General Info

File name

Promotion list.exe

Full analysis
https://app.any.run/tasks/aa15a2ef-c28a-459e-af77-c851335aee11
Verdict
Malicious activity
Analysis date
6/12/2019, 07:09:06
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

autoit

trojan

nanocore

rat

Indicators:

MIME:
application/x-dosexec
File info:
PE32 executable (GUI) Intel 80386, for MS Windows, RAR self-extracting archive
MD5

292d96ae0ecf7bb5001a5c6bac7acab5

SHA1

5b73b5dda4bc82a4330f6f6d116e7d92dd72d37c

SHA256

6ffb941eea8b5c7388277dc45329cda9e7396386c1e1a9bb813a17029fa19ce3

SSDEEP

24576:f2O/GlVQRb/Xd/cKu35svb/bFA6wmxhKbH3w1GthA0mQa:AK7d/cKg4bZA6wmxUT3zg0va

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
60 seconds
Additional time used
none
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (73.0.3683.75)
  • Google Update Helper (1.3.33.23)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 65.0.2 (x86 en-US) (65.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

MALICIOUS SUSPICIOUS INFO
Actions looks like stealing of personal data
  • vbc.exe (PID: 2332)
Application was dropped or rewritten from another process
  • RegSvcs.exe (PID: 3980)
  • ndc.exe (PID: 3288)
  • ndc.exe (PID: 828)
Changes the autorun value in the registry
  • RegSvcs.exe (PID: 3980)
  • ndc.exe (PID: 3288)
NanoCore was detected
  • RegSvcs.exe (PID: 3980)
Connects to CnC server
  • RegSvcs.exe (PID: 3980)
Executable content was dropped or overwritten
  • ndc.exe (PID: 3288)
  • RegSvcs.exe (PID: 3980)
  • Promotion list.exe (PID: 916)
Executes scripts
  • RegSvcs.exe (PID: 3980)
Creates files in the user directory
  • RegSvcs.exe (PID: 3980)
Loads DLL from Mozilla Firefox
  • vbc.exe (PID: 3488)
Application launched itself
  • ndc.exe (PID: 828)
Drop AutoIt3 executable file
  • Promotion list.exe (PID: 916)
Dropped object may contain Bitcoin addresses
  • ndc.exe (PID: 828)

Static information

TRiD
.exe
|   Win32 Executable MS Visual C++ (generic) (35.8%)
.exe
|   Win64 Executable (generic) (31.7%)
.scr
|   Windows screen saver (15%)
.dll
|   Win32 Dynamic Link Library (generic) (7.5%)
.exe
|   Win32 Executable (generic) (5.1%)
EXIF
EXE
MachineType:
Intel 386 or later, and compatibles
TimeStamp:
2012:06:09 15:19:49+02:00
PEType:
PE32
LinkerVersion:
9
CodeSize:
74752
InitializedDataSize:
58880
UninitializedDataSize:
null
EntryPoint:
0xac87
OSVersion:
5
ImageVersion:
null
SubsystemVersion:
5
Subsystem:
Windows GUI
Summary
Architecture:
IMAGE_FILE_MACHINE_I386
Subsystem:
IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:
09-Jun-2012 13:19:49
Detected languages
English - United States
Process Default Language
Debug artifacts
d:\Projects\WinRAR\SFX\build\sfxrar32\Release\sfxrar.pdb
DOS Header
Magic number:
MZ
Bytes on last page of file:
0x0090
Pages in file:
0x0003
Relocations:
0x0000
Size of header:
0x0004
Min extra paragraphs:
0x0000
Max extra paragraphs:
0xFFFF
Initial SS value:
0x0000
Initial SP value:
0x00B8
Checksum:
0x0000
Initial IP value:
0x0000
Initial CS value:
0x0000
Overlay number:
0x0000
OEM identifier:
0x0000
OEM information:
0x0000
Address of NE header:
0x000000F0
PE Headers
Signature:
PE
Machine:
IMAGE_FILE_MACHINE_I386
Number of sections:
5
Time date stamp:
09-Jun-2012 13:19:49
Pointer to Symbol Table:
0x00000000
Number of symbols:
0
Size of Optional Header:
0x00E0
Characteristics
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_RELOCS_STRIPPED
Sections
Name Virtual Address Virtual Size Raw Size Characteristics Entropy
.text 0x00001000 0x0001231E 0x00012400 IMAGE_SCN_CNT_CODE,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ 6.55555
.rdata 0x00014000 0x00001D15 0x00001E00 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 4.99401
.data 0x00016000 0x00017724 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 3.54914
.CRT 0x0002E000 0x00000020 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 0.394141
.rsrc 0x0002F000 0x0000C2C0 0x0000C400 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 6.50862
Resources
1

7

8

9

10

11

12

100

101

ASKNEXTVOL

GETPASSWORD1

LICENSEDLG

RENAMEDLG

REPLACEFILEDLG

STARTDLG

Imports
    COMCTL32.dll

    SHLWAPI.dll

    KERNEL32.dll

    USER32.dll

    GDI32.dll

    COMDLG32.dll

    ADVAPI32.dll

    SHELL32.dll

    ole32.dll

    OLEAUT32.dll

Exports

    No exports.

Processes

Total processes
37
Monitored processes
6
Malicious processes
4
Suspicious processes
0

Behavior graph

[Behavior graph: promotion list.exe -(drop and start)-> ndc.exe (no specs) -(start)-> ndc.exe -(drop and start)-> regsvcs.exe (#NANOCORE) -> vbc.exe, vbc.exe (no specs)]

Process information

PID
916
CMD
"C:\Users\admin\AppData\Local\Temp\Promotion list.exe"
Path
C:\Users\admin\AppData\Local\Temp\Promotion list.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version

PID
828
CMD
"C:\Users\admin\AppData\Local\Temp\64229951\ndc.exe" uao=cph
Path
C:\Users\admin\AppData\Local\Temp\64229951\ndc.exe
Indicators
No indicators
Parent process
Promotion list.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
AutoIt Team
Description
AutoIt v3 Script
Version
3, 3, 14, 5

PID
3288
CMD
C:\Users\admin\AppData\Local\Temp\64229951\ndc.exe C:\Users\admin\AppData\Local\Temp\64229951\ILCWN
Path
C:\Users\admin\AppData\Local\Temp\64229951\ndc.exe
Indicators
Parent process
ndc.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
AutoIt Team
Description
AutoIt v3 Script
Version
3, 3, 14, 5

PID
3980
CMD
"C:\Users\admin\AppData\Local\Temp\RegSvcs.exe"
Path
C:\Users\admin\AppData\Local\Temp\RegSvcs.exe
Indicators
Parent process
ndc.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Microsoft .NET Services Installation Utility
Version
4.6.1055.0 built by: NETFXREL2

PID
2332
CMD
"c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe" /shtml "C:\Users\admin\AppData\Local\Temp\4fsnpsls.csl"
Path
c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe
Indicators
Parent process
RegSvcs.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Visual Basic Command Line Compiler
Version
14.0.1055.0

PID
3488
CMD
"c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe" /shtml "C:\Users\admin\AppData\Local\Temp\0l21pgfh.cvn"
Path
c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe
Indicators
No indicators
Parent process
RegSvcs.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Visual Basic Command Line Compiler
Version
14.0.1055.0

Registry activity

Total events
405
Read events
398
Write events
7
Delete events
0

Modification events

PID | Process | Operation | Key | Name | Value
916 | Promotion list.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0
916 | Promotion list.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1
3288 | ndc.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | WindowsUpdate | C:\Users\admin\AppData\Local\Temp\64229951\ndc.exe C:\Users\admin\AppData\Local\Temp\64229951\UAO_CP~1
3980 | RegSvcs.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | TCP Monitor | C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\TCP Monitor\tcpmon.exe

Files activity

Executable files
4
Suspicious files
3
Text files
48
Unknown types
1

Dropped files

PID
Process
Filename
Type
3980
RegSvcs.exe
C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\TCP Monitor\tcpmon.exe
executable
MD5: be5073ae05e68612ba0fc1a3d339e64c
SHA256: 1735ba356794975169a93ee2babd33862229a1842c6e2c6a0b67366f5856894e
916
Promotion list.exe
C:\Users\admin\AppData\Local\Temp\64229951\ndc.exe
executable
MD5: c56b5f0201a3b3de53e561fe76912bfd
SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
3288
ndc.exe
C:\Users\admin\AppData\Local\Temp\RegSvcs.exe
executable
MD5: be5073ae05e68612ba0fc1a3d339e64c
SHA256: 1735ba356794975169a93ee2babd33862229a1842c6e2c6a0b67366f5856894e
916
Promotion list.exe
C:\Users\admin\AppData\Local\Temp\64229951\boa.docx
text
MD5: 5a109d5085279e3c1fb6159ae8fdbfe4
SHA256: 8939a50c64c33695462692af12415d13baa891ad313cbe0b724b4273c4173990
3980
RegSvcs.exe
C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\settings.bin
binary
MD5: acd3fb4310417dc77fe06f15b0e353e6
SHA256: dc3ae604991c9bb8ff8bc4502ae3d0db8a3317512c0f432490b103b89c1a4368
3980
RegSvcs.exe
C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\storage.dat
binary
MD5: e69fec21b2beb7097197563de982a48e
SHA256: ed2c7b393eb3d3ecdc62d6ed721f1e7b97bfcbc6b0489bb12d6905ae7551ee22
3980
RegSvcs.exe
C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\catalog.dat
bs
MD5: d6be7408aa407ce4b325922f220d257e
SHA256: 01512f25bc4ac8d9a4192f4b8221c53b2f7db63f5ea9b610a747e360216624e6
3488
vbc.exe
C:\Users\admin\AppData\Local\Temp\0l21pgfh.cvn
––
MD5:  ––
SHA256:  ––
3980
RegSvcs.exe
C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\run.dat
text
MD5: d9b2cda92b018b70c5ab6906c440d2ae
SHA256: 63ee10f134ab51238ca1f6b64318d2fec884b95398e1bbd52efd68134861e165
3980
RegSvcs.exe
C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\settings.bin
binary
MD5: 4e5e92e2369688041cc82ef9650eded2
SHA256: f8098a6290118f2944b9e7c842bd014377d45844379f863b00d54515a8a64b48
828
ndc.exe
C:\Users\admin\AppData\Local\Temp\64229951\ILCWN
text
MD5: 547180b798082631d2d432cbd0a1fd0f
SHA256: edf12748bd10cf30ecda47217673b35f8b52367f74d980f041fb11baaa08e60f
916
Promotion list.exe
C:\Users\admin\AppData\Local\Temp\64229951\kmm.icm
text
MD5: 2a6c1928819f9e57715fd0cc8c4b2241
SHA256: 10566914ee64e9436b3da8b6541f975e6d38005382444f1808fac30aa08cf976
916
Promotion list.exe
C:\Users\admin\AppData\Local\Temp\64229951\gcv.jpg
text
MD5: aa9da5dc89cdadc5b3d54bb67201dfb3
SHA256: 97a0892d2684bea570dc857effe7ef5070c1e5c0f78652cde3a70ad8e945704b
916
Promotion list.exe
C:\Users\admin\AppData\Local\Temp\64229951\kcu.bmp
text
MD5: b8655e09b5cea706c97a82e7de4b99a4
SHA256: 93bdca7e86e06b3a9ed2573ab689d5bdbb5178ea2de8d19b73f4b64237960fb5
916
Promotion list.exe
C:\Users\admin\AppData\Local\Temp\64229951\abg.docx
text
MD5: 38a682a633d5bc5cb99a8a7f051b6f3f
SHA256: 33e17c5d43bd6768a954196f77aa5d3ea3dd12c8e605be8161a5914223f67f77
916
Promotion list.exe
C:\Users\admin\AppData\Local\Temp\64229951\ifu.txt
text
MD5: cf1ea5894ee6f7ee44daac7b77cf8108
SHA256: fbac06a5763c7dda884919bfd24b22c7a04dd38f2cf84f6591a3d96ec76abb36
916
Promotion list.exe
C:\Users\admin\AppData\Local\Temp\64229951\xxx.ico
text
MD5: 3d0a9885827a87cf7e9416f96fa8614d
SHA256: f0b781ab509b8b4afd605c43b5f670b2410dcfa8bb11ca1650276434dd1ddeb2
916
Promotion list.exe
C:\Users\admin\AppData\Local\Temp\64229951\elp.ppt
text
MD5: 34f5ce39f12cdeb116b19f273e6ade64
SHA256: a09e0e04185b3290f04485e85c67b27729a83cd585ae270d59da34d2e9cc9db5
916
Promotion list.exe
C:\Users\admin\AppData\Local\Temp\64229951\rax.docx
text
MD5: 5ddfafd6ef13f06706eba4985c7b153a
SHA256: 7e7746a56bb93fc2b2b979d6068f60c11a19006c8c96ad25993c3a15ad585e4e
916
Promotion list.exe
C:\Users\admin\AppData\Local\Temp\64229951\rjv.docx
text
MD5: ec5e8db0cac2e163564592a3ac52e44e
SHA256: 0c106bcefbc310cfbe1b56ee035e1a7d8c53ace1e929b9159279dfbb6244def6
916
Promotion list.exe
C:\Users\admin\AppData\Local\Temp\64229951\kdl.bmp
text
MD5: b1d6bb6b6f59ba84fe8ff4fc86417157
SHA256: a4db1de72e7570c17c513e3cbcb1085bd2f63adfb434449a223e0707af5bed20
916
Promotion list.exe
C:\Users\admin\AppData\Local\Temp\64229951\wju.mp4
text
MD5: 71dbbc006e2d0d5bece9a950171f6fd0
SHA256: cfa4fc562ef69ae59654592f9d602be60199752b73c71c99d40edd2b73ba1e93
916
Promotion list.exe
C:\Users\admin\AppData\Local\Temp\64229951\ajg.xl
text
MD5: 9889833934f7faf0eaf82ed296c286a7
SHA256: 6904f547622962e390dfdf03a9fd6065d4a309196ad10569109d925c71d09263
916
Promotion list.exe
C:\Users\admin\AppData\Local\Temp\64229951\ckd.pdf
text
MD5: d6ab4a763d61d88ce6f823fee40b1362
SHA256: fb3d701bbbdb097885a6cbad2ae3616fe809f6a752b686487368012196a8ef95
916
Promotion list.exe
C:\Users\admin\AppData\Local\Temp\64229951\mqk.jpg
text
MD5: 1255357d495f5d2828e2de7a987f0211
SHA256: 7b6db44b3b5b37522f3b53c3256384d5c9ec7857df5ec83984c2e0ddc353bfd6
916
Promotion list.exe
C:\Users\admin\AppData\Local\Temp\64229951\qtr.bmp
text
MD5: f48c00654dd30b1b0eb4c9d43d93fea3
SHA256: 0b988f6265799e498c68f5b0f9be090d41059a0ff78ae3ba73721449c007d344
916
Promotion list.exe
C:\Users\admin\AppData\Local\Temp\64229951\mdl.xl
text
MD5: a890071fb7e04196f5ab838a58a6540e
SHA256: edebd0283bb745029b51d2199832afa48ac707bfae558f0b9a0a442dcb2c9bef
916
Promotion list.exe
C:\Users\admin\AppData\Local\Temp\64229951\ckn.icm
text
MD5: 49c5dafdbccd831a97c5aac9ac74eeb1
SHA256: dbb00750df0bc9cf70df30bc9ec408a6344625bdc68ae9b61fb264fe11d086a7
916
Promotion list.exe
C:\Users\admin\AppData\Local\Temp\64229951\skf.mp3
text
MD5: 5143ea5eee73b1e9b8d1a9e5a91a403f
SHA256: 6093ef1aa5cf4356bc3172fc6111a189f3e87b21e9cbf54439e8d577a7fc1d3a
916
Promotion list.exe
C:\Users\admin\AppData\Local\Temp\64229951\dmm.ppt
text
MD5: c07d92ed4f71853ff4cc235ad25e28ce
SHA256: 7d40bd740cb4ef3239de64cea6b3ba52bf219479d49f27b658de51c3745f3084
916
Promotion list.exe
C:\Users\admin\AppData\Local\Temp\64229951\wpa.docx
text
MD5: 6cd0fdf8ade6bc91e91be25f711e0705
SHA256: e2f6ce6452ff3b726e121801ceb06c6601e1211e80a4e70f45df3f9a69c36400
916
Promotion list.exe
C:\Users\admin\AppData\Local\Temp\64229951\for.pdf
text
MD5: 36998a0c4008b92a6817541306b45f53
SHA256: 703356d5f69490a6bc7fef335f33342e563f593676410535cd414ba36802dcb4
916
Promotion list.exe
C:\Users\admin\AppData\Local\Temp\64229951\gam.jpg
text
MD5: 004761d087864cfac371cb364a98ac1d
SHA256: 94c8de8555e5624e09a600d071aaae203c70aa290bc3b50af9f9691498eb9696
916
Promotion list.exe
C:\Users\admin\AppData\Local\Temp\64229951\xgp.dat
text
MD5: 5874e630944321a8411a78c880eb70c1
SHA256: 5345510dd12fa708f2db98b2d31574bf2e826ba85b0bf7e70b06d347bc1f096f
916
Promotion list.exe
C:\Users\admin\AppData\Local\Temp\64229951\bfa.pdf
text
MD5: a65c0dd6e12da8d4d7968df36c12dc19
SHA256: b915157dc27974e896041b4d865f1a3bfe087c303ef3625e086b1e1c3a937c39
916
Promotion list.exe
C:\Users\admin\AppData\Local\Temp\64229951\wcn.dat
text
MD5: 6f033e74a9f55dd26f50e7a4f733ad54
SHA256: c6d33c03e2d808d731e130ad8a49a556862922cfb84262da11615d76a7de4d58
916
Promotion list.exe
C:\Users\admin\AppData\Local\Temp\64229951\meb.ppt
text
MD5: 481de6a1c3d51f091d3c7e541ae3807d
SHA256: 21c464e6be4538ce2c108c20df7b294522a44818bd1111c30cb81ddabb427d0b
916
Promotion list.exe
C:\Users\admin\AppData\Local\Temp\64229951\god.docx
text
MD5: 9685b5c7ca8e456923b8ae7baea62acc
SHA256: b4d34378dc57d01f349cc4bee50033f6d3bb299827cace64fe39b6a241946b6f
916
Promotion list.exe
C:\Users\admin\AppData\Local\Temp\64229951\fwb.docx
text
MD5: d771f3d9731fb641b4f706d82e3994e1
SHA256: 3812b83e81e8b8b4ad72faa3b89b474dc498880d8923ce8ecf41beb363288e9b
916
Promotion list.exe
C:\Users\admin\AppData\Local\Temp\64229951\avj.dat
text
MD5: 25d7feb1aba2ad4a3b94c91203cba6df
SHA256: dc7efa17b1e03a82952e1d2ce3b6e178f7b4aaa924dec66af9653dd8c2f834a1
916
Promotion list.exe
C:\Users\admin\AppData\Local\Temp\64229951\qlp.mp3
text
MD5: 123bcbf8e0d4e854cd5c8ea4c16a5002
SHA256: f02588bab860e829b16a36f0f76f8a33079c6fd53e2e723000d3e3ca5c28e0ab
916
Promotion list.exe
C:\Users\admin\AppData\Local\Temp\64229951\ruh.jpg
text
MD5: 6ac8285b353c38c57fd9711d736a792d
SHA256: 027c80c547b4e0e864b9b490eed9cee299b287b0cfe530c790577ead2e33a33c
916
Promotion list.exe
C:\Users\admin\AppData\Local\Temp\64229951\nkt.dat
text
MD5: cf7db83865a12f6a27c0fe43718f5734
SHA256: 8a17c0f76a86c2e3ecb7648a4ef9b60c067aafa5d451454135346956d0371733
916
Promotion list.exe
C:\Users\admin\AppData\Local\Temp\64229951\pgl.ppt
text
MD5: ae6e806711b80819452db82a9b2b7cbd
SHA256: fcf4f014d89b9201f411fa26441f12f3cd01472fec6768c489d72de591740944
916
Promotion list.exe
C:\Users\admin\AppData\Local\Temp\64229951\icg.ico
text
MD5: 91e27c2a8a270184476a6762dff11e3a
SHA256: dc93c0578317f0e67d5db0a4c0af8fedbc54d64792737d304c197d1882ad7675
916
Promotion list.exe
C:\Users\admin\AppData\Local\Temp\64229951\oxs.pdf
text
MD5: 351360c0c6dba614d36c589e3833678a
SHA256: e1da0cf66c9179b4a48ef462372de2b708551ed1ea83f1559aeb9e7576660a12
916
Promotion list.exe
C:\Users\admin\AppData\Local\Temp\64229951\hjw.ppt
text
MD5: 3e0df57afcd479bb711b7473d478070b
SHA256: 32a6d31335ac088ea06ef4983b86f0e94fd68510e231f70ac2e4868f99a00e28
3980
RegSvcs.exe
C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\settings.bak
––
MD5:  ––
SHA256:  ––
916
Promotion list.exe
C:\Users\admin\AppData\Local\Temp\64229951\gpq.icm
text
MD5: e1afc0e2121e5cd460587723213b6277
SHA256: 1c0bd41721fa8a2924f47fbc7c83b0c8d7765a71782405e13c48e3597205454b
916
Promotion list.exe
C:\Users\admin\AppData\Local\Temp\64229951\fgf.ppt
text
MD5: 2751c3991435cbeb10e74bb5b73196ee
SHA256: 860fa211e8f4b43766dd8dd1ce75fb5394a3dbef217e463a4809a00193addfd1
916
Promotion list.exe
C:\Users\admin\AppData\Local\Temp\64229951\din.pdf
text
MD5: cdedd63b05302318469dd7c3e5ff6bfd
SHA256: 134302bd1e0348dfc0c3665bbf36e6601416a5a9dc62c360368858fc77d581e0
916
Promotion list.exe
C:\Users\admin\AppData\Local\Temp\64229951\lea.mp3
text
MD5: 792b78db590133c1776c00295819734c
SHA256: 494d8acd075d665e3a0999e2e9ffee6787fad1b34ea20cd30f4717797193469c
916
Promotion list.exe
C:\Users\admin\AppData\Local\Temp\64229951\vap.mp3
text
MD5: 8253cd92cfcec87722d97233a2eab78f
SHA256: 36499e43f3673ed6b9506b4f016c04af58ddf7c9ea39c1615a1bb576299766d6
916
Promotion list.exe
C:\Users\admin\AppData\Local\Temp\64229951\vcp.mp3
text
MD5: 902585a87c6cb117bb71c32146eaf3b9
SHA256: f2cb20d56e96adb0cbf3e89864ea9ec327527cfc9cb548073e066d6d43e03edf
916
Promotion list.exe
C:\Users\admin\AppData\Local\Temp\64229951\uao=cph
text
MD5: 5a430c4d88315ff2bc21200fec6be2fa
SHA256: fa1a2cfab6918ca8cc1cc79443c2409171776cc0f1ae884fe99eff43a253e810
916
Promotion list.exe
C:\Users\admin\AppData\Local\Temp\64229951\ButtonConstants.docx
text
MD5: 44241c0cedfc8c37c9f56edf3976a134
SHA256: 0b2e4573cb744d4a5aca060bca7bdb555877ac1d336d8c9814a633b8c83e3fd9
916
Promotion list.exe
C:\Users\admin\AppData\Local\Temp\64229951\GuiDateTimePicker.jpg
text
MD5: 3fad010b61f2d9a0f937b0b2a0a2c3f7
SHA256: beaf5ec170ccf2abc81749a167a345db8334d759bde6bbc7279a41c5d6fc11c7
2332
vbc.exe
C:\Users\admin\AppData\Local\Temp\4fsnpsls.csl
––
MD5:  ––
SHA256:  ––

Find more information about the static content and download it in the full report

Network activity

HTTP(S) requests: 0
TCP/UDP connections: 1
DNS requests: 1
Threats: 27

HTTP requests

No HTTP requests.

Connections

| PID | Process | IP | ASN | CN | Reputation |
|---|---|---|---|---|---|
| 3980 | RegSvcs.exe | 194.5.98.128:52943 | | FR | malicious |

DNS requests

| Domain | IP | Reputation |
|---|---|---|
| johndickson.ddns.net | 194.5.98.128 | malicious |

Threats

| PID | Process | Class | Message |
|---|---|---|---|
| 3980 | RegSvcs.exe | A Network Trojan was detected | ET TROJAN Possible NanoCore C2 60B |
| 3980 | RegSvcs.exe | A Network Trojan was detected | MALWARE [PTsecurity] NanoCore.RAT |
| 3980 | RegSvcs.exe | A Network Trojan was detected | MALWARE [PTsecurity] NanoCore.RAT |
| 3980 | RegSvcs.exe | A Network Trojan was detected | ET TROJAN Possible NanoCore C2 64B |
| 3980 | RegSvcs.exe | A Network Trojan was detected | MALWARE [PTsecurity] NanoCore.RAT |
| 3980 | RegSvcs.exe | A Network Trojan was detected | ET TROJAN Possible NanoCore C2 64B |
| 3980 | RegSvcs.exe | A Network Trojan was detected | MALWARE [PTsecurity] NanoCore.RAT |
| 3980 | RegSvcs.exe | A Network Trojan was detected | ET TROJAN Possible NanoCore C2 64B |
| 3980 | RegSvcs.exe | A Network Trojan was detected | MALWARE [PTsecurity] NanoCore.RAT |
| 3980 | RegSvcs.exe | A Network Trojan was detected | MALWARE [PTsecurity] NanoCore.RAT |
| 3980 | RegSvcs.exe | A Network Trojan was detected | MALWARE [PTsecurity] NanoCore.RAT |
| 3980 | RegSvcs.exe | A Network Trojan was detected | ET TROJAN Possible NanoCore C2 64B |
| 3980 | RegSvcs.exe | A Network Trojan was detected | ET TROJAN Possible NanoCore C2 64B |
| 3980 | RegSvcs.exe | A Network Trojan was detected | ET TROJAN Possible NanoCore C2 64B |

13 ETPRO signatures available at the full report

Debug output strings

No debug info.