Analysis
-
max time kernel
639s -
max time network
640s -
platform
windows11-21h2_x64 -
resource
win11-20240802-en -
resource tags
-
submitted
23-08-2024 03:25
General
-
Target
BrowserCollector_x64.exe
-
Size
779KB
-
MD5
71b5e70a257f47dd6c9ead4f1010bd88
-
SHA1
f75c41ecbf6f34ca0048534d72f8847b37c38229
-
SHA256
9edcf4905388c25cb2782272ed5458157c6fded7d6e5ef0439102f1c74fd9925
-
SHA512
475fd6c74c835fcdc765b56bb7baa18926e6da6c497f160386429938148f9277447918a678b41c9bf1293988896530f4fcac17d1fa93f630a446263f07d9f45f
-
SSDEEP
12288:ksUHsZCB1OcBfiv3P6gIo/Bw9av4Xzo0P9MqETKTvNo4UvXCt:k3RB8Wfiv3PJImBw9ag5P9MqETWxI
Score
10/10
Malware Config
Extracted
Path
C:\Users\Admin\Downloads\WannaCrypt0r\@[email protected]
Family
wannacry
Ransom Note
Q: What's wrong with my files?
A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted.
If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!
Let's start decrypting!
Q: What do I do?
A: First, you need to pay service fees for the decryption.
Please send $300 worth of bitcoin to this bitcoin address: 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
Next, please find an application file named "@[email protected]". It is the decrypt software.
Run and follow the instructions! (You may need to disable your antivirus for a while.)
Q: How can I trust?
A: Don't worry about decryption.
We will decrypt your files surely because nobody will trust us if we cheat users.
* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window.
�
Wallets
13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
Signatures
-
InfinityLock Ransomware
Also known as InfinityCrypt. Based on the open-source HiddenTear ransomware.
-
Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs
-
UAC bypass 3 TTPs 64 IoCs
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 64 IoCs
-
Loads dropped DLL 7 IoCs
-
Modifies file permissions 1 TTPs 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 5 IoCs
-
File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 1 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 16 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 9 IoCs
-
Modifies Internet Explorer settings 1 TTPs 29 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
Modifies registry class 37 IoCs
-
Modifies registry key 1 TTPs 64 IoCs
-
NTFS ADS 3 IoCs
-
Suspicious behavior: AddClipboardFormatListener 4 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 4 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 12 IoCs
-
Suspicious use of SetWindowsHookEx 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\BrowserCollector_x64.exe"C:\Users\Admin\AppData\Local\Temp\BrowserCollector_x64.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pause2⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff37bdcc40,0x7fff37bdcc4c,0x7fff37bdcc582⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1788,i,15910491102374467725,3799692720292492923,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=1776 /prefetch:22⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1588,i,15910491102374467725,3799692720292492923,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2100 /prefetch:32⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2180,i,15910491102374467725,3799692720292492923,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2196 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3080,i,15910491102374467725,3799692720292492923,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3244 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3164,i,15910491102374467725,3799692720292492923,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3380 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4472,i,15910491102374467725,3799692720292492923,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3764 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4756,i,15910491102374467725,3799692720292492923,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4788 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4792,i,15910491102374467725,3799692720292492923,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4788 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc1⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1964 -parentBuildID 20240401114208 -prefsHandle 1876 -prefMapHandle 1880 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {22867ffe-612f-4138-8aa8-de1b645af718} 5440 "\\.\pipe\gecko-crash-server-pipe.5440" gpu3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2364 -parentBuildID 20240401114208 -prefsHandle 2356 -prefMapHandle 2344 -prefsLen 23714 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {92878e97-4393-4179-962d-a6cf449316ee} 5440 "\\.\pipe\gecko-crash-server-pipe.5440" socket3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2884 -childID 1 -isForBrowser -prefsHandle 2620 -prefMapHandle 2840 -prefsLen 23855 -prefMapSize 244658 -jsInitHandle 1216 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b233fc9c-3162-4751-954b-d775e00e0b41} 5440 "\\.\pipe\gecko-crash-server-pipe.5440" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2808 -childID 2 -isForBrowser -prefsHandle 3672 -prefMapHandle 1504 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1216 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d4b9ea9c-0df6-4d34-8424-af8c1b6625e6} 5440 "\\.\pipe\gecko-crash-server-pipe.5440" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4644 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4704 -prefMapHandle 4700 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a12c4229-77fa-495b-85e4-7a795c511b8f} 5440 "\\.\pipe\gecko-crash-server-pipe.5440" utility3⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5376 -childID 3 -isForBrowser -prefsHandle 5364 -prefMapHandle 5352 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1216 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {eb941d4a-f797-44ee-aaf2-f18a133fdd5e} 5440 "\\.\pipe\gecko-crash-server-pipe.5440" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5468 -childID 4 -isForBrowser -prefsHandle 5476 -prefMapHandle 5248 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1216 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a96ac652-a328-4549-921c-680d17aacf49} 5440 "\\.\pipe\gecko-crash-server-pipe.5440" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5644 -childID 5 -isForBrowser -prefsHandle 5652 -prefMapHandle 5656 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1216 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5cc80e58-b2f4-4425-bc23-9ce36fbe06c6} 5440 "\\.\pipe\gecko-crash-server-pipe.5440" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1720 -childID 6 -isForBrowser -prefsHandle 2916 -prefMapHandle 2616 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1216 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d7f4bffd-1d87-44f8-b754-c08fa8c1d1ab} 5440 "\\.\pipe\gecko-crash-server-pipe.5440" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2920 -childID 7 -isForBrowser -prefsHandle 6312 -prefMapHandle 2888 -prefsLen 27998 -prefMapSize 244658 -jsInitHandle 1216 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {823538e0-6c34-4717-a8c5-7a68d3b9d2e5} 5440 "\\.\pipe\gecko-crash-server-pipe.5440" tab3⤵
-
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Downloads\InfinityCrypt\[email protected]"C:\Users\Admin\Downloads\InfinityCrypt\[email protected]"1⤵
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Downloads\WannaCrypt0r\[email protected]"C:\Users\Admin\Downloads\WannaCrypt0r\[email protected]"1⤵
- Drops startup file
- Sets desktop wallpaper using registry
-
C:\Windows\SysWOW64\attrib.exeattrib +h .2⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls . /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
-
C:\Users\Admin\Downloads\WannaCrypt0r\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 277791724383971.bat2⤵
-
C:\Windows\SysWOW64\cscript.execscript.exe //nologo m.vbs3⤵
-
-
-
C:\Windows\SysWOW64\attrib.exeattrib +h +s F:\$RECYCLE2⤵
- Views/modifies file attributes
-
-
C:\Users\Admin\Downloads\WannaCrypt0r\@[email protected]
-
C:\Users\Admin\Downloads\WannaCrypt0r\TaskData\Tor\taskhsvc.exeTaskData\Tor\taskhsvc.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\SysWOW64\cmd.exe
-
C:\Users\Admin\Downloads\WannaCrypt0r\@[email protected]
-
C:\Windows\SysWOW64\cmd.execmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet4⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 2764⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 6404⤵
- Program crash
-
-
-
-
C:\Users\Admin\Downloads\WannaCrypt0r\taskse.exetaskse.exe C:\Users\Admin\Downloads\WannaCrypt0r\@[email protected]2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\Downloads\WannaCrypt0r\@[email protected]2⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "olcfvlzcexhkc292" /t REG_SZ /d "\"C:\Users\Admin\Downloads\WannaCrypt0r\tasksche.exe\"" /f2⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "olcfvlzcexhkc292" /t REG_SZ /d "\"C:\Users\Admin\Downloads\WannaCrypt0r\tasksche.exe\"" /f3⤵
- Adds Run key to start application
-
-
-
C:\Users\Admin\Downloads\WannaCrypt0r\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Downloads\WannaCrypt0r\taskse.exe
-
-
C:\Users\Admin\Downloads\WannaCrypt0r\@[email protected]
-
-
C:\Users\Admin\Downloads\WannaCrypt0r\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Downloads\WannaCrypt0r\taskse.exe
-
-
C:\Users\Admin\Downloads\WannaCrypt0r\@[email protected]
-
-
C:\Users\Admin\Downloads\WannaCrypt0r\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Downloads\WannaCrypt0r\taskse.exe
-
-
C:\Users\Admin\Downloads\WannaCrypt0r\@[email protected]
-
-
C:\Users\Admin\Downloads\WannaCrypt0r\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Downloads\WannaCrypt0r\taskse.exe
-
-
C:\Users\Admin\Downloads\WannaCrypt0r\@[email protected]
-
-
C:\Users\Admin\Downloads\WannaCrypt0r\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Downloads\WannaCrypt0r\taskse.exe
-
-
C:\Users\Admin\Downloads\WannaCrypt0r\@[email protected]
-
-
C:\Users\Admin\Downloads\WannaCrypt0r\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2388 -ip 23881⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2388 -ip 23881⤵
-
C:\Windows\system32\NOTEPAD.EXE
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Microsoft Office\root\Office16\Winword.exe"C:\Program Files\Microsoft Office\root\Office16\Winword.exe" /n "C:\Users\Admin\Downloads\WannaCrypt0r\t.wnry"2⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]"C:\Users\Admin\Downloads\PolyRansom\[email protected]"1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\PMkQgkYg\LWwkAMIQ.exe"C:\Users\Admin\PMkQgkYg\LWwkAMIQ.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
-
-
C:\ProgramData\ouMoEgoM\uwEUcAUg.exe"C:\ProgramData\ouMoEgoM\uwEUcAUg.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"2⤵
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom3⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"4⤵
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom5⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"6⤵
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom7⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"8⤵
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom9⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"10⤵
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom11⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"12⤵
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom13⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"14⤵
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom15⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"16⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV117⤵
-
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom17⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"18⤵
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom19⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"20⤵
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom21⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"22⤵
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom23⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"24⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV125⤵
-
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom25⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"26⤵
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom27⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"28⤵
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom29⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"30⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom31⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"32⤵
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom33⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"34⤵
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom35⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"36⤵
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom37⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"38⤵
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom39⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"40⤵
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom41⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"42⤵
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom43⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"44⤵
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom45⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"46⤵
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom47⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"48⤵
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom49⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"50⤵
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom51⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"52⤵
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom53⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"54⤵
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom55⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"56⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV157⤵
-
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom57⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"58⤵
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom59⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"60⤵
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom61⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"62⤵
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom63⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"64⤵
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom65⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"66⤵
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom67⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"68⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV169⤵
-
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom69⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"70⤵
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom71⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"72⤵
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom73⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"74⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom75⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"76⤵
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom77⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"78⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom79⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"80⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom81⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"82⤵
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom83⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"84⤵
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom85⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"86⤵
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom87⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"88⤵
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom89⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"90⤵
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom91⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"92⤵
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom93⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"94⤵
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom95⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"96⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom97⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"98⤵
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom99⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"100⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1101⤵
-
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom101⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"102⤵
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom103⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"104⤵
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom105⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"106⤵
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom107⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"108⤵
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom109⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"110⤵
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom111⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"112⤵
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom113⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"114⤵
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom115⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"116⤵
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom117⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"118⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1119⤵
-
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom119⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"120⤵
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom121⤵
- System Location Discovery: System Language Discovery
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-