File name:

security.GPF.exe

Full analysis: https://app.any.run/tasks/f0dc6d99-b071-4aeb-9cd3-eb303b797c68
Verdict: Malicious activity
Analysis date: April 12, 2025, 12:00:29
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
telegram
python
pyinstaller
ims-api
generic
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 7 sections
MD5:

3EA0F397D1FC05E6B4790C88C4392579

SHA1:

A9291B98A000520B3DD12C44FCDBF0384DD456DB

SHA256:

D458BE15494F553C17C41F99CD1E23602EE37D9375204E81218D818B748D9887

SSDEEP:

98304:K1T2Q6BvdxypWj98WVeIg8S3kAE7t/173N+cZe0j13JaezT9xZMJx69XzQqy7UJP:TZOTyYbr0S6f

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Process drops legitimate windows executable

      • security.GPF.exe (PID: 496)

    • The process drops C-runtime libraries

      • security.GPF.exe (PID: 496)

    • Application launched itself

      • security.GPF.exe (PID: 496)

    • Executable content was dropped or overwritten

      • security.GPF.exe (PID: 496)

    • Loads Python modules

      • security.GPF.exe (PID: 7200)

    • Process drops python dynamic module

      • security.GPF.exe (PID: 496)

    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • security.GPF.exe (PID: 7200)

    • There is functionality for taking screenshot (YARA)

      • security.GPF.exe (PID: 496)
      • security.GPF.exe (PID: 7200)

    • Possible usage of Discord/Telegram API has been detected (YARA)

      • security.GPF.exe (PID: 7200)

  • INFO

    • Create files in a temporary directory

      • security.GPF.exe (PID: 496)

    • Reads the computer name

      • security.GPF.exe (PID: 496)
      • security.GPF.exe (PID: 7200)

    • Checks supported languages

      • security.GPF.exe (PID: 496)
      • security.GPF.exe (PID: 7200)

    • The sample compiled with english language support

      • security.GPF.exe (PID: 496)

    • Checks proxy server information

      • security.GPF.exe (PID: 7200)

    • Attempting to use instant messaging service

      • security.GPF.exe (PID: 7200)

    • PyInstaller has been detected (YARA)

      • security.GPF.exe (PID: 496)
      • security.GPF.exe (PID: 7200)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

ims-api

(PID) Process(7200) security.GPF.exe
Telegram-Tokens (1)7521992080:AAGg2T6Bavu0tbnBKXxV-bsqogCUcCCaLU8
Telegram-Info-Links
7521992080:AAGg2T6Bavu0tbnBKXxV-bsqogCUcCCaLU8
Get info about bothttps://api.telegram.org/bot7521992080:AAGg2T6Bavu0tbnBKXxV-bsqogCUcCCaLU8/getMe
Get incoming updateshttps://api.telegram.org/bot7521992080:AAGg2T6Bavu0tbnBKXxV-bsqogCUcCCaLU8/getUpdates
Get webhookhttps://api.telegram.org/bot7521992080:AAGg2T6Bavu0tbnBKXxV-bsqogCUcCCaLU8/getWebhookInfo
Delete webhookhttps://api.telegram.org/bot7521992080:AAGg2T6Bavu0tbnBKXxV-bsqogCUcCCaLU8/deleteWebhook
Drop incoming updateshttps://api.telegram.org/bot7521992080:AAGg2T6Bavu0tbnBKXxV-bsqogCUcCCaLU8/deleteWebhook?drop_pending_updates=true
Telegram-Responses
oktrue
result
message_id1847
from
id7521992080
is_bottrue
first_nameVPN
usernameTeqcSFADxisbot
chat
id7715088812
first_nameהכל
last_nameלטובה
usernameFfffgdv
typeprivate
date1744459239
edit_date1744459248
text⏳ ממתין... 121 שניות נותרו
Telegram-Responses
oktrue
result
message_id1847
from
id7521992080
is_bottrue
first_nameVPN
usernameTeqcSFADxisbot
chat
id7715088812
first_nameהכל
last_nameלטובה
usernameFfffgdv
typeprivate
date1744459239
text⏳ ממתין... 130 שניות נותרו
Telegram-Tokens (1)7521992080:AAGg2T6Bavu0tbnBKXxV-bsqogCUcCCaLU8
Telegram-Info-Links
7521992080:AAGg2T6Bavu0tbnBKXxV-bsqogCUcCCaLU8
Get info about bothttps://api.telegram.org/bot7521992080:AAGg2T6Bavu0tbnBKXxV-bsqogCUcCCaLU8/getMe
Get incoming updateshttps://api.telegram.org/bot7521992080:AAGg2T6Bavu0tbnBKXxV-bsqogCUcCCaLU8/getUpdates
Get webhookhttps://api.telegram.org/bot7521992080:AAGg2T6Bavu0tbnBKXxV-bsqogCUcCCaLU8/getWebhookInfo
Delete webhookhttps://api.telegram.org/bot7521992080:AAGg2T6Bavu0tbnBKXxV-bsqogCUcCCaLU8/deleteWebhook
Drop incoming updateshttps://api.telegram.org/bot7521992080:AAGg2T6Bavu0tbnBKXxV-bsqogCUcCCaLU8/deleteWebhook?drop_pending_updates=true
Telegram-Requests
Token7521992080:AAGg2T6Bavu0tbnBKXxV-bsqogCUcCCaLU8
End-PointeditMessageText
Args
Token7521992080:AAGg2T6Bavu0tbnBKXxV-bsqogCUcCCaLU8
End-PointsendMessage
Args
Telegram-Responses
oktrue
result
message_id1847
from
id7521992080
is_bottrue
first_nameVPN
usernameTeqcSFADxisbot
chat
id7715088812
first_nameהכל
last_nameלטובה
usernameFfffgdv
typeprivate
date1744459239
edit_date1744459249
text⏳ ממתין... 120 שניות נותרו
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:04:09 20:10:56+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.42
CodeSize: 173568
InitializedDataSize: 155648
UninitializedDataSize: -
EntryPoint: 0xce20
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
132
Monitored processes
4
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start security.gpf.exe security.gpf.exe sppextcomobj.exe no specs slui.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
496"C:\Users\admin\AppData\Local\Temp\security.GPF.exe" C:\Users\admin\AppData\Local\Temp\security.GPF.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\appdata\local\temp\security.gpf.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
7200"C:\Users\admin\AppData\Local\Temp\security.GPF.exe" C:\Users\admin\AppData\Local\Temp\security.GPF.exe
security.GPF.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\appdata\local\temp\security.gpf.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
ims-api
(PID) Process(7200) security.GPF.exe
Telegram-Tokens (1)7521992080:AAGg2T6Bavu0tbnBKXxV-bsqogCUcCCaLU8
Telegram-Info-Links
7521992080:AAGg2T6Bavu0tbnBKXxV-bsqogCUcCCaLU8
Get info about bothttps://api.telegram.org/bot7521992080:AAGg2T6Bavu0tbnBKXxV-bsqogCUcCCaLU8/getMe
Get incoming updateshttps://api.telegram.org/bot7521992080:AAGg2T6Bavu0tbnBKXxV-bsqogCUcCCaLU8/getUpdates
Get webhookhttps://api.telegram.org/bot7521992080:AAGg2T6Bavu0tbnBKXxV-bsqogCUcCCaLU8/getWebhookInfo
Delete webhookhttps://api.telegram.org/bot7521992080:AAGg2T6Bavu0tbnBKXxV-bsqogCUcCCaLU8/deleteWebhook
Drop incoming updateshttps://api.telegram.org/bot7521992080:AAGg2T6Bavu0tbnBKXxV-bsqogCUcCCaLU8/deleteWebhook?drop_pending_updates=true
(PID) Process(7200) security.GPF.exe
Telegram-Responses
oktrue
result
message_id1847
from
id7521992080
is_bottrue
first_nameVPN
usernameTeqcSFADxisbot
chat
id7715088812
first_nameהכל
last_nameלטובה
usernameFfffgdv
typeprivate
date1744459239
edit_date1744459248
text⏳ ממתין... 121 שניות נותרו
(PID) Process(7200) security.GPF.exe
Telegram-Responses
oktrue
result
message_id1847
from
id7521992080
is_bottrue
first_nameVPN
usernameTeqcSFADxisbot
chat
id7715088812
first_nameהכל
last_nameלטובה
usernameFfffgdv
typeprivate
date1744459239
text⏳ ממתין... 130 שניות נותרו
(PID) Process(7200) security.GPF.exe
Telegram-Tokens (1)7521992080:AAGg2T6Bavu0tbnBKXxV-bsqogCUcCCaLU8
Telegram-Info-Links
7521992080:AAGg2T6Bavu0tbnBKXxV-bsqogCUcCCaLU8
Get info about bothttps://api.telegram.org/bot7521992080:AAGg2T6Bavu0tbnBKXxV-bsqogCUcCCaLU8/getMe
Get incoming updateshttps://api.telegram.org/bot7521992080:AAGg2T6Bavu0tbnBKXxV-bsqogCUcCCaLU8/getUpdates
Get webhookhttps://api.telegram.org/bot7521992080:AAGg2T6Bavu0tbnBKXxV-bsqogCUcCCaLU8/getWebhookInfo
Delete webhookhttps://api.telegram.org/bot7521992080:AAGg2T6Bavu0tbnBKXxV-bsqogCUcCCaLU8/deleteWebhook
Drop incoming updateshttps://api.telegram.org/bot7521992080:AAGg2T6Bavu0tbnBKXxV-bsqogCUcCCaLU8/deleteWebhook?drop_pending_updates=true
Telegram-Requests
Token7521992080:AAGg2T6Bavu0tbnBKXxV-bsqogCUcCCaLU8
End-PointeditMessageText
Args
Token7521992080:AAGg2T6Bavu0tbnBKXxV-bsqogCUcCCaLU8
End-PointsendMessage
Args
Telegram-Responses
oktrue
result
message_id1847
from
id7521992080
is_bottrue
first_nameVPN
usernameTeqcSFADxisbot
chat
id7715088812
first_nameהכל
last_nameלטובה
usernameFfffgdv
typeprivate
date1744459239
edit_date1744459249
text⏳ ממתין... 120 שניות נותרו
7224C:\WINDOWS\system32\SppExtComObj.exe -EmbeddingC:\Windows\System32\SppExtComObj.Exesvchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
7256"C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEventC:\Windows\System32\slui.exeSppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
672
Read events
672
Write events
0
Delete events
0

Modification events

No data
Executable files
23
Suspicious files
1
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
496security.GPF.exeC:\Users\admin\AppData\Local\Temp\_MEI4962\charset_normalizer\md.cp313-win_amd64.pydexecutable
MD5:480B5EB45AF69A315BD2C3B1B34459D1
SHA256:1F8A5173D8BFE6C569E81C738B830800307ED4586D2AE9AC5CC13A468C6E1892
496security.GPF.exeC:\Users\admin\AppData\Local\Temp\_MEI4962\_wmi.pydexecutable
MD5:C629CE084FC76AC60B7A77479CB2225C
SHA256:AFAD80F9E62A57814779CF3E48352B583C1A0697B11A23CC9DB3F4E43F7F8664
496security.GPF.exeC:\Users\admin\AppData\Local\Temp\_MEI4962\_bz2.pydexecutable
MD5:C17DCB7FC227601471A641EC90E6237F
SHA256:55894B2B98D01F37B9A8CF4DAF926D0161FF23C2FB31C56F9DBBAC3A61932712
496security.GPF.exeC:\Users\admin\AppData\Local\Temp\_MEI4962\_queue.pydexecutable
MD5:955B197C38EA5BD537CE9C7CB2109802
SHA256:73CADE82EE139459FE5841E5631274FC9CAF7F579418B613F278125435653539
496security.GPF.exeC:\Users\admin\AppData\Local\Temp\_MEI4962\_decimal.pydexecutable
MD5:AD4324E5CC794D626FFCCDA544A5A833
SHA256:040F361F63204B55C17A100C260C7DDFADD00866CC055FBD641B83A6747547D5
496security.GPF.exeC:\Users\admin\AppData\Local\Temp\_MEI4962\_lzma.pydexecutable
MD5:66A9028EFD1BB12047DAFCE391FD6198
SHA256:E44DEA262A24DF69FD9B50B08D09AE6F8B051137CE0834640C977091A6F9FCA8
496security.GPF.exeC:\Users\admin\AppData\Local\Temp\_MEI4962\charset_normalizer\md__mypyc.cp313-win_amd64.pydexecutable
MD5:501B867C424A8E3A41A9BE4AB22DBEED
SHA256:437CEB75E7BC7C72C9090558397EF3598B0BC7BC499434AF5827028083D300CA
496security.GPF.exeC:\Users\admin\AppData\Local\Temp\_MEI4962\_hashlib.pydexecutable
MD5:422E214CA76421E794B99F99A374B077
SHA256:78223AEF72777EFC93C739F5308A3FC5DE28B7D10E6975B8947552A62592772B
496security.GPF.exeC:\Users\admin\AppData\Local\Temp\_MEI4962\libffi-8.dllexecutable
MD5:0F8E4992CA92BAAF54CC0B43AACCCE21
SHA256:EFF52743773EB550FCC6CE3EFC37C85724502233B6B002A35496D828BD7B280A
496security.GPF.exeC:\Users\admin\AppData\Local\Temp\_MEI4962\base_library.zipcompressed
MD5:01ADF05C570DCDFBEBB58746C3CC97DD
SHA256:9E258258A0F6C03B9E8DCC2E60684DC820510FECED1669A3669DA6FE4D15D0E7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
119
DNS requests
15
Threats
54

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
23.216.77.25:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6544
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
7748
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
7748
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2104
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
23.216.77.25:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
2112
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
7200
security.GPF.exe
142.250.186.36:80
www.google.com
GOOGLE
US
whitelisted
7200
security.GPF.exe
149.154.167.220:443
api.telegram.org
Telegram Messenger Inc
GB
whitelisted
3216
svchost.exe
172.211.123.249:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
6544
svchost.exe
20.190.159.71:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.104.136.2
whitelisted
crl.microsoft.com
  • 23.216.77.25
  • 23.216.77.30
  • 23.216.77.20
  • 23.216.77.6
  • 23.216.77.36
  • 23.216.77.8
  • 23.216.77.22
  • 23.216.77.38
  • 23.216.77.28
whitelisted
google.com
  • 142.250.185.78
whitelisted
www.google.com
  • 142.250.186.36
  • 172.217.18.4
whitelisted
api.telegram.org
  • 149.154.167.220
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
login.live.com
  • 20.190.159.71
  • 40.126.31.67
  • 40.126.31.71
  • 20.190.159.73
  • 20.190.159.128
  • 40.126.31.128
  • 40.126.31.129
  • 20.190.159.23
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
slscr.update.microsoft.com
  • 172.202.163.200
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted

Threats

PID
Process
Class
Message
2196
svchost.exe
Misc activity
ET HUNTING Telegram API Domain in DNS Lookup
7200
security.GPF.exe
Misc activity
ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
7200
security.GPF.exe
Misc activity
ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
7200
security.GPF.exe
Misc activity
ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
7200
security.GPF.exe
Misc activity
ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
7200
security.GPF.exe
Misc activity
ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
7200
security.GPF.exe
Misc activity
ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
7200
security.GPF.exe
Misc activity
ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
7200
security.GPF.exe
Misc activity
ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
7200
security.GPF.exe
Misc activity
ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
security.GPF.exe