File name: security.GPF.exe

Full analysis: https://app.any.run/tasks/f0dc6d99-b071-4aeb-9cd3-eb303b797c68
Verdict: Malicious activity
Analysis date: April 12, 2025, 12:00:29
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: telegram, python, pyinstaller, ims-api, generic
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 7 sections
MD5: 3EA0F397D1FC05E6B4790C88C4392579
SHA1: A9291B98A000520B3DD12C44FCDBF0384DD456DB
SHA256: D458BE15494F553C17C41F99CD1E23602EE37D9375204E81218D818B748D9887
SSDEEP: 98304:K1T2Q6BvdxypWj98WVeIg8S3kAE7t/173N+cZe0j13JaezT9xZMJx69XzQqy7UJP:TZOTyYbr0S6f
ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • The process drops C-runtime libraries

      • security.GPF.exe (PID: 496)
    • Process drops legitimate windows executable

      • security.GPF.exe (PID: 496)
    • Process drops python dynamic module

      • security.GPF.exe (PID: 496)
    • Executable content was dropped or overwritten

      • security.GPF.exe (PID: 496)
    • Application launched itself

      • security.GPF.exe (PID: 496)
    • Loads Python modules

      • security.GPF.exe (PID: 7200)
    • There is functionality for taking screenshot (YARA)

      • security.GPF.exe (PID: 496)
      • security.GPF.exe (PID: 7200)
    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • security.GPF.exe (PID: 7200)
    • Possible usage of Discord/Telegram API has been detected (YARA)

      • security.GPF.exe (PID: 7200)
  • INFO

    • Reads the computer name

      • security.GPF.exe (PID: 496)
      • security.GPF.exe (PID: 7200)
    • Checks supported languages

      • security.GPF.exe (PID: 496)
      • security.GPF.exe (PID: 7200)
    • The sample compiled with english language support

      • security.GPF.exe (PID: 496)
    • Create files in a temporary directory

      • security.GPF.exe (PID: 496)
    • Checks proxy server information

      • security.GPF.exe (PID: 7200)
    • PyInstaller has been detected (YARA)

      • security.GPF.exe (PID: 496)
      • security.GPF.exe (PID: 7200)
    • Attempting to use instant messaging service

      • security.GPF.exe (PID: 7200)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.

ims-api

(PID) Process (7200) security.GPF.exe
Telegram-Tokens (1): 7521992080:AAGg2T6Bavu0tbnBKXxV-bsqogCUcCCaLU8
Telegram-Info-Links for token 7521992080:AAGg2T6Bavu0tbnBKXxV-bsqogCUcCCaLU8
  Get info about bot: https://api.telegram.org/bot7521992080:AAGg2T6Bavu0tbnBKXxV-bsqogCUcCCaLU8/getMe
  Get incoming updates: https://api.telegram.org/bot7521992080:AAGg2T6Bavu0tbnBKXxV-bsqogCUcCCaLU8/getUpdates
  Get webhook: https://api.telegram.org/bot7521992080:AAGg2T6Bavu0tbnBKXxV-bsqogCUcCCaLU8/getWebhookInfo
  Delete webhook: https://api.telegram.org/bot7521992080:AAGg2T6Bavu0tbnBKXxV-bsqogCUcCCaLU8/deleteWebhook
  Drop incoming updates: https://api.telegram.org/bot7521992080:AAGg2T6Bavu0tbnBKXxV-bsqogCUcCCaLU8/deleteWebhook?drop_pending_updates=true
Telegram-Requests (token 7521992080:AAGg2T6Bavu0tbnBKXxV-bsqogCUcCCaLU8)
  End-Point: editMessageText (Args: empty in the export)
  End-Point: sendMessage (Args: empty in the export)
Telegram-Responses (three captured results, all for message_id 1847 in the same private chat; the from and chat objects are identical in each)
  from: id 7521992080, is_bot true, first_name "VPN", username "TeqcSFADxisbot"
  chat: id 7715088812, first_name "הכל", last_name "לטובה" (Hebrew, "everything for the best"), username "Ffffgdv", type private
  Response 1: ok true, date 1744459239, edit_date 1744459248, text "⏳ ממתין... 121 שניות נותרו" ("⏳ Waiting... 121 seconds remaining")
  Response 2: ok true, date 1744459239, no edit_date (the sendMessage result), text "⏳ ממתין... 130 שניות נותרו" ("⏳ Waiting... 130 seconds remaining")
  Response 3: ok true, date 1744459239, edit_date 1744459249, text "⏳ ממתין... 120 שניות נותרו" ("⏳ Waiting... 120 seconds remaining")
Read together: a single message was posted at 1744459239 (2025-04-12 12:00:39 UTC, ten seconds after the listed analysis start if that timestamp is UTC) announcing 130 seconds remaining, then edited in place about once per second (121 at +9 s, 120 at +10 s). In the captured window the bot only posts and edits this countdown into the operator's private chat; no getUpdates polling appears among the captured requests.
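The triage steps implied by the ims-api section (pull the bot token out of whatever you extracted from the PyInstaller archive, derive the same read-only Telegram links the report lists, and check whether the captured responses really are a live per-second countdown) are collected below as an added example. This is not ANY.RUN's code and not the sample's code. The token regex widths (8-10 digit bot id, 35-character secret) and the countdown-consistency rule are this example's own assumptions; the three responses in `CAPTURED` are reconstructed from the report's Telegram-Responses with the Hebrew text translated.

```python
"""Telegram bot C2 triage helpers (added example; assumptions noted inline)."""
import re
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Assumed token shape: numeric bot id, ':', 35-char secret. The widths match tokens
# seen in the wild, not a documented Telegram guarantee. The lookbehind rejects only
# a preceding digit so that the ".../bot<token>/getMe" URL form still matches.
TOKEN_RE = re.compile(r"(?<!\d)(\d{8,10}):([A-Za-z0-9_-]{35})(?![A-Za-z0-9_-])")

# The same read-only / cleanup endpoints the report lists under Telegram-Info-Links.
INFO_ENDPOINTS = {
    "Get info about bot": "getMe",
    "Get incoming updates": "getUpdates",
    "Get webhook": "getWebhookInfo",
    "Delete webhook": "deleteWebhook",
    "Drop incoming updates": "deleteWebhook?drop_pending_updates=true",
}


def extract_tokens(blob: str) -> List[str]:
    """Distinct bot tokens found in decompiled source, `strings` output or a PCAP dump."""
    return sorted({f"{m.group(1)}:{m.group(2)}" for m in TOKEN_RE.finditer(blob)})


def info_links(token: str) -> Dict[str, str]:
    """Build the triage URLs for a token. Calling them contacts the attacker's bot."""
    return {label: f"https://api.telegram.org/bot{token}/{ep}" for label, ep in INFO_ENDPOINTS.items()}


def countdown_timeline(responses: List[dict]) -> List[Tuple[int, int, int]]:
    """Order sendMessage/editMessageText results by the time Telegram stamped them.

    Returns (seconds since first observation, message_id, seconds-remaining parsed
    from the text). Edits carry edit_date; the original message only carries date.
    """
    rows = []
    for resp in responses:
        if not resp.get("ok"):
            continue  # error responses have no result object
        msg = resp["result"]
        stamped = msg.get("edit_date", msg["date"])
        remaining = int(re.search(r"\d+", msg["text"]).group(0))
        rows.append((stamped, msg["message_id"], remaining))
    rows.sort()
    t0 = rows[0][0]
    return [(stamped - t0, mid, remaining) for stamped, mid, remaining in rows]


def is_live_countdown(timeline: List[Tuple[int, int, int]]) -> bool:
    """True when every edit lowers the counter by exactly the elapsed seconds (assumed rule)."""
    totals = {offset + remaining for offset, _, remaining in timeline}
    return len(timeline) > 1 and len(totals) == 1


def first_seen_utc(responses: List[dict]) -> str:
    """UTC timestamp of the original message, for correlation with the sandbox clock."""
    earliest = min(r["result"]["date"] for r in responses if r.get("ok"))
    return datetime.fromtimestamp(earliest, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


# Constructed from the report's three Telegram-Responses (text translated from Hebrew).
CAPTURED = [
    {"ok": True, "result": {"message_id": 1847, "date": 1744459239, "edit_date": 1744459248,
                            "text": "⏳ Waiting... 121 seconds remaining"}},
    {"ok": True, "result": {"message_id": 1847, "date": 1744459239,
                            "text": "⏳ Waiting... 130 seconds remaining"}},
    {"ok": True, "result": {"message_id": 1847, "date": 1744459239, "edit_date": 1744459249,
                            "text": "⏳ Waiting... 120 seconds remaining"}},
]

if __name__ == "__main__":
    # Token as it appears in the report's Telegram-Info-Links URL form.
    for token in extract_tokens("https://api.telegram.org/bot7521992080:AAGg2T6Bavu0tbnBKXxV-bsqogCUcCCaLU8/getMe"):
        for label, url in info_links(token).items():
            print(f"{label}: {url}")
    tl = countdown_timeline(CAPTURED)
    print(first_seen_utc(CAPTURED), tl, "live countdown" if is_live_countdown(tl) else "canned text")
```

`info_links` only builds strings on purpose: `getMe` and `getUpdates` are harmless to Telegram but are an active interaction with the operator's bot, and `deleteWebhook` changes its state, so run them only with the engagement's rules of engagement in hand. The timeline check matters because a bot that edits one message every second is a different capability (and a different detection opportunity, repeated `editMessageText` bodies to api.telegram.org) from one that posts a fixed string.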
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:04:09 20:10:56+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.42
CodeSize: 173568
InitializedDataSize: 155648
UninitializedDataSize: -
EntryPoint: 0xce20
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
Total processes: 132
Monitored processes: 4
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start -> security.gpf.exe (PID 496) -> security.gpf.exe (PID 7200)
sppextcomobj.exe (no specs) -> slui.exe (no specs)

The SppExtComObj.exe / slui.exe branch is Windows activation activity started by svchost.exe (see Process information below); it is not part of the sample's process tree.

Process information

PID 496
CMD: "C:\Users\admin\AppData\Local\Temp\security.GPF.exe"
Path: C:\Users\admin\AppData\Local\Temp\security.GPF.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Modules (images):
c:\users\admin\appdata\local\temp\security.gpf.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll

PID 7200
CMD: "C:\Users\admin\AppData\Local\Temp\security.GPF.exe"
Path: C:\Users\admin\AppData\Local\Temp\security.GPF.exe
Parent process: security.GPF.exe (PID 496)
User: admin
Integrity Level: MEDIUM
Modules (images):
c:\users\admin\appdata\local\temp\security.gpf.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID 7224
CMD: C:\WINDOWS\system32\SppExtComObj.exe -Embedding
Path: C:\Windows\System32\SppExtComObj.Exe
Parent process: svchost.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: KMS Connection Broker
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll

PID 7256
CMD: "C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent
Path: C:\Windows\System32\slui.exe
Parent process: SppExtComObj.Exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows Activation Client
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events: 672
Read events: 672
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 23
Suspicious files: 1
Text files: 1
Unknown types: 0

Dropped files

PID | Process | Filename | Type
496 | security.GPF.exe | C:\Users\admin\AppData\Local\Temp\_MEI4962\libcrypto-3.dll | executable
    MD5: 123AD0908C76CCBA4789C084F7A6B8D0
    SHA256: 4E5D5D20D6D31E72AB341C81E97B89E514326C4C861B48638243BDF0918CFA43
496 | security.GPF.exe | C:\Users\admin\AppData\Local\Temp\_MEI4962\VCRUNTIME140_1.dll | executable
    MD5: 68156F41AE9A04D89BB6625A5CD222D4
    SHA256: 82A2F9AE1E6146AE3CB0F4BC5A62B7227E0384209D9B1AEF86BBCC105912F7CD
496 | security.GPF.exe | C:\Users\admin\AppData\Local\Temp\_MEI4962\_lzma.pyd | executable
    MD5: 66A9028EFD1BB12047DAFCE391FD6198
    SHA256: E44DEA262A24DF69FD9B50B08D09AE6F8B051137CE0834640C977091A6F9FCA8
496 | security.GPF.exe | C:\Users\admin\AppData\Local\Temp\_MEI4962\psutil\_psutil_windows.pyd | executable
    MD5: D30149D319EFCAECF0A5C5E71EF6CB39
    SHA256: 4F1ABCFBEF2DACC6B9EBF1EA7BE859B9B8673671EC1942E5DD69DC75F321DF11
496 | security.GPF.exe | C:\Users\admin\AppData\Local\Temp\_MEI4962\_hashlib.pyd | executable
    MD5: 422E214CA76421E794B99F99A374B077
    SHA256: 78223AEF72777EFC93C739F5308A3FC5DE28B7D10E6975B8947552A62592772B
496 | security.GPF.exe | C:\Users\admin\AppData\Local\Temp\_MEI4962\_wmi.pyd | executable
    MD5: C629CE084FC76AC60B7A77479CB2225C
    SHA256: AFAD80F9E62A57814779CF3E48352B583C1A0697B11A23CC9DB3F4E43F7F8664
496 | security.GPF.exe | C:\Users\admin\AppData\Local\Temp\_MEI4962\_queue.pyd | executable
    MD5: 955B197C38EA5BD537CE9C7CB2109802
    SHA256: 73CADE82EE139459FE5841E5631274FC9CAF7F579418B613F278125435653539
496 | security.GPF.exe | C:\Users\admin\AppData\Local\Temp\_MEI4962\charset_normalizer\md__mypyc.cp313-win_amd64.pyd | executable
    MD5: 501B867C424A8E3A41A9BE4AB22DBEED
    SHA256: 437CEB75E7BC7C72C9090558397EF3598B0BC7BC499434AF5827028083D300CA
496 | security.GPF.exe | C:\Users\admin\AppData\Local\Temp\_MEI4962\base_library.zip | compressed
    MD5: 01ADF05C570DCDFBEBB58746C3CC97DD
    SHA256: 9E258258A0F6C03B9E8DCC2E60684DC820510FECED1669A3669DA6FE4D15D0E7
496 | security.GPF.exe | C:\Users\admin\AppData\Local\Temp\_MEI4962\libssl-3.dll | executable
    MD5: 4FF168AAA6A1D68E7957175C8513F3A2
    SHA256: 2E4D35B681A172D3298CAF7DC670451BE7A8BA27C26446EFC67470742497A950
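The %TEMP%\_MEI4962 drop directory (the name embeds the bootloader's PID, 496), the parent process relaunching itself, and the `cp313-win_amd64` tag on the charset_normalizer module are the PyInstaller onefile pattern with a CPython 3.13 runtime, which is what the "PyInstaller has been detected (YARA)" signature keys on. Before reaching for an extractor it helps to confirm that statically from the file. The function below does that by locating PyInstaller's trailing archive cookie; it is an added example, not ANY.RUN's signature and not anything shipped with the sample. The cookie layout (8-byte magic, then big-endian package length, TOC offset, TOC length, Python version and a 64-byte DLL name) is PyInstaller's CArchive format; the version encoding rule and the sample image in `build_sample` are this example's own assumptions, and the sample bytes are constructed, not taken from security.GPF.exe.

```python
"""Locate and decode the PyInstaller onefile cookie in a file image (added example)."""
import struct
from typing import Optional

PYINST_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
COOKIE_FMT = "!8sIIii64s"   # magic, package length, TOC offset, TOC length, Python version, pylib name
COOKIE_SIZE = struct.calcsize(COOKIE_FMT)  # 88 bytes


def decode_pyver(pyver: int) -> str:
    """Assumed encoding: older bootloaders write 3.7 as 37, newer ones write 3.13 as 313."""
    major, minor = divmod(pyver, 100) if pyver >= 100 else divmod(pyver, 10)
    return f"{major}.{minor}"


def find_pyinstaller_cookie(data: bytes) -> Optional[dict]:
    """Scan a whole file image for the trailing cookie and return the archive geometry, or None.

    The cookie ends the embedded archive, so we search from the end of the file; a hit
    whose geometry does not fit the file (truncated sample, or the magic appearing by
    chance in other data) is rejected rather than reported.
    """
    pos = data.rfind(PYINST_MAGIC)
    if pos < 0 or pos + COOKIE_SIZE > len(data):
        return None
    _, pkg_len, toc_off, toc_len, pyver, pylib = struct.unpack_from(COOKIE_FMT, data, pos)
    archive_start = pos + COOKIE_SIZE - pkg_len   # package length counts the cookie itself
    if archive_start < 0 or toc_off + toc_len > pkg_len:
        return None
    return {
        "archive_offset": archive_start,
        "toc_offset": archive_start + toc_off,   # absolute offset of the table of contents
        "toc_length": toc_len,
        "python_version": decode_pyver(pyver),
        "pylib": pylib.rstrip(b"\0").decode("ascii", "replace"),
    }


def build_sample() -> bytes:
    """Constructed stand-in for a onefile PE: a stub, opaque payload bytes, then the cookie."""
    stub = b"MZ" + b"\0" * 100
    payload = b"\xaa" * 150               # would hold the compressed entries in a real archive
    toc_off, toc_len = 100, 50            # TOC occupies the last 50 payload bytes
    pkg_len = len(payload) + COOKIE_SIZE
    cookie = struct.pack(COOKIE_FMT, PYINST_MAGIC, pkg_len, toc_off, toc_len, 313,
                         b"python313.dll".ljust(64, b"\0"))
    return stub + payload + cookie


if __name__ == "__main__":
    import sys
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    print(find_pyinstaller_cookie(image) or "no PyInstaller cookie found")
```

Run it against the real file (`python cookie.py security.GPF.exe`) to get the interpreter version before choosing a matching Python for the extractor and decompiler; a mismatch there is the usual reason a recovered `.pyc` will not decompile. The `pylib` field names the runtime DLL the bootloader will load from the `_MEI` directory, so it also tells you which dropped file to expect.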
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 4
TCP/UDP connections: 119
DNS requests: 15
Threats: 54

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
- | - | GET | 200 | 23.216.77.25:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
6544 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
7748 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
7748 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted

The Type and Size columns were empty in the export, and the first row carried no PID. None of the four plaintext requests comes from the sample (PID 7200): its Telegram traffic is TLS on port 443 and therefore shows up only in the connections, DNS and threat tables below.

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2104 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 23.216.77.25:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
2112 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
7200 | security.GPF.exe | 142.250.186.36:80 | www.google.com | GOOGLE | US | whitelisted
7200 | security.GPF.exe | 149.154.167.220:443 | api.telegram.org | Telegram Messenger Inc | GB | whitelisted
3216 | svchost.exe | 172.211.123.249:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
6544 | svchost.exe | 20.190.159.71:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

Only the two PID 7200 rows belong to the sample; the rest is Windows background traffic. Note that api.telegram.org carries a "whitelisted" reputation because it is a legitimate service, which is exactly why a bot-API C2 channel blends into allowed traffic and has to be caught on behaviour (an unsigned %TEMP% executable talking to the bot API) rather than on destination reputation.

DNS requests

Domain | IP(s) | Reputation
settings-win.data.microsoft.com | 40.127.240.158, 51.104.136.2 | whitelisted
crl.microsoft.com | 23.216.77.25, 23.216.77.30, 23.216.77.20, 23.216.77.6, 23.216.77.36, 23.216.77.8, 23.216.77.22, 23.216.77.38, 23.216.77.28 | whitelisted
google.com | 142.250.185.78 | whitelisted
www.google.com | 142.250.186.36, 172.217.18.4 | whitelisted
api.telegram.org | 149.154.167.220 | whitelisted
client.wns.windows.com | 172.211.123.249 | whitelisted
login.live.com | 20.190.159.71, 40.126.31.67, 40.126.31.71, 20.190.159.73, 20.190.159.128, 40.126.31.128, 40.126.31.129, 20.190.159.23 | whitelisted
ocsp.digicert.com | 2.17.190.73 | whitelisted
slscr.update.microsoft.com | 172.202.163.200 | whitelisted
www.microsoft.com | 184.30.21.171 | whitelisted

Threats

PID | Process | Class | Message
2196 | svchost.exe | Misc activity | ET HUNTING Telegram API Domain in DNS Lookup
7200 | security.GPF.exe | Misc activity | ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI) (9 occurrences)

The DNS-lookup alert is attributed to svchost.exe (PID 2196) rather than the sample because the Windows DNS Client service performs name resolution on behalf of every process; the nine TLS SNI alerts are attributed to the sample's own connections to api.telegram.org.
No debug info