URL:

https://app.shift.com/manuals/1

Full analysis: https://app.any.run/tasks/b7addfa4-0e67-4ea9-9e4b-ab3c2f188620
Verdict: Malicious activity
Threats:

Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.

Analysis date: February 13, 2026, 22:09:42
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: inno, installer, delphi, stealer, evasion, adware, innosetup
Indicators:
MD5: FAF532DB046C5BF344A4937905258EB1
SHA1: 86FB71E0E13FB64171075AC0BB5A5FFB7FAA5E81
SHA256: 413C94D3C6BA660AEDF522418DE39CDFCF44EADB8A32E9736EDF477664D79295
SSDEEP: 3:N8auMNyG6EJGn:2aD4G6Dn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Actions looks like stealing of personal data

      • shift.exe (PID: 8260)
      • shift.exe (PID: 3220)
    • Steals credentials from Web Browsers

      • shift.exe (PID: 8260)
    • Changes the autorun value in the registry

      • shift.exe (PID: 8260)
    • INNOSETUP has been detected (SURICATA)

      • Shift - Manuals_xkvv3v.tmp (PID: 1792)
  • SUSPICIOUS

    • Reads the Windows owner or organization settings

      • Shift - Manuals_xkvv3v.tmp (PID: 1792)
      • Shift - Manuals_xkvv3v.tmp (PID: 2036)
      • Shift Setup_xkvv3v.tmp (PID: 7736)
    • Uses TASKKILL.EXE to kill process

      • Shift Setup_xkvv3v.tmp (PID: 7736)
    • Deletes scheduled task without confirmation

      • schtasks.exe (PID: 3004)
    • Uses ICACLS.EXE to modify access control lists

      • Shift Setup_xkvv3v.tmp (PID: 7736)
    • Application launched itself

      • shift.exe (PID: 8260)
    • Reads Mozilla Firefox installation path

      • shift.exe (PID: 8260)
    • Possible stealing from browsers

      • shift.exe (PID: 8260)
    • Executes application which crashes

      • Shift Setup_xkvv3v.tmp (PID: 7736)
    • Checks for external IP

      • Shift Setup_xkvv3v.tmp (PID: 7736)
      • Shift - Manuals_xkvv3v.tmp (PID: 1792)
      • Shift - Manuals_xkvv3v.tmp (PID: 2036)
    • Access to an unwanted program domain was detected

      • Shift - Manuals_xkvv3v.tmp (PID: 1792)
  • INFO

    • Drops script file

      • msedge.exe (PID: 6156)
      • msedge.exe (PID: 6072)
      • Shift Setup_xkvv3v.tmp (PID: 7736)
      • icacls.exe (PID: 1820)
      • icacls.exe (PID: 1856)
      • shift.exe (PID: 8260)
    • Checks supported languages

      • identity_helper.exe (PID: 1700)
      • Shift - Manuals_xkvv3v.exe (PID: 5788)
      • Shift - Manuals_xkvv3v.tmp (PID: 1792)
      • Shift - Manuals_xkvv3v.exe (PID: 5520)
      • Shift - Manuals_xkvv3v.tmp (PID: 2036)
      • Shift Setup_xkvv3v.exe (PID: 6848)
      • Shift Setup_xkvv3v.tmp (PID: 7736)
      • shift.exe (PID: 8260)
      • shift.exe (PID: 6808)
      • shift.exe (PID: 8756)
      • shift.exe (PID: 7764)
      • shift.exe (PID: 8364)
      • shift.exe (PID: 3220)
      • shift.exe (PID: 6948)
      • shift.exe (PID: 7700)
      • shift.exe (PID: 1388)
      • shift.exe (PID: 2332)
      • shift.exe (PID: 6908)
    • Application launched itself

      • msedge.exe (PID: 6156)
    • Reads Environment values

      • identity_helper.exe (PID: 1700)
      • shift.exe (PID: 8260)
    • Reads the computer name

      • identity_helper.exe (PID: 1700)
      • Shift - Manuals_xkvv3v.tmp (PID: 1792)
      • Shift - Manuals_xkvv3v.tmp (PID: 2036)
      • Shift Setup_xkvv3v.tmp (PID: 7736)
      • shift.exe (PID: 8260)
      • shift.exe (PID: 8756)
      • shift.exe (PID: 7764)
      • shift.exe (PID: 3220)
      • shift.exe (PID: 6908)
    • Launching a file from the Downloads directory

      • msedge.exe (PID: 6156)
    • Create files in a temporary directory

      • Shift - Manuals_xkvv3v.tmp (PID: 1792)
      • Shift - Manuals_xkvv3v.exe (PID: 5788)
      • Shift - Manuals_xkvv3v.exe (PID: 5520)
      • Shift - Manuals_xkvv3v.tmp (PID: 2036)
      • Shift Setup_xkvv3v.exe (PID: 6848)
      • Shift Setup_xkvv3v.tmp (PID: 7736)
      • shift.exe (PID: 8260)
      • shift.exe (PID: 3220)
    • Checks proxy server information

      • Shift - Manuals_xkvv3v.tmp (PID: 1792)
      • shift.exe (PID: 8260)
      • WerFault.exe (PID: 4852)
      • WerFault.exe (PID: 7508)
      • slui.exe (PID: 8048)
    • Detects InnoSetup installer (YARA)

      • Shift - Manuals_xkvv3v.tmp (PID: 1792)
      • Shift - Manuals_xkvv3v.exe (PID: 5788)
      • Shift - Manuals_xkvv3v.tmp (PID: 2036)
      • Shift - Manuals_xkvv3v.exe (PID: 5520)
      • Shift Setup_xkvv3v.exe (PID: 6848)
      • Shift Setup_xkvv3v.tmp (PID: 7736)
    • Compiled with Borland Delphi (YARA)

      • Shift - Manuals_xkvv3v.tmp (PID: 1792)
      • Shift - Manuals_xkvv3v.exe (PID: 5788)
      • Shift - Manuals_xkvv3v.exe (PID: 5520)
      • Shift - Manuals_xkvv3v.tmp (PID: 2036)
      • Shift Setup_xkvv3v.exe (PID: 6848)
      • Shift Setup_xkvv3v.tmp (PID: 7736)
    • Process checks computer location settings

      • Shift - Manuals_xkvv3v.tmp (PID: 1792)
      • Shift - Manuals_xkvv3v.tmp (PID: 2036)
      • Shift Setup_xkvv3v.tmp (PID: 7736)
      • shift.exe (PID: 8260)
      • shift.exe (PID: 7700)
      • shift.exe (PID: 6948)
      • shift.exe (PID: 1388)
      • shift.exe (PID: 2332)
    • Reads security settings of Internet Explorer

      • Shift - Manuals_xkvv3v.tmp (PID: 2036)
      • Shift - Manuals_xkvv3v.tmp (PID: 1792)
      • Shift Setup_xkvv3v.tmp (PID: 7736)
      • shift.exe (PID: 8260)
    • There is functionality for taking screenshot (YARA)

      • Shift - Manuals_xkvv3v.tmp (PID: 1792)
      • Shift - Manuals_xkvv3v.tmp (PID: 2036)
      • Shift Setup_xkvv3v.tmp (PID: 7736)
    • Reads the machine GUID from the registry

      • Shift - Manuals_xkvv3v.tmp (PID: 1792)
      • Shift Setup_xkvv3v.tmp (PID: 7736)
      • shift.exe (PID: 8260)
    • Creates files or folders in the user directory

      • Shift Setup_xkvv3v.tmp (PID: 7736)
      • shift.exe (PID: 6808)
      • shift.exe (PID: 8260)
      • shift.exe (PID: 7764)
      • WerFault.exe (PID: 4852)
      • WerFault.exe (PID: 7508)
    • Creates a software uninstall entry

      • Shift Setup_xkvv3v.tmp (PID: 7736)
    • Launching a file from a Registry key

      • shift.exe (PID: 8260)
    • Reads CPU info

      • shift.exe (PID: 8260)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 220
Monitored processes: 63
Malicious processes: 5
Suspicious processes: 2

Behavior graph: interactive process graph, available in the full report

Process information

PID
CMD
Path
Indicators
Parent process
PID: 1156
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=7528,i,17461359900251928398,17437368607706139166,262144 --disable-features=HttpsFirstBalancedMode,HttpsFirstModeV2,HttpsOnlyMode,HttpsUpgrades --variations-seed-version --mojo-platform-channel-handle=6380 /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1388
CMD: "C:\Users\admin\AppData\Local\Shift\chromium\shift.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-pre-read-main-dll --force-high-res-timeticks=disabled --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=3 --enable-main-frame-before-activation --renderer-client-id=9 --metrics-shmem-handle=4672,i,4182341940568925777,10565767996520181953,2097152 --field-trial-handle=1968,i,12637400767987130764,2728391277996050435,262144 --variations-seed-version --trace-process-track-uuid=3190708994745248135 --mojo-platform-channel-handle=4200 /prefetch:1
Path: C:\Users\admin\AppData\Local\Shift\chromium\shift.exe
Parent process: shift.exe
User:
admin
Company:
Shift Technologies Inc.
Integrity Level:
LOW
Description:
Shift Browser
Version:
142.2.1.3509
Modules
Images
c:\users\admin\appdata\local\shift\chromium\shift.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\local\shift\chromium\142.2.1.3509\shift_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID: 1516
CMD: "c:\program files (x86)\microsoft\edge\application\msedge.exe" https://app.shift.com/manuals/thanks?data=…
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: shift.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1700
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.92\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=5892,i,17461359900251928398,17437368607706139166,262144 --disable-features=HttpsFirstBalancedMode,HttpsFirstModeV2,HttpsOnlyMode,HttpsUpgrades --variations-seed-version --mojo-platform-channel-handle=6012 /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.92\identity_helper.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
PWA Identity Proxy Host
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\identity_helper.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 1792
CMD: "C:\Users\admin\AppData\Local\Temp\is-J4BEF.tmp\Shift - Manuals_xkvv3v.tmp" /SL5="$1302AC,7424037,1214464,C:\Users\admin\Downloads\Shift - Manuals_xkvv3v.exe"
Path: C:\Users\admin\AppData\Local\Temp\is-J4BEF.tmp\Shift - Manuals_xkvv3v.tmp
Parent process: Shift - Manuals_xkvv3v.exe
User:
admin
Company:
Shift Technologies Inc.
Integrity Level:
MEDIUM
Description:
Setup/Uninstall
Exit code:
0
Version:
51.1052.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-j4bef.tmp\shift - manuals_xkvv3v.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\comdlg32.dll
c:\windows\syswow64\msvcrt.dll
PID: 1820
CMD: "icacls" "C:\Users\admin\AppData\Local\Shift\chromium" /grant *S-1-15-3-1024-3424233489-972189580-2057154623-747635277-1604371224-316187997-3786583170-1043257646:(OI)(CI)(RX) /t
Path: C:\Windows\System32\icacls.exe
Parent process: Shift Setup_xkvv3v.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\icacls.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ntmarta.dll
PID: 1856
CMD: "icacls" "C:\Users\admin\AppData\Local\Shift\chromium" /grant *S-1-15-3-1024-2302894289-466761758-1166120688-1039016420-2430351297-4240214049-4028510897-3317428798:(OI)(CI)(RX) /t
Path: C:\Windows\System32\icacls.exe
Parent process: Shift Setup_xkvv3v.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\icacls.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ntmarta.dll
PID: 1872
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=1784,i,17461359900251928398,17437368607706139166,262144 --disable-features=HttpsFirstBalancedMode,HttpsFirstModeV2,HttpsOnlyMode,HttpsUpgrades --variations-seed-version --mojo-platform-channel-handle=2276 /prefetch:2
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2036
CMD: "C:\Users\admin\AppData\Local\Temp\is-3G8GD.tmp\Shift - Manuals_xkvv3v.tmp" /SL5="$B0398,7424037,1214464,C:\Users\admin\Downloads\Shift - Manuals_xkvv3v.exe" /PDATA=<base64 blob omitted> /SPLITS=<base64 blob omitted> /LAUNCHER /VERYSILENT
Path: C:\Users\admin\AppData\Local\Temp\is-3G8GD.tmp\Shift - Manuals_xkvv3v.tmp
Parent process: Shift - Manuals_xkvv3v.exe
User:
admin
Company:
Shift Technologies Inc.
Integrity Level:
MEDIUM
Description:
Setup/Uninstall
Exit code:
0
Version:
51.1052.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-3g8gd.tmp\shift - manuals_xkvv3v.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\comdlg32.dll
c:\windows\syswow64\msvcrt.dll
PID: 2288
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=3 --enable-main-frame-before-activation --renderer-client-id=20 --always-read-main-dll --field-trial-handle=5160,i,17461359900251928398,17437368607706139166,262144 --disable-features=HttpsFirstBalancedMode,HttpsFirstModeV2,HttpsOnlyMode,HttpsUpgrades --variations-seed-version --mojo-platform-channel-handle=6908 /prefetch:1
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 16 351
Read events: 16 234
Write events: 114
Delete events: 3

Modification events

(PID) Process: (2036) Shift - Manuals_xkvv3v.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0001
Operation: write
Name: Owner
Value: F40700004894248C359DDC01

(PID) Process: (2036) Shift - Manuals_xkvv3v.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0001
Operation: write
Name: SessionHash
Value: 2CB7899E21E846D8281AD8229A25409A7D98A080A5C70B3315FC09E8C24DBB01

(PID) Process: (2036) Shift - Manuals_xkvv3v.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0001
Operation: write
Name: Sequence
Value: 1

(PID) Process: (7736) Shift Setup_xkvv3v.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Shift
Operation: write
Name: pv
Value: 142.2.1.3509

(PID) Process: (7736) Shift Setup_xkvv3v.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Shift
Operation: write
Name: EnterpriseProduct<{95fcf903-63b1-44bd-ab77-358a5bd30aae}_is1>
Value:

(PID) Process: (7736) Shift Setup_xkvv3v.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Shift
Operation: write
Name: InstallSwitches
Value:

(PID) Process: (7736) Shift Setup_xkvv3v.tmp
Key: HKEY_CLASSES_ROOT\CLSID\{E797BF82-EFC0-4B94-A059-AA797B10D29C}\LocalServer32
Operation: write
Name: ServerExecutable
Value: C:\Users\admin\AppData\Local\Shift\chromium\142.2.1.3509\notification_helper.exe

(PID) Process: (7736) Shift Setup_xkvv3v.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Shift\Browser\Capability
Operation: write
Name: ApplicationDescription
Value: Shift Browser

(PID) Process: (7736) Shift Setup_xkvv3v.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Shift\Browser\Capability
Operation: write
Name: ApplicationName
Value: Shift Browser

(PID) Process: (7736) Shift Setup_xkvv3v.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Shift\Browser\Capability\FileAssociations
Operation: write
Name: .htm
Value: ShiftHTML
Executable files: 0
Suspicious files: 48
Text files: 260
Unknown types: 1 182

Dropped files

PID  Process  Filename
6156  msedge.exe  C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\ClientCertificates\LOG.old~RF1e54a6.TMP
6156  msedge.exe  C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\ClientCertificates\LOG.old
6156  msedge.exe  C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RF1e54b5.TMP
6156  msedge.exe  C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RF1e54b5.TMP
6156  msedge.exe  C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old
6156  msedge.exe  C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old
6156  msedge.exe  C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\LOG.old~RF1e54b5.TMP
6156  msedge.exe  C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\LOG.old
6156  msedge.exe  C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RF1e54c5.TMP
6156  msedge.exe  C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 211
TCP/UDP connections: 206
DNS requests: 207
Threats: 14

HTTP requests

PID  Process  Method  HTTP Code  IP  CN  [Type]  Size  Reputation
  URL

2456  msedge.exe  GET  200  52.123.243.215:443  US  4.47 Kb  whitelisted
  https://config.edge.skype.com/config/v1/Edge/133.0.3065.92?clientId=4489578223053569932&agents=Edge%2CEdgeConfig%2CEdgeServices%2CEdgeFirstRun%2CEdgeFirstRunConfig&osname=win&client=edge&channel=stable&scpfre=0&osarch=x86_64&osver=10.0.19045&wu=1&devicefamily=desktop&uma=0&sessionid=66&mngd=0&installdate=1661339457&edu=0&soobedate=1504771245&bphint=2&fg=1&lbfgdate=1766135237&lafgdate=0
2456  msedge.exe  GET  200  172.66.152.231:443  US  133 Kb  unknown
  https://app.shift.com/manuals/1
2456  msedge.exe  GET  200  13.107.213.44:443  US  82 b  whitelisted
  https://api.edgeoffer.microsoft.com/edgeoffer/pb/experiments?appId=edge-extensions&country=US
2456  msedge.exe  GET  200  104.18.23.222:443  US  25 b  whitelisted
  https://copilot.microsoft.com/c/api/user/eligibility
2456  msedge.exe  GET  200  150.171.27.11:443  US  446 b  whitelisted
  https://edge.microsoft.com/serviceexperimentation/v3/?osname=win&channel=stable&osver=10.0.19045&devicefamily=desktop&installdate=1661339457&clientversion=133.0.3065.92&experimentationmode=2&scpguard=0&scpfull=0&scpver=0
2456  msedge.exe  GET  200  34.149.250.58:443  US  binary  1.22 Kb  unknown
  https://cdn.sanity.io/images/6dbdxxya/production/41ef27f04d6c05b3939467a7a04882534bfd6231-32x32.svg?w=1920&fit=max&auto=format
2456  msedge.exe  GET  200  34.149.250.58:443  US  17.9 Kb  unknown
  https://cdn.sanity.io/images/6dbdxxya/production/78ac9031d38141e58841dde7621ac3554e8abb0e-2976x1272.webp?w=1536&fit=max&auto=format
2456  msedge.exe  GET  200  172.66.152.231:443  US  468 Kb  unknown
  https://app.shift.com/ga4/
2456  msedge.exe  GET  200  34.149.250.58:443  US  19.7 Kb  unknown
  https://cdn.sanity.io/images/6dbdxxya/production/9f82eae1783fed5fbab539c0666cf269e9e0f2aa-3600x2025.webp?w=1536&fit=max&auto=format
2456  msedge.exe  GET  200  172.66.152.231:443  US  binary  3.17 Kb  unknown
  https://app.shift.com/_nuxt/entry.1zjIqNVE.css

Connections

PID  Process  IP  Domain  ASN  CN  Reputation
4  System  192.168.100.255:137  Not routed  whitelisted
7240  RUXIMICS.exe  51.104.136.2:443  settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  US  whitelisted
6768  MoUsoCoreWorker.exe  51.104.136.2:443  settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  US  whitelisted
3344  svchost.exe  51.104.136.2:443  settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  US  whitelisted
  172.211.123.249:443  client.wns.windows.com  MICROSOFT-CORP-MSN-AS-BLOCK  US  whitelisted
2456  msedge.exe  52.123.243.215:443  config.edge.skype.com  MICROSOFT-CORP-MSN-AS-BLOCK  US  whitelisted
4  System  192.168.100.255:138  Not routed  whitelisted
2456  msedge.exe  150.171.27.11:80  edge.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  US  whitelisted
2456  msedge.exe  172.66.152.231:443  app.shift.com  CLOUDFLARENET  US  whitelisted
2456  msedge.exe  104.16.79.73:443  static.cloudflareinsights.com  CLOUDFLARENET  US  whitelisted

DNS requests

Domain  IP  Reputation
self.events.data.microsoft.com  13.69.239.73  whitelisted
settings-win.data.microsoft.com  51.104.136.2, 4.231.128.59  whitelisted
google.com  142.251.127.102, 142.251.127.138, 142.251.127.139, 142.251.127.113, 142.251.127.100, 142.251.127.101  whitelisted
client.wns.windows.com  172.211.123.249, 172.211.123.248  whitelisted
edge.microsoft.com  150.171.27.11, 150.171.28.11  whitelisted
config.edge.skype.com  52.123.243.215, 52.123.243.71, 52.123.243.81, 52.123.243.74  whitelisted
app.shift.com  172.66.152.231, 104.20.24.60  malicious
api.edgeoffer.microsoft.com  13.107.213.44, 13.107.246.44  whitelisted
copilot.microsoft.com  104.18.23.222, 104.18.22.222  whitelisted
www.bing.com  2.16.106.196, 2.16.106.207, 2.16.106.200, 46.137.24.143  whitelisted

Threats

PID  Process  Class  Message
2456  msedge.exe  Potentially Bad Traffic  ET INFO PE EXE or DLL Windows file download HTTP
2456  msedge.exe  Misc activity  ET INFO EXE - Served Attached HTTP
3344  svchost.exe  Unknown Traffic  ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
7764  shift.exe  Not Suspicious Traffic  INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
7764  shift.exe  Not Suspicious Traffic  INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
7764  shift.exe  Not Suspicious Traffic  INFO [ANY.RUN] An application monitoring request to sentry .io
7764  shift.exe  Not Suspicious Traffic  INFO [ANY.RUN] An application monitoring request to sentry .io
7764  shift.exe  Not Suspicious Traffic  INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
7764  shift.exe  Not Suspicious Traffic  INFO [ANY.RUN] Requests to a free CDN for open source projects (jsdelivr .net)
7764  shift.exe  Not Suspicious Traffic  INFO [ANY.RUN] Requests to a free CDN for open source projects (jsdelivr .net)
Process  Message
shift.exe  RecursiveDirectoryCreate( C:\Users\admin\AppData\Local\Shift directory exists )