDFB0C0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB0CD000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB125000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB139000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB149000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB15D000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB30C000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB30E000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB339000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB36A000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB390000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB3DE000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB3E4000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB3E6000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB402000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB40F000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1727411729.00007FFDFB413000.00000080.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1727429814.00007FFDFB414000.00000004.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb0c0000_Colby Dupe Script.jbxd

Similarity

API ID: Fiber$Switch$CreateDelete
String ID: *$..\s\crypto\async\async.c
API String ID: 2050058302-1471988776
Opcode ID: c719461031cd02e8d3460bfb015ac940308ff04098e5674ea97173e8f31946a0
Instruction ID: b56e4e1c3034899d5cfc42b229a33fa8f167074f0f57291d55c75fb1cc2e8b48
Opcode Fuzzy Hash: c719461031cd02e8d3460bfb015ac940308ff04098e5674ea97173e8f31946a0
Instruction Fuzzy Hash: E9A17F72B0AA4386EB20DF15E460A7963A0BB45B88F588431EAAD477F9DF3CE545D700

Function 00007FFDFB0C3779 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 85COMMON

Download Yara Rule

APIs

00007FFE1FFB5630.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFB169C16

Strings

utf8only, xrefs: 00007FFDFB169C0C
nombstr, xrefs: 00007FFDFB169B8F
default, xrefs: 00007FFDFB169C3A
MASK:, xrefs: 00007FFDFB169B4A
pkix, xrefs: 00007FFDFB169BCF

Memory Dump Source

Source File: 00000001.00000002.1726926360.00007FFDFB0C1000.00000040.00000001.01000000.00000014.sdmp, Offset: 00007FFDFB0C0000, based on PE: true

Associated: 00000001.00000002.1726907514.00007FFDFB0C0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB0CD000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB125000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB139000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB149000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB15D000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB30C000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB30E000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB339000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB36A000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB390000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB3DE000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB3E4000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB3E6000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB402000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB40F000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1727411729.00007FFDFB413000.00000080.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1727429814.00007FFDFB414000.00000004.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb0c0000_Colby Dupe Script.jbxd

Similarity

API ID: 00007B5630
String ID: MASK:$default$nombstr$pkix$utf8only
API String ID: 2248877218-3483942737
Opcode ID: 56a8b705b4d859711014d430f94cbbc3222095bc84f144be5c70752352c183a7
Instruction ID: a66ce8fdf330311db216f11e2a1263a33e53c3b00c71f8759e1285742aafdf54
Opcode Fuzzy Hash: 56a8b705b4d859711014d430f94cbbc3222095bc84f144be5c70752352c183a7
Instruction Fuzzy Hash: 7B314A23F1E5838BEB415B18E460BB93790EB49794F445132EB6E436F9EE2CE491C700

Function 00007FFDFAF65150 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 311COMMON

Download Yara Rule

APIs

00007FFE146319C0.VCRUNTIME140 ref: 00007FFDFAF65263
00007FFE146319C0.VCRUNTIME140 ref: 00007FFDFAF653F6

Strings

a29f9949895322123f7c38fbe94c649a9d6e6c9cd0c3b41c96d694552f26b309, xrefs: 00007FFDFAF65590
%s at line %d of [%.10s], xrefs: 00007FFDFAF655A9
database corruption, xrefs: 00007FFDFAF6559D

Memory Dump Source

Source File: 00000001.00000002.1726716991.00007FFDFAF41000.00000040.00000001.01000000.00000019.sdmp, Offset: 00007FFDFAF40000, based on PE: true

Associated: 00000001.00000002.1726698067.00007FFDFAF40000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726716991.00007FFDFB093000.00000040.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726716991.00007FFDFB095000.00000040.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726716991.00007FFDFB0AA000.00000040.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726870011.00007FFDFB0AC000.00000080.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726888688.00007FFDFB0AE000.00000004.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaf40000_Colby Dupe Script.jbxd

Similarity

API ID: 00007E146319
String ID: %s at line %d of [%.10s]$a29f9949895322123f7c38fbe94c649a9d6e6c9cd0c3b41c96d694552f26b309$database corruption
API String ID: 1776107623-481979681
Opcode ID: 84c27e4c2749e9f505d00220f28ed30d545ba1ce016b3ff8357f52d0c83b85b1
Instruction ID: 3a9f73686e17ca23b4bf487ef3d1ace355b0d5e31c4150e7ecc65f5560276c77
Opcode Fuzzy Hash: 84c27e4c2749e9f505d00220f28ed30d545ba1ce016b3ff8357f52d0c83b85b1
Instruction Fuzzy Hash: 48D1CC7270878286D768CF25E024AA977A9FF88BA8F154176EE5D4B798DF39D841C300

Function 00007FFDFB0C158C Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 131COMMON

Download Yara Rule

APIs

00007FFE14631170.VCRUNTIME140 ref: 00007FFDFB30443F

Strings

..\s\crypto\x509v3\v3_utl.c, xrefs: 00007FFDFB304414, 00007FFDFB304450, 00007FFDFB30446D, 00007FFDFB3044C9, 00007FFDFB3044F4, 00007FFDFB304509, 00007FFDFB30451E
E, xrefs: 00007FFDFB3044C1
TRUE, xrefs: 00007FFDFB3011B9, 00007FFDFB3011D2
FALSE, xrefs: 00007FFDFB3011DB, 00007FFDFB3011F3

Memory Dump Source

Source File: 00000001.00000002.1726926360.00007FFDFB0C1000.00000040.00000001.01000000.00000014.sdmp, Offset: 00007FFDFB0C0000, based on PE: true

Associated: 00000001.00000002.1726907514.00007FFDFB0C0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB0CD000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB125000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB139000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB149000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB15D000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB30C000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB30E000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB339000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB36A000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB390000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB3DE000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB3E4000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB3E6000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB402000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB40F000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1727411729.00007FFDFB413000.00000080.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1727429814.00007FFDFB414000.00000004.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb0c0000_Colby Dupe Script.jbxd

Similarity

API ID: 00007E14631170
String ID: ..\s\crypto\x509v3\v3_utl.c$E$FALSE$TRUE
API String ID: 2775844594-1433594941
Opcode ID: 04e22798ec487ff3aa34a088d2b38383e963ba2359178234cc0d99ed44e9a228
Instruction ID: e636b6f03200873f36e6eabdac4792def20e239ad07c3467df8e8a4f0445bdaf
Opcode Fuzzy Hash: 04e22798ec487ff3aa34a088d2b38383e963ba2359178234cc0d99ed44e9a228
Instruction Fuzzy Hash: EF519B61B8BA4386EB14EB519470BB823E0AF45784F885434EDAD47BEEDF3CE6418300

Function 00007FFDFAFA1850 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 329COMMON

Download Yara Rule

APIs

00007FFE146319C0.VCRUNTIME140 ref: 00007FFDFAFA199B

Strings

foreign key on %s should reference only one column of table %T, xrefs: 00007FFDFAFA18D5
number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 00007FFDFAFA18FE
unknown column "%s" in foreign key definition, xrefs: 00007FFDFAFA1BEC

Memory Dump Source

Source File: 00000001.00000002.1726716991.00007FFDFAF41000.00000040.00000001.01000000.00000019.sdmp, Offset: 00007FFDFAF40000, based on PE: true

Associated: 00000001.00000002.1726698067.00007FFDFAF40000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726716991.00007FFDFB093000.00000040.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726716991.00007FFDFB095000.00000040.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726716991.00007FFDFB0AA000.00000040.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726870011.00007FFDFB0AC000.00000080.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726888688.00007FFDFB0AE000.00000004.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaf40000_Colby Dupe Script.jbxd

Similarity

API ID: 00007E146319
String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
API String ID: 1776107623-272990098
Opcode ID: 1c355eb9446cff6f822322527a86fcfd9949d33051e4918b10a73cc2629c8281
Instruction ID: 9a9389ec9734f9978e1d85421d888821ad2db35d8a1b7475951138bd34fa2572
Opcode Fuzzy Hash: 1c355eb9446cff6f822322527a86fcfd9949d33051e4918b10a73cc2629c8281
Instruction Fuzzy Hash: D7D1C262F0978281EB288B159064AB977A1FF85BE4F0642B5EEAD0F7D9DE3CD441C304

Function 00007FFDFAF94450 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 302COMMON

Download Yara Rule

APIs

00007FFE146319C0.VCRUNTIME140 ref: 00007FFDFAF9457F
00007FFE146319C0.VCRUNTIME140 ref: 00007FFDFAF94632

Strings

%Q%s, xrefs: 00007FFDFAF947A4
"%w" , xrefs: 00007FFDFAF94500

Memory Dump Source

Source File: 00000001.00000002.1726716991.00007FFDFAF41000.00000040.00000001.01000000.00000019.sdmp, Offset: 00007FFDFAF40000, based on PE: true

Associated: 00000001.00000002.1726698067.00007FFDFAF40000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726716991.00007FFDFB093000.00000040.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726716991.00007FFDFB095000.00000040.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726716991.00007FFDFB0AA000.00000040.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726870011.00007FFDFB0AC000.00000080.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726888688.00007FFDFB0AE000.00000004.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaf40000_Colby Dupe Script.jbxd

Similarity

API ID: 00007E146319
String ID: "%w" $%Q%s
API String ID: 1776107623-1987291987
Opcode ID: d8d8e109483670c4cff443289ac888ee3e835be99f50561d44341cd267616109
Instruction ID: eb26528ea21ba437bbdf7f68451e5bc6b599fb7963638d579427bfb4695de758
Opcode Fuzzy Hash: d8d8e109483670c4cff443289ac888ee3e835be99f50561d44341cd267616109
Instruction Fuzzy Hash: D2C1C461B09A8285EB18DF15A860A796791FF5ABA9F544375EE7E0B7D8DF3CE400C300

Function 00007FFDFAFC35C0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 273COMMON

Download Yara Rule

APIs

00007FFE146319C0.VCRUNTIME140 ref: 00007FFDFAFC3635

Strings

column%d, xrefs: 00007FFDFAFC377E
%.*z:%u, xrefs: 00007FFDFAFC383B
rowid, xrefs: 00007FFDFAFC3708

Memory Dump Source

Source File: 00000001.00000002.1726716991.00007FFDFAF41000.00000040.00000001.01000000.00000019.sdmp, Offset: 00007FFDFAF40000, based on PE: true

Associated: 00000001.00000002.1726698067.00007FFDFAF40000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726716991.00007FFDFB093000.00000040.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726716991.00007FFDFB095000.00000040.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726716991.00007FFDFB0AA000.00000040.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726870011.00007FFDFB0AC000.00000080.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726888688.00007FFDFB0AE000.00000004.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaf40000_Colby Dupe Script.jbxd

Similarity

API ID: 00007E146319
String ID: %.*z:%u$column%d$rowid
API String ID: 1776107623-2903559916
Opcode ID: addee16be27ba12a2e9a3c901d93d62b0e89119f9c027a5b1171d251488e692e
Instruction ID: 7b8d3560a4918a7273b8103701b99326a73f4a19a5026747a9a54d383f54267d
Opcode Fuzzy Hash: addee16be27ba12a2e9a3c901d93d62b0e89119f9c027a5b1171d251488e692e
Instruction Fuzzy Hash: CBB1B562B0969242EB699B169420E79A791EF41BE4F4A4375EE6D0F7C9DF3CE601C300

Function 00007FFDFAF5ECC0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 270COMMON

Download Yara Rule

Strings

a29f9949895322123f7c38fbe94c649a9d6e6c9cd0c3b41c96d694552f26b309, xrefs: 00007FFDFAF5ED4B
%s at line %d of [%.10s], xrefs: 00007FFDFAF5ED63
database corruption, xrefs: 00007FFDFAF5ED57

Memory Dump Source

Source File: 00000001.00000002.1726716991.00007FFDFAF41000.00000040.00000001.01000000.00000019.sdmp, Offset: 00007FFDFAF40000, based on PE: true

Associated: 00000001.00000002.1726698067.00007FFDFAF40000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726716991.00007FFDFB093000.00000040.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726716991.00007FFDFB095000.00000040.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726716991.00007FFDFB0AA000.00000040.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726870011.00007FFDFB0AC000.00000080.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726888688.00007FFDFB0AE000.00000004.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaf40000_Colby Dupe Script.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$a29f9949895322123f7c38fbe94c649a9d6e6c9cd0c3b41c96d694552f26b309$database corruption
API String ID: 0-481979681
Opcode ID: 782611c81ddf8bf212e515f4a750447ce47c21e2b716e242f0c6ec6302aff568
Instruction ID: 60fe9bfd31a61d4b1238cf1378419df3843431fc5c0836472f56f5a4bcbd0ff7
Opcode Fuzzy Hash: 782611c81ddf8bf212e515f4a750447ce47c21e2b716e242f0c6ec6302aff568
Instruction Fuzzy Hash: 44B1F622B0C2D14AD7288B15D4A0A7EBBA2FF81794F044275EB9B4B7C9CE3CE955D710

Function 00007FFDFAF63270 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 260COMMON

Download Yara Rule

APIs

00007FFE146319C0.VCRUNTIME140 ref: 00007FFDFAF6341E

Strings

a29f9949895322123f7c38fbe94c649a9d6e6c9cd0c3b41c96d694552f26b309, xrefs: 00007FFDFAF632B5
%s at line %d of [%.10s], xrefs: 00007FFDFAF632CD
database corruption, xrefs: 00007FFDFAF632C1

Memory Dump Source

Source File: 00000001.00000002.1726716991.00007FFDFAF41000.00000040.00000001.01000000.00000019.sdmp, Offset: 00007FFDFAF40000, based on PE: true

Associated: 00000001.00000002.1726698067.00007FFDFAF40000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726716991.00007FFDFB093000.00000040.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726716991.00007FFDFB095000.00000040.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726716991.00007FFDFB0AA000.00000040.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726870011.00007FFDFB0AC000.00000080.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726888688.00007FFDFB0AE000.00000004.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaf40000_Colby Dupe Script.jbxd

Similarity

API ID: 00007E146319
String ID: %s at line %d of [%.10s]$a29f9949895322123f7c38fbe94c649a9d6e6c9cd0c3b41c96d694552f26b309$database corruption
API String ID: 1776107623-481979681
Opcode ID: 069fffe95d4fc24e2ab5e0d4fadc81e916aad1032b61017090729a1139b25d08
Instruction ID: e2ba30cc533db65b9c176e302b72e520f6b4d8b7e83dd9753c083d4d86eef328
Opcode Fuzzy Hash: 069fffe95d4fc24e2ab5e0d4fadc81e916aad1032b61017090729a1139b25d08
Instruction Fuzzy Hash: 16B1C032B0869687E768CB16A064F7AB7A4FF44794F014275EE5D4BB89DF39E840C700

Function 00007FFDFAF4D250 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 256COMMON

Download Yara Rule

APIs

00007FFE146319C0.VCRUNTIME140 ref: 00007FFDFAF4D2DC

Strings

readonly_shm, xrefs: 00007FFDFAF4D494
%s-shm, xrefs: 00007FFDFAF4D2F3
winOpenShm, xrefs: 00007FFDFAF4D503

Memory Dump Source

Source File: 00000001.00000002.1726716991.00007FFDFAF41000.00000040.00000001.01000000.00000019.sdmp, Offset: 00007FFDFAF40000, based on PE: true

Associated: 00000001.00000002.1726698067.00007FFDFAF40000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726716991.00007FFDFB093000.00000040.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726716991.00007FFDFB095000.00000040.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726716991.00007FFDFB0AA000.00000040.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726870011.00007FFDFB0AC000.00000080.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726888688.00007FFDFB0AE000.00000004.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaf40000_Colby Dupe Script.jbxd

Similarity

API ID: 00007E146319
String ID: %s-shm$readonly_shm$winOpenShm
API String ID: 1776107623-2815843928
Opcode ID: 625f219681cb963a81eed21fe677e17c746c28b803c4722ea517b21750a01de8
Instruction ID: 2c6177fd7282c48dc3e92f3f860e1f33bab3879bab96d381fcece97d25eb8dd1
Opcode Fuzzy Hash: 625f219681cb963a81eed21fe677e17c746c28b803c4722ea517b21750a01de8
Instruction Fuzzy Hash: 5DC12D21B0AB4386FB689B61E460E793360BF46B68F444275EE6E477E8DF3CE5459300

Function 00007FFDFAF665D0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 244COMMON

Download Yara Rule

Strings

a29f9949895322123f7c38fbe94c649a9d6e6c9cd0c3b41c96d694552f26b309, xrefs: 00007FFDFAF66774
%s at line %d of [%.10s], xrefs: 00007FFDFAF6678C
database corruption, xrefs: 00007FFDFAF66780

Memory Dump Source

Source File: 00000001.00000002.1726716991.00007FFDFAF41000.00000040.00000001.01000000.00000019.sdmp, Offset: 00007FFDFAF40000, based on PE: true

Associated: 00000001.00000002.1726698067.00007FFDFAF40000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726716991.00007FFDFB093000.00000040.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726716991.00007FFDFB095000.00000040.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726716991.00007FFDFB0AA000.00000040.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726870011.00007FFDFB0AC000.00000080.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726888688.00007FFDFB0AE000.00000004.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaf40000_Colby Dupe Script.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$a29f9949895322123f7c38fbe94c649a9d6e6c9cd0c3b41c96d694552f26b309$database corruption
API String ID: 0-481979681
Opcode ID: 15e0f3433fb5b3e08eddd5557e9703fcd33e106e159bed805e8690dbf31db93a
Instruction ID: 54e2d8c451d32fce093666d0c146bc531718590bbe152791acaf4bb6586ba66e
Opcode Fuzzy Hash: 15e0f3433fb5b3e08eddd5557e9703fcd33e106e159bed805e8690dbf31db93a
Instruction Fuzzy Hash: 56914522B0C1E246D3AC9B26A160CBD7E91EB50354F0443B6EEEA4B7C9DE2DE554DB10

Function 00007FFDFAF934F0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 215COMMON

Download Yara Rule

APIs

00007FFE146319C0.VCRUNTIME140 ref: 00007FFDFAF936B3

Strings

sqlite_altertab_%s, xrefs: 00007FFDFAF936BC
virtual tables may not be altered, xrefs: 00007FFDFAF93587
Cannot add a column to a view, xrefs: 00007FFDFAF935A3

Memory Dump Source

Source File: 00000001.00000002.1726716991.00007FFDFAF41000.00000040.00000001.01000000.00000019.sdmp, Offset: 00007FFDFAF40000, based on PE: true

Associated: 00000001.00000002.1726698067.00007FFDFAF40000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726716991.00007FFDFB093000.00000040.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726716991.00007FFDFB095000.00000040.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726716991.00007FFDFB0AA000.00000040.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726870011.00007FFDFB0AC000.00000080.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726888688.00007FFDFB0AE000.00000004.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaf40000_Colby Dupe Script.jbxd

Similarity

API ID: 00007E146319
String ID: Cannot add a column to a view$sqlite_altertab_%s$virtual tables may not be altered
API String ID: 1776107623-2063813899
Opcode ID: eaa7cd8bef1883cd6141f69f537d598f30ad47c29c4a0dc6b25f57603f70d3a3
Instruction ID: da1e173fa6c596fcbc468ae146a055e022c5165d422b048c93f0127a2bc896bc
Opcode Fuzzy Hash: eaa7cd8bef1883cd6141f69f537d598f30ad47c29c4a0dc6b25f57603f70d3a3
Instruction Fuzzy Hash: 6791D266B09B8283EB14CF019464AB977A5FF49B94F458379EE6D0B799DF38E040C700

Function 00007FFDFAF5F220 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 187COMMON

Download Yara Rule

APIs

00007FFE146319C0.VCRUNTIME140 ref: 00007FFDFAF5F48A

Strings

a29f9949895322123f7c38fbe94c649a9d6e6c9cd0c3b41c96d694552f26b309, xrefs: 00007FFDFAF5F2F2
%s at line %d of [%.10s], xrefs: 00007FFDFAF5F30A
database corruption, xrefs: 00007FFDFAF5F2FE

Memory Dump Source

Source File: 00000001.00000002.1726716991.00007FFDFAF41000.00000040.00000001.01000000.00000019.sdmp, Offset: 00007FFDFAF40000, based on PE: true

Associated: 00000001.00000002.1726698067.00007FFDFAF40000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726716991.00007FFDFB093000.00000040.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726716991.00007FFDFB095000.00000040.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726716991.00007FFDFB0AA000.00000040.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726870011.00007FFDFB0AC000.00000080.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726888688.00007FFDFB0AE000.00000004.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaf40000_Colby Dupe Script.jbxd

Similarity

API ID: 00007E146319
String ID: %s at line %d of [%.10s]$a29f9949895322123f7c38fbe94c649a9d6e6c9cd0c3b41c96d694552f26b309$database corruption
API String ID: 1776107623-481979681
Opcode ID: bb331690382cd9aba51fbf9192c4a8343009a09fab82c0642137ec25885589cc
Instruction ID: b863b456021af3ebe3483ad1b1960e2099e4781a01c37b905a63d77e3c3f9351
Opcode Fuzzy Hash: bb331690382cd9aba51fbf9192c4a8343009a09fab82c0642137ec25885589cc
Instruction Fuzzy Hash: 6A715A22A0C1E24AE32D9625E0A08BDBE91DB51325B5483F2FFF64B6C9CD2CE545D760

Function 00007FFDFAE21FC0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 173COMMON

Download Yara Rule

APIs

00007FFE1FFB6570.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFAE21FF8
00007FFE1FFB6570.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFAE22016

Strings

CJK UNIFIED IDEOGRAPH-, xrefs: 00007FFDFAE2200C
HANGUL SYLLABLE , xrefs: 00007FFDFAE21FE5

Memory Dump Source

Source File: 00000001.00000002.1726484532.00007FFDFAE21000.00000040.00000001.01000000.0000001E.sdmp, Offset: 00007FFDFAE20000, based on PE: true

Associated: 00000001.00000002.1726465722.00007FFDFAE20000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000001.00000002.1726484532.00007FFDFAE84000.00000040.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000001.00000002.1726484532.00007FFDFAED3000.00000040.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000001.00000002.1726484532.00007FFDFAF2C000.00000040.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000001.00000002.1726484532.00007FFDFAF31000.00000040.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000001.00000002.1726484532.00007FFDFAF34000.00000040.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000001.00000002.1726661849.00007FFDFAF35000.00000080.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000001.00000002.1726679942.00007FFDFAF37000.00000004.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae20000_Colby Dupe Script.jbxd

Similarity

API ID: 00007B6570
String ID: CJK UNIFIED IDEOGRAPH-$HANGUL SYLLABLE
API String ID: 4069847057-87138338
Opcode ID: dd12be397e2784a3b9b42d5ec1b23b2ed281038ba6f510f7d5b8d27382faff68
Instruction ID: 7b1cb2b6770bd308d0375287859e302753c74928130b340016d190c310ad9d95
Opcode Fuzzy Hash: dd12be397e2784a3b9b42d5ec1b23b2ed281038ba6f510f7d5b8d27382faff68
Instruction Fuzzy Hash: 2461F832F1864246E768AA19A420EBA72D2FB90790F444275EE7F47ADDEF7DD405CB00

Function 00007FFDFAF58670 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 172COMMON

Download Yara Rule

Strings

a29f9949895322123f7c38fbe94c649a9d6e6c9cd0c3b41c96d694552f26b309, xrefs: 00007FFDFAF58692, 00007FFDFAF587ED
%s at line %d of [%.10s], xrefs: 00007FFDFAF586B2, 00007FFDFAF5880D
database corruption, xrefs: 00007FFDFAF586AB, 00007FFDFAF58806

Memory Dump Source

Source File: 00000001.00000002.1726716991.00007FFDFAF41000.00000040.00000001.01000000.00000019.sdmp, Offset: 00007FFDFAF40000, based on PE: true

Associated: 00000001.00000002.1726698067.00007FFDFAF40000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726716991.00007FFDFB093000.00000040.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726716991.00007FFDFB095000.00000040.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726716991.00007FFDFB0AA000.00000040.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726870011.00007FFDFB0AC000.00000080.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726888688.00007FFDFB0AE000.00000004.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaf40000_Colby Dupe Script.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$a29f9949895322123f7c38fbe94c649a9d6e6c9cd0c3b41c96d694552f26b309$database corruption
API String ID: 0-481979681
Opcode ID: f99b0b572c4dd53c2481063b49c418f8dd713a95c4d3cec2ed11dc8c8c6a5ea2
Instruction ID: 4d73d4d80272f23356c00e159fa94b70886597f7dc727a21a2a74dedec32d264
Opcode Fuzzy Hash: f99b0b572c4dd53c2481063b49c418f8dd713a95c4d3cec2ed11dc8c8c6a5ea2
Instruction Fuzzy Hash: 07718322B1C64289FB688B11E460B7967A1FF44B94F144275EE6D0B7E9DF3CF4419380

Function 00007FFDFAF588F0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 138COMMON

Download Yara Rule

APIs

00007FFE146319C0.VCRUNTIME140 ref: 00007FFDFAF58A18

Strings

a29f9949895322123f7c38fbe94c649a9d6e6c9cd0c3b41c96d694552f26b309, xrefs: 00007FFDFAF58ACB
%s at line %d of [%.10s], xrefs: 00007FFDFAF58AE4
database corruption, xrefs: 00007FFDFAF58AD8

Memory Dump Source

Source File: 00000001.00000002.1726716991.00007FFDFAF41000.00000040.00000001.01000000.00000019.sdmp, Offset: 00007FFDFAF40000, based on PE: true

Associated: 00000001.00000002.1726698067.00007FFDFAF40000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726716991.00007FFDFB093000.00000040.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726716991.00007FFDFB095000.00000040.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726716991.00007FFDFB0AA000.00000040.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726870011.00007FFDFB0AC000.00000080.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726888688.00007FFDFB0AE000.00000004.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaf40000_Colby Dupe Script.jbxd

Similarity

API ID: 00007E146319
String ID: %s at line %d of [%.10s]$a29f9949895322123f7c38fbe94c649a9d6e6c9cd0c3b41c96d694552f26b309$database corruption
API String ID: 1776107623-481979681
Opcode ID: e46cf6a756d8e439f7bf39b0c578f90e143a7744ae175120d6a15517b8f2a346
Instruction ID: c557319b381411fc50e97ae532a8259d16f3685c7cb16601c1365d24f95647d5
Opcode Fuzzy Hash: e46cf6a756d8e439f7bf39b0c578f90e143a7744ae175120d6a15517b8f2a346
Instruction Fuzzy Hash: 4A51DF32718B829AEB58CF26D460AA973A4FF48B94F044172EF6D47798DF38E450D380

Function 00007FFDFB0C2833 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 137COMMON

Download Yara Rule

Strings

T, xrefs: 00007FFDFB183253
..\s\crypto\async\async.c, xrefs: 00007FFDFB1830DF, 00007FFDFB18312D, 00007FFDFB183146, 00007FFDFB18317C, 00007FFDFB1831C6, 00007FFDFB18321C, 00007FFDFB18323D, 00007FFDFB18325B, 00007FFDFB183295, 00007FFDFB1832BA

Memory Dump Source

Source File: 00000001.00000002.1726926360.00007FFDFB0C1000.00000040.00000001.01000000.00000014.sdmp, Offset: 00007FFDFB0C0000, based on PE: true

Associated: 00000001.00000002.1726907514.00007FFDFB0C0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB0CD000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB125000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB139000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB149000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB15D000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB30C000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB30E000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB339000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB36A000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB390000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB3DE000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB3E4000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB3E6000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB402000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB40F000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1727411729.00007FFDFB413000.00000080.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1727429814.00007FFDFB414000.00000004.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb0c0000_Colby Dupe Script.jbxd

Similarity

API ID:
String ID: ..\s\crypto\async\async.c$T
API String ID: 0-2182492907
Opcode ID: ced47efd6854a0b1ee8219945b029c3d75fc0d777b4b3386fd7b97e9d7cf6361
Instruction ID: ccb24121ab47f38c26f25e04d4ef1cbd033e8e3f076b1c820b00d51ca530e829
Opcode Fuzzy Hash: ced47efd6854a0b1ee8219945b029c3d75fc0d777b4b3386fd7b97e9d7cf6361
Instruction Fuzzy Hash: DB517F32B0BA4392E720EB11E4209B96761FF45B88F484435EA6D07BEDDF3DE5099B00

Function 00007FFDFB186D50 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 129networkCOMMON

Download Yara Rule

APIs

getnameinfo.WS2_32 ref: 00007FFDFB186DEB
htons.WS2_32 ref: 00007FFDFB186E5B

Strings

..\s\crypto\bio\b_addr.c, xrefs: 00007FFDFB186E04, 00007FFDFB186E86, 00007FFDFB186EA5, 00007FFDFB186ED5, 00007FFDFB186EF2, 00007FFDFB186F14
, xrefs: 00007FFDFB186DD1

Memory Dump Source

Source File: 00000001.00000002.1726926360.00007FFDFB15D000.00000040.00000001.01000000.00000014.sdmp, Offset: 00007FFDFB0C0000, based on PE: true

Associated: 00000001.00000002.1726907514.00007FFDFB0C0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB0C1000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB0CD000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB125000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB139000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB149000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB30C000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB30E000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB339000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB36A000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB390000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB3DE000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB3E4000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB3E6000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB402000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB40F000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1727411729.00007FFDFB413000.00000080.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1727429814.00007FFDFB414000.00000004.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb0c0000_Colby Dupe Script.jbxd

Similarity

API ID: getnameinfohtons
String ID: $..\s\crypto\bio\b_addr.c
API String ID: 1503050688-1606403076
Opcode ID: 5625fd2cd7728f7219475ff4565046832ace99646516da0e608f003e7bc6e737
Instruction ID: d69866f485026d4d6a90f9d2fbcb10998102f0f26b19f3d3b93ef0bdc07d2ba2
Opcode Fuzzy Hash: 5625fd2cd7728f7219475ff4565046832ace99646516da0e608f003e7bc6e737
Instruction Fuzzy Hash: D951C362F1AA4386FB209B11D960AB973A0FF41748F448135EBAD476EDEF3DE4458700

Function 00007FFDFAF5A600 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 113COMMON

Download Yara Rule

APIs

00007FFE146319C0.VCRUNTIME140 ref: 00007FFDFAF5A6D6

Strings

a29f9949895322123f7c38fbe94c649a9d6e6c9cd0c3b41c96d694552f26b309, xrefs: 00007FFDFAF5A770
%s at line %d of [%.10s], xrefs: 00007FFDFAF5A789
database corruption, xrefs: 00007FFDFAF5A77D

Memory Dump Source

Source File: 00000001.00000002.1726716991.00007FFDFAF41000.00000040.00000001.01000000.00000019.sdmp, Offset: 00007FFDFAF40000, based on PE: true

Associated: 00000001.00000002.1726698067.00007FFDFAF40000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726716991.00007FFDFB093000.00000040.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726716991.00007FFDFB095000.00000040.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726716991.00007FFDFB0AA000.00000040.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726870011.00007FFDFB0AC000.00000080.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726888688.00007FFDFB0AE000.00000004.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaf40000_Colby Dupe Script.jbxd

Similarity

API ID: 00007E146319
String ID: %s at line %d of [%.10s]$a29f9949895322123f7c38fbe94c649a9d6e6c9cd0c3b41c96d694552f26b309$database corruption
API String ID: 1776107623-481979681
Opcode ID: b2bd962ca4d533c51114e8662621ced1fd23e52fad8a1fcbe5e1e3e5f6701a96
Instruction ID: b302ff5a0e6cd2e1cc2e091b6589e0c7b6344b8ea8bea1aa19625618456a5a8a
Opcode Fuzzy Hash: b2bd962ca4d533c51114e8662621ced1fd23e52fad8a1fcbe5e1e3e5f6701a96
Instruction Fuzzy Hash: 2241C122B2CB468AE764AF15E464AA973A4FF84BA0F540235FE5D0B7D8DF3CD8518740

Function 00007FFDFB0C3841 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 82COMMON

Download Yara Rule

Strings

..\s\crypto\bio\b_sock.c, xrefs: 00007FFDFB189C1A, 00007FFDFB189C9D
host=, xrefs: 00007FFDFB189D0E
J, xrefs: 00007FFDFB189C95

Memory Dump Source

Source File: 00000001.00000002.1726926360.00007FFDFB0C1000.00000040.00000001.01000000.00000014.sdmp, Offset: 00007FFDFB0C0000, based on PE: true

Associated: 00000001.00000002.1726907514.00007FFDFB0C0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB0CD000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB125000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB139000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB149000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB15D000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB30C000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB30E000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB339000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB36A000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB390000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB3DE000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB3E4000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB3E6000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB402000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB40F000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1727411729.00007FFDFB413000.00000080.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1727429814.00007FFDFB414000.00000004.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb0c0000_Colby Dupe Script.jbxd

Similarity

API ID:
String ID: ..\s\crypto\bio\b_sock.c$J$host=
API String ID: 0-1729655730
Opcode ID: 31c7aae0c6204fcaae541c015ea13e20bcfa82d779c5bb0f8b846d03ff15bf19
Instruction ID: b24b6258fcc4ec241e720e4a16dd8d663d052ca498ebfc8846f16ce6e17e4b92
Opcode Fuzzy Hash: 31c7aae0c6204fcaae541c015ea13e20bcfa82d779c5bb0f8b846d03ff15bf19
Instruction Fuzzy Hash: 49319D72B0958382EB109B55F4619BEA360FB86788F440135EBAC43BEEDF3DD5458B00

Function 00007FFDFB0C1C76 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 57COMMON

Download Yara Rule

APIs

00007FFE1FFB5630.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFB27647A

Strings

..\s\crypto\pem\pem_pkey.c, xrefs: 00007FFDFB2764A4, 00007FFDFB2764C9, 00007FFDFB2764E0
DH PARAMETERS, xrefs: 00007FFDFB27642B
X9.42 DH PARAMETERS, xrefs: 00007FFDFB276469

Memory Dump Source

Source File: 00000001.00000002.1726926360.00007FFDFB0C1000.00000040.00000001.01000000.00000014.sdmp, Offset: 00007FFDFB0C0000, based on PE: true

Associated: 00000001.00000002.1726907514.00007FFDFB0C0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB0CD000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB125000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB139000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB149000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB15D000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB30C000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB30E000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB339000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB36A000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB390000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB3DE000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB3E4000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB3E6000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB402000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB40F000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1727411729.00007FFDFB413000.00000080.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1727429814.00007FFDFB414000.00000004.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb0c0000_Colby Dupe Script.jbxd

Similarity

API ID: 00007B5630
String ID: ..\s\crypto\pem\pem_pkey.c$DH PARAMETERS$X9.42 DH PARAMETERS
API String ID: 2248877218-3633731555
Opcode ID: ea9dbb28cfd143c8dfcb19cf07e193ff5b0562c8a9ccb7e415cce9e69b2824d1
Instruction ID: 9111c505ae6bd5022ba42ae83ab3e689a36470806d931280e6bed7fb4d9dfc43
Opcode Fuzzy Hash: ea9dbb28cfd143c8dfcb19cf07e193ff5b0562c8a9ccb7e415cce9e69b2824d1
Instruction Fuzzy Hash: D1219161B0EA8382EF20DB55F4209A9A3A0FB85794F604031EA9C43BEDDF7DE144DB00

Function 00007FFDFB0C139D Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38networkCOMMON

Download Yara Rule

APIs

socket.WS2_32 ref: 00007FFDFB18AA50
WSAGetLastError.WS2_32 ref: 00007FFDFB18AA5B

Strings

..\s\crypto\bio\b_sock2.c, xrefs: 00007FFDFB18AA71, 00007FFDFB18AA8D
2, xrefs: 00007FFDFB18AA85

Memory Dump Source

Source File: 00000001.00000002.1726926360.00007FFDFB0C1000.00000040.00000001.01000000.00000014.sdmp, Offset: 00007FFDFB0C0000, based on PE: true

Associated: 00000001.00000002.1726907514.00007FFDFB0C0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB0CD000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB125000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB139000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB149000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB15D000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB30C000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB30E000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB339000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB36A000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB390000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB3DE000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB3E4000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB3E6000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB402000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB40F000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1727411729.00007FFDFB413000.00000080.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1727429814.00007FFDFB414000.00000004.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb0c0000_Colby Dupe Script.jbxd

Similarity

API ID: ErrorLastsocket
String ID: ..\s\crypto\bio\b_sock2.c$2
API String ID: 1120909799-2051290508
Opcode ID: 2ef5472a3713315c0ebdeb3789e1964bedc6f77517e54092a2e54a431cd722de
Instruction ID: 5a6f8f021c501f8520a02d72af793d57f87244ab8987f819cd6d4c80bead0787
Opcode Fuzzy Hash: 2ef5472a3713315c0ebdeb3789e1964bedc6f77517e54092a2e54a431cd722de
Instruction Fuzzy Hash: 16018B72F1A55383E3109B25E4209AD6264BB82758F604235E67D43AEDCF3DE9468B40

Function 00007FFDFB0C2DEC Relevance: 6.2, APIs: 2, Strings: 2, Instructions: 173COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FFDFB22A380

Strings

unknown, xrefs: 00007FFDFB22A3B3, 00007FFDFB22A47A
Operation not permitted, xrefs: 00007FFDFB22A374

Memory Dump Source

Source File: 00000001.00000002.1726926360.00007FFDFB0C1000.00000040.00000001.01000000.00000014.sdmp, Offset: 00007FFDFB0C0000, based on PE: true

Associated: 00000001.00000002.1726907514.00007FFDFB0C0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB0CD000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB125000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB139000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB149000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB15D000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB30C000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB30E000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB339000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB36A000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB390000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB3DE000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB3E4000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB3E6000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB402000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB40F000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1727411729.00007FFDFB413000.00000080.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1727429814.00007FFDFB414000.00000004.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb0c0000_Colby Dupe Script.jbxd

Similarity

API ID: ErrorLast
String ID: Operation not permitted$unknown
API String ID: 1452528299-31098287
Opcode ID: 98fd99213be571fb8821e332285a7a3172dfad59924788fedf6360fac81b26b1
Instruction ID: dc469d405f2e78207dd88a3bfdda9d22126f5686f5c93fa5564b9ebc0cd38a04
Opcode Fuzzy Hash: 98fd99213be571fb8821e332285a7a3172dfad59924788fedf6360fac81b26b1
Instruction Fuzzy Hash: DF813661B4A65386FB50AB50E875BB923A0FB86B84F840032D96E876FDDF3CE455C700

Function 00007FFDFAFE6630 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 382COMMON

Download Yara Rule

APIs

00007FFE146319C0.VCRUNTIME140 ref: 00007FFDFAFE6712
00007FFE146319C0.VCRUNTIME140 ref: 00007FFDFAFE684F

Strings

%s.xBestIndex malfunction, xrefs: 00007FFDFAFE6A94

Memory Dump Source

Source File: 00000001.00000002.1726716991.00007FFDFAF41000.00000040.00000001.01000000.00000019.sdmp, Offset: 00007FFDFAF40000, based on PE: true

Associated: 00000001.00000002.1726698067.00007FFDFAF40000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726716991.00007FFDFB093000.00000040.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726716991.00007FFDFB095000.00000040.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726716991.00007FFDFB0AA000.00000040.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726870011.00007FFDFB0AC000.00000080.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726888688.00007FFDFB0AE000.00000004.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaf40000_Colby Dupe Script.jbxd

Similarity

API ID: 00007E146319
String ID: %s.xBestIndex malfunction
API String ID: 1776107623-3856629991
Opcode ID: eb63e3c6b4dea9960043a8abc5a7aa58b04cc13933313bbf261c8a8e2dab8fb5
Instruction ID: 188681daf1776f43f5c0e1e2f1f0c4fef91a94cd64d780e11319cc37c7ef4d3a
Opcode Fuzzy Hash: eb63e3c6b4dea9960043a8abc5a7aa58b04cc13933313bbf261c8a8e2dab8fb5
Instruction Fuzzy Hash: F702A672B0974686EB988F25D4A0A7837A1FF45B94F044675DA6D477E8CF3CE8A0D700

Function 00007FFDFAFE4290 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 365COMMON

Download Yara Rule

APIs

00007FFE146319C0.VCRUNTIME140(00007FFDFAFE6DCB), ref: 00007FFDFAFE45B7

Strings

out of memory, xrefs: 00007FFDFAFE47C5
BINARY, xrefs: 00007FFDFAFE4481

Memory Dump Source

Source File: 00000001.00000002.1726716991.00007FFDFAF41000.00000040.00000001.01000000.00000019.sdmp, Offset: 00007FFDFAF40000, based on PE: true

Associated: 00000001.00000002.1726698067.00007FFDFAF40000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726716991.00007FFDFB093000.00000040.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726716991.00007FFDFB095000.00000040.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726716991.00007FFDFB0AA000.00000040.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726870011.00007FFDFB0AC000.00000080.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726888688.00007FFDFB0AE000.00000004.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaf40000_Colby Dupe Script.jbxd

Similarity

API ID: 00007E146319
String ID: BINARY$out of memory
API String ID: 1776107623-3971123528
Opcode ID: 1799d1d9a8c80a14ad7925e8d4d29a046007d3c9d19382aa409d76e507f2d946
Instruction ID: 6f9d1221f99e36b66b982b1601bc5d4f108ade4ea1ea82ec96cf2aeae44ee1b2
Opcode Fuzzy Hash: 1799d1d9a8c80a14ad7925e8d4d29a046007d3c9d19382aa409d76e507f2d946
Instruction Fuzzy Hash: ABF11372B0868786E7288F15D090A7977A1FF44B95F44827AEAAD4B7D8DF3ED841C700

Function 00007FFDFAF75EC0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 157COMMON

Download Yara Rule

APIs

00007FFE1FFB5630.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFAF75F19

Strings

ValueList, xrefs: 00007FFDFAF75F12
p, xrefs: 00007FFDFAF75F05

Memory Dump Source

Source File: 00000001.00000002.1726716991.00007FFDFAF41000.00000040.00000001.01000000.00000019.sdmp, Offset: 00007FFDFAF40000, based on PE: true

Associated: 00000001.00000002.1726698067.00007FFDFAF40000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726716991.00007FFDFB093000.00000040.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726716991.00007FFDFB095000.00000040.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726716991.00007FFDFB0AA000.00000040.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726870011.00007FFDFB0AC000.00000080.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726888688.00007FFDFB0AE000.00000004.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaf40000_Colby Dupe Script.jbxd

Similarity

API ID: 00007B5630
String ID: ValueList$p
API String ID: 2248877218-635946892
Opcode ID: ec54ab2dcaf1dbcc276f08fffb0a91cf1cefc7b65af78ff2562e2f8050cd1ace
Instruction ID: 05893d9f42b5d7cf142a327708155a38bf87ef58ea00323f5c5738c31ac7f835
Opcode Fuzzy Hash: ec54ab2dcaf1dbcc276f08fffb0a91cf1cefc7b65af78ff2562e2f8050cd1ace
Instruction Fuzzy Hash: 1C61C522B0C78286EBA8DB25A1609B963A1FF55790F444275FF994B7DADF3CE851C300

Function 00007FFDFB0C2743 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 118COMMON

Download Yara Rule

APIs

00007FFE1FFB08A0.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FFDFB16A592

Strings

%02d%02d%02d%02d%02d%02dZ, xrefs: 00007FFDFB16A6A5
%04d%02d%02d%02d%02d%02dZ, xrefs: 00007FFDFB16A698

Memory Dump Source

Source File: 00000001.00000002.1726926360.00007FFDFB0C1000.00000040.00000001.01000000.00000014.sdmp, Offset: 00007FFDFB0C0000, based on PE: true

Associated: 00000001.00000002.1726907514.00007FFDFB0C0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB0CD000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB125000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB139000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB149000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB15D000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB30C000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB30E000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB339000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB36A000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB390000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB3DE000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB3E4000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB3E6000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB402000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB40F000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1727411729.00007FFDFB413000.00000080.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1727429814.00007FFDFB414000.00000004.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb0c0000_Colby Dupe Script.jbxd

Similarity

API ID: 00007
String ID: %02d%02d%02d%02d%02d%02dZ$%04d%02d%02d%02d%02d%02dZ
API String ID: 3568877910-2648760357
Opcode ID: 2a3bc1689ddc0f887af3b9ff0742d7664fa732a47decfc4233859a34b1d629f8
Instruction ID: 50330087b0c24aa2ad37f4eb74882890153a6b3d0384dbec3e67df2013ee7ef1
Opcode Fuzzy Hash: 2a3bc1689ddc0f887af3b9ff0742d7664fa732a47decfc4233859a34b1d629f8
Instruction Fuzzy Hash: D2518F72F196828AE760DF19E450A6AB7A1FB99744F045131EA9D87BA9DF3CE4408B00

Function 00007FFDFB0C1613 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32 ref: 00007FFDFB18685E
getaddrinfo.WS2_32 ref: 00007FFDFB18689F

Strings

..\s\crypto\bio\b_addr.c, xrefs: 00007FFDFB1868CC, 00007FFDFB186913, 00007FFDFB18693F

Memory Dump Source

Source File: 00000001.00000002.1726926360.00007FFDFB0C1000.00000040.00000001.01000000.00000014.sdmp, Offset: 00007FFDFB0C0000, based on PE: true

Associated: 00000001.00000002.1726907514.00007FFDFB0C0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB0CD000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB125000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB139000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB149000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB15D000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB30C000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB30E000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB339000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB36A000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB390000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB3DE000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB3E4000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB3E6000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB402000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB40F000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1727411729.00007FFDFB413000.00000080.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1727429814.00007FFDFB414000.00000004.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb0c0000_Colby Dupe Script.jbxd

Similarity

API ID: getaddrinfo
String ID: ..\s\crypto\bio\b_addr.c
API String ID: 300660673-2547254400
Opcode ID: a0b5319feac94952a1432a4b762969270d9d630226e0b1293bfa37404cbb0f4b
Instruction ID: 08b596f01f0aea2af9e48a82e20578545dcb9084cea614d0e56ce3219df1f698
Opcode Fuzzy Hash: a0b5319feac94952a1432a4b762969270d9d630226e0b1293bfa37404cbb0f4b
Instruction Fuzzy Hash: 4241C272F19A8387E7509B12A860ABE7390FB85748F104135FA9E43BE9DF3CD8458B40

Function 00007FFDFAF4C000 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 110COMMON

Download Yara Rule

APIs

00007FFE146319C0.VCRUNTIME140 ref: 00007FFDFAF4C184

Strings

winRead, xrefs: 00007FFDFAF4C118
delayed %dms for lock/sharing conflict at line %d, xrefs: 00007FFDFAF4C159

Memory Dump Source

Source File: 00000001.00000002.1726716991.00007FFDFAF41000.00000040.00000001.01000000.00000019.sdmp, Offset: 00007FFDFAF40000, based on PE: true

Associated: 00000001.00000002.1726698067.00007FFDFAF40000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726716991.00007FFDFB093000.00000040.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726716991.00007FFDFB095000.00000040.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726716991.00007FFDFB0AA000.00000040.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726870011.00007FFDFB0AC000.00000080.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726888688.00007FFDFB0AE000.00000004.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaf40000_Colby Dupe Script.jbxd

Similarity

API ID: 00007E146319
String ID: delayed %dms for lock/sharing conflict at line %d$winRead
API String ID: 1776107623-1843600136
Opcode ID: c42462ee678e96c825723e9381acb87a1b22cd2c90639cf46ca189585d33ef91
Instruction ID: 79a329310c3235ea853a88ac9d7743b4592d81d3047165d71e714e7e148b1e39
Opcode Fuzzy Hash: c42462ee678e96c825723e9381acb87a1b22cd2c90639cf46ca189585d33ef91
Instruction Fuzzy Hash: 82410432B09A0346E3149F29E850DA97765FF85B94F445232EE6D877E8DF3CEA468340

Function 00007FFDFAF9DBC0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 102COMMON

Download Yara Rule

APIs

00007FFE146319C0.VCRUNTIME140 ref: 00007FFDFAF9DC9E

Strings

sqlite_returning, xrefs: 00007FFDFAF9DCD7
cannot use RETURNING in a trigger, xrefs: 00007FFDFAF9DBE7

Memory Dump Source

Source File: 00000001.00000002.1726716991.00007FFDFAF41000.00000040.00000001.01000000.00000019.sdmp, Offset: 00007FFDFAF40000, based on PE: true

Associated: 00000001.00000002.1726698067.00007FFDFAF40000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726716991.00007FFDFB093000.00000040.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726716991.00007FFDFB095000.00000040.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726716991.00007FFDFB0AA000.00000040.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726870011.00007FFDFB0AC000.00000080.00000001.01000000.00000019.sdmpDownload File
Associated: 00000001.00000002.1726888688.00007FFDFB0AE000.00000004.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaf40000_Colby Dupe Script.jbxd

Similarity

API ID: 00007E146319
String ID: cannot use RETURNING in a trigger$sqlite_returning
API String ID: 1776107623-753984552
Opcode ID: f5230fc9e4cf321162a8627f211f83dfe1f344e37eb606a3a44f2b7169fa9843
Instruction ID: a5cbf1ddb8d6a365a84400b60d6ec5b1bec1d6f4d1f822b5391f36a80b289fc9
Opcode Fuzzy Hash: f5230fc9e4cf321162a8627f211f83dfe1f344e37eb606a3a44f2b7169fa9843
Instruction Fuzzy Hash: 5F416031B09B4286E76C9B11E560BB973A0FF49B94F544271EBAE0B7D9CF68E451C300

Function 00007FFDFB0C39B8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 74COMMON

Download Yara Rule

APIs

00007FFE2002EFC0.API-MS-WIN-CRT-FILESYSTEM-L1-1-0 ref: 00007FFDFB28E30D

Strings

..\s\crypto\rand\randfile.c, xrefs: 00007FFDFB28E26C, 00007FFDFB28E2D0
Filename=, xrefs: 00007FFDFB28E282, 00007FFDFB28E2F1

Memory Dump Source

Source File: 00000001.00000002.1726926360.00007FFDFB0C1000.00000040.00000001.01000000.00000014.sdmp, Offset: 00007FFDFB0C0000, based on PE: true

Associated: 00000001.00000002.1726907514.00007FFDFB0C0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB0CD000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB125000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB139000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB149000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB15D000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB30C000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB30E000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB339000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB36A000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB390000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB3DE000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB3E4000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB3E6000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB402000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB40F000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1727411729.00007FFDFB413000.00000080.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1727429814.00007FFDFB414000.00000004.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb0c0000_Colby Dupe Script.jbxd

Similarity

API ID: 00007E2002
String ID: ..\s\crypto\rand\randfile.c$Filename=
API String ID: 1750240854-2201148535
Opcode ID: 6b3b0f7a3795f012e9ff1fc1ebc767fdf81fc92d56402ad81cac52365df12dad
Instruction ID: c6554591b3dd516db30bee98ec1b9ee4a2c0f3d45a4ba099ca387b8cdc1ab64d
Opcode Fuzzy Hash: 6b3b0f7a3795f012e9ff1fc1ebc767fdf81fc92d56402ad81cac52365df12dad
Instruction Fuzzy Hash: B5316CA1B0AA4782EB20AB55E464AB963A0FB45788F404136DA6D476E9EF3CE508C705

Function 00007FFDFB0C3387 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 61networkCOMMON

Download Yara Rule

APIs

getsockname.WS2_32 ref: 00007FFDFB189E87
WSAGetLastError.WS2_32 ref: 00007FFDFB189E92

Strings

..\s\crypto\bio\b_sock.c, xrefs: 00007FFDFB189E46, 00007FFDFB189EA8, 00007FFDFB189EC4, 00007FFDFB189EF7

Memory Dump Source

Source File: 00000001.00000002.1726926360.00007FFDFB0C1000.00000040.00000001.01000000.00000014.sdmp, Offset: 00007FFDFB0C0000, based on PE: true

Associated: 00000001.00000002.1726907514.00007FFDFB0C0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB0CD000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB125000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB139000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB149000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB15D000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB30C000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB30E000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB339000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB36A000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB390000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB3DE000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB3E4000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB3E6000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB402000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB40F000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1727411729.00007FFDFB413000.00000080.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1727429814.00007FFDFB414000.00000004.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb0c0000_Colby Dupe Script.jbxd

Similarity

API ID: ErrorLastgetsockname
String ID: ..\s\crypto\bio\b_sock.c
API String ID: 566540725-540685895
Opcode ID: a7a9d23270d94e37348a85efb9068d8d5f36d2912cc69f144dbe1a5ed76ec5ab
Instruction ID: f0166eac873558f8ae81d2a81412e7e80b7e02082c9087882707f6fde9d2bc57
Opcode Fuzzy Hash: a7a9d23270d94e37348a85efb9068d8d5f36d2912cc69f144dbe1a5ed76ec5ab
Instruction Fuzzy Hash: 6C217FB2F4550786E710DB60E815AEE6760FB81309F904135E66C026F9DF3DE589DB40

Function 00007FFDFB0C6BE5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21networkCOMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32 ref: 00007FFDFB18A042
WSAGetLastError.WS2_32 ref: 00007FFDFB18A04E

Strings

..\s\crypto\bio\b_sock.c, xrefs: 00007FFDFB18A064

Memory Dump Source

Source File: 00000001.00000002.1726926360.00007FFDFB0C1000.00000040.00000001.01000000.00000014.sdmp, Offset: 00007FFDFB0C0000, based on PE: true

Associated: 00000001.00000002.1726907514.00007FFDFB0C0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB0CD000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB125000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB139000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB149000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB15D000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB30C000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB30E000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB339000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB36A000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB390000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB3DE000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB3E4000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB3E6000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB402000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1726926360.00007FFDFB40F000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1727411729.00007FFDFB413000.00000080.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.1727429814.00007FFDFB414000.00000004.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb0c0000_Colby Dupe Script.jbxd

Similarity

API ID: ErrorLastioctlsocket
String ID: ..\s\crypto\bio\b_sock.c
API String ID: 1021210092-540685895
Opcode ID: 4b3498a1bc9275628b4fed3f0116b26741c55f820a8da06fdf06bba4b20f0e59
Instruction ID: 61d8e436d252d507d086eb86e58a7d97e78905ca672e627975e5cc589c83c5b0
Opcode Fuzzy Hash: 4b3498a1bc9275628b4fed3f0116b26741c55f820a8da06fdf06bba4b20f0e59
Instruction Fuzzy Hash: B0E09AA1F2B91347F3106BA0D824FBA2250BF4534DF004230E97D826F9DF3DE2498A00

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Colby Dupe Script.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Cipher\_ARC4.pyd

C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Cipher\_Salsa20.pyd

C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Cipher\_chacha20.pyd

C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Cipher\_pkcs1_decode.pyd

C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Cipher\_raw_aes.pyd

C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Cipher\_raw_aesni.pyd

C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Cipher\_raw_arc2.pyd

C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Cipher\_raw_blowfish.pyd

C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Cipher\_raw_cast.pyd

C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Cipher\_raw_cbc.pyd

C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Cipher\_raw_cfb.pyd

C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Cipher\_raw_ctr.pyd

C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Cipher\_raw_des.pyd

C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Cipher\_raw_des3.pyd

C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Cipher\_raw_ecb.pyd

C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Cipher\_raw_eksblowfish.pyd

C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Cipher\_raw_ocb.pyd

C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Cipher\_raw_ofb.pyd

C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Hash\_BLAKE2b.pyd

C:\Users\user\AppData\Local\Temp\_MEI59122\Cryptodome\Hash\_BLAKE2s.pyd

Windows Analysis Report
Colby Dupe Script.exe