Play interactive tour

Edit tour

Analysis Report PURCHASE ORDER.com

Overview

General Information

Sample Name:	PURCHASE ORDER.com (renamed file extension from com to exe)
Analysis ID:	385280
MD5:	9d71011e0ef3208145dd434e229ab0e2
SHA1:	ecb4b62327a724ab00bd42bf98a51db3a3977079
SHA256:	8dccc7a8d24c010a59d807148c7a6779a7f2eac86868e1cf083235d0bcce3414
Tags:	FormBook
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected FormBook malware

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Steal Google chrome login data

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected FormBook

C2 URLs / IPs found in malware configuration

Initial sample is a PE file and has a suspicious name

Machine Learning detection for dropped file

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

PE file has a writeable .text section

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file access)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to shutdown / reboot the system

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

PE file contains strange resources

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

PURCHASE ORDER.exe (PID: 5676 cmdline: 'C:\Users\user\Desktop\PURCHASE ORDER.exe' MD5: 9D71011E0EF3208145DD434E229AB0E2)

MySqlAssemblyConsole.exe (PID: 5444 cmdline: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe MD5: 9C503420EE9E1F93D2B3C069B42FB899)

explorer.exe (PID: 3472 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)

raserver.exe (PID: 3904 cmdline: C:\Windows\SysWOW64\raserver.exe MD5: 2AADF65E395BFBD0D9B71D7279C8B5EC)

cmd.exe (PID: 7072 cmdline: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 4612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

MySqlAssemblyConsole.exe (PID: 5632 cmdline: 'C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe' MD5: 9C503420EE9E1F93D2B3C069B42FB899)

MySqlAssemblyConsole.exe (PID: 988 cmdline: 'C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe' MD5: 9C503420EE9E1F93D2B3C069B42FB899)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.hollandhousedesigns.design/vns/"], "decoy": ["sparkspressworld.com", "everydayresidency.com", "thebosscollectionn.com", "milkweedmagic.com", "worklesshours.com", "romeosfurnituremadera.com", "unclepetesproduce.com", "athleticamackay.com", "9nhl.com", "powellassetmanagement.com", "jxlamp.com", "onpointpetproducts.com", "buymysoft.com", "nazertrader.com", "goprj.com", "keeptalkservice.com", "aolei1688.com", "donstackl.com", "almasorchids.com", "pj5bwn.com", "featuredshop2020.com", "connectmheduaction.com", "kcastleint.com", "quintessentialmiss.com", "forenvid.com", "vetementsbd.com", "fabrizioamadori.net", "remaxplatinumva.com", "drivecart.net", "ordertds.com", "huayuanjiajiao.com", "islamiportal.com", "innergardenhealing.space", "wlwmwntor.com", "wiitendo.com", "ceschandigarh.com", "mitchellche.com", "levaporz.com", "eraophthalmica.com", "gnzywyht.com", "bobbinsbroider.com", "pollygen.com", "xn--kbrsotocheckup-5fcc.com", "theunprofessionalpodcast.com", "lendini.site", "digitalpardis.com", "meenaveen.com", "yihuafence.com", "mercadoaria.com", "domennyarendi44.net", "juandiegopalacio.com", "meltdownfitnesstulsa.com", "xn--laclnicadelvnculo-gvbi.com", "paripartners378.com", "valadecia.com", "womenring.com", "ocarlosresolve.com", "vedicherbsindia.com", "nonnearrapate.com", "viplending.net", "angelbeatsgamingclan.com", "rigmodisc.com", "page-id-78613.com", "yapadaihindi.com"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.431726955.00000000005D0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.431726955.00000000005D0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.431726955.00000000005D0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x183f9:$sqlite3step: 68 34 1C 7B E1 0x1850c:$sqlite3step: 68 34 1C 7B E1 0x18428:$sqlite3text: 68 38 2A 90 C5 0x1854d:$sqlite3text: 68 38 2A 90 C5 0x1843b:$sqlite3blob: 68 53 D8 7F 8C 0x18563:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.431752828.0000000000600000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.431752828.0000000000600000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.431752828.0000000000600000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x183f9:$sqlite3step: 68 34 1C 7B E1 0x1850c:$sqlite3step: 68 34 1C 7B E1 0x18428:$sqlite3text: 68 38 2A 90 C5 0x1854d:$sqlite3text: 68 38 2A 90 C5 0x1843b:$sqlite3blob: 68 53 D8 7F 8C 0x18563:$sqlite3blob: 68 53 D8 7F 8C
00000017.00000002.503999453.00000000004A0000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000017.00000002.503999453.00000000004A0000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000017.00000002.503999453.00000000004A0000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x183f9:$sqlite3step: 68 34 1C 7B E1 0x1850c:$sqlite3step: 68 34 1C 7B E1 0x18428:$sqlite3text: 68 38 2A 90 C5 0x1854d:$sqlite3text: 68 38 2A 90 C5 0x1843b:$sqlite3blob: 68 53 D8 7F 8C 0x18563:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.432758571.00000000027EC000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.432758571.00000000027EC000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8f8f:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x91f9:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14d1c:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14808:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14e1e:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14f96:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x9c11:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x13a83:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa90a:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1a9be:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1b9c1:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.432758571.00000000027EC000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17aa0:$sqlite3step: 68 34 1C 7B E1 0x17bb3:$sqlite3step: 68 34 1C 7B E1 0x17acf:$sqlite3text: 68 38 2A 90 C5 0x17bf4:$sqlite3text: 68 38 2A 90 C5 0x17ae2:$sqlite3blob: 68 53 D8 7F 8C 0x17c0a:$sqlite3blob: 68 53 D8 7F 8C
00000017.00000002.505688448.0000000002730000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000017.00000002.505688448.0000000002730000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000017.00000002.505688448.0000000002730000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x183f9:$sqlite3step: 68 34 1C 7B E1 0x1850c:$sqlite3step: 68 34 1C 7B E1 0x18428:$sqlite3text: 68 38 2A 90 C5 0x1854d:$sqlite3text: 68 38 2A 90 C5 0x1843b:$sqlite3blob: 68 53 D8 7F 8C 0x18563:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.432137722.0000000000BB1000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.432137722.0000000000BB1000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x88e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x956a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1a317:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1b31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.432137722.0000000000BB1000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x173f9:$sqlite3step: 68 34 1C 7B E1 0x1750c:$sqlite3step: 68 34 1C 7B E1 0x17428:$sqlite3text: 68 38 2A 90 C5 0x1754d:$sqlite3text: 68 38 2A 90 C5 0x1743b:$sqlite3blob: 68 53 D8 7F 8C 0x17563:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 13 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.MySqlAssemblyConsole.exe.bb0000.2.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
2.2.MySqlAssemblyConsole.exe.bb0000.2.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8ce8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8f52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14a75:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14561:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14b77:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14cef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x996a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x137dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa663:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1a717:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1b71a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.2.MySqlAssemblyConsole.exe.bb0000.2.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x177f9:$sqlite3step: 68 34 1C 7B E1 0x1790c:$sqlite3step: 68 34 1C 7B E1 0x17828:$sqlite3text: 68 38 2A 90 C5 0x1794d:$sqlite3text: 68 38 2A 90 C5 0x1783b:$sqlite3blob: 68 53 D8 7F 8C 0x17963:$sqlite3blob: 68 53 D8 7F 8C

Sigma Overview

System Summary:

Sigma detected: Steal Google chrome login data

Show sources

Source: Process started

Author: Joe Security: Data: Command: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V, CommandLine: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Windows\SysWOW64\raserver.exe, ParentImage: C:\Windows\SysWOW64\raserver.exe, ParentProcessId: 3904, ProcessCommandLine: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V, ProcessId: 7072

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000002.00000002.431726955.00000000005D0000.00000040.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.hollandhousedesigns.design/vns/"], "decoy": ["sparkspressworld.com", "everydayresidency.com", "thebosscollectionn.com", "milkweedmagic.com", "worklesshours.com", "romeosfurnituremadera.com", "unclepetesproduce.com", "athleticamackay.com", "9nhl.com", "powellassetmanagement.com", "jxlamp.com", "onpointpetproducts.com", "buymysoft.com", "nazertrader.com", "goprj.com", "keeptalkservice.com", "aolei1688.com", "donstackl.com", "almasorchids.com", "pj5bwn.com", "featuredshop2020.com", "connectmheduaction.com", "kcastleint.com", "quintessentialmiss.com", "forenvid.com", "vetementsbd.com", "fabrizioamadori.net", "remaxplatinumva.com", "drivecart.net", "ordertds.com", "huayuanjiajiao.com", "islamiportal.com", "innergardenhealing.space", "wlwmwntor.com", "wiitendo.com", "ceschandigarh.com", "mitchellche.com", "levaporz.com", "eraophthalmica.com", "gnzywyht.com", "bobbinsbroider.com", "pollygen.com", "xn--kbrsotocheckup-5fcc.com", "theunprofessionalpodcast.com", "lendini.site", "digitalpardis.com", "meenaveen.com", "yihuafence.com", "mercadoaria.com", "domennyarendi44.net", "juandiegopalacio.com", "meltdownfitnesstulsa.com", "xn--laclnicadelvnculo-gvbi.com", "paripartners378.com", "valadecia.com", "womenring.com", "ocarlosresolve.com", "vedicherbsindia.com", "nonnearrapate.com", "viplending.net", "angelbeatsgamingclan.com", "rigmodisc.com", "page-id-78613.com", "yapadaihindi.com"]}

Multi AV Scanner detection for submitted file

Show sources

Source: PURCHASE ORDER.exe

Virustotal: Detection: 11%

Perma Link

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000002.00000002.431726955.00000000005D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.431752828.0000000000600000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.503999453.00000000004A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.432758571.00000000027EC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.505688448.0000000002730000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.432137722.0000000000BB1000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 2.2.MySqlAssemblyConsole.exe.bb0000.2.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe

Joe Sandbox ML: detected

Source: PURCHASE ORDER.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: C:\Users\user\Desktop\PURCHASE ORDER.exe

File created: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\en\INSTALL.txt

Jump to behavior

Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	File created: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\README.txt	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	File created: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\en\FAQ.txt	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	File created: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\en\README.txt	Jump to behavior

Source: PURCHASE ORDER.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wscui.pdbUGP source: explorer.exe, 00000012.00000000.417250705.000000000ED20000.00000002.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: MySqlAssemblyConsole.exe, 00000002.00000002.432815804.0000000002E20000.00000040.00000001.sdmp, raserver.exe, 00000017.00000002.508514426.000000000467F000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: MySqlAssemblyConsole.exe, 00000002.00000002.432815804.0000000002E20000.00000040.00000001.sdmp, raserver.exe
Source:	Binary string: RAServer.pdb source: MySqlAssemblyConsole.exe, 00000002.00000002.431950003.0000000000828000.00000004.00000020.sdmp
Source:	Binary string: X:\sborka\12217271353800656069\workdll\release\Lib1.pdb source: MySqlAssemblyConsole.exe, 00000002.00000002.434645004.000000006DE84000.00000002.00020000.sdmp, MySqlAssemblyConsole.exe, 0000001B.00000002.506646098.000000006E064000.00000002.00020000.sdmp, MySqlAssemblyConsole.exe, 0000001C.00000002.506218878.000000006E064000.00000002.00020000.sdmp
Source:	Binary string: C:\output\ZPSTray\pl\vc\obj\x64\mysql_ssl_rsa_setup\AutoUpda.pdb source: MySqlAssemblyConsole.exe, 00000002.00000002.432391924.0000000000D34000.00000002.00020000.sdmp, raserver.exe, 00000017.00000002.507081713.00000000043B1000.00000004.00000001.sdmp, MySqlAssemblyConsole.exe, 0000001B.00000000.474192177.0000000000D34000.00000002.00020000.sdmp, MySqlAssemblyConsole.exe, 0000001C.00000000.494289920.0000000000D34000.00000002.00020000.sdmp, MySqlAssemblyConsole.exe.0.dr
Source:	Binary string: RAServer.pdbGCTL source: MySqlAssemblyConsole.exe, 00000002.00000002.431950003.0000000000828000.00000004.00000020.sdmp
Source:	Binary string: wscui.pdb source: explorer.exe, 00000012.00000000.417250705.000000000ED20000.00000002.00000001.sdmp

Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Code function: 0_2_0040646B FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Code function: 0_2_004027A1 FindFirstFileA,
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Code function: 0_2_004058BF GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,

Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Code function: 4x nop then pop esi
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4x nop then pop esi

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49727 -> 66.235.200.146:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49727 -> 66.235.200.146:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49727 -> 66.235.200.146:80

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: www.hollandhousedesigns.design/vns/

Source: explorer.exe, 00000012.00000000.414574884.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: PURCHASE ORDER.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: PURCHASE ORDER.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: raserver.exe, 00000017.00000003.446049886.00000000002C5000.00000004.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: explorer.exe, 00000012.00000000.414574884.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000012.00000000.414574884.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000012.00000000.414574884.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000012.00000000.414574884.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000012.00000000.414574884.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000012.00000000.414574884.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000012.00000000.414574884.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000012.00000000.414574884.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000012.00000000.414574884.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000012.00000000.414574884.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000012.00000000.414574884.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000012.00000000.414574884.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000012.00000000.414574884.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000012.00000000.414574884.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000012.00000000.414574884.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000012.00000000.414574884.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000012.00000000.414574884.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000012.00000000.414574884.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: raserver.exe, 00000017.00000003.446049886.00000000002C5000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: raserver.exe, 00000017.00000003.446049886.00000000002C5000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/?ocid=iehp/
Source: raserver.exe, 00000017.00000003.446049886.00000000002C5000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/?ocid=iehp=
Source: raserver.exe, 00000017.00000003.446049886.00000000002C5000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/?ocid=iehpA7Ef
Source: raserver.exe, 00000017.00000003.446049886.00000000002C5000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/?ocid=iehpwsLMEM
Source: raserver.exe, 00000017.00000003.446049886.00000000002C5000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehpLMEMh
Source: raserver.exe, 00000017.00000002.503366099.00000000002A7000.00000004.00000020.sdmp	String found in binary or memory: http://www.msn.com/de-ch/ocid=iehp
Source: raserver.exe, 00000017.00000003.446049886.00000000002C5000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/ocid=iehp&
Source: explorer.exe, 00000012.00000000.414574884.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000012.00000000.414574884.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000012.00000000.414574884.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000012.00000000.414574884.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000012.00000000.414574884.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000012.00000000.414574884.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000012.00000000.414574884.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: raserver.exe, 00000017.00000003.446049886.00000000002C5000.00000004.00000001.sdmp, raserver.exe, 00000017.00000003.446068610.00000000002E0000.00000004.00000001.sdmp	String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4842492154761;g
Source: raserver.exe, 00000017.00000003.446049886.00000000002C5000.00000004.00000001.sdmp, raserver.exe, 00000017.00000003.446068610.00000000002E0000.00000004.00000001.sdmp	String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=58648497779
Source: raserver.exe, 00000017.00000003.446049886.00000000002C5000.00000004.00000001.sdmp, raserver.exe, 00000017.00000003.446068610.00000000002E0000.00000004.00000001.sdmp	String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=3931852
Source: raserver.exe, 00000017.00000003.446049886.00000000002C5000.00000004.00000001.sdmp	String found in binary or memory: https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gt
Source: raserver.exe, 00000017.00000003.446049886.00000000002C5000.00000004.00000001.sdmp	String found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gtm=
Source: raserver.exe, 00000017.00000003.446049886.00000000002C5000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/checksync.php&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C
Source: raserver.exe, 00000017.00000003.446049886.00000000002C5000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: raserver.exe, 00000017.00000003.446049886.00000000002C5000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1LMEM
Source: raserver.exe, 00000017.00000003.446049886.00000000002C5000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1LMEM
Source: raserver.exe, 00000017.00000003.446049886.00000000002C5000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/medianet.phpcid=8CU157172&crid=722878611&size=306x271&https=1
Source: raserver.exe, 00000017.00000003.446068610.00000000002E0000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/medianet.phpcid=8CU157172&crid=858412214&size=306x271&https=1
Source: raserver.exe, 00000017.00000003.449186115.00000000002E0000.00000004.00000001.sdmp	String found in binary or memory: https://go.microc
Source: raserver.exe, 00000017.00000003.446049886.00000000002C5000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601451842&rver=6.0.5286.0&wp=MBI_SSL&wre
Source: raserver.exe, 00000017.00000003.446068610.00000000002E0000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/login.srfwa=wsignin1.0&rpsnv=11&ct=1601451842&rver=6.0.5286.0&wp=MBI_SSL&wrep
Source: raserver.exe, 00000017.00000003.446049886.00000000002C5000.00000004.00000001.sdmp	String found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e
Source: raserver.exe, 00000017.00000003.446049886.00000000002C5000.00000004.00000001.sdmp	String found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorizeclient_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e3
Source: raserver.exe, 00000017.00000003.446049886.00000000002C5000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/chrome/
Source: raserver.exe, 00000017.00000003.446049886.00000000002C5000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/chrome/.0
Source: raserver.exe, 00000017.00000003.446049886.00000000002C5000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/chrome/1Q
Source: raserver.exe, 00000017.00000003.446049886.00000000002C5000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/chrome/4
Source: raserver.exe, 00000017.00000003.446049886.00000000002C5000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/chrome/LMEM
Source: raserver.exe, 00000017.00000003.446049886.00000000002C5000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
Source: raserver.exe, 00000017.00000003.446049886.00000000002C5000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0LMEM
Source: raserver.exe, 00000017.00000003.446068610.00000000002E0000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/chrome/thank-you.htmlstatcb=0&installdataindex=empty&defaultbrowser=0br

Source: C:\Users\user\Desktop\PURCHASE ORDER.exe

Code function: 0_2_0040535C GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

Source: MySqlAssemblyConsole.exe, 00000002.00000002.431919850.000000000081A000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000002.00000002.431726955.00000000005D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.431752828.0000000000600000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.503999453.00000000004A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.432758571.00000000027EC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.505688448.0000000002730000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.432137722.0000000000BB1000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 2.2.MySqlAssemblyConsole.exe.bb0000.2.unpack, type: UNPACKEDPE

System Summary:

Detected FormBook malware

Show sources

Source: C:\Windows\SysWOW64\raserver.exe	Dropped file: C:\Users\user\AppData\Roaming\886N85Q4\886logri.ini			Jump to dropped file
Source: C:\Windows\SysWOW64\raserver.exe	Dropped file: C:\Users\user\AppData\Roaming\886N85Q4\886logrv.ini			Jump to dropped file

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000002.00000002.431726955.00000000005D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.431726955.00000000005D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.431752828.0000000000600000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.431752828.0000000000600000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000017.00000002.503999453.00000000004A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000017.00000002.503999453.00000000004A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.432758571.00000000027EC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.432758571.00000000027EC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000017.00000002.505688448.0000000002730000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000017.00000002.505688448.0000000002730000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.432137722.0000000000BB1000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.432137722.0000000000BB1000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.MySqlAssemblyConsole.exe.bb0000.2.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.MySqlAssemblyConsole.exe.bb0000.2.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample

Static PE information: Filename: PURCHASE ORDER.exe

PE file has a writeable .text section

Show sources

Source: MySqlAssemblyConsole.exe.0.dr

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Code function: 2_2_00BC9D50 NtCreateFile,
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Code function: 2_2_00BC9E80 NtClose,
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Code function: 2_2_00BC9E00 NtReadFile,
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Code function: 2_2_00BC9F30 NtAllocateVirtualMemory,
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Code function: 2_2_00BC9E7C NtClose,
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Code function: 2_2_00BC9F2D NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045C9840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045C9860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045C9540 NtReadFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045C9560 NtWriteFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045C9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045C95D0 NtClose,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045C99A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045C9650 NtQueryValueKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045C9A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045C9660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045C9610 NtEnumerateValueKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045C96D0 NtCreateKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045C96E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045C9770 NtSetInformationFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045C9710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045C9B00 NtSetValueKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045C9FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045C9780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045CB040 NtSuspendThread,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045C9820 NtEnumerateKey,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045C98F0 NtReadVirtualMemory,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045C98A0 NtWriteVirtualMemory,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045C9950 NtQueueApcThread,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045CAD30 NtSetContextThread,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045C9520 NtWaitForSingleObject,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045C99D0 NtCreateProcessEx,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045C95F0 NtQueryInformationFile,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045C9670 NtQueryInformationProcess,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045C9A10 NtQuerySection,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045C9A00 NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045C9A20 NtResumeThread,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045C9A80 NtOpenDirectoryObject,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045CA770 NtOpenThread,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045C9760 NtOpenProcess,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045CA710 NtOpenProcessToken,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045C9730 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045CA3B0 NtGetContextThread,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045C97A0 NtUnmapViewOfSection,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_02749E00 NtReadFile,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_02749E80 NtClose,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_02749F30 NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_02749D50 NtCreateFile,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_02749E7C NtClose,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_02749F2D NtAllocateVirtualMemory,

Source: C:\Users\user\Desktop\PURCHASE ORDER.exe

Code function: 0_2_00403348 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Code function: 0_2_00406945
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Code function: 0_2_0040711C
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Code function: 2_2_00BB1030
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Code function: 2_2_00BCD986
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Code function: 2_2_00BCDAA6
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Code function: 2_2_00BCD2D0
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Code function: 2_2_00BCE241
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Code function: 2_2_00BCDB23
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Code function: 2_2_00BCDCEB
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Code function: 2_2_00BB2D90
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Code function: 2_2_00BB2D87
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Code function: 2_2_00BB9E30
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Code function: 2_2_00BB9E2B
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Code function: 2_2_00BB2FB0
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Code function: 2_2_00BE3FA0
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Code function: 2_2_00BCCF93
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Code function: 2_2_00BCDF20
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_0459841F
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_04641002
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_0459B090
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_046520A8
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045B20A0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_04651D55
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_0458F900
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_04652D07
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_04580D20
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045A4120
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_0459D5E0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045B2581
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045A6E30
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_04652EF7
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_046522AE
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_04652B28
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_04651FF1
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_0464DBD2
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045BEBB0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_0274E241
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_02739E30
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_02739E2B
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_02732FB0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_02732D90
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_02732D87
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Code function: 27_2_00CCEF10
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Code function: 28_2_6DFBC570
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Code function: 28_2_6E05F6EC
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Code function: 28_2_6E04B743
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Code function: 28_2_6E032DA0
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Code function: 28_2_6E05F5CC
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Code function: 28_2_6E05A5C8
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Code function: 28_2_6E027260
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Code function: 28_2_6DFAD030
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Code function: 28_2_6E04E3FF
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Code function: 28_2_6E0238E0
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Code function: 28_2_6E024100
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Code function: 28_2_6E05A130

Source: C:\Windows\SysWOW64\raserver.exe	Code function: String function: 0458B150 appears 35 times
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Code function: String function: 00CA730F appears 49 times
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Code function: String function: 6DFB9480 appears 63 times

Source: PURCHASE ORDER.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: MySqlAssemblyConsole.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: PURCHASE ORDER.exe, 00000000.00000002.239529402.0000000000730000.00000002.00000001.sdmp

Binary or memory string: OriginalFilenameuser32j% vs PURCHASE ORDER.exe

Source: PURCHASE ORDER.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: 00000002.00000002.431726955.00000000005D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.431726955.00000000005D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.431752828.0000000000600000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.431752828.0000000000600000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000017.00000002.503999453.00000000004A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000017.00000002.503999453.00000000004A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.432758571.00000000027EC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.432758571.00000000027EC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000017.00000002.505688448.0000000002730000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000017.00000002.505688448.0000000002730000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.432137722.0000000000BB1000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.432137722.0000000000BB1000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.MySqlAssemblyConsole.exe.bb0000.2.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.MySqlAssemblyConsole.exe.bb0000.2.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@11/169@0/0

Source: C:\Users\user\Desktop\PURCHASE ORDER.exe

Code function: 0_2_0040460D GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

Source: C:\Users\user\Desktop\PURCHASE ORDER.exe

Code function: 0_2_0040216B CoCreateInstance,MultiByteToWideChar,

Source: C:\Users\user\Desktop\PURCHASE ORDER.exe

File created: C:\Users\user\AppData\Roaming\MySqlConsoleComponents

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4612:120:WilError_01

Source: C:\Users\user\Desktop\PURCHASE ORDER.exe

File created: C:\Users\user\AppData\Local\Temp\nsb9F7B.tmp

Jump to behavior

Source: PURCHASE ORDER.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\PURCHASE ORDER.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\PURCHASE ORDER.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: MySqlAssemblyConsole.exe, 00000002.00000002.432391924.0000000000D34000.00000002.00020000.sdmp, MySqlAssemblyConsole.exe, 0000001B.00000000.474192177.0000000000D34000.00000002.00020000.sdmp, MySqlAssemblyConsole.exe, 0000001C.00000000.494289920.0000000000D34000.00000002.00020000.sdmp, MySqlAssemblyConsole.exe.0.dr	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: MySqlAssemblyConsole.exe, 00000002.00000002.432391924.0000000000D34000.00000002.00020000.sdmp, MySqlAssemblyConsole.exe, 0000001B.00000000.474192177.0000000000D34000.00000002.00020000.sdmp, MySqlAssemblyConsole.exe, 0000001C.00000000.494289920.0000000000D34000.00000002.00020000.sdmp, MySqlAssemblyConsole.exe.0.dr	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: MySqlAssemblyConsole.exe, 00000002.00000002.432391924.0000000000D34000.00000002.00020000.sdmp, MySqlAssemblyConsole.exe, 0000001B.00000000.474192177.0000000000D34000.00000002.00020000.sdmp, MySqlAssemblyConsole.exe, 0000001C.00000000.494289920.0000000000D34000.00000002.00020000.sdmp, MySqlAssemblyConsole.exe.0.dr	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);

Source: PURCHASE ORDER.exe

Virustotal: Detection: 11%

Source: C:\Users\user\Desktop\PURCHASE ORDER.exe

File read: C:\Users\user\Desktop\PURCHASE ORDER.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\PURCHASE ORDER.exe 'C:\Users\user\Desktop\PURCHASE ORDER.exe'
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Process created: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\raserver.exe C:\Windows\SysWOW64\raserver.exe
Source: C:\Windows\SysWOW64\raserver.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe 'C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe'
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe 'C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe'
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Process created: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe 'C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe'
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe 'C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe'
Source: C:\Windows\SysWOW64\raserver.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V

Source: C:\Users\user\Desktop\PURCHASE ORDER.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Source: C:\Windows\SysWOW64\raserver.exe

File written: C:\Users\user\AppData\Roaming\886N85Q4\886logri.ini

Jump to behavior

Source: C:\Windows\SysWOW64\raserver.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Source: PURCHASE ORDER.exe

Static file information: File size 3059224 > 1048576

Source: PURCHASE ORDER.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wscui.pdbUGP source: explorer.exe, 00000012.00000000.417250705.000000000ED20000.00000002.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: MySqlAssemblyConsole.exe, 00000002.00000002.432815804.0000000002E20000.00000040.00000001.sdmp, raserver.exe, 00000017.00000002.508514426.000000000467F000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: MySqlAssemblyConsole.exe, 00000002.00000002.432815804.0000000002E20000.00000040.00000001.sdmp, raserver.exe
Source:	Binary string: RAServer.pdb source: MySqlAssemblyConsole.exe, 00000002.00000002.431950003.0000000000828000.00000004.00000020.sdmp
Source:	Binary string: X:\sborka\12217271353800656069\workdll\release\Lib1.pdb source: MySqlAssemblyConsole.exe, 00000002.00000002.434645004.000000006DE84000.00000002.00020000.sdmp, MySqlAssemblyConsole.exe, 0000001B.00000002.506646098.000000006E064000.00000002.00020000.sdmp, MySqlAssemblyConsole.exe, 0000001C.00000002.506218878.000000006E064000.00000002.00020000.sdmp
Source:	Binary string: C:\output\ZPSTray\pl\vc\obj\x64\mysql_ssl_rsa_setup\AutoUpda.pdb source: MySqlAssemblyConsole.exe, 00000002.00000002.432391924.0000000000D34000.00000002.00020000.sdmp, raserver.exe, 00000017.00000002.507081713.00000000043B1000.00000004.00000001.sdmp, MySqlAssemblyConsole.exe, 0000001B.00000000.474192177.0000000000D34000.00000002.00020000.sdmp, MySqlAssemblyConsole.exe, 0000001C.00000000.494289920.0000000000D34000.00000002.00020000.sdmp, MySqlAssemblyConsole.exe.0.dr
Source:	Binary string: RAServer.pdbGCTL source: MySqlAssemblyConsole.exe, 00000002.00000002.431950003.0000000000828000.00000004.00000020.sdmp
Source:	Binary string: wscui.pdb source: explorer.exe, 00000012.00000000.417250705.000000000ED20000.00000002.00000001.sdmp

Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe

Code function: 27_2_00BB25EC LoadLibraryA,GetProcAddress,task,task,task,

Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Code function: 2_2_00BC68DD push 00000061h; retf
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Code function: 2_2_00BC71EC push edx; iretd
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Code function: 2_2_00BC69D2 push eax; retf
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Code function: 2_2_00BC7AB9 push esp; iretd
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Code function: 2_2_00BC7AED push esp; iretd
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Code function: 2_2_00BC7A65 push esp; iretd
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Code function: 2_2_00BC7A43 push esp; iretd
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Code function: 2_2_00BE4D8C push eax; retf
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Code function: 2_2_00BC6510 push edx; retf FAF5h
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Code function: 2_2_00BC7D42 push edx; ret
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Code function: 2_2_00BCCEA5 push eax; ret
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Code function: 2_2_00BCCEFB push eax; ret
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Code function: 2_2_00BCBE22 push edx; iretd
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045DD0D1 push ecx; ret
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_02747A65 push esp; iretd
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_02747A43 push esp; iretd
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_0274DA32 push esp; retf
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_02747AED push esp; iretd
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_02747AB9 push esp; iretd
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_0274DBA4 push es; ret
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_027471EC push edx; iretd
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_0274BE22 push edx; iretd
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_0274CEF2 push eax; ret
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_0274CEFB push eax; ret
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_0274CEA5 push eax; ret
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_0274CF5C push eax; ret
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_02747D42 push edx; ret
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Code function: 27_2_00BB4502 pushfd ; iretd
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Code function: 27_2_00BB3AEC pushad ; ret
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Code function: 27_2_00D08BF9 push ecx; ret

Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	File created: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\libffi-7.dll
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	File created: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\libgmodule-2.0-0.dll
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	File created: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\libimpl3.dll
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	File created: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\libSDL_Pango-1.dll
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	File created: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\libwinpthread-1.dll
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	File created: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\SDL_ttf.dll	Jump to dropped file
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	File created: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\libcairo-gobject-2.dll
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	File created: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\libpangocairo-1.0-0.dll
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	File created: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Jump to dropped file
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	File created: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\libbrotlidec.dll
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	File created: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\libdatrie-1.dll

Source: C:\Users\user\Desktop\PURCHASE ORDER.exe

File created: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\en\INSTALL.txt

Jump to behavior

Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	File created: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\README.txt	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	File created: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\en\FAQ.txt	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	File created: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\en\README.txt	Jump to behavior

Source: C:\Windows\SysWOW64\raserver.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run SLHH9VSPLX			Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run SLHH9VSPLX			Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)

Show sources

Source: explorer.exe

User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x89 0x9E 0xEE

Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe

Code function: 27_2_00BB58C0 wglGetProcAddress,wglGetProcAddress,wglGetProcAddress,wglGetProcAddress,wglGetProcAddress,wglGetProcAddress,wglGetProcAddress,wglGetProcAddress,wglGetProcAddress,wglGetProcAddress,wglGetProcAddress,wglGetProcAddress,wglGetProcAddress,

Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\raserver.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\raserver.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\raserver.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\raserver.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\raserver.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	RDTSC instruction interceptor: First address: 0000000000BB98E4 second address: 0000000000BB98EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	RDTSC instruction interceptor: First address: 0000000000BB9B4E second address: 0000000000BB9B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\raserver.exe	RDTSC instruction interceptor: First address: 00000000027398E4 second address: 00000000027398EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\raserver.exe	RDTSC instruction interceptor: First address: 0000000002739B4E second address: 0000000002739B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\PURCHASE ORDER.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe

Code function: 2_2_00BB9A80 rdtsc

Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\libffi-7.dll
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\libgmodule-2.0-0.dll
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\libSDL_Pango-1.dll
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\libwinpthread-1.dll
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\SDL_ttf.dll	Jump to dropped file
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\libcairo-gobject-2.dll
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\libpangocairo-1.0-0.dll
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\libbrotlidec.dll
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\libdatrie-1.dll

Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -65000s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -64888s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -64779s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -64673s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -64561s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -64454s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -64348s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -64238s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -64129s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -64020s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -63871s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -63770s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -63658s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -63551s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -63441s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -63332s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -63223s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -63108s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -63004s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -62894s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -62785s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -62676s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -62567s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -62457s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -62348s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -62235s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -62129s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -62020s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -61909s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -61800s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -61691s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -61582s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -61473s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -61364s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -61254s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -61145s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -61035s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -60925s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -60817s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -60703s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -60598s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -60488s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -60378s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -60270s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -60160s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -60051s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -59942s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -59832s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -59723s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -59613s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -59504s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -59395s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -59285s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -59176s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -59067s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -58957s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -58848s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -58738s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -58629s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -58520s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -58410s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -58301s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -58191s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -58082s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -57971s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -57863s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -57754s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -57641s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -57535s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -57425s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -57317s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -57207s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -57098s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -56988s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -56879s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -56770s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -56660s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -56551s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -56440s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -56332s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -56223s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -56113s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -56004s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -55889s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -55785s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -55676s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -55567s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -55457s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -55348s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -55238s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -55129s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -55020s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -54910s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -54800s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -54691s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -54582s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -54473s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -54363s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -54254s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -54145s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -54035s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -53922s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -53813s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -53662s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -53481s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -53379s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -53265s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -53160s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -53049s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -52887s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -52441s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -52332s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -52223s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -52113s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -51884s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -51064s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -50957s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -50848s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -50737s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -50629s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -50520s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -50411s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -50301s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -50192s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -50082s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -49973s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -49864s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -49753s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -49645s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -49535s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -49426s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -49315s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -49207s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -49098s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -48989s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -48879s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -48770s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -48660s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -48551s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -48442s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -48332s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -48223s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -48113s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -48004s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -47895s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -47785s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -47675s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -47567s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -47457s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -47348s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -47238s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -47128s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -47019s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -46909s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -46800s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -46691s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -46582s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -46473s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -46363s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -46254s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -46144s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -46035s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -45926s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -45817s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -45706s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -45598s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -45488s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -45375s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -45270s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -45159s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -45051s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -44935s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -44832s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -44723s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -44614s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -44504s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -44393s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -44285s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -44174s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -44066s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -43957s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -43848s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -43738s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -43629s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -43520s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -43410s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -43301s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -43191s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -43082s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -42972s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -42864s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -42754s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -42642s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -42535s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -42426s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -42317s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -42207s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -42098s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -41988s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -41879s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -41770s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -41660s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -41551s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -41442s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -41332s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -41223s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -41114s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -41004s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -40895s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -40785s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -40676s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -40566s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -40457s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -40347s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -40237s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -40129s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -40020s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -39910s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -39797s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -39691s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -39582s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -39473s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -39363s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -39238s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -39129s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -39019s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -38910s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -38801s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -38691s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -38582s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -38473s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -38363s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -38254s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -38145s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -38035s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -37926s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -37817s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -37707s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -37598s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -37488s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -37379s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -37270s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -37160s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -37051s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -36941s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -36832s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -36723s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -36613s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -36504s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -36394s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -36285s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -36176s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -36067s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -35957s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -35847s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -35738s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -35629s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -35520s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -35410s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -35253s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -35144s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -35035s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -34923s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -34781s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -34675s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -34565s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -34215s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -34113s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -34004s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -33886s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -33442s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -33332s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -33190s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -32859s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -32689s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -32582s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -32473s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -32364s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -32254s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -32145s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -32035s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -31925s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -31816s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -31707s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -31597s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -31488s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -31379s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -31269s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -31160s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -31051s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -30941s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -30832s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -30723s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -30613s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -30504s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -30395s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -30285s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -30176s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5448	Thread sleep time: -30066s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5668	Thread sleep time: -65000s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5668	Thread sleep time: -64885s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5668	Thread sleep time: -64776s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5668	Thread sleep time: -64662s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5668	Thread sleep time: -64510s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5668	Thread sleep time: -64400s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5668	Thread sleep time: -64291s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5668	Thread sleep time: -64182s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5668	Thread sleep time: -64072s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5668	Thread sleep time: -63962s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5668	Thread sleep time: -63853s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5668	Thread sleep time: -63744s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5668	Thread sleep time: -63635s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5668	Thread sleep time: -63525s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5668	Thread sleep time: -63416s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5668	Thread sleep time: -63306s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5668	Thread sleep time: -63197s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5668	Thread sleep time: -63088s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5668	Thread sleep time: -62979s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5668	Thread sleep time: -62869s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5668	Thread sleep time: -62760s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5668	Thread sleep time: -62651s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5668	Thread sleep time: -62541s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5668	Thread sleep time: -62431s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5668	Thread sleep time: -62322s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5668	Thread sleep time: -62213s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5668	Thread sleep time: -62104s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5668	Thread sleep time: -61994s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5668	Thread sleep time: -61885s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5668	Thread sleep time: -61775s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5668	Thread sleep time: -61664s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5668	Thread sleep time: -61556s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5668	Thread sleep time: -61448s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5668	Thread sleep time: -61338s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5668	Thread sleep time: -61229s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5668	Thread sleep time: -61119s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5668	Thread sleep time: -61010s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5668	Thread sleep time: -60901s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5668	Thread sleep time: -60791s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5668	Thread sleep time: -60682s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5668	Thread sleep time: -60572s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5668	Thread sleep time: -60463s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5668	Thread sleep time: -60353s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5668	Thread sleep time: -60244s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5668	Thread sleep time: -60135s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5668	Thread sleep time: -60026s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5668	Thread sleep time: -59916s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5668	Thread sleep time: -59794s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5668	Thread sleep time: -59594s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5668	Thread sleep time: -59478s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5668	Thread sleep time: -59362s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5668	Thread sleep time: -59228s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5668	Thread sleep time: -59118s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5668	Thread sleep time: -59010s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5668	Thread sleep time: -58900s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5668	Thread sleep time: -58504s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5668	Thread sleep time: -58399s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5668	Thread sleep time: -58290s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5668	Thread sleep time: -57032s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5668	Thread sleep time: -56884s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5668	Thread sleep time: -56756s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5668	Thread sleep time: -56643s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5668	Thread sleep time: -56541s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5668	Thread sleep time: -56432s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5668	Thread sleep time: -56322s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5668	Thread sleep time: -56213s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5668	Thread sleep time: -56104s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5668	Thread sleep time: -55994s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5668	Thread sleep time: -55885s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5668	Thread sleep time: -55775s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5668	Thread sleep time: -55666s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5668	Thread sleep time: -55557s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5668	Thread sleep time: -55448s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5668	Thread sleep time: -55337s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5668	Thread sleep time: -55229s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5668	Thread sleep time: -55119s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5668	Thread sleep time: -55010s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5668	Thread sleep time: -54900s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5668	Thread sleep time: -54791s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5668	Thread sleep time: -54682s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5668	Thread sleep time: -54572s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5668	Thread sleep time: -54463s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5668	Thread sleep time: -54354s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5668	Thread sleep time: -54244s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5668	Thread sleep time: -54133s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5668	Thread sleep time: -54021s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5668	Thread sleep time: -53916s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5668	Thread sleep time: -53807s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5668	Thread sleep time: -53697s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5668	Thread sleep time: -53588s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5668	Thread sleep time: -53479s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5668	Thread sleep time: -53369s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5668	Thread sleep time: -53260s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5668	Thread sleep time: -53151s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5668	Thread sleep time: -53041s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5668	Thread sleep time: -52932s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5668	Thread sleep time: -52822s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5668	Thread sleep time: -52713s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5668	Thread sleep time: -52603s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5668	Thread sleep time: -52494s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 5668	Thread sleep time: -52385s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 3556	Thread sleep time: -65000s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 3556	Thread sleep time: -64894s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 3556	Thread sleep time: -64785s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 3556	Thread sleep time: -64675s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 3556	Thread sleep time: -64566s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 3556	Thread sleep time: -64457s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 3556	Thread sleep time: -64345s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 3556	Thread sleep time: -64238s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 3556	Thread sleep time: -64129s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 3556	Thread sleep time: -64019s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 3556	Thread sleep time: -63910s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 3556	Thread sleep time: -63800s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 3556	Thread sleep time: -63691s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 3556	Thread sleep time: -63582s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 3556	Thread sleep time: -63472s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 3556	Thread sleep time: -63360s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 3556	Thread sleep time: -63254s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 3556	Thread sleep time: -63144s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 3556	Thread sleep time: -63035s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 3556	Thread sleep time: -62926s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 3556	Thread sleep time: -62816s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 3556	Thread sleep time: -62707s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 3556	Thread sleep time: -62597s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 3556	Thread sleep time: -62488s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 3556	Thread sleep time: -62379s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 3556	Thread sleep time: -62269s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 3556	Thread sleep time: -62160s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 3556	Thread sleep time: -62050s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 3556	Thread sleep time: -61941s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 3556	Thread sleep time: -61831s >= -30000s
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe TID: 3556	Thread sleep time: -61722s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Code function: 0_2_0040646B FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Code function: 0_2_004027A1 FindFirstFileA,
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Code function: 0_2_004058BF GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,

Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 65000
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 64888
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 64779
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 64673
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 64561
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 64454
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 64348
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 64238
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 64129
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 64020
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 63871
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 63770
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 63658
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 63551
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 63441
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 63332
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 63223
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 63108
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 63004
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 62894
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 62785
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 62676
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 62567
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 62457
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 62348
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 62235
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 62129
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 62020
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 61909
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 61800
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 61691
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 61582
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 61473
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 61364
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 61254
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 61145
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 61035
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 60925
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 60817
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 60703
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 60598
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 60488
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 60378
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 60270
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 60160
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 60051
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 59942
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 59832
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 59723
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 59613
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 59504
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 59395
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 59285
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 59176
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 59067
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 58957
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 58848
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 58738
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 58629
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 58520
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 58410
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 58301
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 58191
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 58082
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 57971
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 57863
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 57754
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 57641
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 57535
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 57425
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 57317
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 57207
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 57098
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 56988
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 56879
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 56770
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 56660
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 56551
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 56440
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 56332
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 56223
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 56113
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 56004
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 55889
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 55785
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 55676
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 55567
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 55457
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 55348
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 55238
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 55129
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 55020
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 54910
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 54800
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 54691
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 54582
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 54473
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 54363
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 54254
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 54145
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 54035
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 53922
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 53813
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 53662
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 53481
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 53379
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 53265
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 53160
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 53049
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 52887
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 52441
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 52332
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 52223
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 52113
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 51884
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 51064
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 50957
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 50848
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 50737
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 50629
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 50520
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 50411
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 50301
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 50192
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 50082
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 49973
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 49864
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 49753
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 49645
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 49535
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 49426
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 49315
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 49207
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 49098
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 48989
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 48879
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 48770
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 48660
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 48551
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 48442
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 48332
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 48223
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 48113
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 48004
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 47895
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 47785
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 47675
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 47567
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 47457
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 47348
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 47238
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 47128
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 47019
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 46909
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 46800
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 46691
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 46582
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 46473
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 46363
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 46254
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 46144
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 46035
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 45926
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 45817
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 45706
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 45598
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 45488
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 45375
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 45270
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 45159
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 45051
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 44935
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 44832
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 44723
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 44614
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 44504
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 44393
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 44285
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 44174
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 44066
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 43957
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 43848
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 43738
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 43629
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 43520
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 43410
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 43301
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 43191
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 43082
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 42972
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 42864
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 42754
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 42642
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 42535
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 42426
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 42317
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 42207
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 42098
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 41988
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 41879
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 41770
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 41660
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 41551
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 41442
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 41332
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 41223
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 41114
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 41004
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 40895
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 40785
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 40676
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 40566
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 40457
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 40347
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 40237
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 40129
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 40020
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 39910
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 39797
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 39691
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 39582
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 39473
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 39363
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 39238
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 39129
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 39019
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 38910
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 38801
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 38691
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 38582
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 38473
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 38363
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 38254
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 38145
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 38035
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 37926
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 37817
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 37707
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 37598
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 37488
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 37379
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 37270
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 37160
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 37051
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 36941
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 36832
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 36723
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 36613
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 36504
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 36394
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 36285
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 36176
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 36067
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 35957
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 35847
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 35738
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 35629
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 35520
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 35410
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 35253
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 35144
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 35035
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 34923
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 34781
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 34675
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 34565
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 34215
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 34113
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 34004
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 33886
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 33442
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 33332
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 33190
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 32859
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 32689
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 32582
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 32473
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 32364
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 32254
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 32145
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 32035
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 31925
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 31816
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 31707
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 31597
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 31488
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 31379
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 31269
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 31160
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 31051
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 30941
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 30832
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 30723
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 30613
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 30504
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 30395
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 30285
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 30176
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 30066
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 65000
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 64885
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 64776
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 64662
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 64510
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 64400
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 64291
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 64182
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 64072
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 63962
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 63853
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 63744
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 63635
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 63525
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 63416
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 63306
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 63197
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 63088
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 62979
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 62869
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 62760
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 62651
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 62541
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 62431
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 62322
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 62213
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 62104
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 61994
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 61885
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 61775
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 61664
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 61556
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 61448
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 61338
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 61229
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 61119
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 61010
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 60901
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 60791
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 60682
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 60572
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 60463
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 60353
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 60244
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 60135
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 60026
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 59916
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 59794
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 59594
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 59478
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 59362
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 59228
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 59118
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 59010
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 58900
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 58504
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 58399
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 58290
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 57032
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 56884
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 56756
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 56643
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 56541
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 56432
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 56322
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 56213
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 56104
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 55994
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 55885
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 55775
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 55666
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 55557
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 55448
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 55337
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 55229
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 55119
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 55010
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 54900
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 54791
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 54682
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 54572
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 54463
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 54354
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 54244
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 54133
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 54021
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 53916
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 53807
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 53697
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 53588
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 53479
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 53369
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 53260
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 53151
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 53041
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 52932
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 52822
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 52713
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 52603
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 52494
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 52385
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 65000
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 64894
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 64785
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 64675
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 64566
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 64457
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 64345
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 64238
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 64129
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 64019
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 63910
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 63800
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 63691
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 63582
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 63472
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 63360
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 63254
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 63144
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 63035
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 62926
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 62816
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 62707
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 62597
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 62488
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 62379
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 62269
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 62160
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 62050
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 61941
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 61831
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread delayed: delay time: 61722

Source: explorer.exe, 00000012.00000000.412531453.000000000891C000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000012.00000000.412664360.00000000089B5000.00000004.00000001.sdmp	Binary or memory string: Prod_VMware_SATA?6
Source: explorer.exe, 00000012.00000002.509467416.0000000003710000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000012.00000000.411602569.0000000008270000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000012.00000000.392841431.00000000011B3000.00000004.00000020.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
Source: explorer.exe, 00000012.00000000.412664360.00000000089B5000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
Source: explorer.exe, 00000012.00000000.411602569.0000000008270000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000012.00000002.515746081.00000000053D7000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
Source: explorer.exe, 00000012.00000000.411602569.0000000008270000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000012.00000000.412664360.00000000089B5000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
Source: explorer.exe, 00000012.00000002.515884693.00000000054CA000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: explorer.exe, 00000012.00000000.411602569.0000000008270000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe

Process information queried: ProcessInformation

Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\raserver.exe	Process queried: DebugPort

Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe

Code function: 2_2_00BB9A80 rdtsc

Source: C:\Windows\SysWOW64\raserver.exe

Code function: 23_2_045C9840 NtDelayExecution,LdrInitializeThunk,

Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe

Code function: 2_2_00CB7823 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe

Code function: 27_2_00BB25EC LoadLibraryA,GetProcAddress,task,task,task,

Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045A0050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045A0050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045BA44B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_04651074 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_04642073 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_0461C450 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_0461C450 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045A746D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_04641C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_04641C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_04641C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_04641C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_04641C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_04641C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_04641C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_04641C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_04641C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_04641C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_04641C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_04641C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_04641C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_04641C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_0465740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_0465740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_0465740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_04606C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_04606C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_04606C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_04606C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_04654015 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_04654015 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_0459B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_0459B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_0459B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_0459B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_04607016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_04607016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_04607016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045B002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045B002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045B002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045B002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045B002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045BBC2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_04606CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_04606CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_04606CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_046414FB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_0461B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_0461B8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_0461B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_0461B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_0461B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_0461B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_04658CD6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045858EC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_0459849B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_04589080 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045BF0BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045BF0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045BF0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_04603884 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_04603884 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045C90AF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045B20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045B20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045B20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045B20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045B20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045B20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045A7D50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045AB944 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045AB944 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045C3D43 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_04603540 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_0458B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_0458B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045AC577 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045AC577 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_0458C962 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_04658D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_0460A537 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_04589100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_04589100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_04589100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045B4D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045B4D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045B4D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045B513A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045B513A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_0458AD30 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_04593D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_04593D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_04593D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_04593D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_04593D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_04593D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_04593D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_04593D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_04593D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_04593D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_04593D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_04593D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_04593D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045A4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045A4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045A4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045A4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045A4120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_0464FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_0464FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_0464FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_0464FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_046141E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_04638DF1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_04606DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_04606DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_04606DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_04606DC9 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_04606DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_04606DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_0458B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_0458B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_0458B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_0459D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_0459D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045BFD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045BFD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_046069A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_046505AC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_046505AC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045B2990 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_04582D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_04582D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_04582D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_04582D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_04582D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045AC182 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045B2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045B2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045B2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045B2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045BA185 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_046051BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_046051BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_046051BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_046051BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045B1DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045B1DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045B1DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045B35A1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045B61A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045B61A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_0463B260 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_0463B260 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_04658A62 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_04589240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_04589240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_04589240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_04589240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_04597E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_04597E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_04597E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_04597E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_04597E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_04597E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045C927A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045AAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045AAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045AAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045AAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045AAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_0464EA55 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_0459766D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_04614257 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045A3A1C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045BA61C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045BA61C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_04585210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_04585210 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_04585210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_04585210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_0458AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_0458AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_04598A0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_0458C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_0458C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_0458C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045B8E00 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_0463FE3F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_04641608 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045C4A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045C4A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_0458E620 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045B2ACB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045B36CC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045C8EC7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_0463FEC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_04658ED6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045B16E0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045976E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045B2AE4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_04650EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_04650EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_04650EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_046046A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045BD294 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045BD294 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_0461FE87 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_0459AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_0459AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045BFAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045852A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045852A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045852A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045852A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045852A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_0458F358 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_04658F6A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_0458DB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_0459EF40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045B3B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045B3B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_0458DB60 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_0459FF60 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_04658B58 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045AF716 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045BA70E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045BA70E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_0465070D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_0465070D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045BE730 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_0461FF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_0461FF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_04584F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_04584F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_0464131B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045C37F5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_046053CA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_046053CA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045ADBE9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045B03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045B03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045B03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045B03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045B03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045B03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_04655BA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045BB390 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045B2397 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_04598794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_04591B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_04591B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_0463D380 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_0464138A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_04607794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_04607794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_04607794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045B4BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045B4BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 23_2_045B4BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Code function: 28_2_6E04FF14 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Code function: 28_2_6E049D71 mov eax, dword ptr fs:[00000030h]

Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\raserver.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Code function: 2_2_00CB7823 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Code function: 2_2_00CA813B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Code function: 27_2_00CB7823 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Code function: 27_2_00CA813B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Code function: 28_2_6E0467BD SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Code function: 28_2_6E0475D2 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Code function: 28_2_6E04CAF9 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

HIPS / PFW / Operating System Protection Evasion:

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Section loaded: unknown target: C:\Windows\SysWOW64\raserver.exe protection: execute and read and write
Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Section loaded: unknown target: C:\Windows\SysWOW64\raserver.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\raserver.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\raserver.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	Thread register set: target process: 3472
Source: C:\Windows\SysWOW64\raserver.exe	Thread register set: target process: 3472

Queues an APC in another process (thread injection)

Show sources

Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Sample uses process hollowing technique

Show sources

Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe

Section unmapped: C:\Windows\SysWOW64\raserver.exe base address: 100000

Source: C:\Windows\SysWOW64\raserver.exe

Process created: C:\Windows\SysWOW64\cmd.exe /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V

Source: explorer.exe, 00000012.00000002.504552070.0000000001640000.00000002.00000001.sdmp, raserver.exe, 00000017.00000002.505933519.0000000002E10000.00000002.00000001.sdmp, MySqlAssemblyConsole.exe, 0000001B.00000002.506006329.0000000001170000.00000002.00000001.sdmp, MySqlAssemblyConsole.exe, 0000001C.00000002.505673751.0000000000DE0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000012.00000002.504552070.0000000001640000.00000002.00000001.sdmp, raserver.exe, 00000017.00000002.505933519.0000000002E10000.00000002.00000001.sdmp, MySqlAssemblyConsole.exe, 0000001B.00000002.506006329.0000000001170000.00000002.00000001.sdmp, MySqlAssemblyConsole.exe, 0000001C.00000002.505673751.0000000000DE0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000012.00000002.504552070.0000000001640000.00000002.00000001.sdmp, raserver.exe, 00000017.00000002.505933519.0000000002E10000.00000002.00000001.sdmp, MySqlAssemblyConsole.exe, 0000001B.00000002.506006329.0000000001170000.00000002.00000001.sdmp, MySqlAssemblyConsole.exe, 0000001C.00000002.505673751.0000000000DE0000.00000002.00000001.sdmp	Binary or memory string: SProgram Managerl
Source: explorer.exe, 00000012.00000000.392773721.0000000001128000.00000004.00000020.sdmp	Binary or memory string: ProgmanOMEa
Source: explorer.exe, 00000012.00000002.504552070.0000000001640000.00000002.00000001.sdmp, raserver.exe, 00000017.00000002.505933519.0000000002E10000.00000002.00000001.sdmp, MySqlAssemblyConsole.exe, 0000001B.00000002.506006329.0000000001170000.00000002.00000001.sdmp, MySqlAssemblyConsole.exe, 0000001C.00000002.505673751.0000000000DE0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd,
Source: explorer.exe, 00000012.00000002.504552070.0000000001640000.00000002.00000001.sdmp, raserver.exe, 00000017.00000002.505933519.0000000002E10000.00000002.00000001.sdmp, MySqlAssemblyConsole.exe, 0000001B.00000002.506006329.0000000001170000.00000002.00000001.sdmp, MySqlAssemblyConsole.exe, 0000001C.00000002.505673751.0000000000DE0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe

Code function: 28_2_6E046FF1 cpuid

Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe

Code function: GetLocaleInfoW,

Source: C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe

Code function: 2_2_00CA8986 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

Source: C:\Users\user\Desktop\PURCHASE ORDER.exe

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000002.00000002.431726955.00000000005D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.431752828.0000000000600000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.503999453.00000000004A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.432758571.00000000027EC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.505688448.0000000002730000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.432137722.0000000000BB1000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 2.2.MySqlAssemblyConsole.exe.bb0000.2.unpack, type: UNPACKEDPE

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Windows\SysWOW64\raserver.exe	File opened: C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Login Data
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Windows\SysWOW64\raserver.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000002.00000002.431726955.00000000005D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.431752828.0000000000600000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.503999453.00000000004A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.432758571.00000000027EC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.505688448.0000000002730000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.432137722.0000000000BB1000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 2.2.MySqlAssemblyConsole.exe.bb0000.2.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Native API1	Application Shimming1	Application Shimming1	Deobfuscate/Decode Files or Information1	OS Credential Dumping1	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	System Shutdown/Reboot1
Default Accounts	Shared Modules1	Registry Run Keys / Startup Folder1	Access Token Manipulation1	Obfuscated Files or Information3	Credential API Hooking1	File and Directory Discovery3	Remote Desktop Protocol	Data from Local System1	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Process Injection412	Rootkit1	Input Capture1	System Information Discovery125	SMB/Windows Admin Shares	Email Collection1	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Registry Run Keys / Startup Folder1	Masquerading1	NTDS	Security Software Discovery141	Distributed Component Object Model	Credential API Hooking1	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Virtualization/Sandbox Evasion31	LSA Secrets	Process Discovery2	SSH	Input Capture1	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Access Token Manipulation1	Cached Domain Credentials	Virtualization/Sandbox Evasion31	VNC	Clipboard Data1	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Process Injection412	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
PURCHASE ORDER.exe	12%	Virustotal		Browse
PURCHASE ORDER.exe	6%	ReversingLabs	Win32.Trojan.Wacatac

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\MySqlConsoleComponents\SDL_ttf.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\MySqlConsoleComponents\libSDL_Pango-1.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\MySqlConsoleComponents\libbrotlidec.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\MySqlConsoleComponents\libcairo-gobject-2.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\MySqlConsoleComponents\libdatrie-1.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\MySqlConsoleComponents\libffi-7.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\MySqlConsoleComponents\libgmodule-2.0-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\MySqlConsoleComponents\libimpl3.dll	2%	ReversingLabs
C:\Users\user\AppData\Roaming\MySqlConsoleComponents\libpangocairo-1.0-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\MySqlConsoleComponents\libwinpthread-1.dll	0%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.2.PURCHASE ORDER.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1130366		Download File
0.0.PURCHASE ORDER.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1130366		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
https://go.microc	0%	Avira URL Cloud	safe
https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gt	0%	URL Reputation	safe
https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gt	0%	URL Reputation	safe
https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gt	0%	URL Reputation	safe
https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gt	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
www.hollandhousedesigns.design/vns/	5%	Virustotal		Browse
www.hollandhousedesigns.design/vns/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
www.hollandhousedesigns.design/vns/	true	5%, Virustotal, Browse Avira URL Cloud: safe	low

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.msn.com/ocid=iehp&	raserver.exe, 00000017.00000003.446049886.00000000002C5000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designersG	explorer.exe, 00000012.00000000.414574884.000000000BC36000.00000002.00000001.sdmp	false		high
https://contextual.media.net/medianet.phpcid=8CU157172&crid=858412214&size=306x271&https=1	raserver.exe, 00000017.00000003.446068610.00000000002E0000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designers/?	explorer.exe, 00000012.00000000.414574884.000000000BC36000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	explorer.exe, 00000012.00000000.414574884.000000000BC36000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.msn.com/?ocid=iehp/	raserver.exe, 00000017.00000003.446049886.00000000002C5000.00000004.00000001.sdmp	false		high
http://www.msn.com/de-ch/?ocid=iehpLMEMh	raserver.exe, 00000017.00000003.446049886.00000000002C5000.00000004.00000001.sdmp	false		high
https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=58648497779	raserver.exe, 00000017.00000003.446049886.00000000002C5000.00000004.00000001.sdmp, raserver.exe, 00000017.00000003.446068610.00000000002E0000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designers?	explorer.exe, 00000012.00000000.414574884.000000000BC36000.00000002.00000001.sdmp	false		high
http://www.tiro.com	explorer.exe, 00000012.00000000.414574884.000000000BC36000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers	explorer.exe, 00000012.00000000.414574884.000000000BC36000.00000002.00000001.sdmp	false		high
http://www.goodfont.co.kr	explorer.exe, 00000012.00000000.414574884.000000000BC36000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.msn.com/?ocid=iehpA7Ef	raserver.exe, 00000017.00000003.446049886.00000000002C5000.00000004.00000001.sdmp	false		high
http://www.msn.com/?ocid=iehpwsLMEM	raserver.exe, 00000017.00000003.446049886.00000000002C5000.00000004.00000001.sdmp	false		high
http://www.sajatypeworks.com	explorer.exe, 00000012.00000000.414574884.000000000BC36000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	explorer.exe, 00000012.00000000.414574884.000000000BC36000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	explorer.exe, 00000012.00000000.414574884.000000000BC36000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	explorer.exe, 00000012.00000000.414574884.000000000BC36000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	explorer.exe, 00000012.00000000.414574884.000000000BC36000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e	raserver.exe, 00000017.00000003.446049886.00000000002C5000.00000004.00000001.sdmp	false		high
https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=3931852	raserver.exe, 00000017.00000003.446049886.00000000002C5000.00000004.00000001.sdmp, raserver.exe, 00000017.00000003.446068610.00000000002E0000.00000004.00000001.sdmp	false		high
https://login.microsoftonline.com/common/oauth2/authorizeclient_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e3	raserver.exe, 00000017.00000003.446049886.00000000002C5000.00000004.00000001.sdmp	false		high
https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2	raserver.exe, 00000017.00000003.446049886.00000000002C5000.00000004.00000001.sdmp	false		high
https://contextual.media.net/medianet.phpcid=8CU157172&crid=722878611&size=306x271&https=1	raserver.exe, 00000017.00000003.446049886.00000000002C5000.00000004.00000001.sdmp	false		high
http://www.msn.com/?ocid=iehp	raserver.exe, 00000017.00000003.446049886.00000000002C5000.00000004.00000001.sdmp	false		high
http://www.galapagosdesign.com/DPlease	explorer.exe, 00000012.00000000.414574884.000000000BC36000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fonts.com	explorer.exe, 00000012.00000000.414574884.000000000BC36000.00000002.00000001.sdmp	false		high
http://www.sandoll.co.kr	explorer.exe, 00000012.00000000.414574884.000000000BC36000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.deDPlease	explorer.exe, 00000012.00000000.414574884.000000000BC36000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	explorer.exe, 00000012.00000000.414574884.000000000BC36000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sakkal.com	explorer.exe, 00000012.00000000.414574884.000000000BC36000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.msn.com/de-ch/ocid=iehp	raserver.exe, 00000017.00000002.503366099.00000000002A7000.00000004.00000020.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0	explorer.exe, 00000012.00000000.414574884.000000000BC36000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com	explorer.exe, 00000012.00000000.414574884.000000000BC36000.00000002.00000001.sdmp	false		high
https://go.microc	raserver.exe, 00000017.00000003.449186115.00000000002E0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	PURCHASE ORDER.exe	false		high
https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gt	raserver.exe, 00000017.00000003.446049886.00000000002C5000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://contextual.media.net/checksync.php&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C	raserver.exe, 00000017.00000003.446049886.00000000002C5000.00000004.00000001.sdmp	false		high
https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1LMEM	raserver.exe, 00000017.00000003.446049886.00000000002C5000.00000004.00000001.sdmp	false		high
http://www.carterandcone.coml	explorer.exe, 00000012.00000000.414574884.000000000BC36000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	explorer.exe, 00000012.00000000.414574884.000000000BC36000.00000002.00000001.sdmp	false		high
https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1LMEM	raserver.exe, 00000017.00000003.446049886.00000000002C5000.00000004.00000001.sdmp	false		high
http://www.founder.com.cn/cn	explorer.exe, 00000012.00000000.414574884.000000000BC36000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	explorer.exe, 00000012.00000000.414574884.000000000BC36000.00000002.00000001.sdmp	false		high
http://nsis.sf.net/NSIS_Error	PURCHASE ORDER.exe	false		high
https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4842492154761;g	raserver.exe, 00000017.00000003.446049886.00000000002C5000.00000004.00000001.sdmp, raserver.exe, 00000017.00000003.446068610.00000000002E0000.00000004.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/	explorer.exe, 00000012.00000000.414574884.000000000BC36000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	explorer.exe, 00000012.00000000.414574884.000000000BC36000.00000002.00000001.sdmp	false		high
http://www.msn.com/?ocid=iehp=	raserver.exe, 00000017.00000003.446049886.00000000002C5000.00000004.00000001.sdmp	false		high

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	385280
Start date:	12.04.2021
Start time:	09:33:21
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 13m 11s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	PURCHASE ORDER.com (renamed file extension from com to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	28
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@11/169@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 47.9% (good quality ratio 42.2%) Quality average: 73.4% Quality standard deviation: 32.8%
HCA Information:	Successful, ratio: 75% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe Created / dropped Files have been reduced to 100 Report creation exceeded maximum time and may have missing disassembly code information. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:34:17	API Interceptor	645x Sleep call for process: MySqlAssemblyConsole.exe modified
09:35:57	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run SLHH9VSPLX C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe
09:36:06	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run SLHH9VSPLX C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\DB1 Download File
Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.792852251086831
Encrypted:	false
SSDEEP:	48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5:	81DB1710BB13DA3343FC0DF9F00BE49F
SHA1:	9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256:	9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512:	CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious:	true
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\886N85Q4\886logim.jpeg Download File
Process:	C:\Windows\SysWOW64\raserver.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, frames 3
Category:	dropped
Size (bytes):	84784
Entropy (8bit):	7.898551049169293
Encrypted:	false
SSDEEP:	1536:CP6i+K2DzH2wxIQHx8CK9XVkivbJhZujQSnAoLI1R4Wch5NzxMo5Ey7Ha4X03uou:sW3H2wx7Hx8tXVJvbEZASPvxMYEyUu8y
MD5:	05F040D07B1B0AAB02F6A98037020421
SHA1:	F650E99B109D41C989FF6B23C023B145707C1A41
SHA-256:	F3959F1240899E39F64BAA61EFE4A1061C4DD768F1B9048E97E7BFEC3259C2C2
SHA-512:	A71C8F29A844E74F79EAD374EBBA5984A86BBAE9CE2ABE7D1CA8F2F6F54F3FD1102F1B630A70D8B8549F6CCA858A0E5255336338B2ABC56A95C0FFE3935A7532
Malicious:	false
Reputation:	low
Preview:	......JFIF.....`.`.....C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..01KK...lq\....xcS.m..#Hm.....T......<!...wq5...v1.?S.....rHj-.U:...5............\|..+.......}...<.>...H.......Wo.CK`/l.1./...C...W.....,1....R.0.W.M.!.l7.~S....."SW.^..c......^s........u,-n....A..?.2.....l.(.?....7..~.q$.f..1\.q[.....oS:.gOY".....f-%.P.b.Z......<Z5..........\|.w....v...2\|...v<.......7.....................s...u.....g.W......)ky..N...

C:\Users\user\AppData\Roaming\886N85Q4\886logrg.ini Download File
Process:	C:\Windows\SysWOW64\raserver.exe
File Type:	data
Category:	dropped
Size (bytes):	38
Entropy (8bit):	2.7883088224543333
Encrypted:	false
SSDEEP:	3:rFGQJhIl:RGQPY
MD5:	4AADF49FED30E4C9B3FE4A3DD6445EBE
SHA1:	1E332822167C6F351B99615EADA2C30A538FF037
SHA-256:	75034BEB7BDED9AEAB5748F4592B9E1419256CAEC474065D43E531EC5CC21C56
SHA-512:	EB5B3908D5E7B43BA02165E092F05578F45F15A148B4C3769036AA542C23A0F7CD2BC2770CF4119A7E437DE3F681D9E398511F69F66824C516D9B451BB95F945
Malicious:	false
Reputation:	high, very likely benign file
Preview:	....C.h.r.o.m.e. .R.e.c.o.v.e.r.y.....

C:\Users\user\AppData\Roaming\886N85Q4\886logri.ini Download File
Process:	C:\Windows\SysWOW64\raserver.exe
File Type:	data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	2.8420918598895937
Encrypted:	false
SSDEEP:	3:+slXllAGQJhIl:dlIGQPY
MD5:	D63A82E5D81E02E399090AF26DB0B9CB
SHA1:	91D0014C8F54743BBA141FD60C9D963F869D76C9
SHA-256:	EAECE2EBA6310253249603033C744DD5914089B0BB26BDE6685EC9813611BAAE
SHA-512:	38AFB05016D8F3C69D246321573997AAAC8A51C34E61749A02BF5E8B2B56B94D9544D65801511044E1495906A86DC2100F2E20FF4FCBED09E01904CC780FDBAD
Malicious:	true
Reputation:	high, very likely benign file
Preview:	....I.e.x.p.l.o.r. .R.e.c.o.v.e.r.y.....

C:\Users\user\AppData\Roaming\886N85Q4\886logrv.ini Download File
Process:	C:\Windows\SysWOW64\raserver.exe
File Type:	data
Category:	dropped
Size (bytes):	210
Entropy (8bit):	3.4644658691795946
Encrypted:	false
SSDEEP:	6:tGQPYlIaExGNlGcQga3Of9y96GO4OlV8F1EoY:MlIaExGNYvOI6x49FzY
MD5:	D2A55B5A0DABE2517AEA6F43085DF974
SHA1:	50B7D96FD31DAD50C6723F5EC9AD7BEAB6D99F0D
SHA-256:	50FD1DAC868B22F3C0FC0A1FBB9C8CA7C4180750D2382C4E444FEF8749EE13AE
SHA-512:	7559CC796FF25D21AC3997DB5FB33F180D5496AA7849EBAE74E40AFBE83308053FBA825B557DA265D5EDE5A28C0B2E2B90EC68D85B998977728EAB307D1EEA9D
Malicious:	true
Reputation:	low
Preview:	...._._.V.a.u.l.t. .R.e.c.o.v.e.r.y.........N.a.m.e.:...M.i.c.r.o.s.o.f.t.A.c.c.o.u.n.t.:.t.a.r.g.e.t.=.S.S.O._.P.O.P._.D.e.v.i.c.e.....I.d.:...0.2.p.y.c.v.q.v.p.b.c.l.i.r.u.u.....A.u.t.:.......P.a.s.s.:.......

C:\Users\user\AppData\Roaming\MySqlConsoleComponents\AUTHORS.txt Download File
Process:	C:\Users\user\Desktop\PURCHASE ORDER.exe
File Type:	UTF-8 Unicode text
Category:	dropped
Size (bytes):	33669
Entropy (8bit):	5.0011182915142145
Encrypted:	false
SSDEEP:	768:OmiivFhB/BtfECByHSJ3/LDyT13NHjrBkUd3Yh16R71y:OTUB/BhyHYLDyT1dHjrBkU1By
MD5:	F7DEE392B74ED345C8B6CEBCC1E030B4
SHA1:	F23DF2AE06E466B0630743BC36AD2140A52F607B
SHA-256:	5555CA3579512DCBE89CBC77D23F4182E6D06F9BB22B6D8E35D546C1E3A17E0F
SHA-512:	39AD625F3DF6B009CE5F64C502F2D599249177270983FB41DCA764EAE59226B666006A6C215982B561B84B449A41CBEC94839E6AA1DA82D9B1A84B07F3647BAB
Malicious:	false
Preview:	AUTHORS.txt for Tux Paint..Tux Paint - A simple drawing program for children...Copyright (c) 2002-2020.Various contributors (see below, and CHANGES.txt).http://www.tuxpaint.org/...June 17, 2002 - August 29, 2020..$Id$...* Design and Coding:.. Bill Kendrick <bill@newbreedsoftware.com>. New Breed Software. http://www.newbreedsoftware.com/.. Flood fill code based on Wikipedia example:. http://www.wikipedia.org/wiki/Flood_fill/C_example. by Damian Yerrick - http://www.wikipedia.org/wiki/Damian_Yerrick.. 800x600 resolution support patch by:. TOYAMA Shin-ichi <shin1@wmail.plala.or.jp>.. Arbitrary resolution support, smudge magic tool, grass magic tool,. brick magic tools, improved stamp tinter, and other fixes by:. Albert Cahalan <albert@users.sf.net>.. Bilinear interpolation code based on an example by Christian Graus. ( http://www.codeproject.com/cs/media/imageprocessing4.asp )... Input Method (IM) Framework implemented by:. Mark K. Kim <mkkim214@gmail.com>.. PostScript pri

C:\Users\user\AppData\Roaming\MySqlConsoleComponents\COPYING.txt Download File
Process:	C:\Users\user\Desktop\PURCHASE ORDER.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	13
Entropy (8bit):	3.546593564294939
Encrypted:	false
SSDEEP:	3:j4vn:sv
MD5:	59E4C5D5ABB73D37F397A6123516FAF8
SHA1:	D375F0A7AF7183261336E65CB353113A430366CD
SHA-256:	3FDCF89D38B02623ADC48A8639AA4AADB81A3E69AB5F91327B84C4F19B9D7369
SHA-512:	0DF18A8825863EB6D334F2B5292C8FA14F5CD5EC0449BC6903EEE42B13DC96E896A29780A9D0D90207B4BD6053CCFB8B406700AA47A9510F2723B01855AD5906
Malicious:	false
Preview:	See COPYING/.

C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe Download File
Process:	C:\Users\user\Desktop\PURCHASE ORDER.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2223616
Entropy (8bit):	6.8136782697969
Encrypted:	false
SSDEEP:	49152:yFcg7fVW62gD7IQ3zMX62ILatrQT/R/hqo:o8LUx3zMX6Tat0
MD5:	9C503420EE9E1F93D2B3C069B42FB899
SHA1:	F2A9791D5B394C7C25E31807E1B241FD5021FE58
SHA-256:	3DA0FF15C077F76E57BD5C116E8C85599FC420A4433B19C705F0D437F7368CEC
SHA-512:	E5B971D40F705D7B3911105A25C190C3B193CF93B157F527BE0BBAD90C866521E91D642C476C65DD375221BADE42017136493159524E1B738BD32AAA3BEF3671
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$.........@............-......+.m.........k.....k.-....S.+....k.+.A...m./....O./....../...../.....M.'.s...M...........M.,....Rich...Rich............................PE..L....p`............................u.......@....@..........................`"...........@..................................P..P.............................!..I..0...p...............................@............@..L............................text....).......*.................. ....rdata.......@......................@..@.data........`.......L..............@....rsrc................"..............@..@.reloc...I....!..J.... .............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\MySqlConsoleComponents\README.txt Download File
Process:	C:\Users\user\Desktop\PURCHASE ORDER.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.317190167834099
Encrypted:	false
SSDEEP:	3:7vg/Kx+twUvEJKhVv:cTvgKP
MD5:	EA8CC6BFC03F4F0C2B9E1A7AA0DFE56B
SHA1:	19264B21CA1BEE51CAAC35B03060E7C52108AE78
SHA-256:	33FCCB7C4736C06F285200BC887C52C750DA8D286301E56F86485E2F12AC0696
SHA-512:	86BF6BBDA10A387364A7ECF17E0EE4AD54772521A946277F88D1AFD2528FD5980A6A2D20374AABBF7481C579703286D67E8C88DC6DD641C23B72284F4660809F
Malicious:	false
Preview:	See [locale]/html/README.html or [locale]/README.txt...

C:\Users\user\AppData\Roaming\MySqlConsoleComponents\RELEASE.txt Download File
Process:	C:\Users\user\Desktop\PURCHASE ORDER.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	1419
Entropy (8bit):	4.836319013680938
Encrypted:	false
SSDEEP:	24:irABbhOCV3p96sA9/TUEPD+Q9U9i9la9S9LW+GORBzDDQdq9JWtjAELG67t:irABbnp96sWLnPD+QGYHaIx/GORFDcdb
MD5:	3498D3E33BE5D62C42A1C4FE5CA1D7D8
SHA1:	8D061EDAB93903FC21DCF104078393A061EA2399
SHA-256:	06C26688D1631C1E63DC84CB2BA6BDC3BB98E18681E4DBB0C744F95B8EF50C29
SHA-512:	BDC5FEC4FA7494128B2537DE35A73B812BCE09A431B9F9619B203C26859F71344E05ED04B5EE5A828A5376B9903F35C6A662A84DA452C812D7C88EEA472D1617
Malicious:	false
Preview:	Release checklist for Tux Paint.Last updated 2020-07-27 -bjk..Do these things _prior_ to cutting a release -- that is, prior to.tagging in the source code repository, running "make release" to roll.a .tar.gz source tarball, and making the tarball available for download... * Update version # and release dates.. Places to make sure version # and release date gets updated,.. * Makefile. . * Build description files:. * tuxpaint.spec (Linux RPM package). * macos/Info.plist (macOS build). * win32/resources.rc (Windows mingw/msys build). . * Documentation. (For HTML variants, be sure to run "make" in "docs/", to. produce plaintext alternatives!). . * docs/CHANGES.txt. * docs/en/html/README.html. * docs/en/html/FAQ.html. * docs/en/html/OPTIONS.html. * docs/en/html/EXTENDING.html. * docs/en/html/ADVANCED-STAMPS-HOWTO.html. . * Manual page (manpage). * src/manpage/tuxpaint.1.. * Tidy the HTML documentation.. Using . (Be sure to ru

C:\Users\user\AppData\Roaming\MySqlConsoleComponents\SDL_ttf.dll Download File
Process:	C:\Users\user\Desktop\PURCHASE ORDER.exe
File Type:	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	5.619535491109385
Encrypted:	false
SSDEEP:	384:nlf1xrfskGBW2z1w/6yVjkBFd4EvyH8Cj17+NSYxtK5PsdbCvh3BVKcc:lf1V3KW2z1wECjswCIg64
MD5:	EF451A82499550EB2C784B75B1006C14
SHA1:	E3E7C084875E7946A74E9221A27E2451A7BD45AE
SHA-256:	BC87B344774314014C05C54FBCB9FA0A6F584057906253B24C16ACABDA558AA7
SHA-512:	9111A953820985229C8E6449EC27A75D7A4FB7402239D295AFCE8D29F0193A5657F16953980B17F8197F2EA8A01CCA75AB50ADB2F4B87B7F35BB047170602514
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.................."...#.L...\|......0.........Lo.....................................Z........ .........................................%...............(.......................d........................... q..(.......................0............................text...(J.......L..................`.P`.data........`.......P..............@.P..rdata.......p.......R..............@.`@.pdata...............Z..............@.0@.xdata...............`..............@.0@.bss....@.............................`..edata..%............d..............@.0@.idata...............j..............@.0..CRT....X............v..............@.@..tls.................x..............@.@..rsrc...(............z..............@.0..reloc..d............~..............@.0B................................................................................................................................

C:\Users\user\AppData\Roaming\MySqlConsoleComponents\en\ADVANCED-STAMPS-HOWTO.txt Download File
Process:	C:\Users\user\Desktop\PURCHASE ORDER.exe
File Type:	UTF-8 Unicode text
Category:	dropped
Size (bytes):	14050
Entropy (8bit):	4.4172539306068215
Encrypted:	false
SSDEEP:	192:v8SzKHIHNWLoI2C1I6ipR8PO5v8iPBWMcr+7wY0p/s:v8iKH+WMI4VR8PuvLPBWMcAqp/s
MD5:	10C092537D6842DE53557B17CD53FAF9
SHA1:	15E5A99CF9B13BFC16CC1644508A1C37D62953DA
SHA-256:	A59D3277DA1CA53F20DE626258B11AECB9986173EBBD4BEE0164DEF64D066A49
SHA-512:	93A556B61555D9A21C2CFDB4A3380E87C0864625D6E09D17A4391E69C1A126EC6BEF93745E1B4FAB05E948D011EB461A58B9F0DB515D987DB5D0D24350B85B97
Malicious:	false
Preview:	Tux Paint. version 0.9.25. Advanced Stamps HOWTO.. Copyright 2006-2008 by Albert Cahalan for the Tux Paint project. New Breed Software.. albert@users.sf.net. http://www.tuxpaint.org/..About this HOWTO.. This HOWTO assumes that you want to make an excellent Tux Paint stamp,. in PNG bitmapped format, from a JPEG image (e.g., a digital photograph).. There are easier and faster methods that produce lower quality... This HOWTO assumes you are dealing with normal opaque objects. Dealing. with semi-transparent objects (fire, moving fan blade, kid's baloon) or. light-giving objects (fire, lightbulb, sun) is best done with custom. software. Images with perfect solid-color backgrounds are also best done. with custom software, but are not troublesome to do as follows...Image choic

C:\Users\user\AppData\Roaming\MySqlConsoleComponents\en\EXTENDING.txt Download File
Process:	C:\Users\user\Desktop\PURCHASE ORDER.exe
File Type:	UTF-8 Unicode text
Category:	dropped
Size (bytes):	38716
Entropy (8bit):	4.547324263195886
Encrypted:	false
SSDEEP:	384:MvbU5HJB5gB7qMQYD5PGznxE40Rr3DWgJr6L2dscYQeGczpLhcz/YbVxDqTOKXta:MwFXyBSYDYzim4rWJqUbSS8xa4DyRiS
MD5:	521FBA9DEC62D1CD10A3757E2742CB9C
SHA1:	F3A1B64C5B2D59E1E52EFC9189DAAEB387A198CF
SHA-256:	F716F88B488707FD33445AF8ABCE7DA44E29A73F937A5B74A7B25C74555E32E7
SHA-512:	DC8003DA66C4C2CFC1AE8DA035A0CA1D2A1A824B77E55F1609159C6A14C04AB94BF7CE8EC05A835262A9E25DD3EB26073D1C3F452C48B8F1D6429C88BEA3560C
Malicious:	false
Preview:	Extending. Tux Paint. version 0.9.25.. Copyright (c) 2002-2020 by various contributors; see AUTHORS.txt. http://www.tuxpaint.org/.. June 14, 2002 - December 27, 2020.. ----------------------------------------------------------------------.. +------------------------------------------+. \|Table of Contents \|. \|------------------------------------------\|. \| * Where Files Go \|. \| * Standard Files \|. \| * Personal Files \|. \| * Brushes \|. \| * Brush Options \|. \| * Stamps \|. \| * Images \|. \| * Description Text \|. \| * Sound Effects \|. \| * Descriptiv

C:\Users\user\AppData\Roaming\MySqlConsoleComponents\en\FAQ.txt Download File
Process:	C:\Users\user\Desktop\PURCHASE ORDER.exe
File Type:	UTF-8 Unicode text
Category:	dropped
Size (bytes):	27072
Entropy (8bit):	4.335932319632088
Encrypted:	false
SSDEEP:	384:OWmUY06uukxjifUE9EsBVdUZAG/da0pZ8FVtuV5c8:O4X6lR9zGOG1pZ8T0V5L
MD5:	2AF8CBC55E40D24B00726B88B56897AE
SHA1:	D21F7293907DC66E1657C91469FE4AE0D240A5E4
SHA-256:	189AAB079A180438540DD086C689F03149568522F1527CF6763F80B6EA264A67
SHA-512:	A6516E346595447FC35018759765738AB59569DF1494AB4FA080EC06965AC3EBF4950B4D7A0732E85CAD509D192DFAD277F8979671B2FAD58C00C2107E5C02F9
Malicious:	false
Preview:	Tux Paint. version 0.9.25. Frequently Asked Questions.. Copyright (c) 2002-2020 by various contributors; see AUTHORS.txt. http://www.tuxpaint.org/.. September 14, 2002 - December 27, 2020.. ----------------------------------------------------------------------..Drawing-related.. Fonts I added to Tux Paint only show squares. The TrueType Font you're using might have the wrong encoding. If. it's 'custom' encoded, for example, you can try running it through. FontForge (http://fontforge.sourceforge.net/) to convert it to an. ISO-8859 format. (Email us if you need help with special fonts.).. The Rubber Stamp tool is greyed out!.. This means that Tux Paint either couldn't find any stamp images,. or was asked not to load them... If you installed Tux Paint, but did not ins

C:\Users\user\AppData\Roaming\MySqlConsoleComponents\en\INSTALL.txt Download File
Process:	C:\Users\user\Desktop\PURCHASE ORDER.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	15010
Entropy (8bit):	4.712788861926551
Encrypted:	false
SSDEEP:	384:vYIo3RazsGW1Wtp96AUcTZcXE3leVtaW8iEWwawhPmlbQ:vYbesGW1Wt8cTuX4KEW8hWpwhP2Q
MD5:	567A7BBA8BFB4CDEED891BEF83FC20A1
SHA1:	F06AB758CF2C5640D8C521F45BA68D3865A73E06
SHA-256:	79385656BD4AC2C1B7423219DD958966DBEAFF136986C5469FD47DEA9B089BD4
SHA-512:	4DFBBA40BEC73005F841C0E30B00E28A6FD3C764C25CDB08FE92CD9A8AB9F6EFB6B1D421D5038CBC8462697EC9267DC84E2443617BFA2F3090A8BE6DE4864DAB
Malicious:	false
Preview:	INSTALL.txt for Tux Paint..Tux Paint - A simple drawing program for children...Copyright (c) 2002-2020.Various contributors (see below, and AUTHORS.txt).http://www.tuxpaint.org/..June 27, 2002 - July 25, 2020.$Id$...Requirements:.-------------. Windows Users:. --------------. The Windows version of Tux Paint comes pre-packaged with the. necessary pre-compiled libraries (in ".DLL" form), so no extra. downloading is needed... libSDL. ------. Tux Paint requires the Simple DirectMedia Layer Library (libSDL),. an Open Source multimedia programming library available under the. GNU Lesser General Public License (LGPL)... Along with libSDL, Tux Paint depends on a number of other SDL 'helper'. libraries: SDL_Image (for graphics files), SDL_TTF and (optionally). SDL_Pango (for True Type Font support) and, optionally,. SDL_Mixer (for sound effects)... Linux/Unix Users:. -----------------. The SDL libraries are available as source-code, or as RPM or De

C:\Users\user\AppData\Roaming\MySqlConsoleComponents\en\OPTIONS.txt Download File
Process:	C:\Users\user\Desktop\PURCHASE ORDER.exe
File Type:	UTF-8 Unicode text
Category:	dropped
Size (bytes):	82810
Entropy (8bit):	3.6256528224175812
Encrypted:	false
SSDEEP:	768:8qEjuMVMWfwobnlLibNywFFANTNl3dyCqEN/O6B7gWl:8CMVMWfwokRywkNZl3dyCqEF7Tl
MD5:	40D227FA963D9311B74852DF2FCE8B95
SHA1:	83A4D66FA3BCDB600BB2CD26E2281D11A76C10B2
SHA-256:	BBDFF869AD03351552E51B3E97AFEA2C0C77172647507B6831E19FA83080BF1E
SHA-512:	7D3F2BE3E65AE2C6E07DE552049EEE346CAB522D46396C3CFE24C4E0C5E632639F9A2DDF13C8611A6EC011EBB7942996C4276CF58F398EC941D8CD09E864C656
Malicious:	false
Preview:	Tux Paint. version 0.9.25..Options Documentation.. Copyright (c) 2002-2020 by various contributors; see AUTHORS.txt. http://www.tuxpaint.org/.. December 27, 2020.. ----------------------------------------------------------------------.. Tux Paint Config... As of Tux Paint version 0.9.14, a graphical tool is available that. allows you to change Tux Paint's behavior. However, if you'd rather not. install and use this tool, or want a better understanding of the. available options, please continue reading... ----------------------------------------------------------------------.. Configuration File.. You can create a simple configuration file for Tux Paint, which it will. read each time you start it up... The file is simply a plain text file containing the options yo

C:\Users\user\AppData\Roaming\MySqlConsoleComponents\en\PNG.txt Download File
Process:	C:\Users\user\Desktop\PURCHASE ORDER.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4422
Entropy (8bit):	4.829212627670506
Encrypted:	false
SSDEEP:	96:OeZzbBnh82R+dfsvpt789pwgBx3Msm69+DSndasTAQSqsn:rpydfsx9/gBx3MsmHSddEn
MD5:	FE81DCE9188F49EB18F407A943C345FE
SHA1:	F55D001A9AE7CC3E918916A2CF673D5DCD8F8306
SHA-256:	23E87CE66B40BD98201D51E458E9B0E6D945D49A9DD7D9ECDDB975C11B9A5F29
SHA-512:	CB63A2ECC30FDA42270A671E49F73393969794F7EADC6B7D4BC45781ED12D4892BDEB6A86489BEDD1F553F96D409433C4A570D26AC0963567ECF58A1E0B949A5
Malicious:	false
Preview:	PNG.txt for Tux Paint..Tux Paint - A simple drawing program for children...Copyright 2002-2007 by Bill Kendrick and others.bill@newbreedsoftware.com.http://www.tuxpaint.org/..June 27, 2002 - June 19, 2007.$Id$...About PNGs.----------. PNG is the Portable Network Graphic format. It is an open standard,. not burdened by patents (like GIFs). It is a highly compressed format. (though not "lossy" like JPEGs - lossiness allows files to be much. smaller, but introduces 'mistakes' in the image when saved), and. supports 24-bit color (16.7 million colors) as well as a full. "alpha channel" - that is, each pixel can have a varying degree of. transparency... For more information, visit: http://www.libpng.org/.. These features (openness, losslessness, compression, transparency/alpha). make it the best choice for Tux Paint. (Tux Paint's support for the PNG. format comes from the Open Source SDL_Image library, which in turn gets. it from the libPNG library.).. Support for many color

C:\Users\user\AppData\Roaming\MySqlConsoleComponents\en\README.txt Download File
Process:	C:\Users\user\Desktop\PURCHASE ORDER.exe
File Type:	UTF-8 Unicode text
Category:	dropped
Size (bytes):	43872
Entropy (8bit):	3.9736990477150402
Encrypted:	false
SSDEEP:	384:zEkIRxMAhOwG31xRvXalQy88klD9M8qQ5GkaFqTk+rNZsfvYMuMr/s8XoyFMWJfE:zKAp3HRvPn3RiYqLjG+p7SfD4csP2
MD5:	D0DFB04EE442D61EFA610584DA85A7F9
SHA1:	BCAB94E6246B2993F2A33D0BDC216A7A0C90F492
SHA-256:	4085CC108C9C96AA158ECF0BDDCDC78A69CEC153132C631233FBD14118BF4B61
SHA-512:	344247B41E013C6BE06F17BA1E2F22BB740F48F4FD75D9267EDD9FCBB9A89F0C664FF306ADD440F5B50A2E7EEB29820B83889DEF2A47DE5C397165F566E7EE2B
Malicious:	false
Preview:	Tux Paint. version 0.9.25.. A simple drawing program for children.. Copyright 2002-2020 by various contributors; see AUTHORS.txt. http://www.tuxpaint.org/.. June 14, 2002 - December 27, 2020.. ----------------------------------------------------------------------.. +-------------------------------------------+. \|Table of Contents \|. \|-------------------------------------------\|. \| * About \|. \| * Using Tux Paint \|. \| * Loading Tux Paint \|. \| * Title Screen \|. \| * Main Screen \|. \| * Available Tools \|. \| * Drawing Tools \|. \| * Other Controls \|. \| * Loading Other Pictures into Tux Paint \|. \| * Further R

C:\Users\user\AppData\Roaming\MySqlConsoleComponents\en\SIGNALS.txt Download File
Process:	C:\Users\user\Desktop\PURCHASE ORDER.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	1793
Entropy (8bit):	4.766441381870642
Encrypted:	false
SSDEEP:	48:UeZuWgsKSiF+cvgcKhrvS4AEuwdrMOsAHdEWK10h5fqj14:UeZ/gsBKjBIAEuwdI6+W60Tij14
MD5:	A2DC03F6173A8782313502039A0FA648
SHA1:	F40E47A7FEBC3E20EBF7EBDDDE85C5E768E30ADA
SHA-256:	8EAE138633372A60E5D924A22DC8C53CFF3AF6C5F7DBCECC6402F935DA65C967
SHA-512:	F4A5ADF8D2DDD5DC45EA5EEB21D1996CD05C7910154771E2EB4A539B3B85FE61EAA79A4FE649A31A0AA1A228DEAB6927DF5451ED4F9AD523B1DE7D5344C657F8
Malicious:	false
Preview:	SIGNALS.txt for Tux Paint..Tux Paint - A simple drawing program for children...Copyright 2019 by Bill Kendrick and others.bill@newbreedsoftware.com.http://www.tuxpaint.org/..April 3, 2019..Tux Paint responds to the following signals (which can be.sent to the program's process via `kill` or `killall`, for.example)... * SIGTERM (also, [Ctrl]+[C] from a terminal running "tuxpaint").. Tux Paint responds as if the "Quit" button were pressed,. or the desktop environment was told to close Tux Paint. (e.g., by clicking a window close button, or pressing. [Alt]+[F4] on most systems)... From the main interface, Tux Paint will prompt whether or. not you wish to quit, and (unless overridden by "--autosave"). if you'd like to save the current drawing (if unsaved),. and if so, and it's a modified version of an existing drawing. (unless overridden by "--saveover" or "--saveovernew"),. whether or not to overwrite the existing drawing, or save. to a new file... From other parts

C:\Users\user\AppData\Roaming\MySqlConsoleComponents\en\SVG.txt Download File
Process:	C:\Users\user\Desktop\PURCHASE ORDER.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	1608
Entropy (8bit):	4.875323602966127
Encrypted:	false
SSDEEP:	48:ZeZ6WFnUXUzWHcX3zY7GvHtwuU3RkiWXAJBPG:ZeZzyUzq6j5Khei9e
MD5:	C44036879F4FA81F30ED5640354C2684
SHA1:	131F39701745FEDFD16B5E37429D31CA21B5B1AB
SHA-256:	D65F8E199358C094B721D717A237B84D3DA9813F9286007E55246069C3B2F040
SHA-512:	94A1746E80B9E5471A57197EF48A1212631FD2F8EF46205906DF08A259B8F3D0EC855F0591F9E76786870490742E82A16C1D1B6EC9AE98772E6AE8351A7BF775
Malicious:	false
Preview:	SVG.txt for Tux Paint..Tux Paint - A simple drawing program for children...Copyright 2002-2007 by Bill Kendrick and others.bill@newbreedsoftware.com.http://www.tuxpaint.org/..June 19, 2007 - June 19, 2007.$Id$...SVG (Scalable Vector Graphics) is an open standard used to describe.two-dimensional vector graphics. It is great for diagrams and shapes,.while PNGs are better for photographs. SVG files are a bit like instructions.on how to make an image. This means that they can be resized without looking.pixelated or blocky...Wikipedia, an online user-driven encyclopedia, has lots more info:.http://en.wikipedia.org/wiki/Scalable_Vector_Graphics..SVGs On the Web.---------------. Web browsers like Mozilla Firefox, Apple's Safari and Opera have some. SVG support. A plugin is available to see SVG images in older versions of. Microsoft Internet Explorer ( http://www.adobe.com/svg/viewer/install/ )...How to make SVGs.----------------. Linux/Unix users. ----------------. A popular Open

C:\Users\user\AppData\Roaming\MySqlConsoleComponents\en\html\ADVANCED-STAMPS-HOWTO.html Download File
Process:	C:\Users\user\Desktop\PURCHASE ORDER.exe
File Type:	HTML document, UTF-8 Unicode text
Category:	dropped
Size (bytes):	18017
Entropy (8bit):	4.370197681954086
Encrypted:	false
SSDEEP:	384:MURF0WdjyTE3flUMy/hZxGvP21n4KU2Cc:xR7bt+ZsQ
MD5:	A4F66CD1860AE76A42FAA3C58D332811
SHA1:	30D43B78CE8CCFDF98550507DB3D837916FDE642
SHA-256:	0F694D4D85C71B018E7C8521506E3437B0786862DF0CFD2545DC925FA1C99534
SHA-512:	2BF8AC7360118E63E405C6799791507EE4266C9A09AD5A3AD36129D7163941DEFB1D50ECE7B7885D629EEE95BE04254FBDF2A9901AE2ADE7B8AAE3354BFCD87C
Malicious:	false
Preview:	<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">.<html>. <head>. <meta name="generator". content="HTML Tidy for HTML5 for Linux version 5.6.0">. <title>. Tux Paint Advanced Stamps HOWTO. </title>. <meta http-equiv="Content-Type". content="text/html; charset=utf-8">. </head>. <body bgcolor="#FFFFFF". text="#000000". link="#0000FF". vlink="#FF0000". alink="#FF00FF">. <center>. <h1>. <img src="../../html/images/tuxpaint-title.png". width="205". height="210". alt="Tux Paint"><br>. version 0.9.25<br>. Advanced Stamps HOWTO. </h1>.. <p>. Copyright 2006-2008 by Albert Cahalan for the Tux Paint. project<br>. New Breed Software. </p>.. <p>. <a href=. "mailto:albert@users.sf.net">albert@users.sf.net</a><br>. <a href=. "http://www.tuxpaint.org/">http://www.tuxpaint.org/</a>. </p

C:\Users\user\AppData\Roaming\MySqlConsoleComponents\en\html\EXTENDING.html Download File
Process:	C:\Users\user\Desktop\PURCHASE ORDER.exe
File Type:	HTML document, UTF-8 Unicode text
Category:	dropped
Size (bytes):	63766
Entropy (8bit):	4.342779757745086
Encrypted:	false
SSDEEP:	768:OkfXgcmcdvHa60igXS5vtP6HQ5TLCSzeUg:YkBNJLJA
MD5:	593792B44FCAFB4E594DD5B91D2C543A
SHA1:	85BE7A1D311C98DD3A8BC016F709AD6AEF278570
SHA-256:	CD341865D6119BB38AC66DD6CFE7AA09093FFD5F98A908FAE55F143C319D6847
SHA-512:	E4340F85547EA6392C69532AB8A6CBFA4420D19C4E372120DF0668C5B26396203653D724F307BCD1524706E980824C36B59532855659D4D76B90ED8B747C75D0
Malicious:	false
Preview:	<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">.<html>. <head>. <meta name="generator". content="HTML Tidy for HTML5 for Linux version 5.6.0">. <title>. Extending Tux Paint. </title>. <meta http-equiv="Content-Type". content="text/html; charset=utf-8">. </head>. <body bgcolor="#FFFFFF". text="#000000". link="#0000FF". vlink="#FF0000". alink="#FF00FF">. <center>. <h1>. Extending<br>. <img src="../../html/images/tuxpaint-title.png". width="205". height="210". alt="Tux Paint"><br>. version 0.9.25. </h1>.. <p>. Copyright (c) 2002-2020 by various contributors; see. AUTHORS.txt<br>. <a href=. "http://www.tuxpaint.org/">http://www.tuxpaint.org/</a>. </p>.. <p>. June 14, 2002 - December 27, 2020. </p>. </center>.. <hr size="2". noshade>.. <table border="2". cellspacin

C:\Users\user\AppData\Roaming\MySqlConsoleComponents\en\html\FAQ.html Download File
Process:	C:\Users\user\Desktop\PURCHASE ORDER.exe
File Type:	HTML document, UTF-8 Unicode text
Category:	dropped
Size (bytes):	37102
Entropy (8bit):	4.284437751967141
Encrypted:	false
SSDEEP:	384:T/+jfTh6MMqTUnZ8KcTtVewWtHYrlTBPw5eds9dbW:T/+LVM9Zr8IrtWPwgIdbW
MD5:	B877E6282081C4C158893BDE263A70C6
SHA1:	83A617543CC6F66B967D63F903D79A5955367FE4
SHA-256:	4DB3DC4161E6171D7F3F41AC27E18D51771C094D8183853D9446385F09FC68AF
SHA-512:	C34F9E7336A73CC1C4E81259F8143068784FF995593DCF15B56AF8C8DEEAA5C8927BC1855A11EDB2177CA7D5D9B06D9908B1CECD6752FD9B26943C3BD265A9F4
Malicious:	false
Preview:	<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">.<html>. <head>. <meta name="generator". content="HTML Tidy for HTML5 for Linux version 5.6.0">. <title>. Tux Paint Frequently Asked Questions. </title>. <meta http-equiv="Content-Type". content="text/html; charset=utf-8">. </head>. <body bgcolor="#FFFFFF". text="#000000". link="#0000FF". vlink="#FF0000". alink="#FF00FF">. <center>. <h1>. <img src="../../html/images/tuxpaint-title.png". width="205". height="210". alt="Tux Paint"><br>. version 0.9.25<br>. Frequently Asked Questions. </h1>.. <p>. Copyright (c) 2002-2020 by various contributors; see. AUTHORS.txt<br>. <a href=. "http://www.tuxpaint.org/">http://www.tuxpaint.org/</a>. </p>.. <p>. September 14, 2002 - December 27, 2020. </p>. </center>.. <hr>.. <h2>. Drawing-r

C:\Users\user\AppData\Roaming\MySqlConsoleComponents\en\html\OPTIONS.html Download File
Process:	C:\Users\user\Desktop\PURCHASE ORDER.exe
File Type:	HTML document, UTF-8 Unicode text
Category:	dropped
Size (bytes):	130973
Entropy (8bit):	3.394489021096449
Encrypted:	false
SSDEEP:	768:+d3zQ8iIbBrsScGWZPrMDMN52f0NrDTg1NRp+yPm12xcx:+d3iIbBrreMDi52sNrDU1NRp+yIOcx
MD5:	F4300498979BBAB0266896E7EA301D28
SHA1:	47842CDB94FCBEEA8A99C8B5EDD678D8EF865BF7
SHA-256:	983C2AAFB0B8099B8D29D09AA5CD5BA4D75452D7CC3CF9E786E2C4A72628950F
SHA-512:	FBE1850B27B3C5201C13C707F6C2C5A88911DE376510AC7CF4B1011BE0A11A9034686C8308456536E7864EFFAB7EA1EEEB25EA1EC6D92BEDB7842A2EE3339635
Malicious:	false
Preview:	<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">.<html>. <head>. <meta name="generator". content="HTML Tidy for HTML5 for Linux version 5.6.0">. <title>. Tux Paint Options Documentation. </title>. <meta http-equiv="Content-Type". content="text/html; charset=utf-8">. </head>. <body bgcolor="#FFFFFF". text="#000000". link="#0000FF". vlink="#FF0000". alink="#FF00FF">. <center>. <h1>. Tux Paint<br>. version 0.9.25. </h1>.. <h2>. Options Documentation. </h2>.. <p>. Copyright (c) 2002-2020 by various contributors; see. AUTHORS.txt<br>. <a href=. "http://www.tuxpaint.org/">http://www.tuxpaint.org/</a>. </p>.. <p>. December 27, 2020. </p>. </center>.. <hr size="2". noshade>.. <h1>. Tux Paint Config.. </h1>.. <blockquote>. <p>. As of Tux Paint version 0.9.14, a gra

C:\Users\user\AppData\Roaming\MySqlConsoleComponents\en\html\README.html Download File
Process:	C:\Users\user\Desktop\PURCHASE ORDER.exe
File Type:	HTML document, UTF-8 Unicode text
Category:	dropped
Size (bytes):	68670
Entropy (8bit):	3.8553895673958403
Encrypted:	false
SSDEEP:	1536:TxWJjpukpp9YxdTKKJqy2XWqVYMWxdv7kB40q2Ohba+6wjnuuA17buY1a7:Tx8Ukz9YX3qsu17buYo7
MD5:	D662EFB27B5C38C9F384DBD5754DE7C1
SHA1:	9D3A260A482CF15BD9F260F50D45F0FB83EB438C
SHA-256:	E6A21D997B1FE50DBFE8F01F5B6E69F466126B65043FBBDDD47691655BE4A5EF
SHA-512:	16C8E1FC829EF518E73BC07B92B9155F67D90CAC346213CEB29288183D9AD643693FAF24B5ACAE7775D56C8F49275A2D4EEAF166537960E9DB61FC0464D390B2
Malicious:	false
Preview:	<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">.<html>. <head>. <meta name="generator". content="HTML Tidy for HTML5 for Linux version 5.6.0">. <title>. Tux Paint README. </title>. <meta http-equiv="Content-Type". content="text/html; charset=utf-8">. </head>. <body bgcolor="#FFFFFF". text="#000000". link="#0000FF". vlink="#FF0000". alink="#FF00FF">. <center>. <h1>. <img src="../../html/images/tuxpaint-title.png". width="205". height="210". alt="Tux Paint"><br>. version 0.9.25. </h1>.. <h3>. A simple drawing program for children. </h3>.. <p>. Copyright 2002-2020 by various contributors; see. AUTHORS.txt<br>. <a href=. "http://www.tuxpaint.org/">http://www.tuxpaint.org/</a>. </p>.. <p>. June 14, 2002 - December 27, 2020. </p>. </center>.. <hr size="2". noshade

C:\Users\user\AppData\Roaming\MySqlConsoleComponents\en\magic-docs\blinds.txt Download File
Process:	C:\Users\user\Desktop\PURCHASE ORDER.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	250
Entropy (8bit):	4.153744103651465
Encrypted:	false
SSDEEP:	6:efHMRT0aOCgX2/KcJRSiUJSFVcPBliaUm2RIWFcn:evMRAaOCSqK40dS05YhOWFc
MD5:	C431482A3B893978A247B856893685DD
SHA1:	712D1E377491EC89975CDB7F908D5522AEB9CC7F
SHA-256:	ABCC928FD47F1F83EC0033263BA63973FA1549E724DF87CBAF258BDE654D0844
SHA-512:	4557FCC3402DE0CD22E9B80F5659575EC5EA74F859B034958B9201D8CAF1CC20A77E14E30AE76C9A12161255CFFC85C3F74595928A7FA4EA6945C0EDC7A9A69F
Malicious:	false
Preview:	Tux Paint "Magic" Tool: Blinds.. By Pere Pujal i Carabantes <pere@fornol.no-ip.org>.. Click towards the edge of your picture to pull window blinds over it. Move. perpendicularly to open or close the blinds..

C:\Users\user\AppData\Roaming\MySqlConsoleComponents\en\magic-docs\blocks.txt Download File
Process:	C:\Users\user\Desktop\PURCHASE ORDER.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	267
Entropy (8bit):	4.126791940376243
Encrypted:	false
SSDEEP:	6:efHMRDPFmmJZ1375Nb1Qcj/y/tGR7VfATnZig:evMRD0+L37Tv/kt8NATnV
MD5:	0965BE1E11631569377D0F7674E4831D
SHA1:	2BC841DB1EFBFF446917A3F3DD02F5EB169B6155
SHA-256:	0865C4E2538953DBDAE62257DE9D6790C3F01C2B2C7EC4BFE9B03E7F42AD8385
SHA-512:	C44B51739AF4BF567BED6E53AB48EF5CBFBDC96A889449D0C44CFC8274F756ED84C1515B37DD3130A9BEC37FC482ADE0D33EF428280FFF34BDE53A3F952E942E
Malicious:	false
Preview:	Tux Paint "Magic" Tool: Blocks.. By Bill Kendrick <bill@newbreedsoftware.com>. Albert Cahalan <albert@users.sf.net>.. This makes the picture blocky looking ("pixelated") wherever you drag the. mouse..

C:\Users\user\AppData\Roaming\MySqlConsoleComponents\en\magic-docs\blur.txt Download File
Process:	C:\Users\user\Desktop\PURCHASE ORDER.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	269
Entropy (8bit):	4.092727249149401
Encrypted:	false
SSDEEP:	6:8fHMRtmJZ1375Nb1Qcj/y/bf+GnZYcxSxu:8vMRt+L37Tv/k7Rn2SSxu
MD5:	8EBEABAF8D219698B38C67ABBDF91FFA
SHA1:	8A03ADA1CFF3A2B8A50F9513A16966C1A67F2DD2
SHA-256:	54726951A66ADCA981F4E737BE099B006D6101009FE3A8FEB56FA3A9477F03C2
SHA-512:	11728FC8EB26B552AD361CCD44EEBE9A6E09E5E69441C6DBFAC798AC89B6BF0099FAE19F73040EC0C6EFB5362EF6F3F7DCC8AAE24229F0EDD26A58C605D7DF69
Malicious:	false
Preview:	Tux Paint "Magic" Tool: Blur.. By Bill Kendrick <bill@newbreedsoftware.com>. Albert Cahalan <albert@users.sf.net>.. This makes the picture fuzzy wherever you drag the mouse... See also: Sharpen Smudge.

C:\Users\user\AppData\Roaming\MySqlConsoleComponents\en\magic-docs\bricks.txt Download File
Process:	C:\Users\user\Desktop\PURCHASE ORDER.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	306
Entropy (8bit):	4.097509539848269
Encrypted:	false
SSDEEP:	6:efHMRjFelB1Qcj/+9rqHcDhIYMaUi3Ko1fANeKJWMD:evMRAlp/Erq8Dh5UxoxaJWy
MD5:	375D17E06432A96922CED0BB212E0236
SHA1:	5AB300FB27322C2AF56AD8152847E9A787C9167D
SHA-256:	C4D52874A901D4B9EE7E7C7E802B51543D9B8D52768D3B5BFCEC3C2A70C8BC72
SHA-512:	25385690A79820417D27FD9A00D11E67BA4BBEC1FB1677EECF2465EA25AED35679FD990C0CE66C585888118B4D141D2F1E115359CD2469154C648B5D65DF7A7F
Malicious:	false
Preview:	Tux Paint "Magic" Tool: Bricks.. By Albert Cahalan <albert@users.sf.net>.. These two tools intelligently paint large and small brick patterns on the. canvas. The bricks can be tinted various redish hues by selecting. different colors in the color palette..

C:\Users\user\AppData\Roaming\MySqlConsoleComponents\en\magic-docs\calligraphy.txt Download File
Process:	C:\Users\user\Desktop\PURCHASE ORDER.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	224
Entropy (8bit):	4.185348214173884
Encrypted:	false
SSDEEP:	3:N/+fHor+KR1UwFFumJZ1cG7NGYvjNMQlCQRNgHTvEHMUE0Vu3SiZIdFZUeLKNZvn:sfHMR1fmmJZ1375yQlkHTEzVuiiIuXv
MD5:	E672B8D74BCC539C95661968933836AA
SHA1:	EA8CFC04F78F1794F70007FBF8972803F8401F35
SHA-256:	3D609E5B72CF5165774F573FB2F80A1A4FE2CD5491EB9486967D3281674894D9
SHA-512:	3A701C9EFEA254B76D50017E752CC9278454D94ED87F262DF84B525C2F7C004E9552391D40663CF64663AFBE5404E1C265D6E8F65488185BA1450A2BBD82C2EC
Malicious:	false
Preview:	Tux Paint "Magic" Tool: Calligraphy.. By Bill Kendrick <bill@newbreedsoftware.com>.. This paints on the canvas with a calligraphy pen. The quicker you move,. the thinner the lines..

C:\Users\user\AppData\Roaming\MySqlConsoleComponents\en\magic-docs\cartoon.txt Download File
Process:	C:\Users\user\Desktop\PURCHASE ORDER.exe
File Type:	UTF-8 Unicode text
Category:	dropped
Size (bytes):	252
Entropy (8bit):	4.222950300872223
Encrypted:	false
SSDEEP:	3:N/WfHor+KRJFumJZ1cG7NGYvjNM/+FAXAmV06bfHDprMZJbW+f/npR5GqWUErYQ7:UfHMRamJZ1375y//V06bvNrMi+3Dz9cb
MD5:	42AEC8730C7A3C4F05B2F5B737031DF7
SHA1:	0DDCB38BD037389BA06F9EE812A08930B20362CA
SHA-256:	DE6956C05070A38405CACEBE7D4C061B31E0FAD423B9F450096AD3D8EEAC9535
SHA-512:	69940196E66378A4FBDBC99500DA7F1AD2A2DF962D8EF1D62A329B1CCD833526876582C6C47C87566E562432F414E028A2AEF478E41122463651355F9D13CF89
Malicious:	false
Preview:	Tux Paint "Magic" Tool: Cartoon.. By Bill Kendrick <bill@newbreedsoftware.com>.. This makes the picture look like a cartoon . with thick outlines and. bright, solid colors . wherever you move the mouse..

C:\Users\user\AppData\Roaming\MySqlConsoleComponents\en\magic-docs\chalk.txt Download File
Process:	C:\Users\user\Desktop\PURCHASE ORDER.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	212
Entropy (8bit):	4.126129527640173
Encrypted:	false
SSDEEP:	3:N/EfHor+KRVJO3FXumJZ1cG7NGYvjNM/hFY+OXAiNAJKdKErYQHEJ5Qn+Isvn:efHMRVA0mJZ1375y/TKNSZcETQnQvn
MD5:	8E68D345262E930DE8AEE5D1F7B39978
SHA1:	C0888D6C8F46FE83F85D44A3099DE9952E88A56D
SHA-256:	5D0A74FA2B5DAEF91BE6ACE7AF573B32892E83595D8428C78611EA3F030AE002
SHA-512:	ECF8312F9BAC07BAEAADA3C4DE4E3C3298BFF7090F0D2F8577742427359A1CC4992C162246BFD0680618C8FFDD71F87CB71651CD0616B46C0FFD194526497128
Malicious:	false
Preview:	Tux Paint "Magic" Tool: Chalk.. By Bill Kendrick <bill@newbreedsoftware.com>.. This makes parts of the picture (where you move the mouse) look like a. chalk drawing..

C:\Users\user\AppData\Roaming\MySqlConsoleComponents\en\magic-docs\color_and_white.txt Download File
Process:	C:\Users\user\Desktop\PURCHASE ORDER.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	288
Entropy (8bit):	4.250387004557726
Encrypted:	false
SSDEEP:	6:EfHMRNt1FBg+s2PLy/TBJK2vg+s4v9yUaF+EGdyxev:EvMRLpXsyLkT7K2vg+XvRa4dyxev
MD5:	99D84F9FCD7D55137B8371612949334A
SHA1:	2B96CACA81E9585D34A3E131CECC51AC9268687E
SHA-256:	44F46B4D4CA3C600E218B3D08F183410E28409AF393FF0DB17600F3F8B08C484
SHA-512:	59780B6B24F69878C5A9BCB75E237817BB710A63C502F5C825717D626732B313A5FD6280B2D9DAA0907C580FADD365B28C47629DBC0EC0D9983584E40EAD7432
Malicious:	false
Preview:	Tux Paint "Magic" Tool: Color and White.. By Andrew Corcoran <akanewbie@gmail.com>.. This makes parts of your picture two colors: white, and the color chosen. in the palette. (i.e., if you choose black, you'll get a black and white. picture)..

C:\Users\user\AppData\Roaming\MySqlConsoleComponents\en\magic-docs\color_shift.txt Download File
Process:	C:\Users\user\Desktop\PURCHASE ORDER.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	164
Entropy (8bit):	3.9944801588287886
Encrypted:	false
SSDEEP:	3:N/+fHor+KRNfNS1XmUBXr+L4rL3HOgKbvvjNMljGgQVXCAb:sfHMRNfNaWg+s2PLylj+VX/
MD5:	75840D26A1D4F30F11D721B9DD58E412
SHA1:	D7A0F3E12DA4C51CE75470FEBE3C2E6F36506EA8
SHA-256:	39ED7DF04B0971967EC512595585EFED25011F84592FC38AAD807CA47E2DC31D
SHA-512:	DF9A3EA13C860A794DAA8D098BC2477B400AA19500B586D679816F5D86089548E9EB922AB0E881C559B7406B3717FE885CFB956C6BB40A871F6D45CFC755665F
Malicious:	false
Preview:	Tux Paint "Magic" Tool: Color Shift.. By Andrew Corcoran <akanewbie@gmail.com>.. This shifts the colors in your picture..

C:\Users\user\AppData\Roaming\MySqlConsoleComponents\en\magic-docs\confetti.txt Download File
Process:	C:\Users\user\Desktop\PURCHASE ORDER.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	156
Entropy (8bit):	3.9288725785911445
Encrypted:	false
SSDEEP:	3:N/WfHor+KRPDDee7EIC/aMcj1FLNXLdLDAR+EXKaaCAG:UfHMRPDi0xMcj5dT1aaC
MD5:	7222F79DE75E27E5FE77639C7D181B34
SHA1:	1C116198CD665421920095E184DB5BAB59F42120
SHA-256:	E781BEDD1F27641BF98BD7F8BC45F4B3F5BD55018B2C772B72CFA4439A42E83F
SHA-512:	35417E9E4D022499BA077D88624025FA7BEABA7CA0D313E3E90C436A780277743F3066D92764B04B763558CCC3B80A11D7D8BF64AAB630E77E9F12B89B3B7F30
Malicious:	false
Preview:	Tux Paint "Magic" Tool: Confetti.. By Adam Rakowski <foo-script@o2.pl>.. Throw confetti around your picture!.

C:\Users\user\AppData\Roaming\MySqlConsoleComponents\en\magic-docs\darken.txt Download File
Process:	C:\Users\user\Desktop\PURCHASE ORDER.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	281
Entropy (8bit):	4.225647131767845
Encrypted:	false
SSDEEP:	6:efHMRSOAYmJZ1375yuLpkQTnZYcAJZnW2Hz1:evMRSvY+L375kQTn2Nh9T1
MD5:	1593CD66885D79932CBD0FE742AD47FA
SHA1:	C8CB1A521CEDD3EDFC427622A627ED133D3948EB
SHA-256:	D4DDE148A57D872F6E8CBF6D33168A681B95E152E981D3D871E99B212E4881C9
SHA-512:	EA986FF5216BACD610ED1838A8F7A1EE2C32780ED3D45B4CE39E074E9A7F1DAFBB7072FB9CAD580FDE75D401EE28DF4B439ED04E015ED968E923ADB94481E557
Malicious:	false
Preview:	Tux Paint "Magic" Tool: Darken.. By Bill Kendrick <bill@newbreedsoftware.com>.. This dakrens the colors wherever you drag the mouse. (Do it to the same. spot many times, and it will eventually become black.).. See also: Lighten Tint.

C:\Users\user\AppData\Roaming\MySqlConsoleComponents\en\magic-docs\distortion.txt Download File
Process:	C:\Users\user\Desktop\PURCHASE ORDER.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	190
Entropy (8bit):	4.106365941774297
Encrypted:	false
SSDEEP:	3:N/cfHor+KRL2LL//FumJZ1cG7NGYvjNMG/1XAQyATWUErYQHb:GfHMRSv/cmJZ1375y+3yAT9cb
MD5:	355077CFAEE96429314CA653083EE2FA
SHA1:	108E5810C44A0BCDAC0BC2ABA81E1B8748EBC8D6
SHA-256:	9DF8BD97B496C0205EF8AB889C7AEEEED9B46536F278F8415F740146B58718A2
SHA-512:	CEF019F2115B6105AC7CD7FC04BA525E68067BACEF9649B44FFED208711D782C17D416909E0EC06DA8571577374E0CE56D96CAB38F2A7C813D5E77F40E497D79
Malicious:	false
Preview:	Tux Paint "Magic" Tool: Distortion.. By Bill Kendrick <bill@newbreedsoftware.com>.. This slightly distorts the picture wherever you move the mouse..

C:\Users\user\AppData\Roaming\MySqlConsoleComponents\en\magic-docs\drip.txt Download File
Process:	C:\Users\user\Desktop\PURCHASE ORDER.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	180
Entropy (8bit):	4.050327916613873
Encrypted:	false
SSDEEP:	3:N/ufHor+KR6dXumJZ1cG7NGYvjNM/+FBjcVHQy2WUErYQHb:8fHMRTmJZ1375y/2jcVQ9cb
MD5:	91B4102339A5CC893E14E12A36D87C82
SHA1:	1F6DC520F9866D639A2FAB40439505AC8800F54E
SHA-256:	DE80F3804B1381C9636748E0D74FEA770161A4A1993420CF9AB9E79912C2C3DD
SHA-512:	404991DC71D5A8022D0BD0F17768C72BD037187BFBA11C02F8CC2757B73A3F65E5C11F83CA5B19AD434294BCC792504E2751CB64A6FC753BAB2E4B16482435B0
Malicious:	false
Preview:	Tux Paint "Magic" Tool: Drip.. By Bill Kendrick <bill@newbreedsoftware.com>.. This makes the paint "drip" wherever you move the mouse..

C:\Users\user\AppData\Roaming\MySqlConsoleComponents\en\magic-docs\edges.txt Download File
Process:	C:\Users\user\Desktop\PURCHASE ORDER.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	211
Entropy (8bit):	4.111097448064194
Encrypted:	false
SSDEEP:	3:N/EfHor+KRKCzFXmUBXr+L4rL3HOgKbvvjXYFr7l7QVXCA+MTEGLjFBlH49dvn:efHMRZzsg+s2PLMUVXSvoodv
MD5:	A3D365C92648D2DA59F97FD80961373B
SHA1:	03C25BFAD511C8A3EABB06CD8C979D4083018BC5
SHA-256:	C0C1B6FD9755DAC255F3D7C9C2A19FFFEB7EC488DCE509A6E8C9585EDDB4ABA8
SHA-512:	601F5F6091644499D5A2B5D78A10A8BD18B970C2465EAF3CF5875A2988DFD76FE4330A0BEBBE3CAB9919C68C11819D432564B6100FB61B4C44AD218B000A176E
Malicious:	false
Preview:	Tux Paint "Magic" Tool: Edges.. By Andrew Corcoran <akanewbie@gmail.com>.. Trace the edges in your picture, over a white background... See also: Emboss Silhouette.

C:\Users\user\AppData\Roaming\MySqlConsoleComponents\en\magic-docs\emboss.txt Download File
Process:	C:\Users\user\Desktop\PURCHASE ORDER.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	318
Entropy (8bit):	4.217370349642728
Encrypted:	false
SSDEEP:	6:efHMRDYEmJZ1375y/TBJ6VNfQMUXAsZCApUVX0rGpfFebDdv:evMRb+L37uT76quVXLpfk/dv
MD5:	25DBFB49DC6AC792942CFEBA7F008FD0
SHA1:	8BBA8C9D47E89CBAD6D4A66F18ACC3807FB39CD3
SHA-256:	2669677B8C19756EEB3299D525F143D15F3327B3BED3D870B7D3F185A2869BF5
SHA-512:	B3BA792170E065744CA71CC8C95AFC70367D0E3152CCECCD89F27A56D4FC442DE10220E5BA85F0727EFE650E31D1D479967932B923441B94DCC123E9F8BAC300
Malicious:	false
Preview:	Tux Paint "Magic" Tool: Emboss.. By Bill Kendrick <bill@newbreedsoftware.com>.. This makes parts of your picture look "embossed." Wherever there are sharp. edges in your picture, the picture will look raised like it was stamped in. metal... See also: Edges Silhouette.

C:\Users\user\AppData\Roaming\MySqlConsoleComponents\en\magic-docs\fill.txt Download File
Process:	C:\Users\user\Desktop\PURCHASE ORDER.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	242
Entropy (8bit):	4.091392904312959
Encrypted:	false
SSDEEP:	3:N/ufHor+KRsvNFFumJZ1cG7NGYvjNMsRgrXARRNtK+qJQFUQuSFDtBWFYH+WXAwK:8fHMRs8mJZ1375ysRH3Ku0SFDm+BM7r
MD5:	F6EB096DFD31453384E43F31B7F4DD98
SHA1:	7B5C8D6334FEF4BE863A8F32BAC1B0C29F35D707
SHA-256:	F9C9526BBD82199AF7CCD1E23F48071534A827DD637A6E0FCDDC16DF28BB45D0
SHA-512:	B0668693121ACADE3ED66CF8E4747B5EB19C2C446C7244926885128F60F4A04000C87ED4FA7351890F593AAAC349B63350AB8CD5E5462982F120D69DDBEFD284
Malicious:	false
Preview:	Tux Paint "Magic" Tool: Fill.. By Bill Kendrick <bill@newbreedsoftware.com>.. This floods the picture with a color. It lets you quickly fill parts of. the picture, as if it were a coloring book..

C:\Users\user\AppData\Roaming\MySqlConsoleComponents\en\magic-docs\fisheye.txt Download File
Process:	C:\Users\user\Desktop\PURCHASE ORDER.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	191
Entropy (8bit):	4.060019270253886
Encrypted:	false
SSDEEP:	3:N/WfHor+KRuvtee7EIC/aMcj1FIE0CY9QJCAg+CktNXqFElN5M1vn:UfHMRuvM0xMcjQ4BJ8+bX+EJMl
MD5:	6770169CF98E94C42BFC307AD30027A2
SHA1:	5916437912D78BDA6CDE004FB17AC1DBA63834DC
SHA-256:	4964A114CB9A8570000D3194DC88413C03B505A6DE5620436CCC1AB28435DD5F
SHA-512:	C6B08430855E9783244663C99BC3C1FB7EB8C70C8CB6D953E4E5A0BB2C181B0B72C5E550C3C43DAE75D6ECD7693C6D8F596EFE4D1BD89DD2D25D35E3DAAEA654
Malicious:	false
Preview:	Tux Paint "Magic" Tool: Fisheye.. By Adam Rakowski <foo-script@o2.pl>.. Warp parts of your picture like it's being seen through a fisheye lens..

C:\Users\user\AppData\Roaming\MySqlConsoleComponents\en\magic-docs\flip.txt Download File
Process:	C:\Users\user\Desktop\PURCHASE ORDER.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	223
Entropy (8bit):	4.094194094073369
Encrypted:	false
SSDEEP:	3:N/ufHor+KRIumJZ1cG7NGYvkMxdxabH4uIrguh2c41iFYVTBK4hZsvn:8fHMRnmJZ1375sC6H4rgNziFYVT84nOn
MD5:	8DB4A593D34A78D663AD1700F57C540D
SHA1:	CFEA41759200C324322C5C0B2DC56CF238FB6817
SHA-256:	744292C861B3829D55675D24399BB042F7120C0DF37B9F2837BA94F2D490EF90
SHA-512:	B01465E89039ADEACD512416F4BC93306C5EA804EAD32926209B1DA7A78812F140ECF6E9F8E16237F60A36FF7C741F229BD284EE58CBA411CC8E4E85EECC87AC
Malicious:	false
Preview:	Tux Paint "Magic" Tool: Flip.. By Bill Kendrick <bill@newbreedsoftware.com>.. Similar to "Mirror." Click and the entire image will be turned. upside-down... See also: Mirror.

C:\Users\user\AppData\Roaming\MySqlConsoleComponents\en\magic-docs\flower.txt Download File
Process:	C:\Users\user\Desktop\PURCHASE ORDER.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	480
Entropy (8bit):	4.226780611379884
Encrypted:	false
SSDEEP:	12:evMR7+L37pBt5iYZ6+uiOGuc0PbB6gvOXYF8FySb1n:evi7+L3VBt5DZ6+Ec2bU63u
MD5:	05B371BD88A5EC91BBBFC8F5FE7B381D
SHA1:	8AA5B06E513700C31513CB6EA5EFA3A75ED1365E
SHA-256:	E9FEC19EB4D79EE50DBEAFA5D287D4EDBF5D7AFC44EDDC65CBD6F8E71DAEA0D3
SHA-512:	B7BA5790E60DF887BC48D06BFEF3BBEA4CE3B0AF41FCC8C249DAE63400A69C664B0ED1CBE2EAD7101E008D8559F3D64C802B7DDF61D4F30A6B903DB148F7264B
Malicious:	false
Preview:	Tux Paint "Magic" Tool: Flower.. By Bill Kendrick <bill@newbreedsoftware.com>.. This tool draws small flowers, with leafy bases and stalks. Click to set. the base, then drag the mouse upwards to drawe the stalk, and finally. release the mouse button to finish the flower. It will be drawn in the. currently-selected color. The shape and length of the stalk depends on how. you move the mouse while you drag... See also: Grass.

C:\Users\user\AppData\Roaming\MySqlConsoleComponents\en\magic-docs\foam.txt Download File
Process:	C:\Users\user\Desktop\PURCHASE ORDER.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	294
Entropy (8bit):	4.158666067640538
Encrypted:	false
SSDEEP:	6:8fHMR2/FmmJZ13758Jh9YcufIvOYEbZiEVbEW8KXsAk1+YV3u:8vMRmFm+L37qQSREb15ElK8LVV+
MD5:	98AC0183B3D6B3EE3ED9F7F1E1CE75B1
SHA1:	B746730D004C3F86FFA0B0D82AF66A454DD5E875
SHA-256:	FC54839A6FC8CC9A664700AECE125E58CF125973F7DA86A40F2E787FFE64ED4C
SHA-512:	82D06F049DE46717F00BBEFA4378B59249F3D0A1CE9E326D3CDFB8334D86DD0D87FA4EAA87E8CB8466D7599D91D9852086B0EE4E6DCD6066205ACBF37477B61C
Malicious:	false
Preview:	Tux Paint "Magic" Tool: Foam.. By Bill Kendrick <bill@newbreedsoftware.com>.. Click and drag the mouse to draw foamy bubbles. The more you drag the. mouse in a particular spot, the more likely small bubbles will combine to. form bigger bubbles..

C:\Users\user\AppData\Roaming\MySqlConsoleComponents\en\magic-docs\fold.txt Download File
Process:	C:\Users\user\Desktop\PURCHASE ORDER.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	342
Entropy (8bit):	4.032841637161007
Encrypted:	false
SSDEEP:	6:8fHMRYO0xMcju51375NzCgX2/KcJ7KBJSanAZ752l:8vMRYOWMcar37TzCSqK47ShnoY
MD5:	3A78D36BAD1A122724CFA33A119B44B9
SHA1:	288799E9C634B1BD58311B1247B0CBEAEFC6C07F
SHA-256:	A83D6F4190B22B9703D7BEC11F32539DCF8025AE8AE4E40D41CC34635F2066BA
SHA-512:	E458E16893E8A906294BCE4C07EA5A35BBBBF43650A7CE7ACFD9B2F4EC866E7ABF35602CC50D6F7ED813344C10D419A3D075ED4F100C3D1AD1A86539F2781886
Malicious:	false
Preview:	Tux Paint "Magic" Tool: Fold.. By Adam Rakowski <foo-script@o2.pl>. Bill Kendrick <bill@newbreedsoftware.com>. Pere Pujal i Carabantes <pere@fornol.no-ip.org>.. Click a corner of your picture and drag towards the center to fold it up. like a piece of paper..

C:\Users\user\AppData\Roaming\MySqlConsoleComponents\en\magic-docs\glass_tile.txt Download File
Process:	C:\Users\user\Desktop\PURCHASE ORDER.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	220
Entropy (8bit):	4.108379832503718
Encrypted:	false
SSDEEP:	6:GfHMRNK9mJZ13758JhbQSF5+F2uHCwMVv:GvMRw9+L37qpQSE2hwMF
MD5:	15DF95E3829CD04FE572D4E04BF53434
SHA1:	BC7DE2AF7BBA6A5FE2CA9A9C3075F20EE84EFA86
SHA-256:	667467CC74BDC9732A55B7792C9B7A5DD055981CBDF9220E6B35A77B7D8C17CD
SHA-512:	36E3A8A6292B3A722B78E5B7FDF0C636B0395E8D696E7DEFDE83767FAFA6E6B713312B102888221811E9AF4F935A62136D56498DC342D956A15A2527C09E55E9
Malicious:	false
Preview:	Tux Paint "Magic" Tool: Glass Tile.. By Bill Kendrick <bill@newbreedsoftware.com>.. Click and drag over your picture to make it look like it's being seen. through glass tiles..

C:\Users\user\AppData\Roaming\MySqlConsoleComponents\en\magic-docs\grass.txt Download File
Process:	C:\Users\user\Desktop\PURCHASE ORDER.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	370
Entropy (8bit):	4.144107115912495
Encrypted:	false
SSDEEP:	6:efHMRxklB1Qcj/yQlEQcJKfHLgWZWRc2CzA5VV8vIldN1fADyKJWMr6n:evMRxklp/bl1cSLQ8+VqIlzx8ZJWd
MD5:	D7E6D2F3974822AF1E601E11A2931520
SHA1:	3B0714EE1D3F634BE8B56ACF9CCE0FAB66B54C00
SHA-256:	08CC48B69360FFF8C460ECB735AABFA52084A8FB2A50CA048D55C2E1C8687C44
SHA-512:	1EDF2E5161225463FE82F8C1440D0E41B2D4E7FE5DEAD79B9A06D1C4A85047B4D7900CF172F23C71464E0CBAA0543EB76B21374465F1E87DCECA83826C34CB2E
Malicious:	false
Preview:	Tux Paint "Magic" Tool: Grass.. By Albert Cahalan <albert@users.sf.net>.. This paints grass on the image. The higher up the canvas, the smaller the. grass is drawn, giving an illusion of perspective. The grass can be tinted. various greenish hues by selecting different colors in the color palette... See also: Flower.

C:\Users\user\AppData\Roaming\MySqlConsoleComponents\en\magic-docs\hexagon_mosaic.txt Download File
Process:	C:\Users\user\Desktop\PURCHASE ORDER.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	246
Entropy (8bit):	4.190645359567186
Encrypted:	false
SSDEEP:	6:ufHMRc9NwuaOCgX2/KcGCEBJbjL5Dv8ouHqQEAS2do8:uvMRc9uuaOCSqKh7bjLdYHk5uo8
MD5:	C9A0D10596CC0E50CE3A344D0C9EBA9B
SHA1:	9E4F23A869ABA47D75BFB4480C5DC706089B797C
SHA-256:	A53A539D8D07FC5BF2ECD0542AA0FBDDAC5DA1F3B679CC4B7F58DBAA2EAC9433
SHA-512:	786486627642F32A5B282923A5C429BA959F2B3EDA38A3BFF0BE42AA3CCB1494329B167B9421FFA294863862DEB54DD08DB57DA49F24265A78DE5422CD76A7EB
Malicious:	false
Preview:	Tux Paint "Magic" Tool: Hexagon Mosaic.. By Pere Pujal i Carabantes <pere@fornol.no-ip.org>.. Converts parts of your picture into a mosaic of hexagon cells... See also: Irregular Mosaic Square Mosaic Mosaic.

C:\Users\user\AppData\Roaming\MySqlConsoleComponents\en\magic-docs\html\blinds.html Download File
Process:	C:\Users\user\Desktop\PURCHASE ORDER.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	614
Entropy (8bit):	5.232037273494703
Encrypted:	false
SSDEEP:	12:BMQbwfce9x3CvMR/56QclfdGxWHG+XHIWlvMR/wwC29/qjqedKdS05YDOWFqOL+j:Wd4vihsllGkIWlviIwC+CWwKdVq6CqW8
MD5:	983A7695A12A274A6A1F3DADFB6996E6
SHA1:	801EFE7EB313B7C77FF2CD4CFAA0E3F9EF8124A0
SHA-256:	A502523A74FC126AEF99681231FC6679379F5C25117BCB93301BD5C93EED09E7
SHA-512:	FCFBE84349D2DFE3691FA24F84588023FCD2BAE6DCC9EF1509A81E0900C3868E8DDE2CDF2573F6697EE08FA5F2F132D6B554707D2C535AB6CA3EA2B17E5FF7DE
Malicious:	false
Preview:	<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">.<body><html><head><title>Tux Paint "Magic" Tool: Blinds</title>.<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">.</head>.<body bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#FF0000" alink="#FF00FF">.<h1 align="center">Tux Paint "Magic" Tool: Blinds</h1>.<h2 align="center">By Pere Pujal i Carabantes <<a href="mailto:pere@fornol.no-ip.org">pere@fornol.no-ip.org</a>></h2>.<p>Click towards the edge of your picture to pull window blinds over it. Move perpendicularly to open or close the blinds.</p>.</body></html>

C:\Users\user\AppData\Roaming\MySqlConsoleComponents\en\magic-docs\html\blocks.html Download File
Process:	C:\Users\user\Desktop\PURCHASE ORDER.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	666
Entropy (8bit):	5.291269161015415
Encrypted:	false
SSDEEP:	12:BMQbwfce9x3CvMRDX6QclfdGxWHG+XHIWlvMRDpAvL3zJmTo4BOAvlx0ot8NATnn:Wd4vi7sllGkIWlvilAvL3zEcQO4lONAb
MD5:	C16E8671A7DEE6BB2059111144A86452
SHA1:	5CC3F563BC748DDB0C7FE02632928A45F81914D9
SHA-256:	A6D27BF55447BBE65C4C3A7EA92F7316870F143C97E2132CA1D029FAE23BE4B7
SHA-512:	B00125D3BB6AC0128D7DD0059CF6D521F533C142BC4BC20DC5443B908B89AF005D1CEF5A1059725F37418CB9C7A08969F2F8641F1798A08CEE0D7BBE030514C3
Malicious:	false
Preview:	<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">.<body><html><head><title>Tux Paint "Magic" Tool: Blocks</title>.<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">.</head>.<body bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#FF0000" alink="#FF00FF">.<h1 align="center">Tux Paint "Magic" Tool: Blocks</h1>.<h2 align="center">By Bill Kendrick <<a href="mailto:bill@newbreedsoftware.com">bill@newbreedsoftware.com</a>><br>.Albert Cahalan <<a href="mailto:albert@users.sf.net">albert@users.sf.net</a>><br>.</h2>.<p>This makes the picture blocky looking ("pixelated") wherever you drag the mouse.</p>.</body></html>

C:\Users\user\AppData\Roaming\MySqlConsoleComponents\en\magic-docs\html\blur.html Download File
Process:	C:\Users\user\Desktop\PURCHASE ORDER.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	725
Entropy (8bit):	5.277996387135983
Encrypted:	false
SSDEEP:	12:BMQbwfce9x3CvMRT06QclfdGxWHG+XHIWlvMRPjvL3zJmTo4BOAvlx0o7Rn2XVFH:Wd4viYsllGkIWlviPjvL3zEcQO4l7MfH
MD5:	6542478AD0E789DB017E1BF99822EBBD
SHA1:	BF96D545096B06413306B0740527E85771D2CA0D
SHA-256:	3892BFECFABFCAFAD9855D1BB2844E34926FC887D0723046FA0F033940ADCE9A
SHA-512:	424BF619CA8D6FA5CFD805B058828E3348BD6C367A293F95A8C467F2CFFD3B933E97C1CA1557DA91C046EB5240E5533A54A71984294141CC833948CBD22487FB
Malicious:	false
Preview:	<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">.<body><html><head><title>Tux Paint "Magic" Tool: Blur</title>.<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">.</head>.<body bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#FF0000" alink="#FF00FF">.<h1 align="center">Tux Paint "Magic" Tool: Blur</h1>.<h2 align="center">By Bill Kendrick <<a href="mailto:bill@newbreedsoftware.com">bill@newbreedsoftware.com</a>><br>.Albert Cahalan <<a href="mailto:albert@users.sf.net">albert@users.sf.net</a>><br>.</h2>.<p>This makes the picture fuzzy wherever you drag the mouse.</p>.<p>See also: <a href="sharpen.html">Sharpen</a> <a href="smudge.html">Smudge</a> </p>.</body></html>

C:\Users\user\AppData\Roaming\MySqlConsoleComponents\en\magic-docs\html\bricks.html Download File
Process:	C:\Users\user\Desktop\PURCHASE ORDER.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	661
Entropy (8bit):	5.154817563413309
Encrypted:	false
SSDEEP:	12:BMQbwfce9x3CvMRz6QclfdGxWHG+XHIWlvMR9AYROAvlxxrq8Dh5LH7+xox8ZJWi:Wd4vizsllGkIWlvi9AYRO4xHDhBb+xi4
MD5:	3B46BC955F0473A60E8BE6009E7B42D2
SHA1:	699D4BADFACFFAE7698B4520887EF572DAF6E790
SHA-256:	0EB97D54A8E2221F0D80B8E330E7B402D707BB7B3C5C5E70A865CF92759E8279
SHA-512:	BF3A9710CC09BA728D0E8720021939989B1EF7B3886CEDC3FDB0CA06EE5D243712BC0CE127D171D9373378307C5680A5B271341A7227F15AC3988643047CD7B6
Malicious:	false
Preview:	<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">.<body><html><head><title>Tux Paint "Magic" Tool: Bricks</title>.<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">.</head>.<body bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#FF0000" alink="#FF00FF">.<h1 align="center">Tux Paint "Magic" Tool: Bricks</h1>.<h2 align="center">By Albert Cahalan <<a href="mailto:albert@users.sf.net">albert@users.sf.net</a>></h2>.<p>These two tools intelligently paint large and small brick patterns on the canvas. The bricks can be tinted various redish hues by selecting different colors in the color palette.</p>.</body></html>

C:\Users\user\AppData\Roaming\MySqlConsoleComponents\en\magic-docs\html\calligraphy.html Download File
Process:	C:\Users\user\Desktop\PURCHASE ORDER.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	597
Entropy (8bit):	5.252024974359401
Encrypted:	false
SSDEEP:	12:BMQbwfce9x3CvMR1bXJ6QclfdGxWHG+XHIWlvMR1bTbAvL3zJmTMlkHTEz9v+j:Wd4vi1TJsllGkIWlvi1UvL3zEolkzU9U
MD5:	54DED997EC2EF07533B255DFC512313D
SHA1:	DD1D00591C4FFDEC561E4BE2DF4517BE93A888D0
SHA-256:	BED3FAF89FF6A620203196DCFFE0533C95D0A5E77A0F6F00BD8F88A55156D27A
SHA-512:	89E9092405778905EB4A31B39502830E5CE5576B4F074BF86E664A1C2AFABB0A6335AF1769BA08B19843385415838F20DD548FE95B653E3157F4C0C30A03F8E4
Malicious:	false
Preview:	<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">.<body><html><head><title>Tux Paint "Magic" Tool: Calligraphy</title>.<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">.</head>.<body bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#FF0000" alink="#FF00FF">.<h1 align="center">Tux Paint "Magic" Tool: Calligraphy</h1>.<h2 align="center">By Bill Kendrick <<a href="mailto:bill@newbreedsoftware.com">bill@newbreedsoftware.com</a>></h2>.<p>This paints on the canvas with a calligraphy pen. The quicker you move, the thinner the lines.</p>.</body></html>

C:\Users\user\AppData\Roaming\MySqlConsoleComponents\en\magic-docs\html\cartoon.html Download File
Process:	C:\Users\user\Desktop\PURCHASE ORDER.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	627
Entropy (8bit):	5.2384380447034795
Encrypted:	false
SSDEEP:	12:BMQbwfce9x3CvMRp6QclfdGxWHG+XHIWlvMRgvL3zJmTb/K6pXYzbXj9X+j:Wd4vipsllGkIWlvigvL3zEHJpXYzds
MD5:	0A5C8F5AF3FBC3A3E80DA3D18380A8D3
SHA1:	ACCD7BE5AFD7254CCCB28C2B97C7B6A4AEF86642
SHA-256:	013EA532557F6830EE2CBE195876BB0105D1FA9D4D64A0ED60989887AF2BCD6D
SHA-512:	8282ADDD77B16D1C5D2FE87BE53D7B7F897E5BF9FF6F9461989FAF27DC0BAB9EC9B5DCF20CC74B9DF091A5DD58EE0992911A25D71E62611AABF62998D7E1F5CD
Malicious:	false
Preview:	<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">.<body><html><head><title>Tux Paint "Magic" Tool: Cartoon</title>.<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">.</head>.<body bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#FF0000" alink="#FF00FF">.<h1 align="center">Tux Paint "Magic" Tool: Cartoon</h1>.<h2 align="center">By Bill Kendrick <<a href="mailto:bill@newbreedsoftware.com">bill@newbreedsoftware.com</a>></h2>.<p>This makes the picture look like a cartoon — with thick outlines and bright, solid colors — wherever you move the mouse.</p>.</body></html>

C:\Users\user\AppData\Roaming\MySqlConsoleComponents\en\magic-docs\html\chalk.html Download File
Process:	C:\Users\user\Desktop\PURCHASE ORDER.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	576
Entropy (8bit):	5.281491318385534
Encrypted:	false
SSDEEP:	12:BMQbwfce9x3CvMRk6QclfdGxWHG+XHIWlvMRvvL3zJmTbTKoZnT6YsL+j:Wd4viksllGkIWlvivvL3zEHOune5L8
MD5:	B3D70950AC1C6DACE1791DF38E59C457
SHA1:	7B33F3C479AE8694AF1CA6C1E187CE00B551635F
SHA-256:	69BED443C858CC8B89228C4202958DF3BF7B83154103EF140A3329248436D233
SHA-512:	38DCE5FB7EF0B34A3DE8136E5D0BEF614B3FE7248073703D01A55957C54472F519A4E63BAF8A255F7F1229972829FD2DDF9736EBF04D79AD7D6018C237012785
Malicious:	false
Preview:	<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">.<body><html><head><title>Tux Paint "Magic" Tool: Chalk</title>.<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">.</head>.<body bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#FF0000" alink="#FF00FF">.<h1 align="center">Tux Paint "Magic" Tool: Chalk</h1>.<h2 align="center">By Bill Kendrick <<a href="mailto:bill@newbreedsoftware.com">bill@newbreedsoftware.com</a>></h2>.<p>This makes parts of the picture (where you move the mouse) look like a chalk drawing.</p>.</body></html>

C:\Users\user\AppData\Roaming\MySqlConsoleComponents\en\magic-docs\html\color_and_white.html Download File
Process:	C:\Users\user\Desktop\PURCHASE ORDER.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	656
Entropy (8bit):	5.235307110792931
Encrypted:	false
SSDEEP:	12:BMQbwfce9x3CvMRLc6QclfdGxWHG+XHIWlvMRL3GQo7EOlT7K2vg+Xpa4dHE+j:Wd4viwsllGkIWlviT5ZWv6mh5
MD5:	0522A7E26205639BED6B469D630D2683
SHA1:	D3B82222DACC81999648E32F319A0FB4FF17AD8B
SHA-256:	F94C3A09C088C94A992E0ABCEFDF8A601E5A359C999F6FF77FA337EA9085409A
SHA-512:	7938A301C9D15639B02A65134AD048A565E419E5FD0BB1833C869EA677C143AEA5A31F762D8F1FAADED2183B97788E86DE582DFB783170F30FA666A16C2EFC7A
Malicious:	false
Preview:	<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">.<body><html><head><title>Tux Paint "Magic" Tool: Color and White</title>.<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">.</head>.<body bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#FF0000" alink="#FF00FF">.<h1 align="center">Tux Paint "Magic" Tool: Color and White</h1>.<h2 align="center">By Andrew Corcoran <<a href="mailto:akanewbie@gmail.com">akanewbie@gmail.com</a>></h2>.<p>This makes parts of your picture two colors: white, and the color chosen in the palette. (i.e., if you choose black, you'll get a black and white picture).</p>.</body></html>

C:\Users\user\AppData\Roaming\MySqlConsoleComponents\en\magic-docs\html\color_shift.html Download File
Process:	C:\Users\user\Desktop\PURCHASE ORDER.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	532
Entropy (8bit):	5.28667177790349
Encrypted:	false
SSDEEP:	12:BMQbwfce9x3CvMRQ6QclfdGxWHG+XHIWlvMRzGQo7EOX+VXKv+j:Wd4viQsllGkIWlviz5ZXVXKU
MD5:	E92BDA3EF55F9F854F9160E75AC48742
SHA1:	6A4081982664311373C5CA6A00EE1190CB91EA20
SHA-256:	8F36E57BA78DB13F577EA81C56766B216175BBB431EC2E06483BEA808B7A992E
SHA-512:	4341B4FAEDF764A2645833DE5758AA15AA15C9CC0406F2C4B11FE5FCCCA6E496643DD1831BDCB830218FDEDBB1622D8B44A5313EED8F8D2A7A203D4BB041C1DA
Malicious:	false
Preview:	<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">.<body><html><head><title>Tux Paint "Magic" Tool: Color Shift</title>.<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">.</head>.<body bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#FF0000" alink="#FF00FF">.<h1 align="center">Tux Paint "Magic" Tool: Color Shift</h1>.<h2 align="center">By Andrew Corcoran <<a href="mailto:akanewbie@gmail.com">akanewbie@gmail.com</a>></h2>.<p>This shifts the colors in your picture.</p>.</body></html>

C:\Users\user\AppData\Roaming\MySqlConsoleComponents\en\magic-docs\html\confetti.html Download File
Process:	C:\Users\user\Desktop\PURCHASE ORDER.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	514
Entropy (8bit):	5.308380280804241
Encrypted:	false
SSDEEP:	12:BMQbwfce9x3CvMRPD/J6QclfdGxWHG+XHIWlvMRPD7kZDMcyFMch+Vwj:Wd4vi7hsllGkIWlvi77kZDMcyMcUS
MD5:	D7B7A919806FAE79A3253E70CFC7E165
SHA1:	C8AA3A0C9EAA9B26EA7EADD3A70AF8DC761597D1
SHA-256:	F42AB9FEE6A0FACDE9D52B68A5F152D251F9A3F4BB7C172D0C4DA484B9FACAF1
SHA-512:	9DACB740179A09CC67AEA44ADC42F87733EA1FBAABCDE21285F2441D47F96F87DE2E24F59BE20A73EF2067E3C2AE7E9D5A2AA3DE90A4E5B79BAA2981920DF2F8
Malicious:	false
Preview:	<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">.<body><html><head><title>Tux Paint "Magic" Tool: Confetti</title>.<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">.</head>.<body bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#FF0000" alink="#FF00FF">.<h1 align="center">Tux Paint "Magic" Tool: Confetti</h1>.<h2 align="center">By Adam Rakowski <<a href="mailto:foo-script@o2.pl">foo-script@o2.pl</a>></h2>.<p>Throw confetti around your picture!</p>.</body></html>

C:\Users\user\AppData\Roaming\MySqlConsoleComponents\en\magic-docs\html\darken.html Download File
Process:	C:\Users\user\Desktop\PURCHASE ORDER.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	702
Entropy (8bit):	5.217823353308463
Encrypted:	false
SSDEEP:	12:BMQbwfce9x3CvMRSvT6QclfdGxWHG+XHIWlvMRSv2vL3zJmTmkQTn2J/99u7LD/j:Wd4viiTsllGkIWlvii2vL3zE1XJlsb7
MD5:	B02A76080071F23414C74E9ED1119DE1
SHA1:	C55C147B76B8F0603C797382AB52E78BAF032BA3
SHA-256:	3FD37989B8AAAE394B272398009345DD46D81235BB01EC6F5E89A9C9FD396EE0
SHA-512:	A566C20CCAA77C5A11BCA7FA32649F359A78F3F2B2E69B3CF9910D296F21E061BFCC0283AF8875F5B3B6A250A74340A7BFD68BD8B1BE675883C10539671335BE
Malicious:	false
Preview:	<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">.<body><html><head><title>Tux Paint "Magic" Tool: Darken</title>.<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">.</head>.<body bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#FF0000" alink="#FF00FF">.<h1 align="center">Tux Paint "Magic" Tool: Darken</h1>.<h2 align="center">By Bill Kendrick <<a href="mailto:bill@newbreedsoftware.com">bill@newbreedsoftware.com</a>></h2>.<p>This dakrens the colors wherever you drag the mouse. (Do it to the same spot many times, and it will eventually become black.)</p>.<p>See also: <a href="lighten.html">Lighten</a> <a href="tint.html">Tint</a> </p>.</body></html>

C:\Users\user\AppData\Roaming\MySqlConsoleComponents\en\magic-docs\html\distortion.html Download File
Process:	C:\Users\user\Desktop\PURCHASE ORDER.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	564
Entropy (8bit):	5.25615826884632
Encrypted:	false
SSDEEP:	12:BMQbwfce9x3CvMRSf6QclfdGxWHG+XHIWlvMRSqvL3zJmTHAT9X+j:Wd4viSfsllGkIWlviSqvL3zEsxs
MD5:	937A66FB6F3A5BBF45E4EF3D1776E5FB
SHA1:	CF4D9E2EEC8A4277C2492DA29A67CCF522601557
SHA-256:	DFD3FD6A0A47CF06335C84BB2BCFC6037DBD4FACF133491295E4F2DD5851784B
SHA-512:	697D44236A9E6079ED570EE72F3D5C6FB07B046FDF81CBC2329FFF8C71384106D21AF9480B6E90CBFD963E8E415DC6C42F581D4C230EF751CF24896A736FCFC3
Malicious:	false
Preview:	<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">.<body><html><head><title>Tux Paint "Magic" Tool: Distortion</title>.<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">.</head>.<body bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#FF0000" alink="#FF00FF">.<h1 align="center">Tux Paint "Magic" Tool: Distortion</h1>.<h2 align="center">By Bill Kendrick <<a href="mailto:bill@newbreedsoftware.com">bill@newbreedsoftware.com</a>></h2>.<p>This slightly distorts the picture wherever you move the mouse.</p>.</body></html>

C:\Users\user\AppData\Roaming\MySqlConsoleComponents\en\magic-docs\html\drip.html Download File
Process:	C:\Users\user\Desktop\PURCHASE ORDER.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	545
Entropy (8bit):	5.283163693553763
Encrypted:	false
SSDEEP:	12:BMQbwfce9x3CvMRK6QclfdGxWHG+XHIWlvMRRvL3zJmTb2jkQ9X+j:Wd4viKsllGkIWlviRvL3zEHlys
MD5:	5BC91F123739F7EFBBB9D537EFCBDBE2
SHA1:	C210FB8A2710249624994FEF73EBEC5BF507E734
SHA-256:	DF2874070B10D8C3233123A07C6D9B947A3010D79B604814D19BA51CC36FD926
SHA-512:	DC791C8EEC6B41CBE986FF68C5EE9340D75DEE6F60D45F7ADA09F14124271F337655E3C25064424A08BA713B11024320CD10F88AD0764085ABE586620A216A2C
Malicious:	false
Preview:	<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">.<body><html><head><title>Tux Paint "Magic" Tool: Drip</title>.<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">.</head>.<body bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#FF0000" alink="#FF00FF">.<h1 align="center">Tux Paint "Magic" Tool: Drip</h1>.<h2 align="center">By Bill Kendrick <<a href="mailto:bill@newbreedsoftware.com">bill@newbreedsoftware.com</a>></h2>.<p>This makes the paint "drip" wherever you move the mouse.</p>.</body></html>

C:\Users\user\AppData\Roaming\MySqlConsoleComponents\en\magic-docs\html\edges.html Download File
Process:	C:\Users\user\Desktop\PURCHASE ORDER.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	630
Entropy (8bit):	5.264861128394361
Encrypted:	false
SSDEEP:	12:BMQbwfce9x3CvMRZr6QclfdGxWHG+XHIWlvMRZ+GQo7EOsVXSvnQf9AwwZB5Bj:Wd4viJsllGkIWlviA5ZzVXSv4EZ1
MD5:	FB95D8DA3AEA403D32EE59D8955789A0
SHA1:	B4A77DC495F824DAA09B20E62461937CD362AD3C
SHA-256:	0F79A4BCBF08A44D9CE6BDDE9C91EADB8174AD7ADD140FBCE35D9444D8DA8417
SHA-512:	A5B2FEB1326A012E540B3F4A13080DD4B1F000A2427450A5574C4CF44477BE2E7D5C6E82BA04E8F0B0D99872B96AB4ABEF56B595DFBB93DFD64A98CEB50016A1
Malicious:	false
Preview:	<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">.<body><html><head><title>Tux Paint "Magic" Tool: Edges</title>.<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">.</head>.<body bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#FF0000" alink="#FF00FF">.<h1 align="center">Tux Paint "Magic" Tool: Edges</h1>.<h2 align="center">By Andrew Corcoran <<a href="mailto:akanewbie@gmail.com">akanewbie@gmail.com</a>></h2>.<p>Trace the edges in your picture, over a white background.</p>.<p>See also: <a href="emboss.html">Emboss</a> <a href="silhouette.html">Silhouette</a> </p>.</body></html>

C:\Users\user\AppData\Roaming\MySqlConsoleComponents\en\magic-docs\html\emboss.html Download File
Process:	C:\Users\user\Desktop\PURCHASE ORDER.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	740
Entropy (8bit):	5.196757887566926
Encrypted:	false
SSDEEP:	12:BMQbwfce9x3CvMRy6QclfdGxWHG+XHIWlvMRJvL3zJmTbT765VXLpfk7nNF9AwwP:Wd4viysllGkIWlviJvL3zEHvqVXN8DNY
MD5:	935B3BB6890EB9CD21D5C519118ADFFB
SHA1:	F5BF7F0BC1D83E8418B8639AB3A95EB5B8E88EBC
SHA-256:	CDB8C695F37AB445D923AD891A2004F0BDD947DDAF2A71AB9B6278E933C158AC
SHA-512:	01B26F2C6A975EF0D6FCDF63741A32A5BCA3A922978766688480E0C4CD9032CFA3EF5F3EF146995A8D350286D3DB82978AE1743A3E4C45CD5F9156C3C3462C14
Malicious:	false
Preview:	<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">.<body><html><head><title>Tux Paint "Magic" Tool: Emboss</title>.<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">.</head>.<body bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#FF0000" alink="#FF00FF">.<h1 align="center">Tux Paint "Magic" Tool: Emboss</h1>.<h2 align="center">By Bill Kendrick <<a href="mailto:bill@newbreedsoftware.com">bill@newbreedsoftware.com</a>></h2>.<p>This makes parts of your picture look "embossed." Wherever there are sharp edges in your picture, the picture will look raised like it was stamped in metal.</p>.<p>See also: <a href="edges.html">Edges</a> <a href="silhouette.html">Silhouette</a> </p>.</body></html>

C:\Users\user\AppData\Roaming\MySqlConsoleComponents\en\magic-docs\html\fill.html Download File
Process:	C:\Users\user\Desktop\PURCHASE ORDER.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	605
Entropy (8bit):	5.23379181888114
Encrypted:	false
SSDEEP:	12:BMQbwfce9x3CvMR06QclfdGxWHG+XHIWlvMR/vL3zJmT4uapFDmY2j:Wd4vi0sllGkIWlvi/vL3zEEuqDB0
MD5:	05DFA86ADCCE2C421CDF25E449C18FD1
SHA1:	8A442536273A4BBF767683A51EA887CF0E27EB69
SHA-256:	C7E8066743C867AF33396822966AC75A11DF55AB52EEA58A4DE317994FC14031
SHA-512:	23B10284B98C714BD09C590A07DDD04838C58C066BD71BB00785825CDB34F0D4A22448CAC9FFAD5076F681D920BF0C3638136EB87BEB0AEF073F0BEDDFF72C98
Malicious:	false
Preview:	<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">.<body><html><head><title>Tux Paint "Magic" Tool: Fill</title>.<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">.</head>.<body bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#FF0000" alink="#FF00FF">.<h1 align="center">Tux Paint "Magic" Tool: Fill</h1>.<h2 align="center">By Bill Kendrick <<a href="mailto:bill@newbreedsoftware.com">bill@newbreedsoftware.com</a>></h2>.<p>This floods the picture with a color. It lets you quickly fill parts of the picture, as if it were a coloring book.</p>.</body></html>

C:\Users\user\AppData\Roaming\MySqlConsoleComponents\en\magic-docs\html\fisheye.html Download File
Process:	C:\Users\user\Desktop\PURCHASE ORDER.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	548
Entropy (8bit):	5.293151744601026
Encrypted:	false
SSDEEP:	12:BMQbwfce9x3CvMRo6QclfdGxWHG+XHIWlvMR7ZDMcyFMchdqT7HbXF+j:Wd4viosllGkIWlvi7ZDMcyMcivR8
MD5:	8F06796BABBA049722B9920DCC231407
SHA1:	8A14450C7A36D5E76E50768FE6C09E82E647CA7F
SHA-256:	7B8974F341D5965C4B7EE1113DDCACD274BE1A15C6ECA6AA82E6D9A00753C74F
SHA-512:	8F810C7D3511C7D3B13332EC9013C9FC4BFF98B5B2B7654EB1918AECB77FBE29671DE641C632CFD62C76279101BDC137DD7B89534C6C4E75376CB9A5AC040692
Malicious:	false
Preview:	<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">.<body><html><head><title>Tux Paint "Magic" Tool: Fisheye</title>.<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">.</head>.<body bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#FF0000" alink="#FF00FF">.<h1 align="center">Tux Paint "Magic" Tool: Fisheye</h1>.<h2 align="center">By Adam Rakowski <<a href="mailto:foo-script@o2.pl">foo-script@o2.pl</a>></h2>.<p>Warp parts of your picture like it's being seen through a fisheye lens.</p>.</body></html>

C:\Users\user\AppData\Roaming\MySqlConsoleComponents\en\magic-docs\html\flip.html Download File
Process:	C:\Users\user\Desktop\PURCHASE ORDER.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	615
Entropy (8bit):	5.2470806297684955
Encrypted:	false
SSDEEP:	12:BMQbwfce9x3CvMRG6QclfdGxWHG+XHIWlvMR1vL3zJmTNRqghIm8O7og+j:Wd4viGsllGkIWlvi1vL3zEZ7hIQI
MD5:	1A4784F29D45EC163CB061B4CF1F316A
SHA1:	2F27165FFB08BA7FC74AE99541D2F0AFC38FC39B
SHA-256:	99366F4A2818BED4117DCB321BD747BCDBD4FC6DBC27F5504D57C2CF66C05F30
SHA-512:	F7147BA0843477139AA81515BC875F57FE96A2534F9B9212DAE4F6A0A028B9155ED8964ED7EE2D872F5C58A1A2153F1F33B65243CE75E15211F186B35638E6B6
Malicious:	false
Preview:	<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">.<body><html><head><title>Tux Paint "Magic" Tool: Flip</title>.<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">.</head>.<body bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#FF0000" alink="#FF00FF">.<h1 align="center">Tux Paint "Magic" Tool: Flip</h1>.<h2 align="center">By Bill Kendrick <<a href="mailto:bill@newbreedsoftware.com">bill@newbreedsoftware.com</a>></h2>.<p>Similar to "Mirror." Click and the entire image will be turned upside-down.</p>.<p>See also: <a href="mirror.html">Mirror</a></p>.</body></html>

C:\Users\user\AppData\Roaming\MySqlConsoleComponents\en\magic-docs\html\flower.html Download File
Process:	C:\Users\user\Desktop\PURCHASE ORDER.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	dropped
Size (bytes):	867
Entropy (8bit):	5.104038968424456
Encrypted:	false
SSDEEP:	24:Wd4vik5sllGkIWlvikwvL3zEoBt5DZ6+Ac2bC2dbQG:FglckIQmvcoBDol9J
MD5:	0BEF072597610938A87D8F16BD335314
SHA1:	EBFDA32F2EB737D8473DB918F817C13DB32DA5E7
SHA-256:	E66D126CAE340DB8E461339CBB94DD5720D75D1FD87088BC357EE6E59EB92FFE
SHA-512:	06F8BC1F1E5FAB368D2753010A960E37A8A0623FDD30B7B6BAB7E2F293A1B913ACADEFD7C7256092CBFB3439DFF432A2DC2212D81C77AC24B4CEB82ED4E56519
Malicious:	false
Preview:	<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">.<body><html><head><title>Tux Paint "Magic" Tool: Flower</title>.<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">.</head>.<body bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#FF0000" alink="#FF00FF">.<h1 align="center">Tux Paint "Magic" Tool: Flower</h1>.<h2 align="center">By Bill Kendrick <<a href="mailto:bill@newbreedsoftware.com">bill@newbreedsoftware.com</a>></h2>.<p>This tool draws small flowers, with leafy bases and stalks. Click to set the base, then drag the mouse upwards to drawe the stalk, and finally release the mouse button to finish the flower. It will be drawn in the currently-selected color. The shape and length of the stalk depends on how you move the mouse while you drag.</p>.<p>See also: <a href="grass.html">Grass</a></p>.</body></html>

C:\Users\user\AppData\Roaming\MySqlConsoleComponents\en\magic-docs\html\foam.html Download File
Process:	C:\Users\user\Desktop\PURCHASE ORDER.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	654
Entropy (8bit):	5.212251876187117
Encrypted:	false
SSDEEP:	12:BMQbwfce9x3CvMR4H6QclfdGxWHG+XHIWlvMRHvL3zJmTdeSlub2Y5ElK8bBv+j:Wd4vi4HsllGkIWlviHvL3zEJeEv4EQ86
MD5:	20B9DDD6B7A8CC0549C1A1B91207051F
SHA1:	80DC397D0F9A65BC92B85CD9097AF5D39A7A2CB7
SHA-256:	DB042F0AFE4E071A5AFC4DC563D137C85067512BD9D75B086753BF91E76D8627
SHA-512:	8D0F1D38AD3896C4F88EBE0B0FA0D3E07448BED63206501ABA49A292CC69ADF4752A62A42ADDACC21BA4D4A24F18052F10C664E8DF20933129D5353FDAA30468
Malicious:	false
Preview:	<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">.<body><html><head><title>Tux Paint "Magic" Tool: Foam</title>.<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">.</head>.<body bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#FF0000" alink="#FF00FF">.<h1 align="center">Tux Paint "Magic" Tool: Foam</h1>.<h2 align="center">By Bill Kendrick <<a href="mailto:bill@newbreedsoftware.com">bill@newbreedsoftware.com</a>></h2>.<p>Click and drag the mouse to draw foamy bubbles. The more you drag the mouse in a particular spot, the more likely small bubbles will combine to form bigger bubbles.</p>.</body></html>

C:\Users\user\AppData\Roaming\MySqlConsoleComponents\en\magic-docs\html\fold.html Download File
Process:	C:\Users\user\Desktop\PURCHASE ORDER.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	771
Entropy (8bit):	5.258513696276541
Encrypted:	false
SSDEEP:	24:Wd4vi2sllGkIWlvilZDMcyMcmr3zE5C+CWY9ShnqQ:FIlckIQ+pMcyMc18WYUhqQ
MD5:	D04C8967FD4C8AB6B0E3DB28FF8F8A08
SHA1:	ABCFA78AEC2CD76FAA2DE02EE2EE9778DCADD844
SHA-256:	42B9567EFA77F6DBEC0632EAF28AB16520ADA7A2A4508DBD693FE731F7B88B4B
SHA-512:	ECAFC86E0873B64E58675802A310132BE3212D8796638C623EDE98E09033E40D2E677BC7BB10DFB38209006FE047E190A6EF7F4865E0524C48388B1AAFB05425
Malicious:	false
Preview:	<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">.<body><html><head><title>Tux Paint "Magic" Tool: Fold</title>.<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">.</head>.<body bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#FF0000" alink="#FF00FF">.<h1 align="center">Tux Paint "Magic" Tool: Fold</h1>.<h2 align="center">By Adam Rakowski <<a href="mailto:foo-script@o2.pl">foo-script@o2.pl</a>><br>.Bill Kendrick <<a href="mailto:bill@newbreedsoftware.com">bill@newbreedsoftware.com</a>><br>.Pere Pujal i Carabantes <<a href="mailto:pere@fornol.no-ip.org">pere@fornol.no-ip.org</a>><br>.</h2>.<p>Click a corner of your picture and drag towards the center to fold it up like a piece of paper.</p>.</body></html>

C:\Users\user\AppData\Roaming\MySqlConsoleComponents\en\magic-docs\html\glass_tile.html Download File
Process:	C:\Users\user\Desktop\PURCHASE ORDER.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	591
Entropy (8bit):	5.251010531928589
Encrypted:	false
SSDEEP:	12:BMQbwfce9x3CvMRwI6QclfdGxWHG+XHIWlvMRwbvL3zJmTdvQSE2bX9wM4v+j:Wd4vihsllGkIWlviIvL3zEJIAKv8
MD5:	6749E25ABEF58ADF1BEF83F4A1BD55C1
SHA1:	288EA2A8B7FD08883FCB3D844683F666CAFF20B7
SHA-256:	F5EF9F28EAB16630B360D80B56D955E898040D74C95F0EA624AE6233017F1037
SHA-512:	DD81EF4929E007C94B3C8BA5F8FAB6ACE77856C310916A257166AFE4655AC45E079556B3F3BB42399D36A651F471C2A22F479A77FAA8215460F3B8B0491583C8
Malicious:	false
Preview:	<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">.<body><html><head><title>Tux Paint "Magic" Tool: Glass Tile</title>.<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">.</head>.<body bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#FF0000" alink="#FF00FF">.<h1 align="center">Tux Paint "Magic" Tool: Glass Tile</h1>.<h2 align="center">By Bill Kendrick <<a href="mailto:bill@newbreedsoftware.com">bill@newbreedsoftware.com</a>></h2>.<p>Click and drag over your picture to make it look like it's being seen through glass tiles.</p>.</body></html>

C:\Users\user\AppData\Roaming\MySqlConsoleComponents\en\magic-docs\html\grass.html Download File
Process:	C:\Users\user\Desktop\PURCHASE ORDER.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	753
Entropy (8bit):	5.144163849412595
Encrypted:	false
SSDEEP:	12:BMQbwfce9x3CvMRZ6QclfdGxWHG+XHIWlvMRQYROAvlxwl1cSLQy+VwxYx8ZJWpF:Wd4viZsllGkIWlviQYRO4wlKNyqwxyx/
MD5:	2450C76793C79B33DF6AD4EBFAF22B0F
SHA1:	F90876947AB8D1A73B6D044017A2E8FEBEDEFD08
SHA-256:	2BA111A6EFCA19CAA39509C32D476FEAFE415417A2D3EF703A286293AEDE2988
SHA-512:	0A14C3B2772681A1F21206E05A028A43CFFF44B876131EEA516E7464535488B391C4BECC204E6C7EF5E50599B73B67746D2A8A9437461859B775E24B2F62A02B
Malicious:	false
Preview:	<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">.<body><html><head><title>Tux Paint "Magic" Tool: Grass</title>.<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">.</head>.<body bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#FF0000" alink="#FF00FF">.<h1 align="center">Tux Paint "Magic" Tool: Grass</h1>.<h2 align="center">By Albert Cahalan <<a href="mailto:albert@users.sf.net">albert@users.sf.net</a>></h2>.<p>This paints grass on the image. The higher up the canvas, the smaller the grass is drawn, giving an illusion of perspective. The grass can be tinted various greenish hues by selecting different colors in the color palette.</p>.<p>See also: <a href="flower.html">Flower</a></p>.</body></html>

C:\Users\user\AppData\Roaming\MySqlConsoleComponents\en\magic-docs\html\hexagon_mosaic.html Download File
Process:	C:\Users\user\Desktop\PURCHASE ORDER.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	724
Entropy (8bit):	5.217854766970896
Encrypted:	false
SSDEEP:	12:BMQbwfce9x3CvMRc9K56QclfdGxWHG+XHIWlvMRc9KwwC29/qjqedC7bjLdzalv6:Wd4vib5sllGkIWlvibwwC+CWwKbjpme/
MD5:	37A143710602E7CEB1BFCC2246217F4C
SHA1:	B2ACEF7756ECF7A1E6C306F10AC266D03BCAC006
SHA-256:	81D3A5465CCD5DE912EA102575CCA5B109649F8AC1F89D44B416050F0B06AE0A
SHA-512:	39A605230F5F8E976979919C0934A260C0257D07895EA5762C4B85F0571A0A305885204B9751CD807C460791D65CB14D0C2A4EFA273BB222D382D1D7D9967768
Malicious:	false
Preview:	<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">.<body><html><head><title>Tux Paint "Magic" Tool: Hexagon Mosaic</title>.<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">.</head>.<body bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#FF0000" alink="#FF00FF">.<h1 align="center">Tux Paint "Magic" Tool: Hexagon Mosaic</h1>.<h2 align="center">By Pere Pujal i Carabantes <<a href="mailto:pere@fornol.no-ip.org">pere@fornol.no-ip.org</a>></h2>.<p>Converts parts of your picture into a mosaic of hexagon cells.</p>.<p>See also: <a href="irregular_mosaic.html">Irregular Mosaic</a> <a href="square_mosaic.html">Square Mosaic</a> <a href="mosaic.html">Mosaic</a> </p>.</body></html>

C:\Users\user\AppData\Roaming\MySqlConsoleComponents\en\magic-docs\html\index.html Download File
Process:	C:\Users\user\Desktop\PURCHASE ORDER.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	3417
Entropy (8bit):	4.816436300445072
Encrypted:	false
SSDEEP:	48:FClckIQQZ+clicOOK6u+sSllK9A2G5w66eSWd2R4XCK6qehCRYC4COCYbafKjfaA:FKPIQ0ltzSJ/1zQSfjXnZbX2OrL
MD5:	0A1C7BF255AC8C6A500144AE5C987438
SHA1:	AB3F75E07385544C2F2676C1B707696B740A1195
SHA-256:	9353CB37FC685371C1B8FA5AB793BC78CAA985C01A43A7F7172EDB8352F66249
SHA-512:	BCBB622A0C079F8CCC4C5E1FBE680173B349C5C3B6499C156EA3026237C234D1F7EFD1308836526BA9B3BC20738BC515160FB488228DB994192D4EC5E5D030FF
Malicious:	false
Preview:	<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">.<body><html><head><title>Tux Paint "Magic" Tool: List of Magic Tools</title>.<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">.</head>.<body bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#FF0000" alink="#FF00FF">.<h1 align="center">Tux Paint "Magic" Tool: List of Magic Tools</h1>.<li><a href="blinds.html">Blinds</a></li>.<li><a href="blocks.html">Blocks</a></li>.<li><a href="blur.html">Blur</a></li>.<li><a href="bricks.html">Bricks</a></li>.<li><a href="calligraphy.html">Calligraphy</a></li>.<li><a href="cartoon.html">Cartoon</a></li>.<li><a href="chalk.html">Chalk</a></li>.<li><a href="color_and_white.html">Color and White</a></li>.<li><a href="color_shift.html">Color Shift</a></li>.<li><a href="confetti.html">Confetti</a></li>.<li><a href="darken.html">Darken</a></li>.<li><a href="distortion.html">Distortion</a></li>.<li><a href="drip.html">Drip</a></li>.<li><a href="edges.html">Edges</a></l

C:\Users\user\AppData\Roaming\MySqlConsoleComponents\en\magic-docs\html\irregular_mosaic.html Download File
Process:	C:\Users\user\Desktop\PURCHASE ORDER.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	735
Entropy (8bit):	5.2198309271238434
Encrypted:	false
SSDEEP:	12:BMQbwfce9x3CvMRcl56QclfdGxWHG+XHIWlvMRclwwC29/qjqedC7bjLd2Hc73Pr:Wd4viQ5sllGkIWlviQwwC+CWwKbjF73D
MD5:	2DCCE01231F875B23048FBB9A9258D68
SHA1:	0E848A5911A1F1C828381E8B6C99A63BA86AC17E
SHA-256:	664FB492AB90B073BDD91A08F547BA1E356D1EB8112B87AB120B72EB3D735CAC
SHA-512:	074C4A2A88C69418DB1436E4BEE3FF0D78A41FFAF0799DB2379D98A3F849AEB3017D0EC39176AEE74125753A045A15347930C1EDF51E6C54FC530F5962FB4B4F
Malicious:	false
Preview:	<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">.<body><html><head><title>Tux Paint "Magic" Tool: Irregular Mosaic</title>.<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">.</head>.<body bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#FF0000" alink="#FF00FF">.<h1 align="center">Tux Paint "Magic" Tool: Irregular Mosaic</h1>.<h2 align="center">By Pere Pujal i Carabantes <<a href="mailto:pere@fornol.no-ip.org">pere@fornol.no-ip.org</a>></h2>.<p>Converts parts of your picture into a mosaic of irregularly-shaped cells.</p>.<p>See also: <a href="hexagon_mosaic.html">Hexagon Mosaic</a> <a href="square_mosaic.html">Square Mosaic</a> <a href="mosaic.html">Mosaic</a> </p>.</body></html>

C:\Users\user\AppData\Roaming\MySqlConsoleComponents\en\magic-docs\html\kaleidoscope.html Download File
Process:	C:\Users\user\Desktop\PURCHASE ORDER.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	710
Entropy (8bit):	5.218730862449994
Encrypted:	false
SSDEEP:	12:BMQbwfce9x3CvMR86QclfdGxWHG+XHIWlvMRWAvL3zJmTMlJnFhCsqg012s+j:Wd4vi8sllGkIWlviWAvL3zEolV7CZgkE
MD5:	35829418A4ADDB550B250D018FACBF13
SHA1:	EED880B2F5B97BE468FD8D8CE0F893AD99DA0DEE
SHA-256:	E8BA6AF84A408A3D58B8EC3487BC615C6ACB495D31EF8753F8172251F0C315FB
SHA-512:	D70B18A4445DD7C7DD4851078BB35D447F4851F9C86E8A684B119E9109276597359A85B29A90055C9BC88E7814AA50EF69ADDB29DD8364A25E40DFD20AD05517
Malicious:	false
Preview:	<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">.<body><html><head><title>Tux Paint "Magic" Tool: Kaleidoscope</title>.<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">.</head>.<body bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#FF0000" alink="#FF00FF">.<h1 align="center">Tux Paint "Magic" Tool: Kaleidoscope</h1>.<h2 align="center">By Bill Kendrick <<a href="mailto:bill@newbreedsoftware.com">bill@newbreedsoftware.com</a>></h2>.<p>This paint brush draws in four places at the same time, mirroring symmetrically, both horizontally and vertically. It uses the currently selected color.</p>.<p>See also: <a href="picasso.html">Picasso</a></p>.</body></html>

C:\Users\user\AppData\Roaming\MySqlConsoleComponents\en\magic-docs\html\light.html Download File
Process:	C:\Users\user\Desktop\PURCHASE ORDER.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	625
Entropy (8bit):	5.2158766334196995
Encrypted:	false
SSDEEP:	12:BMQbwfce9x3CvMR76QclfdGxWHG+XHIWlvMROvL3zJmTmHVctFRdK/v+j:Wd4vi7sllGkIWlviOvL3zEaYI/v8
MD5:	7AE4D6842BE02AC78CC74EBE2D2FB075
SHA1:	53E45134D20951A081258D5828D49E7268DC519C
SHA-256:	987370733B5F2815A31553BC08065A70FCEF34BC8E6F6AB9759B63C2497D18BD
SHA-512:	42D251C813E48B652C6630B1A9CBA21297C7DC58B73D3C70A8265C20F5FE0009F8A923381C713F9C9250F479E6B5C87256A0BBE8598697AE139C5588A4EAC85C
Malicious:	false
Preview:	<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">.<body><html><head><title>Tux Paint "Magic" Tool: Light</title>.<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">.</head>.<body bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#FF0000" alink="#FF00FF">.<h1 align="center">Tux Paint "Magic" Tool: Light</h1>.<h2 align="center">By Bill Kendrick <<a href="mailto:bill@newbreedsoftware.com">bill@newbreedsoftware.com</a>></h2>.<p>This draws a glowing beam on the canvas, in the currently-selected color. The more you use it on one spot, the more white it becomes.</p>.</body></html>

C:\Users\user\AppData\Roaming\MySqlConsoleComponents\en\magic-docs\html\lighten.html Download File
Process:	C:\Users\user\Desktop\PURCHASE ORDER.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	700
Entropy (8bit):	5.216609945353273
Encrypted:	false
SSDEEP:	12:BMQbwfce9x3CvMR86QclfdGxWHG+XHIWlvMRXvL3zJmTDkQTn2J/99DZev4A7LD7:Wd4vi8sllGkIWlviXvL3zE0XJl9DMb7
MD5:	A8F7186E354A20F24204F15C65D38348
SHA1:	2E009FB0F7BF9934FBCDC395F6A9752F1F4D4D12
SHA-256:	8A1A36231879CFF5A8016C89DB77B643A2B9EC6AAA5F2FCCDB62ED0810DBC09D
SHA-512:	0A17FBF24981735DD4CBBAC4BE8062B245D59D8077C1E87FC7AB4B42408B9463B5784373AB48E3C2ACF8B76D7E3F98785916A1740E0A55848587E9EEC6563844
Malicious:	false
Preview:	<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">.<body><html><head><title>Tux Paint "Magic" Tool: Lighten</title>.<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">.</head>.<body bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#FF0000" alink="#FF00FF">.<h1 align="center">Tux Paint "Magic" Tool: Lighten</h1>.<h2 align="center">By Bill Kendrick <<a href="mailto:bill@newbreedsoftware.com">bill@newbreedsoftware.com</a>></h2>.<p>This fades the colors wherever you drag the mouse. (Do it to the same spot many times, and it will eventually become white.)</p>.<p>See also: <a href="darken.html">Darken</a> <a href="tint.html">Tint</a> </p>.</body></html>

C:\Users\user\AppData\Roaming\MySqlConsoleComponents\en\magic-docs\html\metal_paint.html Download File
Process:	C:\Users\user\Desktop\PURCHASE ORDER.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	562
Entropy (8bit):	5.245848977191155
Encrypted:	false
SSDEEP:	12:BMQbwfce9x3CvMRo96QclfdGxWHG+XHIWlvMRo8vL3zJmTdVL5oJ+j:Wd4viAsllGkIWlvijvL3zEJdF
MD5:	91AA76DC43D2568EA5D32A2DF10BD40C
SHA1:	6EB8B68F7A06D14F9E476F395344FD8DE3B128CC
SHA-256:	60C84C68AC73A6C287D5BAA47059D6C71781FDC0D455F4D8AFEF087D15A4A404
SHA-512:	F1DD7DB170983137F07D4FDF43C2CA077C44F01D0C2A3837DA8776843F3BDCDFC00B41773133B83A16B6C19A9F6DFF639C67A359BE35FE13B93D7983838CDB0C
Malicious:	false
Preview:	<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">.<body><html><head><title>Tux Paint "Magic" Tool: Metal Paint</title>.<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">.</head>.<body bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#FF0000" alink="#FF00FF">.<h1 align="center">Tux Paint "Magic" Tool: Metal Paint</h1>.<h2 align="center">By Bill Kendrick <<a href="mailto:bill@newbreedsoftware.com">bill@newbreedsoftware.com</a>></h2>.<p>Click and drag to draw shiny metal using the current color.</p>.</body></html>

C:\Users\user\AppData\Roaming\MySqlConsoleComponents\en\magic-docs\html\mirror.html Download File
Process:	C:\Users\user\Desktop\PURCHASE ORDER.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	687
Entropy (8bit):	5.201512555298595
Encrypted:	false
SSDEEP:	12:BMQbwfce9x3CvMRA56QclfdGxWHG+XHIWlvMRAwvL3zJmTJAYVXoOcmhLRevUH+j:Wd4viWsllGkIWlviFvL3zEOYVXbhle9
MD5:	788689252DD10C7E1B141275D0706059
SHA1:	BE94AC821DC30702AC1D0A02DC376B3BDF367993
SHA-256:	5B3450942BFD89A971958141F80A82828FEF680964CA8915C97E74713A72B450
SHA-512:	9C63B858227FCACDE935AB6E6F2EB44A4A0417F5A5479C81CFC4569129E441134F49D81F9746CF463DE571F106A035C9B0DBAAF9F5BE58B8905BB9DC55720996
Malicious:	false
Preview:	<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">.<body><html><head><title>Tux Paint "Magic" Tool: Mirror</title>.<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">.</head>.<body bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#FF0000" alink="#FF00FF">.<h1 align="center">Tux Paint "Magic" Tool: Mirror</h1>.<h2 align="center">By Bill Kendrick <<a href="mailto:bill@newbreedsoftware.com">bill@newbreedsoftware.com</a>></h2>.<p>When you click the mouse in your picture with the "Mirror" magic effect selected, the entire image will be reversed, turning it into a mirror image.</p>.<p>See also: <a href="flip.html">Flip</a></p>.</body></html>

C:\Users\user\AppData\Roaming\MySqlConsoleComponents\en\magic-docs\html\mosaic.html Download File
Process:	C:\Users\user\Desktop\PURCHASE ORDER.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	791
Entropy (8bit):	5.275324025326369
Encrypted:	false
SSDEEP:	24:Wd4vi5V5sllGkIWlvi5VwZDMcyMcLC+CWVfKPPQIet:F6VqlckIQ6VwpMcyMcuWZKPYIet
MD5:	3C5B1828CD09AF8D4494D63A12A53F0B
SHA1:	35346E3D1CD4B988EE0A986FF548951E4552BB26
SHA-256:	71C32F7940D620DC5F1F2FFD7FEB6D30CAE4D6931B91F6FEEEBABBEEE35727BB
SHA-512:	F4937C4AC1789CAAF7EC50F59C17121BFA82082E4C071F330ED3293E39350ADDA3F22A7093CF2002B1282EB85183B52E136ED786D9463E0B13D717DFB3594919
Malicious:	false
Preview:	<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">.<body><html><head><title>Tux Paint "Magic" Tool: Mosaic</title>.<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">.</head>.<body bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#FF0000" alink="#FF00FF">.<h1 align="center">Tux Paint "Magic" Tool: Mosaic</h1>.<h2 align="center">By Adam Rakowski <<a href="mailto:foo-script@o2.pl">foo-script@o2.pl</a>><br>.Pere Pujal i Carabantes <<a href="mailto:pere@fornol.no-ip.org">pere@fornol.no-ip.org</a>><br>.</h2>.<p>Adds a glass mosaic effect to your picture.</p>.<p>See also: <a href="hexagon_mosaic.html">Hexagon Mosaic</a> <a href="irregular_mosaic.html">Irregular Mosaic</a> <a href="square_mosaic.html">Square Mosaic</a> </p>.</body></html>

C:\Users\user\AppData\Roaming\MySqlConsoleComponents\en\magic-docs\html\negative.html Download File
Process:	C:\Users\user\Desktop\PURCHASE ORDER.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	595
Entropy (8bit):	5.288192614719073
Encrypted:	false
SSDEEP:	12:BMQbwfce9x3CvMRS6QclfdGxWHG+XHIWlvMRpvL3zJmTUKkQTn2W1dIphAPj:Wd4viSsllGkIWlvipvL3zESXCSa
MD5:	F8DF46C89B3E90C7EBD98D150EB62F8E
SHA1:	F29AA7627E283729BE7B8BD6FE90221F9157776D
SHA-256:	7F9C0108CBDEBCEBA6E3CFFC75A5E90BDC5AAC24008008C02C6E0FD6C31B22EB
SHA-512:	A0890C1E5C02D8DBEDA2C08C2424F9648EBB61278DCF1BCEE570B8857688DFA117478615D6DD96A918F436182E5D34343952EF7123AADF8560703DEAFE37D5D0
Malicious:	false
Preview:	<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">.<body><html><head><title>Tux Paint "Magic" Tool: Negative</title>.<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">.</head>.<body bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#FF0000" alink="#FF00FF">.<h1 align="center">Tux Paint "Magic" Tool: Negative</h1>.<h2 align="center">By Bill Kendrick <<a href="mailto:bill@newbreedsoftware.com">bill@newbreedsoftware.com</a>></h2>.<p>This inverts the colors wherever you drag the mouse. (e.g., white becomes black, and vice versa.)</p>.</body></html>

C:\Users\user\AppData\Roaming\MySqlConsoleComponents\en\magic-docs\html\noise.html Download File
Process:	C:\Users\user\Desktop\PURCHASE ORDER.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	525
Entropy (8bit):	5.275693097316397
Encrypted:	false
SSDEEP:	12:BMQbwfce9x3CvMRJoQH6QclfdGxWHG+XHIWlvMRJ0jGQo7EOoYsiXKv+j:Wd4viJXsllGkIWlviJ0j5ZzLWKU
MD5:	DD23B611A10E0C9F0D1EB9B6D96B6D1A
SHA1:	03E893D3976671C061D6EBEE64DC98D88C6F2A8F
SHA-256:	E714EDA8A46149FE94EED79A0BCD7340230E312ED680650447630E67291BF7A8
SHA-512:	DF97BEA72832919029AE9BA4192B9F162C42DBC8FA7781990F5281BCEFDD5DC8D10DA8EDA1F7989B92EB4235527A01BCE92B6DEB79F3443D106D34C2C8E26595
Malicious:	false
Preview:	<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">.<body><html><head><title>Tux Paint "Magic" Tool: Noise</title>.<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">.</head>.<body bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#FF0000" alink="#FF00FF">.<h1 align="center">Tux Paint "Magic" Tool: Noise</h1>.<h2 align="center">By Andrew Corcoran <<a href="mailto:akanewbie@gmail.com">akanewbie@gmail.com</a>></h2>.<p>Add random noise and static to your picture.</p>.</body></html>

C:\Users\user\AppData\Roaming\MySqlConsoleComponents\en\magic-docs\html\pattern.html Download File
Process:	C:\Users\user\Desktop\PURCHASE ORDER.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	587
Entropy (8bit):	5.223076803683738
Encrypted:	false
SSDEEP:	12:BMQbwfce9x3CvMRd6QclfdGxWHG+XHIWlvMRcwC29/qjqe2avr19j:Wd4vidsllGkIWlvicwC+CWTaT1t
MD5:	D24CF22E0B3A2848D44E734AB4F568B8
SHA1:	EAE80DADD531A773B990378522EF1D1085A2DAAB
SHA-256:	830F39E3832D5218E0A05B93D27A365AB039C561EFFDCE417544D21072A4A571
SHA-512:	0DE921B7ECCC7FFC8AB7E555D487CCED52C52DB3D80C75CBA0713F63F2FB00C2E99B8714D5AD6C2334AC80341833B529DD63EF4C180C1E087E334C2171014F9C
Malicious:	false
Preview:	<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">.<body><html><head><title>Tux Paint "Magic" Tool: Pattern</title>.<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">.</head>.<body bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#FF0000" alink="#FF00FF">.<h1 align="center">Tux Paint "Magic" Tool: Pattern</h1>.<h2 align="center">By Pere Pujal i Carabantes <<a href="mailto:pere@fornol.no-ip.org">pere@fornol.no-ip.org</a>></h2>.<p>Draws a tiled pattern around the picture.</p>.<p>See also: <a href="tiles.html">Tiles</a> </p>.</body></html>

C:\Users\user\AppData\Roaming\MySqlConsoleComponents\en\magic-docs\html\perspective.html Download File
Process:	C:\Users\user\Desktop\PURCHASE ORDER.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	579
Entropy (8bit):	5.234902061726886
Encrypted:	false
SSDEEP:	12:BMQbwfce9x3CvMRaI56QclfdGxWHG+XHIWlvMRaIwwC29/qjqedj3M7Kv+j:Wd4viausllGkIWlviaNwC+CWwI7KU
MD5:	8EFEE31C47250AC5F56A145F44849226
SHA1:	FDD1147D1FDD4042798876D69FE407A7AD6B9BBD
SHA-256:	72DDFAEC0019C830798F1E9EF8A17AE23D99C9D977E62975343D41EB5F607C03
SHA-512:	F382216FE246EB2706707A7F3B3AD0B7AB7F0A66E78FA66497F9ABE0476B0B7991B0961C79665F5D95C9D0D065B1071E7C535360DD0F9FBB54D5AF4CA423D12F
Malicious:	false
Preview:	<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">.<body><html><head><title>Tux Paint "Magic" Tool: Perspective</title>.<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">.</head>.<body bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#FF0000" alink="#FF00FF">.<h1 align="center">Tux Paint "Magic" Tool: Perspective</h1>.<h2 align="center">By Pere Pujal i Carabantes <<a href="mailto:pere@fornol.no-ip.org">pere@fornol.no-ip.org</a>></h2>.<p>Click and drag from the corners to change the perspective of your picture.</p>.</body></html>

C:\Users\user\AppData\Roaming\MySqlConsoleComponents\en\magic-docs\html\picasso.html Download File
Process:	C:\Users\user\Desktop\PURCHASE ORDER.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	585
Entropy (8bit):	5.282166683589629
Encrypted:	false
SSDEEP:	12:BMQbwfce9x3CvMRF6QclfdGxWHG+XHIWlvMRUZDMcyFMchojPDC57h5E+j:Wd4viFsllGkIWlviUZDMcyMcQDeh9
MD5:	A1770C91B5E1327A035790B29BD6BD69
SHA1:	323D2C2784CAED3B1B5BB22417D3C29798EC11CA
SHA-256:	D6E6865DEF34DE7D9B40D0A5635ECE4CB08658F7733D22A6514D29CFE6FC96BF
SHA-512:	7902B31371E56BB36E955660CEAE68EB958E231600252E3755E98B901E923660EFC663F2AA688B930CCEC87F88644A875E01CDA23B38682691F45E1863AA8E57
Malicious:	false
Preview:	<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">.<body><html><head><title>Tux Paint "Magic" Tool: Picasso</title>.<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">.</head>.<body bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#FF0000" alink="#FF00FF">.<h1 align="center">Tux Paint "Magic" Tool: Picasso</h1>.<h2 align="center">By Adam Rakowski <<a href="mailto:foo-script@o2.pl">foo-script@o2.pl</a>></h2>.<p>Draw three swirling brushes at once, in a Picasso style.</p>.<p>See also: <a href="rosette.html">Rosette</a></p>.</body></html>

C:\Users\user\AppData\Roaming\MySqlConsoleComponents\en\magic-docs\html\puzzle.html Download File
Process:	C:\Users\user\Desktop\PURCHASE ORDER.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	532
Entropy (8bit):	5.33918991491807
Encrypted:	false
SSDEEP:	12:BMQbwfce9x3CvMRCA6QclfdGxWHG+XHIWlvMRCjZDMcyFMchZCw7+E6YL+j:Wd4viCAsllGkIWlviCjZDMcyMcrz+Z
MD5:	FB7EC1592068DD29086048AEE6E25F32
SHA1:	AAE1FCC5CB9CD6319F1B2D033235445E98F73422
SHA-256:	F348DCDC349EC9BEB2AB5DE7BDC19107E387987BE180070E1842C7A4E1EACB34
SHA-512:	7F1AA076B10FB117BF38FF99458654D3FCC7BB18F9F477072D060DA9CBD33D26642383759513E503439F7FB9CA715E2D9D15F8F5BC6BD7C3D40A9EA4F2814917
Malicious:	false
Preview:	<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">.<body><html><head><title>Tux Paint "Magic" Tool: Puzzle</title>.<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">.</head>.<body bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#FF0000" alink="#FF00FF">.<h1 align="center">Tux Paint "Magic" Tool: Puzzle</h1>.<h2 align="center">By Adam Rakowski <<a href="mailto:foo-script@o2.pl">foo-script@o2.pl</a>></h2>.<p>Slide parts of your picture around like a sliding puzzle.</p>.</body></html>

C:\Users\user\AppData\Roaming\MySqlConsoleComponents\en\magic-docs\html\rails.html Download File
Process:	C:\Users\user\Desktop\PURCHASE ORDER.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	733
Entropy (8bit):	5.2956954825287115
Encrypted:	false
SSDEEP:	12:BMQbwfce9x3CvMR26QclfdGxWHG+XHIWlvMRlZDMcyFMch5C29/qjqeYr3zJmTgJ:Wd4vi2sllGkIWlvilZDMcyMcLC+CWTr7
MD5:	1D393B6ACF5FB49401D10722D7EC184B
SHA1:	5298B873827B8E7E88E65AF667B73409DEB3A2CA
SHA-256:	311BFF34C2544CE768AB0FD9E49EEBCF52B8A208FB0EBA92A414CB870B7F20D7
SHA-512:	1CF999A873E54BE6244B8DC7241655F6CD321D6B854A45A324FCED6A98FF783E7C6D6A1074652809812524546DDDD5C50B302BFDB79E3FABDB8667F82DC4C3D3
Malicious:	false
Preview:	<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">.<body><html><head><title>Tux Paint "Magic" Tool: Rails</title>.<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">.</head>.<body bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#FF0000" alink="#FF00FF">.<h1 align="center">Tux Paint "Magic" Tool: Rails</h1>.<h2 align="center">By Adam Rakowski <<a href="mailto:foo-script@o2.pl">foo-script@o2.pl</a>><br>.Pere Pujal i Carabantes <<a href="mailto:pere@fornol.no-ip.org">pere@fornol.no-ip.org</a>><br>.Bill Kendrick <<a href="mailto:bill@newbreedsoftware.com">bill@newbreedsoftware.com</a>><br>.</h2>.<p>Draw connecting locomotive train rails on your picture.</p>.</body></html>

C:\Users\user\AppData\Roaming\MySqlConsoleComponents\en\magic-docs\html\rain.html Download File
Process:	C:\Users\user\Desktop\PURCHASE ORDER.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	609
Entropy (8bit):	5.286493715891186
Encrypted:	false
SSDEEP:	12:BMQbwfce9x3CvMRf6QclfdGxWHG+XHIWlvMRqGQo7EOQr0sXKv/IhROj:Wd4vifsllGkIWlviq5ZP0sXKnc+
MD5:	239B3F211E25B475698EF8A171CC5D3A
SHA1:	C6B01AA86E93D48BE8BC2928E8D8762AC257E050
SHA-256:	4484A726AF02045034F7F55F1C1E285AD3C198F29CCFB7794E81119C103C2938
SHA-512:	A43F52893C85CC5CE4642D1341FB98B39E316FFF752A33C6ADF70CE8517AEE0100ABD69513446188E888386D401E122591B637C482CCE799FD7C1C1A629BB599
Malicious:	false
Preview:	<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">.<body><html><head><title>Tux Paint "Magic" Tool: Rain</title>.<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">.</head>.<body bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#FF0000" alink="#FF00FF">.<h1 align="center">Tux Paint "Magic" Tool: Rain</h1>.<h2 align="center">By Andrew Corcoran <<a href="mailto:akanewbie@gmail.com">akanewbie@gmail.com</a>></h2>.<p>Paint raindrops on your picture.</p>.<p>See also: <a href="snow_ball.html">Snow Ball</a> <a href="snow_flake.html">Snow Flake</a> </p>.</body></html>

C:\Users\user\AppData\Roaming\MySqlConsoleComponents\en\magic-docs\html\rainbow.html Download File
Process:	C:\Users\user\Desktop\PURCHASE ORDER.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	611
Entropy (8bit):	5.2596328225482205
Encrypted:	false
SSDEEP:	12:BMQbwfce9x3CvMRPp6QclfdGxWHG+XHIWlvMRPgvL3zJmTNGkDvFCieL+j:Wd4viRsllGkIWlvi4vL3zEVvwL8
MD5:	C92D3FA175AD22C9B24D6A2994C2E9B6
SHA1:	BCD732F12FD8C526EF5649E721D695CDF65C5367
SHA-256:	BBA7012ED043B08A67B1E5CCD1DDD9B41513AF6CAF9654A5A6E725D91008B369
SHA-512:	D575C669988F2AA24B531EB5E892A02E1878AD49C8D7E09FC14FC7ABAEDD88A70B5D70E873A6E0AA994CFABAFF5CFDC07CFE9C96021731BFA597C3A2E0F6E8B6
Malicious:	false
Preview:	<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">.<body><html><head><title>Tux Paint "Magic" Tool: Rainbow</title>.<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">.</head>.<body bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#FF0000" alink="#FF00FF">.<h1 align="center">Tux Paint "Magic" Tool: Rainbow</h1>.<h2 align="center">By Bill Kendrick <<a href="mailto:bill@newbreedsoftware.com">bill@newbreedsoftware.com</a>></h2>.<p>This is similar to the paint brush, but as you move the mouse around, it cycles through a spectrum of bright colors.</p>.</body></html>

C:\Users\user\AppData\Roaming\MySqlConsoleComponents\en\magic-docs\html\real_rainbow.html Download File
Process:	C:\Users\user\Desktop\PURCHASE ORDER.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	559
Entropy (8bit):	5.259445738622684
Encrypted:	false
SSDEEP:	12:BMQbwfce9x3CvMRNJ6QclfdGxWHG+XHIWlvMRNAvL3zJmTjI1XBj:Wd4viHsllGkIWlviCvL3zE+XR
MD5:	7CD5AC61711E0211BEA6DD428D49CD51
SHA1:	2D86BD34699A21B5A1475B1AF0C0AA24B28E31F9
SHA-256:	9B8F80BD407CDA67F251116F2F3DCC99AB70AFEAD50C519AC18B10334BD9086D
SHA-512:	84E26EBB257B00117D0DBBE6A112D68661FDE5069EC3AF81F1BFD1049EED1EF55B414F868E0A5C9D067ECB0A77E4AE22379606CDA25EB0598EA5B49C5AB23541
Malicious:	false
Preview:	<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">.<body><html><head><title>Tux Paint "Magic" Tool: Real Rainbow</title>.<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">.</head>.<body bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#FF0000" alink="#FF00FF">.<h1 align="center">Tux Paint "Magic" Tool: Real Rainbow</h1>.<h2 align="center">By Bill Kendrick <<a href="mailto:bill@newbreedsoftware.com">bill@newbreedsoftware.com</a>></h2>.<p>Draw a transparent arc that looks like a real rainbow.</p>.</body></html>

C:\Users\user\AppData\Roaming\MySqlConsoleComponents\en\magic-docs\html\ripples.html Download File
Process:	C:\Users\user\Desktop\PURCHASE ORDER.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	565
Entropy (8bit):	5.269753561771794
Encrypted:	false
SSDEEP:	12:BMQbwfce9x3CvMRQ6QclfdGxWHG+XHIWlvMRzvL3zJmTdAVXSIz6etj:Wd4viQsllGkIWlvizvL3zEJAVXV6A
MD5:	33AA50548EA70C092BFA0173C070E64C
SHA1:	734E11C825338D256EAAEAF2D72EC3500A663B7C
SHA-256:	D4A8B765CB6FEFED6BA54D371CF518CDCDD62551322A4E2F12BC700592A1E3DE
SHA-512:	0D44CFF0CB65789F5F7BFAC32EF0B31489A3C6D88BFBE7C2156E60341F480530D0444468C257DE532AA3CA8712F3D6C10AC1B1AD99ABC4D2FAD8C24EB6E76497
Malicious:	false
Preview:	<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">.<body><html><head><title>Tux Paint "Magic" Tool: Ripples</title>.<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">.</head>.<body bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#FF0000" alink="#FF00FF">.<h1 align="center">Tux Paint "Magic" Tool: Ripples</h1>.<h2 align="center">By Bill Kendrick <<a href="mailto:bill@newbreedsoftware.com">bill@newbreedsoftware.com</a>></h2>.<p>Click in your picture to make water ripple distortions appear over it.</p>.</body></html>

C:\Users\user\AppData\Roaming\MySqlConsoleComponents\en\magic-docs\html\rosette.html Download File
Process:	C:\Users\user\Desktop\PURCHASE ORDER.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	622
Entropy (8bit):	5.258089237703929
Encrypted:	false
SSDEEP:	12:BMQbwfce9x3CvMRcAX6QclfdGxWHG+XHIWlvMRcASZDMcyFMchoBIK3jyQJj:Wd4vicAXsllGkIWlvicASZDMcyMcfsZZ
MD5:	0B164BC6005BAB603AD86BF7714BB7CE
SHA1:	ABAA941D75235AE95F19A42EF83D945B185D73C2
SHA-256:	B08878AE78A0B67719C5F00AF3A80E3CA813D0A07280D41A8F9CED375DE95E32
SHA-512:	45066E468C360BED0855B0056B6FA7ED0D1D2162EBDEC0E9D0B87E14073EE85BEDABB76B3A4B449CED661CF607EA239E09B51C99013A8CFD0CE5F2A312929A7E
Malicious:	false
Preview:	<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">.<body><html><head><title>Tux Paint "Magic" Tool: Rosette</title>.<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">.</head>.<body bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#FF0000" alink="#FF00FF">.<h1 align="center">Tux Paint "Magic" Tool: Rosette</h1>.<h2 align="center">By Adam Rakowski <<a href="mailto:foo-script@o2.pl">foo-script@o2.pl</a>></h2>.<p>Draw three brushes at once, in a rosette shape.</p>.<p>See also: <a href="kaleidoscope.html">Kaleidoscope</a> <a href="picasso.html">Picasso</a> </p>.</body></html>

C:\Users\user\AppData\Roaming\MySqlConsoleComponents\en\magic-docs\html\roygbiv_rainbow.html Download File
Process:	C:\Users\user\Desktop\PURCHASE ORDER.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	585
Entropy (8bit):	5.35909155214953
Encrypted:	false
SSDEEP:	12:BMQbwfce9x3CvMRD96QclfdGxWHG+XHIWlvMRD8vL3zJmTTEAEPj:Wd4vi5sllGkIWlviwvL3zEKL
MD5:	2F77BC005616A3767516528D26FA097B
SHA1:	F6CF109A5C21764293B531ED7648241AD01B16FA
SHA-256:	8F839F04DF274492048552575F1005D15ADF92D9D696EB17A6B8A97D16C1AC63
SHA-512:	C3F7EBCBB8DAE5575FF0A41F0F4B314741EC983A4CA97A5C9D4864E41F51A02440E5A6EE4693DAFF76523155FB28DDA5DC1EC6A696F73CC69B217E52363CD5F3
Malicious:	false
Preview:	<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">.<body><html><head><title>Tux Paint "Magic" Tool: ROYGBIV Rainbow</title>.<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">.</head>.<body bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#FF0000" alink="#FF00FF">.<h1 align="center">Tux Paint "Magic" Tool: ROYGBIV Rainbow</h1>.<h2 align="center">By Bill Kendrick <<a href="mailto:bill@newbreedsoftware.com">bill@newbreedsoftware.com</a>></h2>.<p>Draw a rainbow arc of red, orange, yellow, green, blue, indigo and violet.</p>.</body></html>

C:\Users\user\AppData\Roaming\MySqlConsoleComponents\en\magic-docs\html\sharpen.html Download File
Process:	C:\Users\user\Desktop\PURCHASE ORDER.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	564
Entropy (8bit):	5.285857469407185
Encrypted:	false
SSDEEP:	12:BMQbwfce9x3CvMRAt56QclfdGxWHG+XHIWlvMRAtwGQo7EOzjcG7vmF+j:Wd4viAt5sllGkIWlviAtw5ZqP7uC
MD5:	DDCACFFDC761A337CD89F1174891FF96
SHA1:	7303875BC3A8E63F661BF52231FE33FD5AFA0400
SHA-256:	3D3AF3DFCADAEE2BA18EFDD8E6C331E1FAB6E2F8BFD8F95A6DEA2B9A6E5FAD01
SHA-512:	7B21C669A314A34957EF1AECD4ABF5CED82E86DBC676F1B74526145D75CDB1CD7BAAA5BC451EE3593D1B1248666FFB1C1CF00349FD0DF0C75616621C265462E0
Malicious:	false
Preview:	<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">.<body><html><head><title>Tux Paint "Magic" Tool: Sharpen</title>.<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">.</head>.<body bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#FF0000" alink="#FF00FF">.<h1 align="center">Tux Paint "Magic" Tool: Sharpen</h1>.<h2 align="center">By Andrew Corcoran <<a href="mailto:akanewbie@gmail.com">akanewbie@gmail.com</a>></h2>.<p>Sharpen the focus of the picture.</p>.<p>See also: <a href="blur.html">Blur</a></p>.</body></html>

C:\Users\user\AppData\Roaming\MySqlConsoleComponents\en\magic-docs\html\shift.html Download File
Process:	C:\Users\user\Desktop\PURCHASE ORDER.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	605
Entropy (8bit):	5.252977742764282
Encrypted:	false
SSDEEP:	12:BMQbwfce9x3CvMRn6QclfdGxWHG+XHIWlvMRivL3zJmTOBHZpV6A+j:Wd4vinsllGkIWlviivL3zEaBEf
MD5:	8A2420A16E38F968FBD2EC858692EE8D
SHA1:	8CAFBAC53AEDC917CB1FAC82BE731B726CFB3C39
SHA-256:	5E3A2D05A85A7B43BDBEEADFDDA5906A507AD29A9870F0D8B04D057026BB8CED
SHA-512:	D99076623AB476F2F4C974C3F57F528BDF04BFD7FB477C15F1E32CA993750DE01A1B11B552830DD0CF3D80C3CCDDEF90CBA1D41271C049E6C4F4D188B6CEEF05
Malicious:	false
Preview:	<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">.<body><html><head><title>Tux Paint "Magic" Tool: Shift</title>.<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">.</head>.<body bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#FF0000" alink="#FF00FF">.<h1 align="center">Tux Paint "Magic" Tool: Shift</h1>.<h2 align="center">By Bill Kendrick <<a href="mailto:bill@newbreedsoftware.com">bill@newbreedsoftware.com</a>></h2>.<p>This shifts your picture around the canvas. Anything that gets shifts off an edge reappears on the opposite edge.</p>.</body></html>

C:\Users\user\AppData\Roaming\MySqlConsoleComponents\en\magic-docs\html\silhouette.html Download File
Process:	C:\Users\user\Desktop\PURCHASE ORDER.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	630
Entropy (8bit):	5.266491536247763
Encrypted:	false
SSDEEP:	12:BMQbwfce9x3CvMRb9dX6QclfdGxWHG+XHIWlvMRb9dSGQo7EOsVXSz8XnNYQ8j:Wd4vib9FsllGkIWlvib9U5ZzVXSz8XNW
MD5:	395CA436E0565D92A107027944E76FE3
SHA1:	326626BAEA22483B40D7D77960BECE3909E334CD
SHA-256:	08BEE548AF59088BF97E841F5C911BA37DFB612C2EA0CFE8BFE63D50A67B9E8B
SHA-512:	001E99BEAF667A3D52F6962210391734B0394C069035E0D0CF884936A6F9838FE5913EE5842F2C64B95E459D7B4290485019FF259D6EEB586C83C280DA5F2157
Malicious:	false
Preview:	<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">.<body><html><head><title>Tux Paint "Magic" Tool: Silhouette</title>.<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">.</head>.<body bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#FF0000" alink="#FF00FF">.<h1 align="center">Tux Paint "Magic" Tool: Silhouette</h1>.<h2 align="center">By Andrew Corcoran <<a href="mailto:akanewbie@gmail.com">akanewbie@gmail.com</a>></h2>.<p>Trace the edges in your picture, over a black background.</p>.<p>See also: <a href="edges.html">Edges</a> <a href="emboss.html">Emboss</a> </p>.</body></html>

C:\Users\user\AppData\Roaming\MySqlConsoleComponents\en\magic-docs\html\smudge.html Download File
Process:	C:\Users\user\Desktop\PURCHASE ORDER.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	651
Entropy (8bit):	5.243532586792734
Encrypted:	false
SSDEEP:	12:BMQbwfce9x3CvMRQH6QclfdGxWHG+XHIWlvMR/YROAvlxsiEtbXVj:Wd4vi0sllGkIWlvi/YRO4VEtJ
MD5:	79FC86A4D48DE74539F68994EF2AEC1C
SHA1:	7ADA0D09639C1589766CF841412E22619D0474DD
SHA-256:	5C8F8326701D63D34D1FDD77461DFAAAB58184FD45F8B92D070F6E15940D107E
SHA-512:	17CC046B589FD4B90B0AB1141845F84E09DF3270C5E1D6BBC35DA9DDF552DFE0F7C9FD1F69EC0FAA7169EAAA674914433BC91E45196AB5169CDA39BF67306641
Malicious:	false
Preview:	<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">.<body><html><head><title>Tux Paint "Magic" Tool: Smudge</title>.<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">.</head>.<body bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#FF0000" alink="#FF00FF">.<h1 align="center">Tux Paint "Magic" Tool: Smudge</h1>.<h2 align="center">By Albert Cahalan <<a href="mailto:albert@users.sf.net">albert@users.sf.net</a>></h2>.<p>This pushes the colors around under the mouse, like finger painting with wet paint.</p>.<p>See also: <a href="blur.html">Blur</a> <a href="wet_paint.html">Wet Paint</a> </p>.</body></html>

C:\Users\user\AppData\Roaming\MySqlConsoleComponents\en\magic-docs\html\snow_ball.html Download File
Process:	C:\Users\user\Desktop\PURCHASE ORDER.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	609
Entropy (8bit):	5.268316482745799
Encrypted:	false
SSDEEP:	12:BMQbwfce9x3CvMRF56QclfdGxWHG+XHIWlvMRFwGQo7EO57ZWj9ZhROj:Wd4vi7sllGkIWlviO5ZiEj7h+
MD5:	766E009FC80003402CE03D122F507735
SHA1:	05CDC91119F39453456E80680B4DF7B3F261D422
SHA-256:	BC988A92A845AFF5F8D0446BB73FE7705CF3A09281466F8AABC44271550073E0
SHA-512:	F54E6454F29ED9E518C199028DD4CB4C1C72B2023B2D1E609007E4729FF4D1E7610D260820073594C4040008CF771ACF29E6A2A03B6FA396973D1247123650CD
Malicious:	false
Preview:	<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">.<body><html><head><title>Tux Paint "Magic" Tool: Snow Ball</title>.<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">.</head>.<body bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#FF0000" alink="#FF00FF">.<h1 align="center">Tux Paint "Magic" Tool: Snow Ball</h1>.<h2 align="center">By Andrew Corcoran <<a href="mailto:akanewbie@gmail.com">akanewbie@gmail.com</a>></h2>.<p>Fill the picture with snowballs.</p>.<p>See also: <a href="rain.html">Rain</a> <a href="snow_flake.html">Snow Flake</a> </p>.</body></html>

C:\Users\user\AppData\Roaming\MySqlConsoleComponents\en\magic-docs\html\snow_flake.html Download File
Process:	C:\Users\user\Desktop\PURCHASE ORDER.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	610
Entropy (8bit):	5.266407613004706
Encrypted:	false
SSDEEP:	12:BMQbwfce9x3CvMR266QclfdGxWHG+XHIWlvMR2BGQo7EO52xvj9ZlI9j:Wd4viXsllGkIWlviS5ZZxvj7lQ
MD5:	939775A37C05B9F077A2F75EC23859A0
SHA1:	4A440BB33ED341C87CB9CFF8140E51F89A43F106
SHA-256:	7EE4B81BF0381256A9F23F5A24B470222F7CD776540978F92D53BDAD80375268
SHA-512:	2B6BD6CB6F26B8838749B2231F6273DF89C04379429E1BFC49B046FE94757C363D501E46D958ABAC3BA05708D57870E93535A419147EAEFE69FB8E85B9953699
Malicious:	false
Preview:	<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">.<body><html><head><title>Tux Paint "Magic" Tool: Snow Flake</title>.<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">.</head>.<body bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#FF0000" alink="#FF00FF">.<h1 align="center">Tux Paint "Magic" Tool: Snow Flake</h1>.<h2 align="center">By Andrew Corcoran <<a href="mailto:akanewbie@gmail.com">akanewbie@gmail.com</a>></h2>.<p>Fill the picture with snowflakes.</p>.<p>See also: <a href="rain.html">Rain</a> <a href="snow_ball.html">Snow Ball</a> </p>.</body></html>

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.950377728718298
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	PURCHASE ORDER.exe
File size:	3059224
MD5:	9d71011e0ef3208145dd434e229ab0e2
SHA1:	ecb4b62327a724ab00bd42bf98a51db3a3977079
SHA256:	8dccc7a8d24c010a59d807148c7a6779a7f2eac86868e1cf083235d0bcce3414
SHA512:	25712960e01e32ba92c323c80dbf1abb341a65ad934920b6dff149bbf5abd4c2ccd1cb7c80653a31c8212ffd4cbab1c98205fdb2e91daa7a657ec75eea286bbf
SSDEEP:	49152:tjYDLy+crA3wPtYzdrkW64QWfMNAFKmnk9vpRGH8owSI/dycghUmLNU8B83/Thok:tjPcII6W64QuTIvpELwXdycghjLNUt/n
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG._...PG..PF.IPG._...PG..sw..PG..VA..PG.Rich.PG.........PE..L...".$_.................f...\|......H3............@

File Icon


Icon Hash:	f0f2ecece4e292c4

Static PE Info

General
Entrypoint:	0x403348
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x5F24D722 [Sat Aug 1 02:44:50 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	ced282d9b261d1462772017fe2f6972b

Entrypoint Preview

Instruction
sub esp, 00000184h
push ebx
push esi
push edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 0040A198h
mov dword ptr [esp+20h], ebx
mov byte ptr [esp+14h], 00000020h
call dword ptr [004080B8h]
call dword ptr [004080BCh]
and eax, BFFFFFFFh
cmp ax, 00000006h
mov dword ptr [0042F42Ch], eax
je 00007F2F109AC4D3h
push ebx
call 00007F2F109AF636h
cmp eax, ebx
je 00007F2F109AC4C9h
push 00000C00h
call eax
mov esi, 004082A0h
push esi
call 00007F2F109AF5B2h
push esi
call dword ptr [004080CCh]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], bl
jne 00007F2F109AC4ADh
push 0000000Bh
call 00007F2F109AF60Ah
push 00000009h
call 00007F2F109AF603h
push 00000007h
mov dword ptr [0042F424h], eax
call 00007F2F109AF5F7h
cmp eax, ebx
je 00007F2F109AC4D1h
push 0000001Eh
call eax
test eax, eax
je 00007F2F109AC4C9h
or byte ptr [0042F42Fh], 00000040h
push ebp
call dword ptr [00408038h]
push ebx
call dword ptr [00408288h]
mov dword ptr [0042F4F8h], eax
push ebx
lea eax, dword ptr [esp+38h]
push 00000160h
push eax
push ebx
push 00429850h
call dword ptr [0040816Ch]
push 0040A188h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8544	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x38000	0x2cc80	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x29c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6457	0x6600	False	0.66823682598	data	6.43498570321	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x1380	0x1400	False	0.4625	data	5.26100389731	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x25538	0x600	False	0.463541666667	data	4.133728555	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata	0x30000	0x8000	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x38000	0x2cc80	0x2ce00	False	0.289514058148	data	5.23542261106	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x38358	0x10828	dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0	English	United States
RT_ICON	0x48b80	0x94a8	data	English	United States
RT_ICON	0x52028	0x5488	data	English	United States
RT_ICON	0x574b0	0x487c	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States
RT_ICON	0x5bd30	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 254, next used block 2130706432	English	United States
RT_ICON	0x5ff58	0x25a8	data	English	United States
RT_ICON	0x62500	0x10a8	data	English	United States
RT_ICON	0x635a8	0x988	data	English	United States
RT_ICON	0x63f30	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_DIALOG	0x64398	0x100	data	English	United States
RT_DIALOG	0x64498	0x11c	data	English	United States
RT_DIALOG	0x645b8	0x60	data	English	United States
RT_GROUP_ICON	0x64618	0x84	data	English	United States
RT_VERSION	0x646a0	0x29c	data	English	United States
RT_MANIFEST	0x64940	0x340	XML 1.0 document, ASCII text, with very long lines, with no line terminators	English	United States

Imports

DLL	Import
ADVAPI32.dll	RegCreateKeyExA, RegEnumKeyA, RegQueryValueExA, RegSetValueExA, RegCloseKey, RegDeleteValueA, RegDeleteKeyA, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, SetFileSecurityA, RegOpenKeyExA, RegEnumValueA
SHELL32.dll	SHGetFileInfoA, SHFileOperationA, SHGetPathFromIDListA, ShellExecuteExA, SHGetSpecialFolderLocation, SHBrowseForFolderA
ole32.dll	IIDFromString, OleInitialize, OleUninitialize, CoCreateInstance, CoTaskMemFree
COMCTL32.dll	ImageList_Create, ImageList_Destroy, ImageList_AddMasked
USER32.dll	SetClipboardData, CharPrevA, CallWindowProcA, PeekMessageA, DispatchMessageA, MessageBoxIndirectA, GetDlgItemTextA, SetDlgItemTextA, GetSystemMetrics, CreatePopupMenu, AppendMenuA, TrackPopupMenu, FillRect, EmptyClipboard, LoadCursorA, GetMessagePos, CheckDlgButton, GetSysColor, SetCursor, GetWindowLongA, SetClassLongA, SetWindowPos, IsWindowEnabled, GetWindowRect, GetSystemMenu, EnableMenuItem, RegisterClassA, ScreenToClient, EndDialog, GetClassInfoA, SystemParametersInfoA, CreateWindowExA, ExitWindowsEx, DialogBoxParamA, CharNextA, SetTimer, DestroyWindow, CreateDialogParamA, SetForegroundWindow, SetWindowTextA, PostQuitMessage, SendMessageTimeoutA, ShowWindow, wsprintfA, GetDlgItem, FindWindowExA, IsWindow, GetDC, SetWindowLongA, LoadImageA, InvalidateRect, ReleaseDC, EnableWindow, BeginPaint, SendMessageA, DefWindowProcA, DrawTextA, GetClientRect, EndPaint, IsWindowVisible, CloseClipboard, OpenClipboard
GDI32.dll	SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectA, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
KERNEL32.dll	GetExitCodeProcess, WaitForSingleObject, GetProcAddress, GetSystemDirectoryA, WideCharToMultiByte, MoveFileExA, ReadFile, GetTempFileNameA, WriteFile, RemoveDirectoryA, CreateProcessA, CreateFileA, GetLastError, CreateThread, CreateDirectoryA, GlobalUnlock, GetDiskFreeSpaceA, GlobalLock, SetErrorMode, GetVersion, lstrcpynA, GetCommandLineA, GetTempPathA, lstrlenA, SetEnvironmentVariableA, ExitProcess, GetWindowsDirectoryA, GetCurrentProcess, GetModuleFileNameA, CopyFileA, GetTickCount, Sleep, GetFileSize, GetFileAttributesA, SetCurrentDirectoryA, SetFileAttributesA, GetFullPathNameA, GetShortPathNameA, MoveFileA, CompareFileTime, SetFileTime, SearchPathA, lstrcmpiA, lstrcmpA, CloseHandle, GlobalFree, GlobalAlloc, ExpandEnvironmentStringsA, LoadLibraryExA, FreeLibrary, lstrcpyA, lstrcatA, FindClose, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, SetFilePointer, GetModuleHandleA, FindNextFileA, FindFirstFileA, DeleteFileA, MulDiv

Version Infos

Description	Data
LegalCopyright	Tarma Software Research Pty Ltd
ProductName	MySql Console Component
FileDescription	MySql Library Assembly Console Component
FileVersion	3.1.2.5
CompanyName	Tarma Software Research Pty Ltd
Translation	0x0409 0x04e4

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
PeekMessageA	INLINE	explorer.exe
PeekMessageW	INLINE	explorer.exe
GetMessageW	INLINE	explorer.exe
GetMessageA	INLINE	explorer.exe

Processes

Process: explorer.exe, Module: user32.dll

Function Name	Hook Type	New Data
PeekMessageA	INLINE	0x48 0x8B 0xB8 0x89 0x9E 0xEE
PeekMessageW	INLINE	0x48 0x8B 0xB8 0x81 0x1E 0xEE
GetMessageW	INLINE	0x48 0x8B 0xB8 0x81 0x1E 0xEE
GetMessageA	INLINE	0x48 0x8B 0xB8 0x89 0x9E 0xEE

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: PURCHASE ORDER.exe PID: 5676 Parent PID: 5596

General

Start time:	09:34:15
Start date:	12/04/2021
Path:	C:\Users\user\Desktop\PURCHASE ORDER.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\PURCHASE ORDER.exe'
Imagebase:	0x400000
File size:	3059224 bytes
MD5 hash:	9D71011E0EF3208145DD434E229AB0E2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: MySqlAssemblyConsole.exe PID: 5444 Parent PID: 5676

General

Start time:	09:34:17
Start date:	12/04/2021
Path:	C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe
Imagebase:	0xbb0000
File size:	2223616 bytes
MD5 hash:	9C503420EE9E1F93D2B3C069B42FB899
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.431726955.00000000005D0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.431726955.00000000005D0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.431726955.00000000005D0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.431752828.0000000000600000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.431752828.0000000000600000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.431752828.0000000000600000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.432758571.00000000027EC000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.432758571.00000000027EC000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.432758571.00000000027EC000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.432137722.0000000000BB1000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.432137722.0000000000BB1000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.432137722.0000000000BB1000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low

Analysis Process: explorer.exe PID: 3472 Parent PID: 5444

General

Start time:	09:35:28
Start date:	12/04/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:
Imagebase:	0x7ff693d90000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: raserver.exe PID: 3904 Parent PID: 3472

General

Start time:	09:35:44
Start date:	12/04/2021
Path:	C:\Windows\SysWOW64\raserver.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\raserver.exe
Imagebase:	0x100000
File size:	108544 bytes
MD5 hash:	2AADF65E395BFBD0D9B71D7279C8B5EC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000017.00000002.503999453.00000000004A0000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000017.00000002.503999453.00000000004A0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000017.00000002.503999453.00000000004A0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000017.00000002.505688448.0000000002730000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000017.00000002.505688448.0000000002730000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000017.00000002.505688448.0000000002730000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate

Analysis Process: cmd.exe PID: 7072 Parent PID: 3904

General

Start time:	09:35:54
Start date:	12/04/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V
Imagebase:	0xdb0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 4612 Parent PID: 7072

General

Start time:	09:35:54
Start date:	12/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: MySqlAssemblyConsole.exe PID: 5632 Parent PID: 3472

General

Start time:	09:36:06
Start date:	12/04/2021
Path:	C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe'
Imagebase:	0xbb0000
File size:	2223616 bytes
MD5 hash:	9C503420EE9E1F93D2B3C069B42FB899
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: MySqlAssemblyConsole.exe PID: 988 Parent PID: 3472

General

Start time:	09:36:16
Start date:	12/04/2021
Path:	C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Roaming\MySqlConsoleComponents\MySqlAssemblyConsole.exe'
Imagebase:	0xbb0000
File size:	2223616 bytes
MD5 hash:	9C503420EE9E1F93D2B3C069B42FB899
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	BIOS, MBR, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report PURCHASE ORDER.com

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Spreading:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre