Analysis Report Pedido N#U00famero 4432003039.exe

Overview

General Information

Sample Name: Pedido N#U00famero 4432003039.exe (the sandbox escapes non-ASCII file-name characters as #Uxxxx; U+00FA is "ú", so the submitted name was "Pedido Número 4432003039.exe", Spanish/Portuguese for "Order Number 4432003039", the kind of order/invoice lure name commonly used for malware delivery)
Analysis ID: 433934
MD5: d7c368f0c65c2a8c565df3815e70ef9e
SHA1: 0ff96bb6c163c9dfc6f5e42c4407347c947dcb6c
SHA256: 439b1ce1850d9e816c22919cc13a412b9d1f00098486a642e97f34e7a62bd63a
Tags: exe

Detection

GuLoader
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Potential malicious icon found
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found potential dummy code loops (likely to delay analysis)
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Detected potential crypto function
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Found malware configuration
Source: 00000000.00000002.764314852.0000000002AD0000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://andreameixueiro.com/karin_vJoQSJCpNl6.bin"}
Multi AV Scanner detection for submitted file
Source: Pedido N#U00famero 4432003039.exe Virustotal: Detection: 50%
Source: Pedido N#U00famero 4432003039.exe Metadefender: Detection: 34%
Source: Pedido N#U00famero 4432003039.exe ReversingLabs: Detection: 62%

Compliance:

Uses 32bit PE files
Source: Pedido N#U00famero 4432003039.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://andreameixueiro.com/karin_vJoQSJCpNl6.bin

System Summary:

Potential malicious icon found
Source: initial sample Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe Process Stats: CPU usage > 98%
Contains functionality to call native functions
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe Code function: 0_2_02AD559D NtAllocateVirtualMemory, 0_2_02AD559D
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe Code function: 0_2_02AD55A5 NtAllocateVirtualMemory, 0_2_02AD55A5
Detected potential crypto function
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe Code function: 0_2_02AD559D 0_2_02AD559D
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe Code function: 0_2_02AD2EA2 0_2_02AD2EA2
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe Code function: 0_2_02AD3EBF 0_2_02AD3EBF
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe Code function: 0_2_02AD2A6A 0_2_02AD2A6A
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe Code function: 0_2_02AD0266 0_2_02AD0266
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe Code function: 0_2_02AD5242 0_2_02AD5242
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe Code function: 0_2_02AD479E 0_2_02AD479E
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe Code function: 0_2_02AD83F5 0_2_02AD83F5
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe Code function: 0_2_02AD3715 0_2_02AD3715
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe Code function: 0_2_02AD3F63 0_2_02AD3F63
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe Code function: 0_2_02AD4345 0_2_02AD4345
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe Code function: 0_2_02AD0341 0_2_02AD0341
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe Code function: 0_2_02AD2C89 0_2_02AD2C89
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe Code function: 0_2_02AD7CEF 0_2_02AD7CEF
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe Code function: 0_2_02AD1CD8 0_2_02AD1CD8
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe Code function: 0_2_02AD2CDB 0_2_02AD2CDB
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe Code function: 0_2_02AD082F 0_2_02AD082F
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe Code function: 0_2_02AD281E 0_2_02AD281E
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe Code function: 0_2_02AD2819 0_2_02AD2819
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe Code function: 0_2_02AD9069 0_2_02AD9069
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe Code function: 0_2_02AD905A 0_2_02AD905A
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe Code function: 0_2_02AD55A5 0_2_02AD55A5
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe Code function: 0_2_02AD51B0 0_2_02AD51B0
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe Code function: 0_2_02AD2DB3 0_2_02AD2DB3
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe Code function: 0_2_02AD0594 0_2_02AD0594
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe Code function: 0_2_02AD01FC 0_2_02AD01FC
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe Code function: 0_2_02AD29C3 0_2_02AD29C3
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe Code function: 0_2_02AD8147 0_2_02AD8147
PE file contains strange resources
Source: Pedido N#U00famero 4432003039.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: Pedido N#U00famero 4432003039.exe, 00000000.00000002.764259501.0000000002950000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamesamm.exeFE2X vs Pedido N#U00famero 4432003039.exe
Source: Pedido N#U00famero 4432003039.exe, 00000000.00000002.758690514.0000000000431000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamesamm.exe vs Pedido N#U00famero 4432003039.exe
Source: Pedido N#U00famero 4432003039.exe Binary or memory string: OriginalFilenamesamm.exe vs Pedido N#U00famero 4432003039.exe
Source: classification engine Classification label: mal92.rans.troj.evad.winEXE@1/0@0/0
Source: Pedido N#U00famero 4432003039.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000000.00000002.764314852.0000000002AD0000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe Code function: 0_2_0041F015 pushfd ; iretd 0_2_0041F06D
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe Code function: 0_2_0041F018 pushfd ; iretd 0_2_0041F06D
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe Code function: 0_2_0041E0FA push ebx; ret 0_2_0041E0FB
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe Code function: 0_2_0041AB4F pushfd ; iretd 0_2_0041AB8D
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe Code function: 0_2_0041AB86 pushfd ; iretd 0_2_0041AB8D
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe Code function: 0_2_0041F3AC pushad ; iretd 0_2_0041F3CB
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe Code function: 0_2_005E15F3 push edx; ret 0_2_005E1621
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe Code function: 0_2_005E1054 push edx; ret 0_2_005E1081
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe Code function: 0_2_005E2854 push edx; ret 0_2_005E2881
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe Code function: 0_2_005E4054 push edx; ret 0_2_005E4081
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe Code function: 0_2_005E5854 push edx; ret 0_2_005E5881
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe Code function: 0_2_005E7054 push edx; ret 0_2_005E7081
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe Code function: 0_2_005E6844 push edx; ret 0_2_005E6871
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe Code function: 0_2_005E0843 push edx; ret 0_2_005E0871
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe Code function: 0_2_005E2043 push edx; ret 0_2_005E2071
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe Code function: 0_2_005E3843 push edx; ret 0_2_005E3871
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe Code function: 0_2_005E5043 push edx; ret 0_2_005E5071
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe Code function: 0_2_005E0878 push edx; ret 0_2_005E08A1
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe Code function: 0_2_005E2074 push edx; ret 0_2_005E20A1
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe Code function: 0_2_005E3874 push edx; ret 0_2_005E38A1
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe Code function: 0_2_005E5074 push edx; ret 0_2_005E50A1
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe Code function: 0_2_005E6875 push edx; ret 0_2_005E68A1
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe Code function: 0_2_005E0068 push edx; ret 0_2_005E0091
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe Code function: 0_2_005E6065 push edx; ret 0_2_005E6091
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe Code function: 0_2_005E3063 push edx; ret 0_2_005E3091
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe Code function: 0_2_005E1863 push edx; ret 0_2_005E1891
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe Code function: 0_2_005E4863 push edx; ret 0_2_005E4891
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe Code function: 0_2_005E0818 push edx; ret 0_2_005E0841
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe Code function: 0_2_005E6814 push edx; ret 0_2_005E6841
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe Code function: 0_2_005E3813 push edx; ret 0_2_005E3841
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe Code function: 0_2_005E2013 push edx; ret 0_2_005E2041
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe Process information set: NOOPENFILEERRORBOX (reported 10 times)

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe Code function: 0_2_02AD63BD 0_2_02AD63BD
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe Code function: 0_2_02AD60F8 0_2_02AD60F8
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe Code function: 0_2_02AD1CD8 0_2_02AD1CD8
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe Code function: 0_2_02AD61DB 0_2_02AD61DB
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe RDTSC instruction interceptor: First address: 0000000002AD92FE second address: 0000000002AD92FE instructions:
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe RDTSC instruction interceptor: First address: 0000000002AD7E11 second address: 0000000002AD7E3C instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 cmp cl, bl 0x00000005 test bh, bh 0x00000007 mov esi, 8C42B5F4h 0x0000000c xor esi, B79F116Eh 0x00000012 cmp cx, cx 0x00000015 xor esi, 85571E78h 0x0000001b cmp al, bl 0x0000001d sub esi, BE89CAE2h 0x00000023 test bl, bl 0x00000025 pushad 0x00000026 mov ecx, 000000C3h 0x0000002b rdtsc
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe RDTSC instruction interceptor: First address: 0000000002AD7E3C second address: 0000000002AD7E62 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 cmp cl, bl 0x00000005 test bh, bh 0x00000007 add esi, 00001000h 0x0000000d cmp cx, cx 0x00000010 cmp esi, 0000F000h 0x00000016 je 00007F9DDCF52513h 0x0000001c cmp al, bl 0x0000001e test bl, bl 0x00000020 pushad 0x00000021 mov ecx, 00000009h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe RDTSC instruction interceptor: First address: 0000000002AD7E62 second address: 0000000002AD7EA1 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 cmp esi, 7FFFF000h 0x00000009 je 00007F9DDCF771CAh 0x0000000f cmp cl, bl 0x00000011 push 764A4EDBh 0x00000016 test bh, bh 0x00000018 xor dword ptr [esp], DE964CF3h 0x0000001f xor dword ptr [esp], 78705B66h 0x00000026 cmp cx, cx 0x00000029 add dword ptr [esp], 2F53A6B2h 0x00000030 cmp al, bl 0x00000032 push 74674D7Ah 0x00000037 test bl, bl 0x00000039 pushad 0x0000003a mov ecx, 000000A7h 0x0000003f rdtsc
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe RDTSC instruction interceptor: First address: 0000000002AD7FDA second address: 0000000002AD802C instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 mov dword ptr [ebp+00000212h], eax 0x00000009 test dl, dl 0x0000000b mov eax, ebx 0x0000000d push eax 0x0000000e cmp ah, ch 0x00000010 mov eax, dword ptr [ebp+00000212h] 0x00000016 mov dword ptr [ebp+00000231h], esi 0x0000001c cmp edx, BA999675h 0x00000022 mov esi, ecx 0x00000024 push esi 0x00000025 mov esi, dword ptr [ebp+00000231h] 0x0000002b mov dword ptr [ebp+00000243h], ecx 0x00000031 mov ecx, esi 0x00000033 test ch, 0000000Fh 0x00000036 push ecx 0x00000037 mov ecx, dword ptr [ebp+00000243h] 0x0000003d test edx, ecx 0x0000003f mov dword ptr [ebp+00000198h], eax 0x00000045 cmp bx, 5F43h 0x0000004a mov eax, esi 0x0000004c pushad 0x0000004d mov ebx, 0000006Fh 0x00000052 rdtsc
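The listings at second addresses 0x02AD7E11 and 0x02AD7E62 above build their working values with mov/xor/sub and push/xor/xor/add chains, padded with cmp/test instructions that only touch flags, with an rdtsc read at each end. The following Python is an added example, not part of the sandbox report: it parses the report's own "instructions:" text and symbolically evaluates those chains. The only inputs are the two listing strings copied from the report; the parser and its register/stack model are assumptions of this example and track only the 32-bit general registers and the dword at the top of the stack.

```python
import re
from typing import Dict, List, Optional

# Instruction listings copied verbatim from the two "RDTSC instruction interceptor"
# entries above. Only the listing text is from the report; the evaluation logic is added.
LISTING_7E11 = (
    "0x00000000 rdtsc 0x00000002 popad 0x00000003 cmp cl, bl 0x00000005 test bh, bh "
    "0x00000007 mov esi, 8C42B5F4h 0x0000000c xor esi, B79F116Eh 0x00000012 cmp cx, cx "
    "0x00000015 xor esi, 85571E78h 0x0000001b cmp al, bl 0x0000001d sub esi, BE89CAE2h "
    "0x00000023 test bl, bl 0x00000025 pushad 0x00000026 mov ecx, 000000C3h 0x0000002b rdtsc"
)
LISTING_7E62 = (
    "0x00000000 rdtsc 0x00000002 popad 0x00000003 cmp esi, 7FFFF000h 0x00000009 je 00007F9DDCF771CAh "
    "0x0000000f cmp cl, bl 0x00000011 push 764A4EDBh 0x00000016 test bh, bh "
    "0x00000018 xor dword ptr [esp], DE964CF3h 0x0000001f xor dword ptr [esp], 78705B66h "
    "0x00000026 cmp cx, cx 0x00000029 add dword ptr [esp], 2F53A6B2h 0x00000030 cmp al, bl "
    "0x00000032 push 74674D7Ah 0x00000037 test bl, bl 0x00000039 pushad 0x0000003a mov ecx, 000000A7h 0x0000003f rdtsc"
)

MASK32 = 0xFFFFFFFF
REGS32 = {"eax", "ebx", "ecx", "edx", "esi", "edi", "ebp", "esp"}
_OFFSET = re.compile(r"0x[0-9a-fA-F]{8}\s+")   # "0x0000001b " prefixes every instruction
_IMM = re.compile(r"^([0-9A-Fa-f]+)h$")         # MASM-style immediates such as 8C42B5F4h


def split_listing(listing: str) -> List[str]:
    """Split one Joe Sandbox 'instructions:' string into individual instruction texts."""
    return [p.strip() for p in _OFFSET.split(listing) if p.strip()]


def _value(token: str, regs: Dict[str, Optional[int]]) -> Optional[int]:
    """Immediate -> int; known register -> its value; anything else -> None (unknown)."""
    m = _IMM.match(token)
    if m:
        return int(m.group(1), 16)
    return regs.get(token)


def resolve_constants(listing: str) -> dict:
    """Symbolically execute mov/xor/add/sub on 32-bit registers and on the dword at [esp].

    cmp/test only set flags, je/pushad/popad do not change the tracked data, and memory
    operands other than [esp] are ignored, so only the constant-building chains survive.
    """
    regs: Dict[str, Optional[int]] = {}
    stack: List[Optional[int]] = []      # dwords pushed by the listing, top of stack last
    rdtsc_count = 0
    for insn in split_listing(listing):
        parts = insn.replace(",", " ").split()
        op = parts[0]
        if op == "rdtsc":
            rdtsc_count += 1
        elif op == "push" and len(parts) == 2:
            stack.append(_value(parts[1], regs))
        elif op in ("mov", "xor", "add", "sub") and len(parts) >= 3:
            dst = "[esp]" if "[esp]" in parts else parts[1]
            if dst == "[esp]":
                if not stack:
                    continue             # nothing modelled on the stack yet
                cur = stack[-1]
            elif dst in REGS32:
                cur = regs.get(dst)
            else:
                continue                 # write to [ebp+...] and similar: not modelled
            src = _value(parts[-1], regs)
            if op == "mov":
                new = src
            elif src is None or cur is None:
                new = None               # unknown input poisons the result
            elif op == "xor":
                new = cur ^ src
            elif op == "add":
                new = (cur + src) & MASK32
            else:
                new = (cur - src) & MASK32
            if dst == "[esp]":
                stack[-1] = new
            else:
                regs[dst] = new
    return {"regs": regs, "stack": stack, "rdtsc_count": rdtsc_count}


def fmt(v: Optional[int]) -> str:
    return "unknown" if v is None else "0x%08X" % v


if __name__ == "__main__":
    for name, listing in (("0x02AD7E11", LISTING_7E11), ("0x02AD7E62", LISTING_7E62)):
        r = resolve_constants(listing)
        reg_text = ", ".join(k + "=" + fmt(v) for k, v in r["regs"].items())
        stack_text = ", ".join(fmt(v) for v in r["stack"])
        print(name + ": rdtsc x" + str(r["rdtsc_count"]) + "; regs {" + reg_text + "}; stack [" + stack_text + "]")
```

Run as a script it reports that esi resolves to 0x0000F000 in the 0x02AD7E11 block and that the dword pushed in the 0x02AD7E62 block resolves to 0x00000000 before 0x74674D7A is pushed on top of it. Read together with the neighbouring listing (add esi, 00001000h; cmp esi, 0000F000h; cmp esi, 7FFFF000h), a start value of 0xF000 stepped by 0x1000 and compared against 0x7FFFF000 is consistent with a page-by-page walk of the 32-bit user address space with rdtsc pairs interleaved, which would also account for the sustained CPU usage noted under System Summary; that reading is an inference from the listed instructions, not something the report states. The value loaded into ecx just before the second rdtsc differs per block (0xC3, 0xA7), so a tool that patches or intercepts rdtsc must not assume a fixed delay between reads.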
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe Code function: 0_2_02AD559D rdtsc 0_2_02AD559D
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe Process Stats: CPU usage > 90% for more than 60s
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe Code function: 0_2_02AD83F5 mov eax, dword ptr fs:[00000030h] 0_2_02AD83F5
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe Code function: 0_2_02AD3715 mov eax, dword ptr fs:[00000030h] 0_2_02AD3715
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe Code function: 0_2_02AD2C89 mov eax, dword ptr fs:[00000030h] 0_2_02AD2C89
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe Code function: 0_2_02AD78E5 mov eax, dword ptr fs:[00000030h] 0_2_02AD78E5
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe Code function: 0_2_02AD741C mov eax, dword ptr fs:[00000030h] 0_2_02AD741C
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe Code function: 0_2_02AD517B mov eax, dword ptr fs:[00000030h] 0_2_02AD517B
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe Code function: 0_2_02AD8147 mov eax, dword ptr fs:[00000030h] 0_2_02AD8147
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: Pedido N#U00famero 4432003039.exe, 00000000.00000002.759701760.0000000000C60000.00000002.00000001.sdmp Binary or memory string: uProgram Manager
Source: Pedido N#U00famero 4432003039.exe, 00000000.00000002.759701760.0000000000C60000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: Pedido N#U00famero 4432003039.exe, 00000000.00000002.759701760.0000000000C60000.00000002.00000001.sdmp Binary or memory string: Progman
Source: Pedido N#U00famero 4432003039.exe, 00000000.00000002.759701760.0000000000C60000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe Code function: 0_2_02AD63BD cpuid 0_2_02AD63BD
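The signatures in this report (rdtsc timing, cpuid, mov eax, dword ptr fs:[00000030h] PEB reads, push reg; ret and pushfd; iretd sequences) correspond to short, fixed x86 byte encodings. The following Python is an added example, not part of the report: a first-pass scanner that finds those encodings in a memory dump and pairs nearby rdtsc reads the way the RDTSC interceptor entries above do. The sample buffer is hand-assembled for the example, not extracted from this sample, and the 64-byte pairing window is an assumption.

```python
from typing import Dict, List

# Constructed sample, not bytes taken from this report: a hand-assembled 32-bit code
# fragment that strings together the idioms the sandbox signatures describe.
SAMPLE = bytes.fromhex(
    "0F31"          # 0x00 rdtsc
    "60"            # 0x02 pushad
    "B9C3000000"    # 0x03 mov ecx, 0C3h  (note the 0xC3 immediate byte at offset 4)
    "0F31"          # 0x08 rdtsc          (second read a few bytes after the first)
    "64A130000000"  # 0x0A mov eax, fs:[30h]  (PEB pointer)
    "0FA2"          # 0x10 cpuid
    "52C3"          # 0x12 push edx ; ret  (obfuscated jump)
    "9CCF"          # 0x14 pushfd ; iretd  (obfuscated jump)
    "90909090"      # 0x16 nop padding
)

# Fixed encodings behind the report's signature names. Both common encodings of the
# PEB read are listed (moffs32 form and ModRM disp32 form); the rest have one form.
PATTERNS: Dict[str, List[bytes]] = {
    "rdtsc": [b"\x0f\x31"],
    "cpuid": [b"\x0f\xa2"],
    "mov eax, fs:[30h]": [b"\x64\xa1\x30\x00\x00\x00", b"\x64\x8b\x05\x30\x00\x00\x00"],
    "pushfd; iretd": [b"\x9c\xcf"],
}
PUSH_REG = set(range(0x50, 0x58))   # push eax..edi, single-byte opcodes 0x50-0x57
RET = 0xC3


def find_all(data: bytes, pattern: bytes) -> List[int]:
    """Every (possibly overlapping) offset at which pattern occurs in data."""
    hits, i = [], data.find(pattern)
    while i != -1:
        hits.append(i)
        i = data.find(pattern, i + 1)
    return hits


def scan(data: bytes, rdtsc_window: int = 64) -> Dict[str, List[int]]:
    """Offsets of each anti-analysis idiom. 'rdtsc pair' lists the first rdtsc of any two
    reads closer than rdtsc_window bytes, the shape the RDTSC interceptor entries show."""
    hits = {name: sorted(o for p in pats for o in find_all(data, p))
            for name, pats in PATTERNS.items()}
    hits["push reg; ret"] = [i for i in range(len(data) - 1)
                             if data[i] in PUSH_REG and data[i + 1] == RET]
    r = hits["rdtsc"]
    hits["rdtsc pair"] = [a for a, b in zip(r, r[1:]) if b - a <= rdtsc_window]
    return hits


if __name__ == "__main__":
    for name, offsets in scan(SAMPLE).items():
        print("%-20s %s" % (name, [hex(o) for o in offsets]))
```

Byte matching has no notion of instruction boundaries: the 0xC3 inside mov ecx, 0C3h at offset 4 is an immediate, not a ret, and is only skipped because the byte before it is not a push opcode. For anything beyond quick triage, run the same checks over a disassembler's instruction stream (for instance capstone) so that hits land on real instruction starts, and treat a lone push reg; ret or pushfd; iretd hit as weak evidence on its own.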
No contacted IP infos