File name: purchaseorder.exe

Full analysis: https://app.any.run/tasks/1b7d5924-d9a2-4df9-b089-85f770b0950c
Verdict: Malicious activity
Threats: GuLoader

GuLoader is an advanced downloader written in shellcode. Criminals use it to distribute other malware, notably trojans, at scale, and it is known for its anti-detection and anti-analysis techniques.

Analysis date: March 24, 2025, 12:27:36
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: guloader
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5: EEED189C0CE7579F5C74C7180BC14B98
SHA1: C0D10B4591641E2930603709266B35A1D0C52F82
SHA256: 0F67BCEC32B7E5430FBADC1061806E44773DF523F087AC46650176EF9628A7EE
SSDEEP: 24576:b78qqEItndycAm9GI8f8fBoyJykGY1RwVvFE43ev69w5x0Nu846BM3eZ4b5:X8qqEItndycAm9GI8f8fBoyJykGY1Rwk

ANY.RUN is an interactive service that gives the analyst full access to the guest system. Information in this report may therefore be distorted by user actions and is provided as is; ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • GULOADER SHELLCODE has been detected (YARA)

      • purchaseorder.exe (PID: 7472)
      • purchaseorder.exe (PID: 7252)
    • GULOADER has been detected (YARA)

      • purchaseorder.exe (PID: 7472)
      • purchaseorder.exe (PID: 7252)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • purchaseorder.exe (PID: 7472)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • purchaseorder.exe (PID: 7472)
    • There is functionality for taking screenshot (YARA)

      • purchaseorder.exe (PID: 7472)
      • purchaseorder.exe (PID: 7252)
    • The process creates files with name similar to system file names

      • purchaseorder.exe (PID: 7472)
    • Application launched itself

      • purchaseorder.exe (PID: 7472)
    • Reads security settings of Internet Explorer

      • purchaseorder.exe (PID: 7252)
  • INFO

    • Checks supported languages

      • purchaseorder.exe (PID: 7472)
      • purchaseorder.exe (PID: 7252)
    • The sample compiled with english language support

      • purchaseorder.exe (PID: 7472)
    • Create files in a temporary directory

      • purchaseorder.exe (PID: 7472)
    • Reads the computer name

      • purchaseorder.exe (PID: 7472)
      • purchaseorder.exe (PID: 7252)
    • Checks proxy server information

      • purchaseorder.exe (PID: 7252)
      • slui.exe (PID: 5936)
    • Reads the machine GUID from the registry

      • purchaseorder.exe (PID: 7252)
    • Reads the software policy settings

      • purchaseorder.exe (PID: 7252)
      • slui.exe (PID: 5936)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF (EXE)

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2018:01:30 03:57:41+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 26112
InitializedDataSize: 141824
UninitializedDataSize: 2048
EntryPoint: 0x34a5
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 3.1.0.0
ProductVersionNumber: 3.1.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: sviregasten bagatellernes auditoriernes
FileVersion: 3.1.0.0
LegalCopyright: idiosynkrasis naturstridig liberatress
OriginalFileName: illusionsls footwarmers.exe
ProductName: selvforsyningens mature
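The EXIF block above is read straight from the PE headers (COFF timestamp, linker version, entry point, subsystem, characteristics), and the "Nullsoft Installer self-extracting archive" verdict in the file info comes from the NSIS first-header signature in the overlay after the last section. The reader below is an added example, not code from the report or from ANY.RUN: it pulls the same fields without third-party libraries and tests the overlay for NSIS. The bytes it parses are constructed to carry this report's header values; they are not the real purchaseorder.exe, and the `build_sample` layout (one section, 0x200 alignment) is an assumption of the example.

```python
import calendar
import struct
from datetime import datetime, timezone

# NSIS first header: flags(4) | 0xDEADBEEF | "NullsoftInst" ... sits at the start of the overlay.
NSIS_SIG = b"\xef\xbe\xad\xde" + b"NullsoftInst"
CHARACTERISTICS = [(0x0001, "No relocs"), (0x0002, "Executable"), (0x0004, "No line numbers"),
                   (0x0008, "No symbols"), (0x0100, "32-bit")]
SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows CUI"}


def parse_pe(data: bytes) -> dict:
    """Read DOS/COFF/optional headers and the section table, locate the overlay, test for NSIS."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    machine, nsec, ts, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic, lmaj, lmin, code, init, uninit, entry = struct.unpack_from("<HBBIIII", data, opt)
    if magic != 0x10B:
        raise ValueError("only PE32 handled here")
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    # Overlay = everything on disk after the highest section end (SizeOfRawData @16, PointerToRawData @20).
    sec_tab, overlay = opt + opt_size, 0
    for i in range(nsec):
        raw_size, raw_ptr = struct.unpack_from("<II", data, sec_tab + 40 * i + 16)
        overlay = max(overlay, raw_ptr + raw_size)
    return {
        "machine": "Intel 386" if machine == 0x14C else hex(machine),
        "sections": nsec,
        "timestamp": datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(sep=" "),
        "characteristics": [name for bit, name in CHARACTERISTICS if chars & bit],
        "linker": f"{lmaj}.{lmin}",
        "code_size": code, "init_data_size": init, "uninit_data_size": uninit,
        "entry_point": entry,
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "overlay_offset": overlay,
        "overlay_size": len(data) - overlay,
        "nsis": data.find(NSIS_SIG, overlay) != -1,
    }


def triage(info: dict) -> list:
    """Turn header facts into the notes an analyst records alongside the sandbox EXIF output."""
    notes = []
    if info["nsis"]:
        notes.append("NSIS self-extractor: the PE stub is prebuilt by NSIS, so the compile timestamp "
                     "dates the stub, not this sample's packaging; extract the overlay's embedded files")
    elif info["overlay_size"] > 0:
        notes.append(f"{info['overlay_size']} bytes of overlay after the last section")
    if "No relocs" in info["characteristics"]:
        notes.append("relocations stripped: image loads at its fixed ImageBase")
    return notes


def build_sample() -> bytes:
    """CONSTRUCTED minimal PE32 carrying the report's header values; body is padding, not real code."""
    ts = calendar.timegm((2018, 1, 30, 3, 57, 41))
    opt_size, raw_ptr, raw_size = 224, 0x200, 0x200
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)                     # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, ts, 0, 0, opt_size, 0x010F)     # chars: relocs/lines/syms stripped, exe, 32-bit
    opt = struct.pack("<HBBIIII", 0x10B, 6, 0, 26112, 141824, 2048, 0x34A5)  # linker 6.0, sizes, entry point
    opt += struct.pack("<III", 0x1000, 0x2000, 0x400000)                      # BaseOfCode, BaseOfData, ImageBase
    opt += struct.pack("<II", 0x1000, 0x200)                                  # section / file alignment
    opt += struct.pack("<HHHHHH", 4, 0, 6, 0, 4, 0)                           # OS 4.0, image 6.0, subsystem 4.0
    opt += struct.pack("<IIII", 0, 0x3000, 0x200, 0)                          # Win32Ver, SizeOfImage, SizeOfHeaders, CheckSum
    opt += struct.pack("<HH", 2, 0)                                           # Subsystem = Windows GUI
    opt = opt.ljust(opt_size, b"\0")
    sec = b".text".ljust(8, b"\0") + struct.pack("<IIIIIIHHI", 0x1000, 0x1000, raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    pe = (dos + b"PE\0\0" + coff + opt + sec).ljust(raw_ptr, b"\0") + b"\x90" * raw_size
    return pe + struct.pack("<I", 0) + NSIS_SIG + b"\0" * 16                  # NSIS first header as overlay


if __name__ == "__main__":
    info = parse_pe(build_sample())
    for k, v in info.items():
        print(f"{k}: {v}")
    print(*triage(info), sep="\n")
```

The practical caveat the check gives you is the timestamp: once the overlay tests positive for NSIS, "2018:01:30" is the build date of the NSIS stub the attacker's toolchain shipped with, so it says nothing about when this purchaseorder.exe was assembled, and the junk Danish version-info strings (CompanyName, LegalCopyright, OriginalFileName) are the part of the header the packager actually chose.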
All screenshots are available in the full report
Total processes: 125
Monitored processes: 3
Malicious processes: 2
Suspicious processes: 0

Behavior graph (rendered in the full report)

start -> purchaseorder.exe [#GULOADER] -> purchaseorder.exe [#GULOADER]; slui.exe (separate branch)

Process information

PID: 5936
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

PID: 7252
CMD: "C:\Users\admin\Desktop\purchaseorder.exe"
Path: C:\Users\admin\Desktop\purchaseorder.exe
Parent process: purchaseorder.exe (PID 7472)
User: admin
Company: sviregasten bagatellernes auditoriernes
Integrity Level: MEDIUM
Version: 3.1.0.0
Modules (images):
c:\windows\syswow64\mshtml.dll
c:\users\admin\desktop\purchaseorder.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll

PID: 7472
CMD: "C:\Users\admin\Desktop\purchaseorder.exe"
Path: C:\Users\admin\Desktop\purchaseorder.exe
Parent process: explorer.exe
User: admin
Company: sviregasten bagatellernes auditoriernes
Integrity Level: MEDIUM
Exit code: 0
Version: 3.1.0.0
Modules (images):
c:\users\admin\desktop\purchaseorder.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

Both purchaseorder.exe instances run under WoW64 (wow64.dll, wow64cpu.dll and the SysWOW64 copies of ntdll/kernel32), as expected for a 32-bit PE on 64-bit Windows. PID 7472 is the NSIS wrapper launched from explorer.exe; it has exited (exit code 0) after spawning the second instance, PID 7252, which has no exit code recorded, carries the GuLoader shellcode detections, loads mshtml.dll, and is the process the indicators attribute the Internet Explorer settings and proxy reads to. Both are at MEDIUM integrity: nothing in this run escalated privileges. slui.exe (Windows Activation Client, parent svchost.exe) is unrelated background activity, not a child of the sample.
Total events: 7,383
Read events: 7,102
Write events: 281
Delete events: 0

Modification events

(PID 7472) purchaseorder.exe
Key: HKEY_CURRENT_USER\tusindedels\Uninstall\generaliseret\rdnbenes
Operation: write
Name: enantobiosis
Value: 0

(PID 7472) purchaseorder.exe
Key: HKEY_CURRENT_USER\jointing\saccharostarchy
Operation: write
Name: within
Value: %stoutening%\Nedrulningerne151\knaphulssilkerne.haa

(PID 7252) purchaseorder.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value: (empty)

(PID 7252) purchaseorder.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID 7252) purchaseorder.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

The two HKCU keys written by PID 7472 use the same random Danish-word naming as the dropped-file paths and the version-info strings; they are the NSIS installer script's own registry writes (an uninstall marker and a path under an environment-style variable), not a persistence mechanism in this run (no Run keys or scheduled tasks appear among the 281 write events). The three CachePrefix values written by PID 7252 (empty, "Cookie:", "Visited:") are the standard WinINet cache-container defaults created when a process first initializes WinINet, which is consistent with the "Reads security settings of Internet Explorer" and "Checks proxy server information" indicators for that process and with its HTTP requests below.
Executable files: 1
Suspicious files: 13
Text files: 2
Unknown types: 0

Dropped files (all written by PID 7472, purchaseorder.exe)

C:\Users\admin\AppData\Local\Temp\Kahytsjomfruen\omklaedningsrummet\precomputations\Bombiccite.Non [binary]
MD5: C5242A62D1A78D9815FB378988BC1DDB | SHA256: 4E8D9A4C59FA689134A45A78DCAB5F4B122754FA6F12A4D0E4DF5E12203B621F

C:\Users\admin\AppData\Local\Temp\Kahytsjomfruen\omklaedningsrummet\precomputations\Dekameter\Gribefladens\cadette.jpg [binary]
MD5: A234E88A7628830881C1A4F702D166F5 | SHA256: 2865AA32299CB37827CE5616FE67EE4D6B29883675F65F21515F3E8424908601

C:\Users\admin\AppData\Local\Temp\Kahytsjomfruen\omklaedningsrummet\precomputations\Dekameter\Gribefladens\Amerikanerinden\sharkishness.txt [text]
MD5: 6A758D89D1AA8D9A8BBD28570EF7B4A5 | SHA256: 9421FF05F832D95EECA62F604772CD48BB7744B66B17D0C9048055DF4CB397EF

C:\Users\admin\AppData\Local\Temp\Kahytsjomfruen\omklaedningsrummet\precomputations\Dekameter\Gribefladens\mizpah.nod [binary]
MD5: 07DE1B5CEC3CF94F70E7F07D7F1A93BA | SHA256: 04A1E95FA97825ABFEFCB3B182B8B527353CA99539A66045D6C348BBED351EAA

C:\Users\admin\AppData\Local\Temp\Kahytsjomfruen\omklaedningsrummet\precomputations\Dekameter\Nudiped.typ [binary]
MD5: E4E0A8A2BFCD8E1CA1AD1907D598650C | SHA256: 475807078F1BB47CBF5FBC4BF82F988A5E3E8526B4C11D59902B451100F02499

C:\Users\admin\AppData\Local\Temp\Kahytsjomfruen\omklaedningsrummet\precomputations\Dekameter\Gribefladens\go.for [binary]
MD5: 96D74DBF2AD4FF45D49FDE586F12EAB9 | SHA256: 630EE82F94549B2E4A18B43881A7F6A8A461EB98E625D880B13E072062E48179

C:\Users\admin\AppData\Local\Temp\nsxC905.tmp [binary]
MD5: 8CE4B16B22B58894AA86C421E8759DF3 | SHA256: 8254C329A92850F6D539DD376F4816EE2764517DA5E0235514AF433164480D7A

C:\Users\admin\AppData\Local\Temp\Kahytsjomfruen\omklaedningsrummet\precomputations\Dekameter\Lingeriers.hel [binary]
MD5: 86106EAF2F2B8834767E5F65480F3791 | SHA256: 4D437C5ACC0D6676884CD57E4AEEEF8763EC705F0CDE21F5B650F9EAE297012D

C:\Users\admin\AppData\Local\Temp\Kahytsjomfruen\omklaedningsrummet\precomputations\Dekameter\Gribefladens\genopfrelsens.txt [text]
MD5: 80AE8A8122C4F3127E97801AC93A7DA3 | SHA256: FA22C88B7B3449C8071CD9EFB2AFDA3A58E8E536634246E227DE8F6B51CD30CF

C:\Users\admin\AppData\Local\Temp\nsqC5D4.tmp [binary]
MD5: 8CE4B16B22B58894AA86C421E8759DF3 | SHA256: 8254C329A92850F6D539DD376F4816EE2764517DA5E0235514AF433164480D7A

nsxC905.tmp and nsqC5D4.tmp have identical MD5 and SHA256 values: the same binary was written twice under NSIS-style ns*.tmp names in the Temp root, which together with the "creating System.dll in Temp" indicator and the single executable counted above is the NSIS plugin staging step. The remaining files, dropped under a deep directory tree of random Danish words with nonsense extensions (.Non, .nod, .typ, .for, .hel), are the wrapper's decoy and payload material; none of them is flagged as executable, so the GuLoader shellcode detected in both processes is not carried as a plain PE on disk. Hashes here are per-file drops, not the sample hashes from the header.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 16
TCP/UDP connections: 22
DNS requests: 6
Threats: 0

HTTP requests (10 of the 16 counted are listed)

PID | Process | Method | HTTP code | IP | URL | CN | Type | Size | Reputation
6392 | RUXIMICS.exe | GET | 200 | 23.53.40.176:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | (not shown) | (not shown) | whitelisted
(not shown) | (not shown) | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted
(not shown) | (not shown) | GET | 404 | 140.82.121.4:443 | https://github.com/richie213/zz/raw/refs/heads/main/ZHoCtvxU253.bin | unknown | html | 266 Kb | whitelisted
(not shown) | (not shown) | GET | 404 | 140.82.121.3:443 | https://github.com/richie213/zz/raw/refs/heads/main/ZHoCtvxU253.bin | unknown | html | 266 Kb | whitelisted
(not shown) | (not shown) | GET | 404 | 140.82.121.4:443 | https://github.com/richie213/zz/raw/refs/heads/main/ZHoCtvxU253.bin | unknown | html | 266 Kb | whitelisted
(not shown) | (not shown) | GET | 404 | 140.82.121.3:443 | https://github.com/richie213/zz/raw/refs/heads/main/ZHoCtvxU253.bin | unknown | html | 266 Kb | whitelisted
(not shown) | (not shown) | GET | 404 | 140.82.121.3:443 | https://github.com/richie213/zz/raw/refs/heads/main/ZHoCtvxU253.bin | unknown | html | 266 Kb | whitelisted
(not shown) | (not shown) | GET | 404 | 140.82.121.4:443 | https://github.com/richie213/zz/raw/refs/heads/main/ZHoCtvxU253.bin | unknown | html | 266 Kb | whitelisted
(not shown) | (not shown) | GET | 404 | 140.82.121.4:443 | https://github.com/richie213/zz/raw/refs/heads/main/ZHoCtvxU253.bin | unknown | html | 266 Kb | whitelisted
(not shown) | (not shown) | GET | 404 | 140.82.121.3:443 | https://github.com/richie213/zz/raw/refs/heads/main/ZHoCtvxU253.bin | unknown | html | 266 Kb | whitelisted

The PID and process cells of rows two to ten are not present in the extracted page (the interactive table collapses repeated cells); the Connections table below attributes github.com (140.82.121.3:443) to PID 7252, purchaseorder.exe, and 40.91.76.224:443 to PID 5936, slui.exe. The activation POST and the CRL fetch are Windows background traffic. The eight requests for ZHoCtvxU253.bin are the only sample-driven HTTP activity: each returned 404 with a 266 Kb HTML body, i.e. GitHub's not-found page rather than a payload, so the second stage was never obtained in this run. That is why the report has no extracted malware configuration and no process activity beyond the two purchaseorder.exe instances, and the IOCs above cover the loader stage only. The "whitelisted" reputation applies to github.com as a domain and says nothing about the file the loader was trying to fetch; a raw-blob URL under a user repository is the hosting pattern to alert on, not the domain.

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
6392 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | (none) | (none) | (none) | whitelisted
(not shown) | (not shown) | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | (none) | (none) | (none) | whitelisted
6392 | RUXIMICS.exe | 23.53.40.176:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
7252 | purchaseorder.exe | 140.82.121.3:443 | github.com | GITHUB | US | whitelisted
6620 | slui.exe | 20.83.72.98:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
5936 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

The only connection made by a monitored sample process is PID 7252 to github.com; the NetBIOS broadcasts from System and the Microsoft endpoints are guest background traffic.

DNS requests

Domain | IP(s) | Reputation
settings-win.data.microsoft.com | 51.104.136.2 | whitelisted
google.com | 142.250.185.110 | whitelisted
crl.microsoft.com | 23.53.40.176, 23.53.40.178 | whitelisted
github.com | 140.82.121.3 | whitelisted
activation-v2.sls.microsoft.com | 20.83.72.98, 40.91.76.224 | whitelisted

Threats (network)

No threats detected

Debug info: none