Malware analysis https://drive.viewgoogle.com/file/d/Video_recorded_iPhone17Pro.mp4/view?usp=sharing&Email=google%40drive.com&__cf_chl_tk=XmLQuBXRyZ4SuvjNObCb5whwuD8aGZw4BB0pnfEtlCY-1774536820-1.0.1.1-mwd5EllbrXXuRnFMQdJTExCLkW.JBXKRcVUdRCNL1B8 Malicious activity

Add for printing

URL:	https://drive.viewgoogle.com/file/d/Video_recorded_iPhone17Pro.mp4/view?usp=sharing&Email=google%40drive.com&__cf_chl_tk=XmLQuBXRyZ4SuvjNObCb5whwuD8aGZw4BB0pnfEtlCY-1774536820-1.0.1.1-mwd5EllbrXXuRnFMQdJTExCLkW.JBXKRcVUdRCNL1B8
Full analysis:	https://app.any.run/tasks/58474e06-fd25-44ee-b7f0-4a655e244c51
Verdict:	Malicious activity
Analysis date:	March 26, 2026, 20:04:22
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	telegram phishing python
Indicators:
MD5:	4167DDBDE0E134C0577A3C830BFC2640
SHA1:	077AB6CAB37E94EB362CCF6E04BC87A8C9C359E0
SHA256:	20889D3246F72E34CA46206CEC43DBF60BAB25E8C656D2B74A6F2C4141CA911D
SSDEEP:	3:N8PMMBzloivkg1Y0BAIVsnJZVJ1zBcTudA+K4OQQ38INS0GtfUlVdFzSM84oRmIb:2x+g1RsJZVJHi0EdS07zx84oAdwI+d

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
Google Chrome (133.0.6943.127)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Java(TM) SE Development Kit 25.0.2 (64-bit) (25.0.2.0)
Microsoft Edge (133.0.3065.92)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (136.0)
Mozilla Maintenance Service (136.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- PHISHING has been detected (SURICATA)
  - msedge.exe (PID: 1132)
- Changes the autorun value in the registry
  - msiexec.exe (PID: 7248)
- Create files in the Startup directory
  - powershell.exe (PID: 8484)
- Changes powershell execution policy (Bypass)
  - agent.exe (PID: 2304)
- Run PowerShell with an invisible window
  - powershell.exe (PID: 8484)
SUSPICIOUS
- Starts application with an unusual extension
  - msedge.exe (PID: 2676)
- Executable content was dropped or overwritten
  - Video_recorded_iPhone17Pro.mp4 Drive.google.com (PID: 2960)
- Reads the Windows owner or organization settings
  - msiexec.exe (PID: 7248)
- Reads the date of Windows installation
  - agent.exe (PID: 8340)
- Application launched itself
  - agent.exe (PID: 8340)
- The process drops C-runtime libraries
  - Video_recorded_iPhone17Pro.mp4 Drive.google.com (PID: 2960)
- Process drops python dynamic module
  - Video_recorded_iPhone17Pro.mp4 Drive.google.com (PID: 2960)
- Loads Python modules
  - python.exe (PID: 8196)
- Bypass execution policy to execute commands
  - powershell.exe (PID: 8484)
- The process bypasses the loading of PowerShell profile settings
  - agent.exe (PID: 2304)
- Starts POWERSHELL.EXE for commands execution
  - agent.exe (PID: 2304)
INFO
- Checks supported languages
  - identity_helper.exe (PID: 2656)
  - Video_recorded_iPhone17Pro.mp4 Drive.google.com (PID: 2960)
  - msiexec.exe (PID: 7248)
  - agent.exe (PID: 8340)
  - agent.exe (PID: 2304)
  - python.exe (PID: 8196)
- Reads the computer name
  - identity_helper.exe (PID: 2656)
  - msiexec.exe (PID: 7248)
  - agent.exe (PID: 8340)
  - agent.exe (PID: 2304)
- Application launched itself
  - msedge.exe (PID: 2676)
- Executable content was dropped or overwritten
  - msedge.exe (PID: 2676)
  - msiexec.exe (PID: 7248)
- Reads Environment values
  - identity_helper.exe (PID: 2656)
  - agent.exe (PID: 8340)
  - agent.exe (PID: 2304)
- Create files in a temporary directory
  - Video_recorded_iPhone17Pro.mp4 Drive.google.com (PID: 2960)
- Creates files or folders in the user directory
  - msiexec.exe (PID: 7248)
  - Video_recorded_iPhone17Pro.mp4 Drive.google.com (PID: 2960)
- Launching a file from a Registry key
  - msiexec.exe (PID: 7248)
- Creates a software uninstall entry
  - msiexec.exe (PID: 7248)
- Disables trace logs
  - agent.exe (PID: 8340)
  - agent.exe (PID: 2304)
- Reads security settings of Internet Explorer
  - agent.exe (PID: 8340)
- The sample compiled with english language support
  - Video_recorded_iPhone17Pro.mp4 Drive.google.com (PID: 2960)
- Reads the machine GUID from the registry
  - agent.exe (PID: 8340)
  - agent.exe (PID: 2304)
  - python.exe (PID: 8196)
- Launching a file from the Startup directory
  - powershell.exe (PID: 8484)
- The executable file from the user directory is run by the Powershell process
  - python.exe (PID: 8196)
- Python executable
  - python.exe (PID: 8196)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

169

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

1132

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=2288,i,3813229959328331992,15832171962802448158,262144 --disable-features=HttpsFirstBalancedMode,HttpsFirstModeV2,HttpsOnlyMode,HttpsUpgrades --variations-seed-version --mojo-platform-channel-handle=2284 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Edge

Version:

133.0.3065.92

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2156

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=2780,i,3813229959328331992,15832171962802448158,262144 --disable-features=HttpsFirstBalancedMode,HttpsFirstModeV2,HttpsOnlyMode,HttpsUpgrades --variations-seed-version --mojo-platform-channel-handle=2816 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Version:

133.0.3065.92

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2304

"C:\Users\admin\AppData\Local\MyRMMAgent\agent.exe"

C:\Users\admin\AppData\Local\MyRMMAgent\agent.exe

agent.exe

User:

admin

Company:

agent

Integrity Level:

MEDIUM

Description:

agent

Version:

1.0.0.0

Modules

Images
c:\users\admin\appdata\local\myrmmagent\agent.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

2656

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=3 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=5264,i,3813229959328331992,15832171962802448158,262144 --disable-features=HttpsFirstBalancedMode,HttpsFirstModeV2,HttpsOnlyMode,HttpsUpgrades --variations-seed-version --mojo-platform-channel-handle=4628 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

133.0.3065.92

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2656

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.92\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=5360,i,3813229959328331992,15832171962802448158,262144 --disable-features=HttpsFirstBalancedMode,HttpsFirstModeV2,HttpsOnlyMode,HttpsUpgrades --variations-seed-version --mojo-platform-channel-handle=6620 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.92\identity_helper.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

PWA Identity Proxy Host

Exit code:

Version:

133.0.3065.92

Modules

Images
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\identity_helper.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

2676

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --disable-features=HttpsUpgrades,HttpsFirstModeV2,HttpsOnlyMode,HttpsFirstBalancedMode --no-first-run --no-default-browser-check https://drive.viewgoogle.com/file/d/Video_recorded_iPhone17Pro.mp4/view?usp=sharing&Email=google%40drive.com&__cf_chl_tk=XmLQuBXRyZ4SuvjNObCb5whwuD8aGZw4BB0pnfEtlCY-1774536820-1.0.1.1-mwd5EllbrXXuRnFMQdJTExCLkW.JBXKRcVUdRCNL1B8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Edge

Version:

133.0.3065.92

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2956

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=6200,i,3813229959328331992,15832171962802448158,262144 --disable-features=HttpsFirstBalancedMode,HttpsFirstModeV2,HttpsOnlyMode,HttpsUpgrades --variations-seed-version --mojo-platform-channel-handle=6404 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

133.0.3065.92

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2960

"C:\Users\admin\Downloads\Video_recorded_iPhone17Pro.mp4 Drive.google.com"

C:\Users\admin\Downloads\Video_recorded_iPhone17Pro.mp4 Drive.google.com

msedge.exe

User:

admin

Integrity Level:

MEDIUM

Modules

Images
c:\users\admin\downloads\video_recorded_iphone17pro.mp4 drive.google.com
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll

3324

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.142 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.92 --initial-client-data=0x294,0x298,0x29c,0x28c,0x2a4,0x7ffe2335f208,0x7ffe2335f214,0x7ffe2335f220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Edge

Version:

133.0.3065.92

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

3552

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=3 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3604,i,3813229959328331992,15832171962802448158,262144 --disable-features=HttpsFirstBalancedMode,HttpsFirstModeV2,HttpsOnlyMode,HttpsUpgrades --variations-seed-version --mojo-platform-channel-handle=3652 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

133.0.3065.92

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

Add for printing

Total events

8 868

Read events

8 757

Write events

102

Delete events

Modification events


(PID) Process:	(7248) msiexec.exe	Key:	HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:	write	Name:	Owner
Value: 501C0000C14DE2D75BBDDC01
(PID) Process:	(7248) msiexec.exe	Key:	HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:	write	Name:	SessionHash
Value: 5C9C974240A2E65F3DF93DA5B060CB108980475A65063F879C1876AC399C8D3F
(PID) Process:	(7248) msiexec.exe	Key:	HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:	write	Name:	Sequence
Value: 1
(PID) Process:	(7248) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
Operation:	write	Name:	C:\Users\admin\AppData\Roaming\Microsoft\Installer\
Value:
(PID) Process:	(7248) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1693682860-607145093-2874071422-1001\Components\75819A94967EEA4579BB69142FAAA683
Operation:	write	Name:	AAD133254D8D7844EBCA56B3429AE4A8
Value: C:\Users\admin\AppData\Local\MyRMMAgent\agent.exe
(PID) Process:	(7248) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\75819A94967EEA4579BB69142FAAA683
Operation:	write	Name:	00000000000000000000000000000000
Value: C:\Users\admin\AppData\Local\MyRMMAgent\agent.exe
(PID) Process:	(7248) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1693682860-607145093-2874071422-1001\Components\2D9A8829D16A717539A111B7C6EF4589
Operation:	write	Name:	AAD133254D8D7844EBCA56B3429AE4A8
Value: 01:\Software\Microsoft\Windows\CurrentVersion\Run\NVIDIA_FrameView_Background
(PID) Process:	(7248) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\2D9A8829D16A717539A111B7C6EF4589
Operation:	write	Name:	00000000000000000000000000000000
Value: 01:\Software\Microsoft\Windows\CurrentVersion\Run\NVIDIA_FrameView_Background
(PID) Process:	(7248) msiexec.exe	Key:	HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\Installer\Features\AAD133254D8D7844EBCA56B3429AE4A8
Operation:	write	Name:	Main
Value:
(PID) Process:	(7248) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1693682860-607145093-2874071422-1001\Products\AAD133254D8D7844EBCA56B3429AE4A8\Features
Operation:	write	Name:	Main
Value: 1WCb?~JN6CS0n)9iQ8.6k,0+WZg=~Cc3'WO&)VzX

Add for printing

Executable files

Suspicious files

234

Text files

854

Unknown types

Dropped files

PID	Process	Filename		Type
2676	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\ClientCertificates\LOG.old~RFdfbc5.TMP		—
		MD5:—	SHA256:—
2676	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RFdfbc5.TMP		—
		MD5:—	SHA256:—
2676	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\ClientCertificates\LOG.old		—
		MD5:—	SHA256:—
2676	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old		—
		MD5:—	SHA256:—
2676	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RFdfbd5.TMP		—
		MD5:—	SHA256:—
2676	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old		—
		MD5:—	SHA256:—
2676	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RFdfbe5.TMP		—
		MD5:—	SHA256:—
2676	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old		—
		MD5:—	SHA256:—
2676	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RFdfc14.TMP		—
		MD5:—	SHA256:—
2676	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RFdfc14.TMP		—
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1132	msedge.exe	OPTIONS	200	35.190.80.1:443	https://a.nel.cloudflare.com/report/v4?s=S4Y9qHxYS4RkpDgv7P3ZjDdn1iMa9WkDUdDuGSfZe2evcn1zUCCyL4uNnUpTrGROS1T%2F5SeKMpq5%2BWz%2FYZxgNPTdFaYLOZYX2OOGCxAPHJP5DhShVehUDxO%2FF1xLZ237F%2FCFmg1zPg%3D%3D	US	—	—	unknown
1132	msedge.exe	GET	200	2.16.204.151:443	https://www.bing.com/bloomfilterfiles/ExpandedDomainsFilterGlobal.json	NL	text	665 Kb	whitelisted
1132	msedge.exe	GET	403	172.67.199.253:443	https://drive.viewgoogle.com/favicon.ico	US	html	5.35 Kb	unknown
1132	msedge.exe	GET	200	104.18.94.41:443	https://challenges.cloudflare.com/cdn-cgi/challenge-platform/h/g/turnstile/f/ov2/av0/rch/7zr48/0x4AAAAAAADnPIDROrmt1Wwj/light/fbE/new/normal?lang=auto	US	html	205 Kb	unknown
1132	msedge.exe	GET	200	104.18.94.41:443	https://challenges.cloudflare.com/turnstile/v0/g/ea2d291c0fdc/api.js?onload=MNurp8&render=explicit	US	text	49.9 Kb	unknown
1132	msedge.exe	GET	200	104.18.94.41:443	https://challenges.cloudflare.com/cdn-cgi/challenge-platform/h/g/cmg/1	US	image	86 b	unknown
1132	msedge.exe	POST	200	104.18.94.41:443	https://challenges.cloudflare.com/cdn-cgi/challenge-platform/h/g/flow/ov1/1151758751:1774424211:4o8Wa4Enn-QTt2lnuwi1reIgADkO95lDbuYaz16VfCU/9e28c3c4daa7643c/siZV3OQ6gtLlUguNtDwa__mHy9k5mu34uOvPehUPDiI-1774555469-1.2.1.1-DRcOCs05OWIZOJQWEyN.jgqLWSYJIY.VS5CxUqMu0KecjEQV9xTm2P4XqL7cQIsU	US	text	250 Kb	unknown
5276	MoUsoCoreWorker.exe	GET	200	23.53.41.90:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	NL	binary	825 b	whitelisted
5276	MoUsoCoreWorker.exe	GET	200	23.59.18.102:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	US	binary	814 b	whitelisted
1132	msedge.exe	GET	304	150.171.27.11:443	https://edge.microsoft.com/abusiveadblocking/api/v1/blocklist	US	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	Not routed	—	whitelisted
5484	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
—	—	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
—	—	48.192.1.64:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
5276	MoUsoCoreWorker.exe	23.53.41.90:80	crl.microsoft.com	AKAMAI-ASN1	NL	whitelisted
5276	MoUsoCoreWorker.exe	23.59.18.102:80	www.microsoft.com	AKAMAI-AS	US	whitelisted
5532	SearchApp.exe	2.16.204.151:443	www.bing.com	AKAMAI-ASN1	NL	whitelisted
—	—	23.11.41.157:80	ocsp.digicert.com	AKAMAI-AMS	NL	whitelisted
—	—	204.79.197.203:80	oneocsp.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
1132	msedge.exe	150.171.27.11:80	edge.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158 51.124.78.146	whitelisted
activation-v2.sls.microsoft.com	48.192.1.64	whitelisted
crl.microsoft.com	23.53.41.90 23.53.40.178 23.55.110.193 23.55.110.211	whitelisted
www.microsoft.com	23.59.18.102 88.221.169.152	whitelisted
google.com	142.251.140.174	whitelisted
www.bing.com	2.16.204.151 2.16.204.138 2.16.204.159 2.16.204.136 2.16.204.145 2.16.204.135	whitelisted
ocsp.digicert.com	23.11.41.157	whitelisted
oneocsp.microsoft.com	204.79.197.203	whitelisted
edge.microsoft.com	150.171.27.11 150.171.28.11	whitelisted
config.edge.skype.com	52.123.243.217 52.123.243.81 52.123.243.75 52.123.243.91	whitelisted

Threats

PID	Process	Class	Message
1132	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Cloudflare Network Error Logging (NEL)
1132	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Cloudflare Network Error Logging (NEL)
1132	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Cloudflare turnstile CAPTCHA challenge
1132	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Cloudflare turnstile CAPTCHA challenge
1132	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Cloudflare turnstile CAPTCHA challenge
1132	msedge.exe	Potentially Bad Traffic	SUSPICIOUS [ANY.RUN] Challenge-Platform Page Request to cdn-cgi
1132	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Requests to a free CDN for open source projects (jsdelivr .net)
1132	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Requests to a free CDN for open source projects (jsdelivr .net)
1132	msedge.exe	Misc activity	ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
1132	msedge.exe	Misc activity	ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup

Add for printing

No debug info

General Info

https://drive.viewgoogle.com/file/d/Video_recorded_iPhone17Pro.mp4/view?usp=sharing&Email=google%40drive.com&__cf_chl_tk=XmLQuBXRyZ4SuvjNObCb5whwuD8aGZw4BB0pnfEtlCY-1774536820-1.0.1.1-mwd5EllbrXXuRnFMQdJTExCLkW.JBXKRcVUdRCNL1B8

4167DDBDE0E134C0577A3C830BFC2640

077AB6CAB37E94EB362CCF6E04BC87A8C9C359E0

20889D3246F72E34CA46206CEC43DBF60BAB25E8C656D2B74A6F2C4141CA911D

3:N8PMMBzloivkg1Y0BAIVsnJZVJ1zBcTudA+K4OQQ38INS0GtfUlVdFzSM84oRmIb:2x+g1RsJZVJHi0EdS07zx84oAdwI+d

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

PHISHING has been detected (SURICATA)

Changes the autorun value in the registry

Create files in the Startup directory

Changes powershell execution policy (Bypass)

Run PowerShell with an invisible window

SUSPICIOUS

Starts application with an unusual extension

Executable content was dropped or overwritten

Reads the Windows owner or organization settings

Reads the date of Windows installation

Application launched itself

The process drops C-runtime libraries

Process drops python dynamic module

Loads Python modules

Bypass execution policy to execute commands

The process bypasses the loading of PowerShell profile settings

Starts POWERSHELL.EXE for commands execution

INFO

Checks supported languages

Reads the computer name

Application launched itself

Executable content was dropped or overwritten

Reads Environment values

Create files in a temporary directory

Creates files or folders in the user directory

Launching a file from a Registry key

Creates a software uninstall entry

Disables trace logs

Reads security settings of Internet Explorer

The sample compiled with english language support

Reads the machine GUID from the registry

Launching a file from the Startup directory

The executable file from the user directory is run by the Powershell process

Python executable

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections