Windows Analysis Report
purchaseorder4.exe

Overview

General Information

Sample name: purchaseorder4.exe
Analysis ID: 1428748
MD5: 5914b824880c616d105867599dac3d76
SHA1: e55db01b770d5371a83be03f9e4a3f4b4520380e
SHA256: 49c7e194b5876770a6e8e680c8b606ab07ffca891d4921be7a38f9d600347b1b
Detection

Python Stealer
Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Icon mismatch, binary includes an icon from a different legit application in order to fool users
Detected generic credential text file
Found pyInstaller with non standard icon
Initial sample is a PE file and has a suspicious name
Performs DNS queries to domains with low reputation
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Generic Python Stealer
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Outbound SMTP Connections

Classification

Source: purchaseorder4.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\purchaseorder4.exe Code function: 0_2_00007FF781708D00 FindFirstFileExW,FindClose, 0_2_00007FF781708D00
Source: C:\Users\user\Desktop\purchaseorder4.exe Code function: 0_2_00007FF781718670 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError, 0_2_00007FF781718670
Source: C:\Users\user\Desktop\purchaseorder4.exe Code function: 0_2_00007FF7817226C4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose, 0_2_00007FF7817226C4
Source: C:\Users\user\Desktop\purchaseorder4.exe File opened: C:\Users\user\AppData\Local\Temp\_MEI30602\api-ms-win-core-datetime-l1-1-0.dll
Source: C:\Users\user\Desktop\purchaseorder4.exe File opened: C:\Users\user\AppData\Local\Temp\_MEI30602\api-ms-win-core-console-l1-1-0.dll
Source: C:\Users\user\Desktop\purchaseorder4.exe File opened: C:\Users\user\AppData\Local\Temp\_MEI30602\pywin32_system32
Source: C:\Users\user\Desktop\purchaseorder4.exe File opened: C:\Users\user\AppData\Local\Temp\_MEI30602
Source: C:\Users\user\Desktop\purchaseorder4.exe File opened: C:\Users\user\AppData\Local\Temp\_MEI30602\win32
Source: C:\Users\user\Desktop\purchaseorder4.exe File opened: C:\Users\user\AppData\Local\Temp\_MEI30602\pythonwin

Networking

Source: DNS query: mail.dasmake.xyz
Source: Joe Sandbox View IP Address: 192.236.232.35
Source: Joe Sandbox View ASN Name: HOSTWINDSUS
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown DNS traffic detected: queries for: mail.dasmake.xyz
Source: purchaseorder4.exe, 00000002.00000002.2385896663.000002600374C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://curl.haxx.se/rfc/cookie_spec.html
Source: purchaseorder4.exe, 00000002.00000002.2385726797.00000260034A0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://docs.python.org/3/library/subprocess#subprocess.Popen.kill
Source: purchaseorder4.exe, 00000002.00000002.2385726797.00000260034A0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://docs.python.org/3/library/subprocess#subprocess.Popen.returncode
Source: purchaseorder4.exe, 00000002.00000002.2383616657.0000026002AA0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://docs.python.org/3/library/subprocess#subprocess.Popen.terminate
Source: purchaseorder4.exe, 00000002.00000002.2383356804.00000260027A0000.00000004.00001000.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2312782863.00000260019FE000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000002.2382065051.0000026001F90000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://docs.python.org/library/itertools.html#recipes
Source: purchaseorder4.exe, 00000002.00000003.2362795977.0000026002BA1000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2363178642.0000026002BB0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://docs.python.org/library/unittest.html
Source: purchaseorder4.exe, 00000002.00000002.2382065051.0000026001F90000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://github.com/ActiveState/appdirs
Source: purchaseorder4.exe, 00000002.00000003.2376472876.0000026002432000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2365786087.0000026002408000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2362516738.0000026002389000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2320193569.0000026002351000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000002.2382735562.0000026002432000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2364056719.0000026002398000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2367721039.0000026002412000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2369520511.0000026002432000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2368437865.000002600242F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://google.com/
Source: purchaseorder4.exe, 00000002.00000003.2375092092.00000260023E9000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2367178720.00000260023E8000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2362516738.0000026002389000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2320193569.0000026002351000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2377547206.00000260023E9000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2364056719.0000026002398000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000002.2382735562.00000260023E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://google.com/mail/
Source: purchaseorder4.exe, 00000002.00000003.2367178720.00000260023E8000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2365786087.0000026002408000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2362516738.0000026002389000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2320193569.0000026002351000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2364056719.0000026002398000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2367721039.0000026002412000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2369520511.0000026002413000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535
Source: purchaseorder4.exe, 00000002.00000003.2372968442.00000260024AE000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2364800314.0000026001A0F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com
Source: purchaseorder4.exe, 00000002.00000003.2363391268.0000026002BBC000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2361633539.0000026003079000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2365615919.0000026002D00000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2363847601.0000026002D00000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2361778148.0000026002D00000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2362795977.0000026002BA1000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2363178642.0000026002BB0000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2362323038.0000026002D00000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2376124949.0000026002D04000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2376606966.0000026002D24000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: purchaseorder4.exe, 00000002.00000003.2379431977.0000026002C9F000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2369708079.0000026002C9B000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2361778148.0000026002C97000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.comsnippetV
Source: purchaseorder4.exe, 00000000.00000003.2287206065.000001F981848000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000000.00000003.2287588502.000001F981848000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000000.00000003.2287077073.000001F981848000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: purchaseorder4.exe, 00000000.00000003.2287206065.000001F981848000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000000.00000003.2287588502.000001F981848000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000000.00000003.2287077073.000001F981848000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0A
Source: purchaseorder4.exe, 00000000.00000003.2287206065.000001F981848000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000000.00000003.2287588502.000001F981848000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000000.00000003.2287077073.000001F981848000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: purchaseorder4.exe, 00000000.00000003.2287206065.000001F981848000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000000.00000003.2287588502.000001F981848000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000000.00000003.2287077073.000001F981848000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0X
Source: purchaseorder4.exe, 00000002.00000002.2381972173.0000026001E90000.00000004.00001000.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000002.2380929512.0000026001B90000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://opensource.apple.com/source/CF/CF-744.18/CFBinaryPList.c
Source: purchaseorder4.exe, 00000002.00000002.2383356804.00000260027A0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://stackoverflow.com/questions/19622133/
Source: purchaseorder4.exe, 00000002.00000003.2377263408.00000260021C1000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2375092092.00000260023E9000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2367178720.00000260023E8000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2362516738.0000026002389000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2377547206.00000260023E9000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2372716624.00000260021C2000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2364056719.0000026002398000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000002.2382735562.00000260023E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://tools.ietf.org/html/rfc4880
Source: purchaseorder4.exe, 00000002.00000002.2386004860.0000026003810000.00000004.00001000.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000002.2385813257.00000260035C0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://tools.ietf.org/html/rfc5297
Source: purchaseorder4.exe, 00000002.00000003.2373616727.0000026002D51000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2361673045.0000026002D4A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://tools.ietf.org/html/rfc5869
Source: purchaseorder4.exe, 00000002.00000002.2385813257.00000260035C0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://tools.ietf.org/html/rfc6125#section-6.4.3
Source: purchaseorder4.exe, 00000002.00000003.2376124949.0000026002D28000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2365615919.0000026002D00000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2363847601.0000026002D00000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2361778148.0000026002D00000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2370208370.0000026002D25000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000002.2384296491.0000026002D2A000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2362323038.0000026002D00000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://web.cs.ucdavis.edu/~rogaway/ocb/license.htm
Source: purchaseorder4.exe, 00000002.00000002.2382065051.0000026001F90000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.apple.com/DTDs/PropertyList-1.0.dtd
Source: purchaseorder4.exe, 00000002.00000003.2312072659.0000026001DC9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.cl.cam.ac.uk/~mgk25/iso-time.html
Source: purchaseorder4.exe, 00000002.00000003.2362913745.00000260021F7000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2370892205.00000260021D1000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2373172224.00000260021F8000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2376930091.00000260021E5000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2370892205.00000260021F7000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2362913745.00000260021CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.cs.ucdavis.edu/~rogaway/papers/keywrap.pdf
Source: purchaseorder4.exe, 00000002.00000002.2386114592.0000026003A80000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.dabeaz.com/ply)
Source: purchaseorder4.exe, 00000002.00000002.2382264597.00000260021A1000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2377263408.0000026002191000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.dabeaz.com/ply)F
Source: purchaseorder4.exe, 00000000.00000003.2287206065.000001F981848000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000000.00000003.2287588502.000001F981848000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000000.00000003.2287077073.000001F981848000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/CPS0
Source: purchaseorder4.exe, 00000002.00000002.2383856392.0000026002C22000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2362383954.0000026002C20000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2361568751.0000026002C13000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6
Source: purchaseorder4.exe, 00000002.00000003.2312072659.0000026001DC9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.iana.org/time-zones/repository/tz-link.html
Source: purchaseorder4.exe, 00000002.00000003.2313024105.0000026001DD1000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2312072659.0000026001DC9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.phys.uu.nl/~vgent/calendar/isocalendar.htm
Source: purchaseorder4.exe, 00000002.00000003.2376124949.0000026002D28000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2365615919.0000026002D00000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2363847601.0000026002D00000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2361778148.0000026002D00000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2370208370.0000026002D25000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000002.2384296491.0000026002D2A000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2362323038.0000026002D00000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.rfc-editor.org/info/rfc7253
Source: purchaseorder4.exe, 00000002.00000003.2373616727.0000026002D51000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2361673045.0000026002D4A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.tarsnap.com/scrypt/scrypt-slides.pdf
Source: purchaseorder4.exe, 00000002.00000003.2375614799.0000026002CC4000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000002.2384110948.0000026002CC7000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2321838846.0000026002CC3000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2369708079.0000026002C9B000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2372864592.0000026002CB6000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2361778148.0000026002C97000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://wwwsearch.sf.net/):
Source: purchaseorder4.exe, 00000002.00000002.2383356804.00000260027A0000.00000004.00001000.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000002.2383445652.00000260028A0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://bugs.python.org/issue44497.
Source: purchaseorder4.exe, 00000002.00000002.2392174415.00007FF8B054C000.00000002.00000001.01000000.00000020.sdmp String found in binary or memory: https://cffi.readthedocs.io/en/latest/using.html#callbacks
Source: purchaseorder4.exe, 00000002.00000002.2388918381.00007FF8A7E68000.00000002.00000001.01000000.00000032.sdmp String found in binary or memory: https://cryptography.io/en/latest/faq/#why-can-t-i-import-my-pem-file
Source: purchaseorder4.exe, 00000002.00000002.2386201220.0000026003C0C000.00000004.00001000.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000002.2386350724.0000026003D40000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://datatracker.ietf.org/doc/html/rfc5246#section-7.4.1.4.1
Source: purchaseorder4.exe, 00000002.00000003.2368846916.0000026001D0F000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2365786087.0000026002408000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2362516738.0000026002389000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2320193569.0000026002351000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2364056719.0000026002398000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2367721039.0000026002412000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2364489827.0000026001CE1000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2369520511.0000026002413000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2363242195.0000026001C91000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2365987293.0000026001CE5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.python.org/3/library/pprint.html
Source: purchaseorder4.exe, 00000002.00000003.2368846916.0000026001D0F000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2365786087.0000026002408000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2362516738.0000026002389000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2320193569.0000026002351000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2364056719.0000026002398000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2367721039.0000026002412000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2364489827.0000026001CE1000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2369520511.0000026002413000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2363242195.0000026001C91000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2365987293.0000026001CE5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.python.org/3/library/pprint.html#pprint.pprint
Source: purchaseorder4.exe, 00000002.00000003.2314754444.00000260022A1000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2368382323.00000260024C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.python.org/3/library/re.html
Source: purchaseorder4.exe, 00000002.00000003.2314754444.0000026002241000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2318471205.000002600249B000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000002.2382065051.0000026001F90000.00000004.00001000.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000002.2383268785.00000260026A0000.00000004.00001000.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2314754444.00000260022A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.python.org/3/library/re.html#re.sub
Source: purchaseorder4.exe, 00000002.00000002.2385639108.00000260033A0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.python.org/3/library/socket.html#socket.socket.connect_ex
Source: purchaseorder4.exe, 00000002.00000002.2383616657.0000026002AA0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://foss.heptapod.net/pypy/pypy/-/issues/3539
Source: purchaseorder4.exe, 00000002.00000002.2383356804.00000260027A0000.00000004.00001000.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000002.2381972173.0000026001E90000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://gist.github.com/lyssdod/f51579ae8d93c8657a5564aefc2ffbca
Source: purchaseorder4.exe, 00000002.00000003.2320193569.00000260024BE000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2362456773.0000026002565000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2370306983.0000026002585000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/Ousret/charset_normalizer
Source: purchaseorder4.exe, 00000002.00000003.2364699469.000002607F7ED000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000002.2387352280.000002607F7F8000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2365004051.000002607F7F0000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2377833600.000002607F7F6000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2375776012.000002607F7F1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
Source: purchaseorder4.exe, 00000002.00000002.2383445652.00000260028A0000.00000004.00001000.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000002.2381972173.0000026001E90000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/jaraco/jaraco.functools/issues/5
Source: purchaseorder4.exe, 00000000.00000003.2286347176.000001F981848000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000002.2394596696.00007FF8B78C1000.00000002.00000001.01000000.00000010.sdmp, purchaseorder4.exe, 00000002.00000002.2392573903.00007FF8B27CE000.00000002.00000001.01000000.0000001F.sdmp, purchaseorder4.exe, 00000002.00000002.2394149892.00007FF8B7841000.00000002.00000001.01000000.00000013.sdmp, purchaseorder4.exe, 00000002.00000002.2393635056.00007FF8B6214000.00000002.00000001.01000000.00000012.sdmp String found in binary or memory: https://github.com/mhammond/pywin32
Source: purchaseorder4.exe, 00000002.00000002.2386458097.0000026003EB4000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/pyca/cryptography/issues
Source: purchaseorder4.exe, 00000002.00000002.2388918381.00007FF8A7E68000.00000002.00000001.01000000.00000032.sdmp String found in binary or memory: https://github.com/pyca/cryptography/issues/8996
Source: purchaseorder4.exe, 00000002.00000002.2388918381.00007FF8A7E68000.00000002.00000001.01000000.00000032.sdmp String found in binary or memory: https://github.com/pyca/cryptography/issues/9253
Source: purchaseorder4.exe, 00000002.00000003.2378740529.0000026001D45000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2361568751.0000026002C53000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2373045518.0000026002CC9000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2369708079.0000026002C9B000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2372864592.0000026002CB6000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2362383954.0000026002C53000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2364489827.0000026001CE1000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2377372287.0000026002CCF000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000002.2383445652.00000260028A0000.00000004.00001000.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2368225233.0000026001D2D000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000002.2383856392.0000026002C53000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2363242195.0000026001C91000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2361778148.0000026002C97000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2365987293.0000026001CE5000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000002.2383163782.0000026002590000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/pypa/packaging
Source: purchaseorder4.exe, 00000002.00000002.2383163782.0000026002590000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/pypa/packagingen_py
Source: purchaseorder4.exe, 00000002.00000002.2383268785.00000260026A0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/pypa/setuptools/issues/1024.
Source: purchaseorder4.exe, 00000002.00000002.2380929512.0000026001B90000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/pypa/setuptools/issues/417#issuecomment-392298401
Source: purchaseorder4.exe, 00000002.00000003.2364306036.000002600236C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/pyparsing/pyparsing/wiki
Source: purchaseorder4.exe, 00000002.00000002.2387831051.000002607FDE0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
Source: purchaseorder4.exe, 00000002.00000003.2375776012.000002607F7F1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
Source: purchaseorder4.exe, 00000002.00000003.2364699469.000002607F7ED000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000002.2387352280.000002607F7F8000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2365004051.000002607F7F0000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2377833600.000002607F7F6000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2375776012.000002607F7F1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
Source: purchaseorder4.exe, 00000002.00000003.2364699469.000002607F7ED000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000002.2387352280.000002607F7F8000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2365004051.000002607F7F0000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2377833600.000002607F7F6000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2375776012.000002607F7F1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
Source: purchaseorder4.exe, 00000002.00000002.2383616657.0000026002AA0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963
Source: purchaseorder4.exe, 00000002.00000003.2366859785.0000026001DF4000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2364867749.0000026001DE9000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2376285051.0000026001DF5000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2362838082.0000026001DCA000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2372040103.0000026001DF5000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2366243898.0000026001DEE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.
Source: purchaseorder4.exe, 00000002.00000002.2385896663.00000260036D0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/urllib3/urllib3/issues/2920

System Summary

Source: initial sample Static PE information: Filename: purchaseorder4.exe
Source: C:\Users\user\Desktop\purchaseorder4.exe Code function: 2_2_00007FF8A82C638E 2_2_00007FF8A82C638E
Source: C:\Users\user\Desktop\purchaseorder4.exe Code function: 2_2_00007FF8A8463010 2_2_00007FF8A8463010
Source: C:\Users\user\Desktop\purchaseorder4.exe Code function: 2_2_00007FF8A82DF060 2_2_00007FF8A82DF060
Source: C:\Users\user\Desktop\purchaseorder4.exe Code function: 2_2_00007FF8A847B0E0 2_2_00007FF8A847B0E0
Source: C:\Users\user\Desktop\purchaseorder4.exe Code function: 2_2_00007FF8A8476100 2_2_00007FF8A8476100
Source: C:\Users\user\Desktop\purchaseorder4.exe Code function: 2_2_00007FF8A82C6D5C 2_2_00007FF8A82C6D5C
Source: C:\Users\user\Desktop\purchaseorder4.exe Code function: 2_2_00007FF8A82C26EE 2_2_00007FF8A82C26EE
Source: C:\Users\user\Desktop\purchaseorder4.exe Code function: 2_2_00007FF8A82C2301 2_2_00007FF8A82C2301
Source: C:\Users\user\Desktop\purchaseorder4.exe Code function: 2_2_00007FF8A82C1A50 2_2_00007FF8A82C1A50
Source: C:\Users\user\Desktop\purchaseorder4.exe Code function: 2_2_00007FF8A82C3634 2_2_00007FF8A82C3634
Source: C:\Users\user\Desktop\purchaseorder4.exe Code function: 2_2_00007FF8A82C6EBF 2_2_00007FF8A82C6EBF
Source: C:\Users\user\Desktop\purchaseorder4.exe Code function: 2_2_00007FF8A82C1217 2_2_00007FF8A82C1217
Source: C:\Users\user\Desktop\purchaseorder4.exe Code function: String function: 00007FF8A82C2A09 appears 60 times
Source: C:\Users\user\Desktop\purchaseorder4.exe Code function: String function: 00007FF8A80289A0 appears 31 times
Source: C:\Users\user\Desktop\purchaseorder4.exe Code function: String function: 00007FF8A82C1EF6 appears 377 times
Source: C:\Users\user\Desktop\purchaseorder4.exe Code function: String function: 00007FF8A82C4840 appears 33 times
Source: C:\Users\user\Desktop\purchaseorder4.exe Code function: String function: 00007FF8A82C405C appears 146 times
Source: C:\Users\user\Desktop\purchaseorder4.exe Code function: String function: 00007FF8A8028B90 appears 124 times
Source: C:\Users\user\Desktop\purchaseorder4.exe Code function: String function: 00007FF781702B10 appears 47 times
Source: C:\Users\user\Desktop\purchaseorder4.exe Code function: String function: 00007FF8A8029AD0 appears 169 times
Source: C:\Users\user\Desktop\purchaseorder4.exe Code function: String function: 00007FF8A82C2739 appears 122 times
Source: ucrtbase.dll.0.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: unicodedata.pyd.0.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: _overlapped.pyd.0.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: api-ms-win-core-interlocked-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-processenvironment-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-util-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-process-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-timezone-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l2-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-debug-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-string-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-profile-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-localization-l1-2-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-datetime-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-math-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-time-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-locale-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-namedpipe-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-path-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-2-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-sysinfo-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-libraryloader-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: python3.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-heap-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-environment-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-stdio-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-errorhandling-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-handle-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-2-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-1.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-utility-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-filesystem-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-multibyte-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-rtlsupport-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-conio-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-heap-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-convert-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-runtime-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-string-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-memory-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: purchaseorder4.exe, 00000000.00000003.2286728644.000001F981848000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamevcruntime140.dllT vs purchaseorder4.exe
Source: purchaseorder4.exe, 00000000.00000003.2287206065.000001F981848000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_bz2.pyd. vs purchaseorder4.exe
Source: purchaseorder4.exe, 00000000.00000003.2286347176.000001F981848000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamewin32ui.pyd0 vs purchaseorder4.exe
Source: purchaseorder4.exe, 00000000.00000003.2286951405.000001F981848000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamevcruntime140_1.dllT vs purchaseorder4.exe
Source: purchaseorder4.exe, 00000000.00000003.2287588502.000001F981848000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_ctypes.pyd. vs purchaseorder4.exe
Source: purchaseorder4.exe, 00000000.00000003.2287077073.000001F981848000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_asyncio.pyd. vs purchaseorder4.exe
Source: purchaseorder4.exe Binary or memory string: OriginalFilename vs purchaseorder4.exe
Source: purchaseorder4.exe, 00000002.00000002.2396658543.00007FF8B8F76000.00000002.00000001.01000000.0000000F.sdmp Binary or memory string: OriginalFilename_queue.pyd. vs purchaseorder4.exe
Source: purchaseorder4.exe, 00000002.00000002.2390496248.00007FF8A8609000.00000002.00000001.01000000.00000015.sdmp Binary or memory string: OriginalFilenamelibcryptoH vs purchaseorder4.exe
Source: purchaseorder4.exe, 00000002.00000002.2390863465.00007FF8A8ADB000.00000002.00000001.01000000.00000016.sdmp Binary or memory string: OriginalFilenamelibsslH vs purchaseorder4.exe
Source: purchaseorder4.exe, 00000002.00000002.2397363813.00007FF8B93D2000.00000002.00000001.01000000.0000000A.sdmp Binary or memory string: OriginalFilename_bz2.pyd. vs purchaseorder4.exe
Source: purchaseorder4.exe, 00000002.00000002.2397801698.00007FF8B9F7D000.00000002.00000001.01000000.00000008.sdmp Binary or memory string: OriginalFilename_ctypes.pyd. vs purchaseorder4.exe
Source: purchaseorder4.exe, 00000002.00000002.2394596696.00007FF8B78C1000.00000002.00000001.01000000.00000010.sdmp Binary or memory string: OriginalFilenamepywintypes310.dll0 vs purchaseorder4.exe
Source: purchaseorder4.exe, 00000002.00000002.2392573903.00007FF8B27CE000.00000002.00000001.01000000.0000001F.sdmp Binary or memory string: OriginalFilenamewin32crypt.pyd0 vs purchaseorder4.exe
Source: purchaseorder4.exe, 00000002.00000002.2395231987.00007FF8B8107000.00000002.00000001.01000000.00000004.sdmp Binary or memory string: OriginalFilenameucrtbase.dllj% vs purchaseorder4.exe
Source: purchaseorder4.exe, 00000002.00000002.2393884714.00007FF8B7815000.00000002.00000001.01000000.00000014.sdmp Binary or memory string: OriginalFilename_ssl.pyd. vs purchaseorder4.exe
Source: purchaseorder4.exe, 00000002.00000002.2396207483.00007FF8B8AFA000.00000002.00000001.01000000.00000018.sdmp Binary or memory string: OriginalFilename_overlapped.pyd. vs purchaseorder4.exe
Source: purchaseorder4.exe, 00000002.00000002.2392979725.00007FF8B6036000.00000002.00000001.01000000.0000001D.sdmp Binary or memory string: OriginalFilename_sqlite3.pyd. vs purchaseorder4.exe
Source: purchaseorder4.exe, 00000002.00000002.2394149892.00007FF8B7841000.00000002.00000001.01000000.00000013.sdmp Binary or memory string: OriginalFilenamewin32api.pyd0 vs purchaseorder4.exe
Source: purchaseorder4.exe, 00000002.00000002.2398222416.00007FF8BFAD7000.00000002.00000001.01000000.00000006.sdmp Binary or memory string: OriginalFilenamevcruntime140.dllT vs purchaseorder4.exe
Source: purchaseorder4.exe, 00000002.00000002.2394927686.00007FF8B800D000.00000002.00000001.01000000.0000000E.sdmp Binary or memory string: OriginalFilenamepyexpat.pyd. vs purchaseorder4.exe
Source: purchaseorder4.exe, 00000002.00000002.2393215592.00007FF8B604E000.00000002.00000001.01000000.00000019.sdmp Binary or memory string: OriginalFilename_hashlib.pyd. vs purchaseorder4.exe
Source: purchaseorder4.exe, 00000002.00000002.2396848915.00007FF8B8F92000.00000002.00000001.01000000.0000000C.sdmp Binary or memory string: OriginalFilename_socket.pyd. vs purchaseorder4.exe
Source: purchaseorder4.exe, 00000002.00000002.2393635056.00007FF8B6214000.00000002.00000001.01000000.00000012.sdmp Binary or memory string: OriginalFilenamepythoncom310.dll0 vs purchaseorder4.exe
Source: purchaseorder4.exe, 00000002.00000002.2397131913.00007FF8B9104000.00000002.00000001.01000000.0000000B.sdmp Binary or memory string: OriginalFilename_lzma.pyd. vs purchaseorder4.exe
Source: purchaseorder4.exe, 00000002.00000002.2395755927.00007FF8B825E000.00000002.00000001.01000000.00000017.sdmp Binary or memory string: OriginalFilename_asyncio.pyd. vs purchaseorder4.exe
Source: purchaseorder4.exe, 00000002.00000002.2389428930.00007FF8A8183000.00000002.00000001.01000000.0000001E.sdmp Binary or memory string: OriginalFilenamesqlite3.dll0 vs purchaseorder4.exe
Source: purchaseorder4.exe, 00000002.00000002.2396417159.00007FF8B8CB9000.00000002.00000001.01000000.00000011.sdmp Binary or memory string: OriginalFilenamevcruntime140_1.dllT vs purchaseorder4.exe
Source: purchaseorder4.exe, 00000002.00000002.2391959123.00007FF8A8F28000.00000002.00000001.01000000.00000005.sdmp Binary or memory string: OriginalFilenamepython310.dll. vs purchaseorder4.exe
Source: purchaseorder4.exe, 00000002.00000002.2389742802.00007FF8A82B1000.00000002.00000001.01000000.0000001C.sdmp Binary or memory string: OriginalFilenameunicodedata.pyd. vs purchaseorder4.exe
Source: purchaseorder4.exe, 00000002.00000002.2397564631.00007FF8B9846000.00000002.00000001.01000000.0000000D.sdmp Binary or memory string: OriginalFilenameselect.pyd. vs purchaseorder4.exe
Source: purchaseorder4.exe, 00000002.00000002.2387746863.000002607FD20000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: OriginalFilenamepython3.dll. vs purchaseorder4.exe
Source: purchaseorder4.exe, 00000002.00000002.2387069015.000002607F770000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: windir=C:\WindowsXE;.BAT;.CMD;.VBp
Source: classification engine Classification label: mal72.troj.spyw.winEXE@6/141@1/1
Source: C:\Users\user\Desktop\purchaseorder4.exe Code function: 0_2_00007FF781708770 GetLastError,FormatMessageW,WideCharToMultiByte, 0_2_00007FF781708770
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4368:120:WilError_03
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602
Source: purchaseorder4.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\purchaseorder4.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: purchaseorder4.exe, 00000002.00000002.2389356129.00007FF8A8151000.00000002.00000001.01000000.0000001E.sdmp Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: purchaseorder4.exe, 00000002.00000002.2389356129.00007FF8A8151000.00000002.00000001.01000000.0000001E.sdmp Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: purchaseorder4.exe, 00000002.00000002.2389356129.00007FF8A8151000.00000002.00000001.01000000.0000001E.sdmp Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: purchaseorder4.exe, 00000002.00000002.2389356129.00007FF8A8151000.00000002.00000001.01000000.0000001E.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: purchaseorder4.exe, purchaseorder4.exe, 00000002.00000002.2389356129.00007FF8A8151000.00000002.00000001.01000000.0000001E.sdmp Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: purchaseorder4.exe, 00000002.00000002.2389356129.00007FF8A8151000.00000002.00000001.01000000.0000001E.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: purchaseorder4.exe, 00000002.00000002.2389356129.00007FF8A8151000.00000002.00000001.01000000.0000001E.sdmp Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: C:\Users\user\Desktop\purchaseorder4.exe File read: C:\Users\user\Desktop\purchaseorder4.exe
Source: unknown Process created: C:\Users\user\Desktop\purchaseorder4.exe "C:\Users\user\Desktop\purchaseorder4.exe"
Source: C:\Users\user\Desktop\purchaseorder4.exe Process created: C:\Users\user\Desktop\purchaseorder4.exe "C:\Users\user\Desktop\purchaseorder4.exe"
Source: C:\Users\user\Desktop\purchaseorder4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\purchaseorder4.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\purchaseorder4.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\purchaseorder4.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\purchaseorder4.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\purchaseorder4.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\purchaseorder4.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\purchaseorder4.exe Section loaded: libffi-7.dll
Source: C:\Users\user\Desktop\purchaseorder4.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\purchaseorder4.exe Section loaded: vcruntime140_1.dll
Source: C:\Users\user\Desktop\purchaseorder4.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\purchaseorder4.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\purchaseorder4.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\purchaseorder4.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\purchaseorder4.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\purchaseorder4.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\purchaseorder4.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\purchaseorder4.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\purchaseorder4.exe Section loaded: libcrypto-1_1.dll
Source: C:\Users\user\Desktop\purchaseorder4.exe Section loaded: libssl-1_1.dll
Source: C:\Users\user\Desktop\purchaseorder4.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\purchaseorder4.exe Section loaded: sqlite3.dll
Source: C:\Users\user\Desktop\purchaseorder4.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\purchaseorder4.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\purchaseorder4.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\purchaseorder4.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\purchaseorder4.exe Section loaded: napinsp.dll
Source: C:\Users\user\Desktop\purchaseorder4.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\Desktop\purchaseorder4.exe Section loaded: wshbth.dll
Source: C:\Users\user\Desktop\purchaseorder4.exe Section loaded: nlaapi.dll
Source: C:\Users\user\Desktop\purchaseorder4.exe Section loaded: winrnr.dll
Source: C:\Users\user\Desktop\purchaseorder4.exe File opened: C:\Users\user\Desktop\pyvenv.cfg
Source: purchaseorder4.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: purchaseorder4.exe Static file information: File size 18813776 > 1048576
Source: purchaseorder4.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: purchaseorder4.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: purchaseorder4.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: purchaseorder4.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: purchaseorder4.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: purchaseorder4.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: purchaseorder4.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: purchaseorder4.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\pythoncom.pdb source: purchaseorder4.exe, 00000002.00000002.2393327241.00007FF8B61CC000.00000002.00000001.01000000.00000012.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: purchaseorder4.exe, 00000002.00000002.2389528884.00007FF8A82AC000.00000002.00000001.01000000.0000001C.sdmp
Source: Binary string: ucrtbase.pdb source: purchaseorder4.exe, 00000002.00000002.2395097234.00007FF8B80CC000.00000002.00000001.01000000.00000004.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdbMM source: purchaseorder4.exe, 00000002.00000002.2396996550.00007FF8B90FB000.00000002.00000001.01000000.0000000B.sdmp
Source: Binary string: tRSA_PRIME_INFOeqdmp1dmq1iqmpprime_infosRSAPrivateKeyRSAPublicKeyhashAlgorithmmaskGenAlgorithmsaltLengthtrailerFieldRSA_PSS_PARAMShashFuncmaskGenFuncpSourceFuncRSA_OAEP_PARAMScompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG"3.2.1built on: Fri Feb 23 00:13:44 2024 UTCplatform: VC-WIN64AOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-3"MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"CPUINFO: N/Anot availablecrypto\init.cOPENSSL_init_cryptocrypto\bio\bio_lib.cBIO_new_exbio_read_internbio_write_internBIO_sendmmsgBIO_recvmmsgBIO_putsBIO_getsBIO_get_line BIO_ctrlBIO_callback_ctrlBIO_find_type source: purchaseorder4.exe, 00000002.00000002.2388918381.00007FF8A7E68000.00000002.00000001.01000000.00000032.sdmp
Source: Binary string: D:\a\1\b\libssl-1_1.pdb@@ source: purchaseorder4.exe, 00000002.00000002.2390759212.00007FF8A8AA6000.00000002.00000001.01000000.00000016.sdmp
Source: Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: purchaseorder4.exe, 00000000.00000003.2286951405.000001F981848000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000002.2396332002.00007FF8B8CB5000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: C:\Users\runneradmin\AppData\Local\Temp\pip-req-build-csg7dlje\src\rust\target\release\deps\cryptography_rust.pdb source: purchaseorder4.exe, 00000002.00000002.2388918381.00007FF8A7E68000.00000002.00000001.01000000.00000032.sdmp
Source: Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\pythoncom.pdb}},GCTL source: purchaseorder4.exe, 00000002.00000002.2393327241.00007FF8B61CC000.00000002.00000001.01000000.00000012.sdmp
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: purchaseorder4.exe, 00000002.00000002.2390218021.00007FF8A8510000.00000002.00000001.01000000.00000015.sdmp
Source: Binary string: C:\Users\runneradmin\AppData\Local\Temp\pip-req-build-csg7dlje\src\rust\target\release\deps\cryptography_rust.pdbo source: purchaseorder4.exe, 00000002.00000002.2388918381.00007FF8A7E68000.00000002.00000001.01000000.00000032.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\sqlite3.pdb source: purchaseorder4.exe, 00000002.00000002.2389356129.00007FF8A8151000.00000002.00000001.01000000.0000001E.sdmp
Source: Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\pywintypes.pdb source: purchaseorder4.exe, 00000002.00000002.2394435263.00007FF8B78B0000.00000002.00000001.01000000.00000010.sdmp
Source: Binary string: D:\a\1\b\libcrypto-1_1.pdb source: purchaseorder4.exe, 00000002.00000002.2390218021.00007FF8A8592000.00000002.00000001.01000000.00000015.sdmp
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG" source: purchaseorder4.exe, 00000002.00000002.2388918381.00007FF8A7E68000.00000002.00000001.01000000.00000032.sdmp
Source: Binary string: D:\a\1\b\libssl-1_1.pdb source: purchaseorder4.exe, 00000002.00000002.2390759212.00007FF8A8AA6000.00000002.00000001.01000000.00000016.sdmp
Source: Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMOpenSSL 1.1.1t 7 Feb 2023built on: Thu Feb 9 15:27:40 2023 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-1_1"not available source: purchaseorder4.exe, 00000002.00000002.2390218021.00007FF8A8510000.00000002.00000001.01000000.00000015.sdmp
Source: Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: purchaseorder4.exe, 00000000.00000003.2286728644.000001F981848000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000002.2398128067.00007FF8BFAD1000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: purchaseorder4.exe, 00000002.00000002.2397697062.00007FF8B9F70000.00000002.00000001.01000000.00000008.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: purchaseorder4.exe, 00000002.00000002.2393143390.00007FF8B6046000.00000002.00000001.01000000.00000019.sdmp
Source: Binary string: crypto\engine\tb_digest.cENGINE_get_digestcrypto\buffer\buffer.cBUF_MEM_growBUF_MEM_grow_cleancrypto\packet.ccompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG";CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specific.dllCPUINFO: crypto\initthread.cOPENSSL_ia32cap source: purchaseorder4.exe, 00000002.00000002.2388918381.00007FF8A7E68000.00000002.00000001.01000000.00000032.sdmp
Source: Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\win32api.pdb!! source: purchaseorder4.exe, 00000002.00000002.2394002737.00007FF8B7833000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_asyncio.pdb source: purchaseorder4.exe, 00000000.00000003.2287077073.000001F981848000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000002.2395553131.00007FF8B8257000.00000002.00000001.01000000.00000017.sdmp
Source: Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\win32api.pdb source: purchaseorder4.exe, 00000002.00000002.2394002737.00007FF8B7833000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\python310.pdb source: purchaseorder4.exe, 00000002.00000002.2391270361.00007FF8A8E1F000.00000002.00000001.01000000.00000005.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\pyexpat.pdb source: purchaseorder4.exe, 00000002.00000002.2394839291.00007FF8B8002000.00000002.00000001.01000000.0000000E.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: purchaseorder4.exe, 00000002.00000002.2396567848.00007FF8B8F73000.00000002.00000001.01000000.0000000F.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: purchaseorder4.exe, 00000002.00000002.2396996550.00007FF8B90FB000.00000002.00000001.01000000.0000000B.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: purchaseorder4.exe, 00000000.00000003.2287206065.000001F981848000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000002.2397257835.00007FF8B93CD000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\pywintypes.pdb** source: purchaseorder4.exe, 00000002.00000002.2394435263.00007FF8B78B0000.00000002.00000001.01000000.00000010.sdmp
Source: Binary string: ucrtbase.pdbUGP source: purchaseorder4.exe, 00000002.00000002.2395097234.00007FF8B80CC000.00000002.00000001.01000000.00000004.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: purchaseorder4.exe, 00000002.00000002.2396757605.00007FF8B8F88000.00000002.00000001.01000000.0000000C.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\python3.pdb source: purchaseorder4.exe, 00000002.00000002.2387746863.000002607FD20000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: purchaseorder4.exe, 00000002.00000002.2393722010.00007FF8B77FD000.00000002.00000001.01000000.00000014.sdmp
Source: purchaseorder4.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: purchaseorder4.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: purchaseorder4.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: purchaseorder4.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: purchaseorder4.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: purchaseorder4.exe Static PE information: section name: _RDATA
Source: libcrypto-1_1.dll.0.dr Static PE information: section name: .00cfg
Source: libssl-1_1.dll.0.dr Static PE information: section name: .00cfg
Source: python310.dll.0.dr Static PE information: section name: PyRuntim
Source: mfc140u.dll.0.dr Static PE information: section name: .didat
Source: VCRUNTIME140.dll.0.dr Static PE information: section name: _RDATA

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\purchaseorder4.exe Process created: "C:\Users\user\Desktop\purchaseorder4.exe"
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\win32\win32crypt.pyd Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\Pythonwin\win32ui.pyd Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\Crypto\Cipher\_raw_cbc.pyd Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\api-ms-win-core-profile-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\Crypto\Hash\_ghash_clmul.pyd Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\sqlite3.dll Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\Crypto\Cipher\_pkcs1_decode.pyd Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\win32com\shell\shell.pyd Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\_sqlite3.pyd Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\Crypto\Hash\_SHA224.pyd Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\api-ms-win-core-debug-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\api-ms-win-core-timezone-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\Crypto\Hash\_SHA1.pyd Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\api-ms-win-core-interlocked-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\_ssl.pyd Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\api-ms-win-crt-runtime-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\api-ms-win-crt-process-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\pywin32_system32\pywintypes310.dll Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\win32\_win32sysloader.pyd Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\VCRUNTIME140_1.dll Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\api-ms-win-core-processthreads-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\Crypto\Hash\_RIPEMD160.pyd Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\api-ms-win-core-localization-l1-2-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\api-ms-win-crt-filesystem-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\ucrtbase.dll Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\api-ms-win-core-sysinfo-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\Pythonwin\mfc140u.dll Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\Crypto\Cipher\_chacha20.pyd Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\api-ms-win-core-errorhandling-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\api-ms-win-core-processenvironment-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\_decimal.pyd Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\api-ms-win-crt-string-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\_hashlib.pyd Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\Crypto\Hash\_MD4.pyd Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\api-ms-win-core-console-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\Crypto\Hash\_SHA256.pyd Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\unicodedata.pyd Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\Crypto\Cipher\_raw_ocb.pyd Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\Crypto\Hash\_poly1305.pyd Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\api-ms-win-crt-conio-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\api-ms-win-core-file-l1-2-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\Crypto\Cipher\_raw_aes.pyd Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\Crypto\Hash\_SHA512.pyd Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\Crypto\Cipher\_raw_blowfish.pyd Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\Crypto\Hash\_SHA384.pyd Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\Crypto\PublicKey\_ec_ws.pyd Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\charset_normalizer\md__mypyc.cp310-win_amd64.pyd Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\charset_normalizer\md.cp310-win_amd64.pyd Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\Crypto\Cipher\_raw_cfb.pyd Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\api-ms-win-crt-math-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\Crypto\Hash\_MD2.pyd Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\api-ms-win-core-file-l2-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\libcrypto-1_1.dll Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\python3.dll Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\Crypto\PublicKey\_x25519.pyd Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\Crypto\Util\_strxor.pyd Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\_asyncio.pyd Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\api-ms-win-core-util-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\Crypto\PublicKey\_ed25519.pyd Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\api-ms-win-crt-environment-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\api-ms-win-crt-locale-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\Crypto\Cipher\_Salsa20.pyd Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\select.pyd Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\Crypto\Cipher\_raw_eksblowfish.pyd Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\_multiprocessing.pyd Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\api-ms-win-core-rtlsupport-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\api-ms-win-core-string-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\api-ms-win-crt-stdio-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\api-ms-win-core-memory-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\win32\win32api.pyd Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\Crypto\Hash\_ghash_portable.pyd Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\api-ms-win-core-processthreads-l1-1-1.dll Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\pywin32_system32\pythoncom310.dll Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\Crypto\Hash\_BLAKE2b.pyd Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\Crypto\Cipher\_raw_ofb.pyd Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\Crypto\Cipher\_raw_des3.pyd Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\api-ms-win-core-path-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\api-ms-win-crt-heap-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\libffi-7.dll Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\api-ms-win-core-namedpipe-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\Crypto\PublicKey\_ed448.pyd Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\_socket.pyd Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\libssl-1_1.dll Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\api-ms-win-crt-multibyte-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\_queue.pyd Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\pyexpat.pyd Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\VCRUNTIME140.dll Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\api-ms-win-core-file-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\Crypto\Math\_modexp.pyd Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\Crypto\Protocol\_scrypt.pyd Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\Crypto\Cipher\_raw_des.pyd Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\api-ms-win-core-datetime-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\api-ms-win-core-synch-l1-2-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\api-ms-win-core-handle-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\Crypto\Cipher\_raw_aesni.pyd Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\api-ms-win-core-heap-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\Crypto\Cipher\_ARC4.pyd Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\Crypto\Hash\_MD5.pyd Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\_ctypes.pyd Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\Crypto\Hash\_BLAKE2s.pyd Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\Crypto\Hash\_keccak.pyd Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\api-ms-win-crt-utility-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\_overlapped.pyd Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\Crypto\Cipher\_raw_ecb.pyd Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\_bz2.pyd Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\win32\win32trace.pyd Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\cryptography\hazmat\bindings\_rust.pyd Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\win32\win32evtlog.pyd Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\Crypto\Cipher\_raw_cast.pyd Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\_lzma.pyd Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\api-ms-win-crt-time-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\api-ms-win-crt-convert-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\api-ms-win-core-synch-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\Crypto\Cipher\_raw_ctr.pyd Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\Crypto\Cipher\_raw_arc2.pyd Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\Crypto\Util\_cpuid_c.pyd Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\_cffi_backend.cp310-win_amd64.pyd Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\api-ms-win-core-libraryloader-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI30602\python310.dll Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Source: initial sample Icon embedded in binary file: icon matches a legit application icon: adobe 12.png
Source: C:\Users\user\Desktop\purchaseorder4.exe Code function: 0_2_00007FF7817053F0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00007FF7817053F0
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\win32\win32crypt.pyd Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\Pythonwin\win32ui.pyd Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\Crypto\Cipher\_raw_cbc.pyd Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\api-ms-win-core-profile-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\Crypto\Hash\_ghash_clmul.pyd Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\Crypto\Cipher\_pkcs1_decode.pyd Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\win32com\shell\shell.pyd Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\_sqlite3.pyd Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\Crypto\Hash\_SHA224.pyd Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\api-ms-win-core-debug-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\api-ms-win-core-timezone-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\Crypto\Hash\_SHA1.pyd Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\api-ms-win-core-interlocked-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\_ssl.pyd Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\api-ms-win-crt-runtime-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\api-ms-win-crt-process-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\pywin32_system32\pywintypes310.dll Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\win32\_win32sysloader.pyd Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\api-ms-win-core-processthreads-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\api-ms-win-core-localization-l1-2-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\Crypto\Hash\_RIPEMD160.pyd Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\api-ms-win-crt-filesystem-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\api-ms-win-core-sysinfo-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\Pythonwin\mfc140u.dll Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\Crypto\Cipher\_chacha20.pyd Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\api-ms-win-core-processenvironment-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\api-ms-win-core-errorhandling-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\_decimal.pyd Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\api-ms-win-crt-string-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\_hashlib.pyd Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\Crypto\Hash\_MD4.pyd Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\api-ms-win-core-console-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\Crypto\Hash\_SHA256.pyd Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\unicodedata.pyd Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\Crypto\Hash\_poly1305.pyd Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\Crypto\Cipher\_raw_ocb.pyd Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\api-ms-win-crt-conio-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\api-ms-win-core-file-l1-2-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\Crypto\Cipher\_raw_aes.pyd Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\Crypto\Hash\_SHA512.pyd Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\Crypto\Cipher\_raw_blowfish.pyd Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\Crypto\PublicKey\_ec_ws.pyd Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\Crypto\Hash\_SHA384.pyd Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\charset_normalizer\md__mypyc.cp310-win_amd64.pyd Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\charset_normalizer\md.cp310-win_amd64.pyd Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\Crypto\Cipher\_raw_cfb.pyd Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\api-ms-win-crt-math-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\Crypto\Hash\_MD2.pyd Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\api-ms-win-core-file-l2-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\python3.dll Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\Crypto\PublicKey\_x25519.pyd Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\Crypto\Util\_strxor.pyd Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\_asyncio.pyd Jump to dropped file
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\api-ms-win-core-util-l1-1-0.dll
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\Crypto\PublicKey\_ed25519.pyd
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\api-ms-win-crt-environment-l1-1-0.dll
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\api-ms-win-crt-locale-l1-1-0.dll
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\Crypto\Cipher\_Salsa20.pyd
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\select.pyd
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\_multiprocessing.pyd
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\api-ms-win-core-rtlsupport-l1-1-0.dll
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\Crypto\Cipher\_raw_eksblowfish.pyd
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\api-ms-win-core-string-l1-1-0.dll
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\api-ms-win-core-memory-l1-1-0.dll
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\api-ms-win-crt-stdio-l1-1-0.dll
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\Crypto\Hash\_ghash_portable.pyd
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\win32\win32api.pyd
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\api-ms-win-core-processthreads-l1-1-1.dll
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\Crypto\Hash\_BLAKE2b.pyd
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\pywin32_system32\pythoncom310.dll
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\Crypto\Cipher\_raw_ofb.pyd
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\Crypto\Cipher\_raw_des3.pyd
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\api-ms-win-core-path-l1-1-0.dll
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\api-ms-win-crt-heap-l1-1-0.dll
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\api-ms-win-core-namedpipe-l1-1-0.dll
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\Crypto\PublicKey\_ed448.pyd
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\_socket.pyd
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\api-ms-win-crt-multibyte-l1-1-0.dll
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\_queue.pyd
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\pyexpat.pyd
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\api-ms-win-core-file-l1-1-0.dll
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\Crypto\Math\_modexp.pyd
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\Crypto\Protocol\_scrypt.pyd
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\Crypto\Cipher\_raw_des.pyd
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\api-ms-win-core-datetime-l1-1-0.dll
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\api-ms-win-core-handle-l1-1-0.dll
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\Crypto\Cipher\_raw_aesni.pyd
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\api-ms-win-core-heap-l1-1-0.dll
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\Crypto\Cipher\_ARC4.pyd
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\Crypto\Hash\_MD5.pyd
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\_ctypes.pyd
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\Crypto\Hash\_BLAKE2s.pyd
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\Crypto\Hash\_keccak.pyd
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\api-ms-win-crt-utility-l1-1-0.dll
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\_overlapped.pyd
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\Crypto\Cipher\_raw_ecb.pyd
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\_bz2.pyd
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\win32\win32trace.pyd
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\cryptography\hazmat\bindings\_rust.pyd
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\win32\win32evtlog.pyd
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\Crypto\Cipher\_raw_cast.pyd
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\_lzma.pyd
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\api-ms-win-crt-time-l1-1-0.dll
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\api-ms-win-crt-convert-l1-1-0.dll
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\api-ms-win-core-synch-l1-1-0.dll
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\Crypto\Cipher\_raw_ctr.pyd
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\Crypto\Cipher\_raw_arc2.pyd
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\Crypto\Util\_cpuid_c.pyd
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\_cffi_backend.cp310-win_amd64.pyd
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\api-ms-win-core-libraryloader-l1-1-0.dll
Source: C:\Users\user\Desktop\purchaseorder4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI30602\python310.dll
Source: C:\Users\user\Desktop\purchaseorder4.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\purchaseorder4.exe API coverage: 2.1 %
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\purchaseorder4.exe Code function: 0_2_00007FF781708D00 FindFirstFileExW,FindClose, 0_2_00007FF781708D00
Source: C:\Users\user\Desktop\purchaseorder4.exe Code function: 0_2_00007FF781718670 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError, 0_2_00007FF781718670
Source: C:\Users\user\Desktop\purchaseorder4.exe Code function: 0_2_00007FF7817226C4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose, 0_2_00007FF7817226C4
Source: C:\Users\user\Desktop\purchaseorder4.exe Code function: 2_2_00007FF8A802FEB0 GetSystemInfo, 2_2_00007FF8A802FEB0
Source: C:\Users\user\Desktop\purchaseorder4.exe File opened: C:\Users\user\AppData\Local\Temp\_MEI30602\api-ms-win-core-datetime-l1-1-0.dll
Source: C:\Users\user\Desktop\purchaseorder4.exe File opened: C:\Users\user\AppData\Local\Temp\_MEI30602\api-ms-win-core-console-l1-1-0.dll
Source: C:\Users\user\Desktop\purchaseorder4.exe File opened: C:\Users\user\AppData\Local\Temp\_MEI30602\pywin32_system32
Source: C:\Users\user\Desktop\purchaseorder4.exe File opened: C:\Users\user\AppData\Local\Temp\_MEI30602
Source: C:\Users\user\Desktop\purchaseorder4.exe File opened: C:\Users\user\AppData\Local\Temp\_MEI30602\win32
Source: C:\Users\user\Desktop\purchaseorder4.exe File opened: C:\Users\user\AppData\Local\Temp\_MEI30602\pythonwin
Source: purchaseorder4.exe, 00000002.00000003.2311109674.0000026001CD8000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2369957335.0000026001CCC000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2311526856.0000026001CCE000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2379737936.0000026001CD9000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2363242195.0000026001C91000.00000004.00000020.00020000.00000000.sdmp, purchaseorder4.exe, 00000002.00000003.2364762480.0000026001CCA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\purchaseorder4.exe Code function: 0_2_00007FF78171B3CC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF78171B3CC
Source: C:\Users\user\Desktop\purchaseorder4.exe Code function: 0_2_00007FF7817242D0 GetProcessHeap, 0_2_00007FF7817242D0
Source: C:\Users\user\Desktop\purchaseorder4.exe Code function: 0_2_00007FF78170CA9C SetUnhandledExceptionFilter, 0_2_00007FF78170CA9C
Source: C:\Users\user\Desktop\purchaseorder4.exe Code function: 0_2_00007FF78170C8BC IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF78170C8BC
Source: C:\Users\user\Desktop\purchaseorder4.exe Code function: 0_2_00007FF78170C030 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00007FF78170C030
Source: C:\Users\user\Desktop\purchaseorder4.exe Code function: 2_2_00007FF8A814F0C0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_00007FF8A814F0C0
Source: C:\Users\user\Desktop\purchaseorder4.exe Code function: 2_2_00007FF8A81A2A60 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_00007FF8A81A2A60
Source: C:\Users\user\Desktop\purchaseorder4.exe Code function: 2_2_00007FF8A81A3028 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00007FF8A81A3028
Source: C:\Users\user\Desktop\purchaseorder4.exe Process created: C:\Users\user\Desktop\purchaseorder4.exe "C:\Users\user\Desktop\purchaseorder4.exe"
Source: C:\Users\user\Desktop\purchaseorder4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"
Source: C:\Users\user\Desktop\purchaseorder4.exe Code function: 0_2_00007FF78172A620 cpuid 0_2_00007FF78172A620
Source: C:\Users\user\Desktop\purchaseorder4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI30602\Crypto VolumeInformation
Source: C:\Users\user\Desktop\purchaseorder4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI30602\Crypto\Cipher VolumeInformation
Source: C:\Users\user\Desktop\purchaseorder4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI30602\Crypto\Hash VolumeInformation
Source: C:\Users\user\Desktop\purchaseorder4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI30602\Crypto\PublicKey VolumeInformation
Source: C:\Users\user\Desktop\purchaseorder4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI30602\Crypto\Util VolumeInformation
Source: C:\Users\user\Desktop\purchaseorder4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI30602\Pythonwin VolumeInformation
Source: C:\Users\user\Desktop\purchaseorder4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI30602\certifi VolumeInformation
Source: C:\Users\user\Desktop\purchaseorder4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI30602\cryptography-42.0.5.dist-info VolumeInformation
Source: C:\Users\user\Desktop\purchaseorder4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI30602\pywin32_system32 VolumeInformation
Source: C:\Users\user\Desktop\purchaseorder4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI30602\setuptools-65.5.0.dist-info VolumeInformation
Source: C:\Users\user\Desktop\purchaseorder4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI30602\win32 VolumeInformation
Source: C:\Users\user\Desktop\purchaseorder4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI30602\ucrtbase.dll VolumeInformation
Source: C:\Users\user\Desktop\purchaseorder4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI30602\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\purchaseorder4.exe Queries volume information: C:\Users\user\Desktop\purchaseorder4.exe VolumeInformation
Source: C:\Users\user\Desktop\purchaseorder4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI30602 VolumeInformation
Source: C:\Users\user\Desktop\purchaseorder4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI30602\_ctypes.pyd VolumeInformation
Source: C:\Users\user\Desktop\purchaseorder4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI30602\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\purchaseorder4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI30602\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\purchaseorder4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI30602\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\purchaseorder4.exe Queries volume information: C:\Users\user\Desktop\purchaseorder4.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\purchaseorder4.exe Queries volume information: C:\Users\user\Desktop\purchaseorder4.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\purchaseorder4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI30602 VolumeInformation
Source: C:\Users\user\Desktop\purchaseorder4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI30602\_bz2.pyd VolumeInformation
Source: C:\Users\user\Desktop\purchaseorder4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI30602\_lzma.pyd VolumeInformation
Source: C:\Users\user\Desktop\purchaseorder4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI30602\win32 VolumeInformation
Source: C:\Users\user\Desktop\purchaseorder4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI30602\Pythonwin VolumeInformation
Source: C:\Users\user\Desktop\purchaseorder4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI30602\pywin32_system32 VolumeInformation
Source: C:\Users\user\Desktop\purchaseorder4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI30602\api-ms-win-core-console-l1-1-0.dll VolumeInformation
Source: C:\Users\user\Desktop\purchaseorder4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI30602\api-ms-win-core-datetime-l1-1-0.dll VolumeInformation
Source: C:\Users\user\Desktop\purchaseorder4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI30602\api-ms-win-core-debug-l1-1-0.dll VolumeInformation
Source: C:\Users\user\Desktop\purchaseorder4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI30602\api-ms-win-core-errorhandling-l1-1-0.dll VolumeInformation
Source: C:\Users\user\Desktop\purchaseorder4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI30602\api-ms-win-core-file-l1-2-0.dll VolumeInformation
Source: C:\Users\user\Desktop\purchaseorder4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI30602\api-ms-win-core-file-l2-1-0.dll VolumeInformation
Source: C:\Users\user\Desktop\purchaseorder4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI30602\api-ms-win-core-heap-l1-1-0.dll VolumeInformation
Source: C:\Users\user\Desktop\purchaseorder4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI30602\api-ms-win-core-interlocked-l1-1-0.dll VolumeInformation
Source: C:\Users\user\Desktop\purchaseorder4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI30602\api-ms-win-core-memory-l1-1-0.dll VolumeInformation
Source: C:\Users\user\Desktop\purchaseorder4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI30602\api-ms-win-core-path-l1-1-0.dll VolumeInformation
Source: C:\Users\user\Desktop\purchaseorder4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI30602\api-ms-win-core-processthreads-l1-1-1.dll VolumeInformation
Source: C:\Users\user\Desktop\purchaseorder4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI30602\api-ms-win-core-string-l1-1-0.dll VolumeInformation
Source: C:\Users\user\Desktop\purchaseorder4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI30602\api-ms-win-core-util-l1-1-0.dll VolumeInformation
Source: C:\Users\user\Desktop\purchaseorder4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI30602\_socket.pyd VolumeInformation
Source: C:\Users\user\Desktop\purchaseorder4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI30602\select.pyd VolumeInformation
Source: C:\Users\user\Desktop\purchaseorder4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI30602\pyexpat.pyd VolumeInformation
Source: C:\Users\user\Desktop\purchaseorder4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI30602\_queue.pyd VolumeInformation
Source: C:\Users\user\Desktop\purchaseorder4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI30602\pywin32_system32\pywintypes310.dll VolumeInformation
Source: C:\Users\user\Desktop\purchaseorder4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI30602\pywin32_system32\pythoncom310.dll VolumeInformation
Source: C:\Users\user\Desktop\purchaseorder4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI30602\win32\win32api.pyd VolumeInformation
Source: C:\Users\user\Desktop\purchaseorder4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI30602\win32com VolumeInformation
Source: C:\Users\user\Desktop\purchaseorder4.exe Queries volume information: C:\Users\user\Desktop\purchaseorder4.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\purchaseorder4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI30602\cryptography-42.0.5.dist-info VolumeInformation
Source: C:\Users\user\Desktop\purchaseorder4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI30602\setuptools-65.5.0.dist-info VolumeInformation
Source: C:\Users\user\Desktop\purchaseorder4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI30602\_ssl.pyd VolumeInformation
Source: C:\Users\user\Desktop\purchaseorder4.exe Code function: 0_2_00007FF78170C7A0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00007FF78170C7A0
Source: C:\Users\user\Desktop\purchaseorder4.exe Code function: 0_2_00007FF781726B50 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation, 0_2_00007FF781726B50
Source: C:\Users\user\Desktop\purchaseorder4.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\Browser\google-chrome\Download_History.txt
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\Browser\microsoft-edge\Autofill_Data.txt
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\Browser\microsoft-edge\Browser_History.txt
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\Browser\microsoft-edge\Download_History.txt
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\Browser\google-chrome\Saved_Passwords.txt
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\Browser\google-chrome\Browser_History.txt
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\Browser\microsoft-edge\Saved_Credit_Cards.txt
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\Browser\google-chrome\Saved_Credit_Cards.txt
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\Browser\google-chrome\Autofill_Data.txt
Source: C:\Users\user\Desktop\purchaseorder4.exe File created: C:\Users\user\AppData\Local\Temp\Browser\microsoft-edge\Saved_Passwords.txt
Source: C:\Users\user\Desktop\purchaseorder4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\purchaseorder4.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\Desktop\purchaseorder4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\purchaseorder4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\purchaseorder4.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: Yara match File source: Process Memory Space: purchaseorder4.exe PID: 3224, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: Process Memory Space: purchaseorder4.exe PID: 3224, type: MEMORYSTR
Source: C:\Users\user\Desktop\purchaseorder4.exe Code function: 2_2_00007FF8A82C2B62 bind,WSAGetLastError, 2_2_00007FF8A82C2B62