File name: Shift - PDF_jgqf4.exe

Full analysis: https://app.any.run/tasks/7dfcc7a7-1fb3-4fa6-8135-18b672bb6eb7
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: September 12, 2024, 11:32:27
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: stealer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 0191566449AAE1A7FFED02A61D585686
SHA1: A82CEEFDFD16502FB9BD2DEA8845653E247E62DA
SHA256: 446262C04A0809EFD68A55713CBFBE5D8F78ACF606F2C7F2A27532407681EE93
SSDEEP: 98304:h+cD4dnHwICNdt3uJrGpkbO/uFSJyXsQpZX5vEVpyQn6hHzwOeNO4SPvsm6Puq/s:aaBa

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Steals credentials

      • Shift - PDF_jgqf4.tmp (PID: 7092)
      • Shift Setup_jgqf4.tmp (PID: 5504)
      • shift.exe (PID: 6780)
      • shift.exe (PID: 1640)
      • shift.exe (PID: 6016)
    • Actions look like stealing of personal data

      • shift.exe (PID: 6780)
      • shift.exe (PID: 5988)
    • Changes the autorun value in the registry

      • shift.exe (PID: 6780)
    • Steals credentials from Web Browsers

      • shift.exe (PID: 6780)
  • SUSPICIOUS

    • Reads the Windows owner or organization settings

      • Shift - PDF_jgqf4.tmp (PID: 7092)
      • Shift - PDF_jgqf4.tmp (PID: 6488)
      • Shift Setup_jgqf4.tmp (PID: 5504)
      • Shift - PDF_jgqf4.tmp (PID: 5768)
    • Executable content was dropped or overwritten

      • Shift - PDF_jgqf4.exe (PID: 1156)
      • Shift - PDF_jgqf4.tmp (PID: 7092)
      • Shift - PDF_jgqf4.exe (PID: 3036)
      • Shift - PDF_jgqf4.tmp (PID: 6488)
      • Shift Setup_jgqf4.exe (PID: 6288)
      • Shift Setup_jgqf4.tmp (PID: 5504)
      • Shift - PDF_jgqf4.exe (PID: 5744)
      • Shift - PDF_jgqf4.tmp (PID: 5768)
    • There is functionality for taking screenshots (YARA)

      • Shift - PDF_jgqf4.tmp (PID: 7092)
      • Shift - PDF_jgqf4.tmp (PID: 6488)
      • Shift Setup_jgqf4.tmp (PID: 5504)
    • Reads security settings of Internet Explorer

      • Shift - PDF_jgqf4.tmp (PID: 7092)
      • Shift - PDF_jgqf4.tmp (PID: 6488)
      • Shift Setup_jgqf4.tmp (PID: 5504)
    • Process drops a legitimate Windows executable

      • Shift Setup_jgqf4.tmp (PID: 5504)
    • Deletes scheduled task without confirmation

      • schtasks.exe (PID: 2112)
    • Uses TASKKILL.EXE to kill a process

      • Shift Setup_jgqf4.tmp (PID: 5504)
    • Application launched itself

      • shift.exe (PID: 6780)
    • Reads Mozilla Firefox installation path

      • shift.exe (PID: 6780)
    • Executes application which crashes

      • Shift Setup_jgqf4.tmp (PID: 5504)
    • The process checks if it is being run in a virtual environment

      • shift.exe (PID: 6780)
    • Searches for installed software

      • Shift - PDF_jgqf4.tmp (PID: 5768)
  • INFO

    • Checks supported languages

      • Shift - PDF_jgqf4.exe (PID: 1156)
      • Shift - PDF_jgqf4.tmp (PID: 7092)
      • Shift - PDF_jgqf4.tmp (PID: 6488)
      • Shift - PDF_jgqf4.exe (PID: 3036)
      • Shift Setup_jgqf4.tmp (PID: 5504)
      • Shift Setup_jgqf4.exe (PID: 6288)
      • shift.exe (PID: 6780)
      • shift.exe (PID: 2820)
      • shift.exe (PID: 4784)
      • shift.exe (PID: 6016)
      • shift.exe (PID: 1640)
      • shift.exe (PID: 5980)
      • shift.exe (PID: 3716)
      • shift.exe (PID: 4996)
      • shift.exe (PID: 5988)
      • shift.exe (PID: 4980)
      • shift.exe (PID: 2648)
      • shift.exe (PID: 5172)
      • Shift - PDF_jgqf4.exe (PID: 5744)
      • Shift - PDF_jgqf4.tmp (PID: 5768)
    • Creates files in a temporary directory

      • Shift - PDF_jgqf4.exe (PID: 1156)
      • Shift - PDF_jgqf4.tmp (PID: 7092)
      • Shift - PDF_jgqf4.exe (PID: 3036)
      • Shift - PDF_jgqf4.tmp (PID: 6488)
      • Shift Setup_jgqf4.exe (PID: 6288)
      • Shift Setup_jgqf4.tmp (PID: 5504)
      • shift.exe (PID: 5988)
      • shift.exe (PID: 6780)
      • Shift - PDF_jgqf4.exe (PID: 5744)
      • Shift - PDF_jgqf4.tmp (PID: 5768)
    • Reads the computer name

      • Shift - PDF_jgqf4.tmp (PID: 7092)
      • Shift - PDF_jgqf4.tmp (PID: 6488)
      • Shift Setup_jgqf4.tmp (PID: 5504)
      • shift.exe (PID: 6780)
      • shift.exe (PID: 6016)
      • shift.exe (PID: 4784)
      • shift.exe (PID: 5988)
      • shift.exe (PID: 5172)
      • Shift - PDF_jgqf4.tmp (PID: 5768)
    • Reads the software policy settings

      • Shift - PDF_jgqf4.tmp (PID: 7092)
      • Shift - PDF_jgqf4.tmp (PID: 6488)
      • Shift Setup_jgqf4.tmp (PID: 5504)
      • shift.exe (PID: 5988)
      • shift.exe (PID: 6780)
      • WerFault.exe (PID: 1680)
      • WerFault.exe (PID: 7088)
      • Shift - PDF_jgqf4.tmp (PID: 5768)
    • Reads the machine GUID from the registry

      • Shift - PDF_jgqf4.tmp (PID: 7092)
      • Shift Setup_jgqf4.tmp (PID: 5504)
      • shift.exe (PID: 6780)
    • Process checks computer location settings

      • Shift - PDF_jgqf4.tmp (PID: 7092)
      • Shift - PDF_jgqf4.tmp (PID: 6488)
      • Shift Setup_jgqf4.tmp (PID: 5504)
      • shift.exe (PID: 6780)
      • shift.exe (PID: 3716)
      • shift.exe (PID: 4996)
      • shift.exe (PID: 5980)
      • shift.exe (PID: 4980)
      • shift.exe (PID: 2648)
    • Checks proxy server information

      • Shift - PDF_jgqf4.tmp (PID: 7092)
      • shift.exe (PID: 6780)
      • WerFault.exe (PID: 1680)
      • WerFault.exe (PID: 7088)
    • The process uses the downloaded file

      • Shift - PDF_jgqf4.tmp (PID: 7092)
      • Shift - PDF_jgqf4.tmp (PID: 6488)
      • Shift Setup_jgqf4.tmp (PID: 5504)
    • Creates files or folders in the user directory

      • Shift Setup_jgqf4.tmp (PID: 5504)
      • shift.exe (PID: 6780)
      • shift.exe (PID: 6016)
      • WerFault.exe (PID: 1680)
    • Creates a software uninstall entry

      • Shift Setup_jgqf4.tmp (PID: 5504)
    • Sends debugging messages

      • shift.exe (PID: 2820)
    • Manual execution by a user

      • Shift - PDF_jgqf4.exe (PID: 5744)
No Malware configuration.

TRiD

.exe | Inno Setup installer (67.7)
.exe | Win32 EXE PECompact compressed (generic) (25.6)
.exe | Win32 Executable (generic) (2.7)
.exe | Win16/32 Executable Delphi generic (1.2)
.exe | Generic Win/DOS Executable (1.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:02:15 14:54:16+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 741888
InitializedDataSize: 421888
UninitializedDataSize: -
EntryPoint: 0xb5eec
OSVersion: 6.1
ImageVersion: 6
SubsystemVersion: 6.1
Subsystem: Windows GUI
FileVersionNumber: 122.11.0.0
ProductVersionNumber: 122.11.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName: Shift
FileDescription: Shift Setup
FileVersion: 122.11.0
LegalCopyright: Copyright Shift. All rights reserved.
OriginalFileName:
ProductName: Shift
ProductVersion: 122.11.0
No data.
All screenshots are available in the full report
Total processes: 155
Monitored processes: 27
Malicious processes: 8
Suspicious processes: 1

Behavior graph

start shift - pdf_jgqf4.exe THREAT shift - pdf_jgqf4.tmp shift - pdf_jgqf4.exe THREAT shift - pdf_jgqf4.tmp shift setup_jgqf4.exe THREAT shift setup_jgqf4.tmp taskkill.exe no specs conhost.exe no specs schtasks.exe no specs conhost.exe no specs shift.exe shift.exe shift.exe no specs shift.exe shift.exe shift.exe shift.exe no specs shift.exe no specs shift.exe no specs shift.exe no specs werfault.exe shift.exe no specs shift.exe no specs werfault.exe rundll32.exe no specs shift - pdf_jgqf4.exe shift - pdf_jgqf4.tmp

Process information

PID | CMD | Path | Parent process
1156 | "C:\Users\admin\Downloads\Shift - PDF_jgqf4.exe" | C:\Users\admin\Downloads\Shift - PDF_jgqf4.exe | explorer.exe
User:
admin
Company:
Shift
Integrity Level:
MEDIUM
Description:
Shift Setup
Exit code:
0
Version:
122.11.0
Modules
Images
c:\users\admin\downloads\shift - pdf_jgqf4.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comctl32.dll
1640 | "C:\Users\admin\AppData\Local\Shift\chromium\shift.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-pre-read-main-dll --mojo-platform-channel-handle=2536 --field-trial-handle=2248,i,369390912892348591,11623620364176651931,262144 --variations-seed-version /prefetch:8 | C:\Users\admin\AppData\Local\Shift\chromium\shift.exe | shift.exe
User:
admin
Company:
Shift
Integrity Level:
LOW
Description:
Shift
Version:
122.11.0.1151
Modules
Images
c:\users\admin\appdata\local\shift\chromium\shift.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\local\shift\chromium\122.11.0.1151\shift_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\shcore.dll
c:\windows\system32\combase.dll
1680 | C:\WINDOWS\SysWOW64\WerFault.exe -u -p 5504 -s 2564 | C:\Windows\SysWOW64\WerFault.exe | Shift Setup_jgqf4.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
2112 | "schtasks" /delete /tn ShiftLaunchTask /f | C:\Windows\System32\schtasks.exe | Shift Setup_jgqf4.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Scheduler Configuration Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
2648 | "C:\Users\admin\AppData\Local\Shift\chromium\shift.exe" --type=renderer --no-pre-read-main-dll --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=5100 --field-trial-handle=2248,i,369390912892348591,11623620364176651931,262144 --variations-seed-version /prefetch:1 | C:\Users\admin\AppData\Local\Shift\chromium\shift.exe | shift.exe
User:
admin
Company:
Shift
Integrity Level:
LOW
Description:
Shift
Version:
122.11.0.1151
Modules
Images
c:\users\admin\appdata\local\shift\chromium\shift.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\local\shift\chromium\122.11.0.1151\shift_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\shcore.dll
c:\windows\system32\combase.dll
2724 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | schtasks.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2820 | C:\Users\admin\AppData\Local\Shift\chromium\shift.exe --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Shift\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Shift\User Data\Crashpad" --url=https://o1334372.ingest.sentry.io/api/4506193009180672/minidump/?sentry_key=1c60a0cacdead91f905faa80e9c82d03 --annotation=plat=Win64 --annotation=prod=Shift --annotation=ver=122.11.0.1151 --initial-client-data=0x150,0x154,0x158,0x12c,0x15c,0x7fffd6645700,0x7fffd664570c,0x7fffd6645718 | C:\Users\admin\AppData\Local\Shift\chromium\shift.exe | shift.exe
User:
admin
Company:
Shift
Integrity Level:
MEDIUM
Description:
Shift
Exit code:
1
Version:
122.11.0.1151
Modules
Images
c:\users\admin\appdata\local\shift\chromium\shift.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\users\admin\appdata\local\shift\chromium\122.11.0.1151\shift_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\shcore.dll
3036 | "C:\Users\admin\Downloads\Shift - PDF_jgqf4.exe" /PDATA=eyJtZXNzYWdlIjoiTm8gUmVjb3JkIEZvdW5kIiwiaW5zdGFsbF90aW1lIjoxNzI2MTQwNzU5LCJkaXN0aW5jdF9pZCI6IkJCRTFGMDkxLTY3MEYtNDFDMS1BQzQ1LTFCNzJCNTUwOTQyMSIsImRlZmF1bHRfYnJvd3NlciI6Ik1TRWRnZUhUTSIsImluaXRpYWxfdmVyc2lvbiI6IjEyMi4xMS4wLjExNTEiLCJhdHRyaWJ1dGlvbl9rZXkiOiJqZ3FmNCJ9 /SPLITS=eyJzcGxpdCI6ImMiLCJzcGxpdDIiOiJhIiwibm9fc3BsaXQiOmZhbHNlLCJsb2NhbF9zcGxpdF90ZXN0cyI6eyJzcGxpdF9icng1NzBfY2xvc2VfYXBwX2RpYWxvZyI6eyJ2YWx1ZSI6InZhcmlhdGlvbiJ9fSwic2VydmVyX3NpZGVfc3BsaXRfdGVzdHMiOnsic3BsaXRfc3QxMjMyX3JlbmFtZV9zaG9ydGN1dHNfc2hpZnRfYnJvd3NlciI6eyJ2YWx1ZSI6InZhcmlhdGlvbiJ9LCJzcGxpdF9zdDEzOTFfZG9udF9pbXBvcnRfaGlzdG9yeSI6eyJ2YWx1ZSI6InZhcmlhdGlvbiJ9fSwiYXR0cmlidXRpb25fc3BsaXRfdGVzdHMiOnt9LCJlbmNvZGVkX3NwbGl0cyI6IjI1NiJ9 /LAUNCHER /VERYSILENT | C:\Users\admin\Downloads\Shift - PDF_jgqf4.exe | Shift - PDF_jgqf4.tmp
User:
admin
Company:
Shift
Integrity Level:
MEDIUM
Description:
Shift Setup
Version:
122.11.0
Modules
Images
c:\users\admin\downloads\shift - pdf_jgqf4.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comctl32.dll
3316 | C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding | C:\Windows\System32\rundll32.exe | svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
3716 | "C:\Users\admin\AppData\Local\Shift\chromium\shift.exe" --type=renderer --extension-process --no-pre-read-main-dll --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=4552 --field-trial-handle=2248,i,369390912892348591,11623620364176651931,262144 --variations-seed-version /prefetch:2 | C:\Users\admin\AppData\Local\Shift\chromium\shift.exe | shift.exe
User:
admin
Company:
Shift
Integrity Level:
LOW
Description:
Shift
Version:
122.11.0.1151
Modules
Images
c:\users\admin\appdata\local\shift\chromium\shift.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\local\shift\chromium\122.11.0.1151\shift_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\shcore.dll
c:\windows\system32\combase.dll
Total events: 12 741
Read events: 12 652
Write events: 88
Delete events: 1

Modification events

(PID) Process: (6488) Shift - PDF_jgqf4.tmp | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0001 | Operation: write | Name: Owner | Value: 58190000E0A2FC9A0705DB01
(PID) Process: (6488) Shift - PDF_jgqf4.tmp | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0001 | Operation: write | Name: SessionHash | Value: BEE110EE16E6D456D07309189FF80AA63A36C97B7828A2ABD082526F459D1112
(PID) Process: (6488) Shift - PDF_jgqf4.tmp | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0001 | Operation: write | Name: Sequence | Value: 1
(PID) Process: (5504) Shift Setup_jgqf4.tmp | Key: HKEY_CURRENT_USER\SOFTWARE\Shift | Operation: write | Name: pv | Value: 122.11.0.1151
(PID) Process: (5504) Shift Setup_jgqf4.tmp | Key: HKEY_CURRENT_USER\SOFTWARE\Shift | Operation: write | Name: EnterpriseProduct<{95fcf903-63b1-44bd-ab77-358a5bd30aae}_is1> | Value:
(PID) Process: (5504) Shift Setup_jgqf4.tmp | Key: HKEY_CURRENT_USER\SOFTWARE\Shift\Browser\Capability | Operation: write | Name: ApplicationDescription | Value: Shift Browser
(PID) Process: (5504) Shift Setup_jgqf4.tmp | Key: HKEY_CURRENT_USER\SOFTWARE\Shift\Browser\Capability | Operation: write | Name: ApplicationName | Value: Shift Browser
(PID) Process: (5504) Shift Setup_jgqf4.tmp | Key: HKEY_CURRENT_USER\SOFTWARE\Shift\Browser\Capability\FileAssociations | Operation: write | Name: .htm | Value: ShiftHTML
(PID) Process: (5504) Shift Setup_jgqf4.tmp | Key: HKEY_CURRENT_USER\SOFTWARE\Shift\Browser\Capability\FileAssociations | Operation: write | Name: .html | Value: ShiftHTML
(PID) Process: (5504) Shift Setup_jgqf4.tmp | Key: HKEY_CURRENT_USER\SOFTWARE\Shift\Browser\Capability\FileAssociations | Operation: write | Name: .pdf | Value: ShiftHTML
Executable files: 43
Suspicious files: 223
Text files: 223
Unknown types: 99

Dropped files

PID | Process | Filename | Type
7092 | Shift - PDF_jgqf4.tmp | C:\Users\admin\AppData\Local\Temp\is-R8V4M.tmp\is-1TUJR.tmp
MD5:
SHA256:
7092 | Shift - PDF_jgqf4.tmp | C:\Users\admin\AppData\Local\Temp\is-R8V4M.tmp\Shift Setup.exe
MD5:
SHA256:
7092 | Shift - PDF_jgqf4.tmp | C:\Users\admin\AppData\Local\Temp\Shift Setup.exe
MD5:
SHA256:
6488 | Shift - PDF_jgqf4.tmp | C:\Users\admin\AppData\Local\Temp\Shift Setup_jgqf4.exe
MD5:
SHA256:
1156 | Shift - PDF_jgqf4.exe | C:\Users\admin\AppData\Local\Temp\is-273TK.tmp\Shift - PDF_jgqf4.tmp | executable
MD5: 9569CD3D574CB04BB31A5D4B8FEDD0A3
SHA256: DBE50ABD58F642ED529313A9CFD99DBA055219DFC2919C7CFA0F53A28C6B0928
7092 | Shift - PDF_jgqf4.tmp | C:\Users\admin\AppData\Local\Temp\is-R8V4M.tmp\_isetup\_setup64.tmp | executable
MD5: E4211D6D009757C078A9FAC7FF4F03D4
SHA256: 388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
5504 | Shift Setup_jgqf4.tmp | C:\Users\admin\AppData\Local\Temp\is-9P8E3.tmp\exit-pressed.bmp | image
MD5: 53178FD9661AE74BBFA7A562653A7773
SHA256: FFE6D8F0EA0ACB8660389C9E7F399133BC570803789638AA884AE2F247D8BF10
5504 | Shift Setup_jgqf4.tmp | C:\Users\admin\AppData\Local\Temp\is-9P8E3.tmp\min-10-light.png | image
MD5: 2257B1D0D33A41F509E7C3E117819F8B
SHA256: D43E4B285B5B54313B53E87D2A56CA9BA0C85F8F55C9C5FDCDB4FAC815FF4D02
7092 | Shift - PDF_jgqf4.tmp | C:\Users\admin\AppData\Local\Temp\is-R8V4M.tmp\shift.bmp | image
MD5: 6C091E46C4B50CBE372A0826B8D38331
SHA256: 385B8FD4363F4A13469B1E9BCF21365FF7BBD9DD4CD90E52B290FC89DDE1927C
7092 | Shift - PDF_jgqf4.tmp | C:\Users\admin\AppData\Local\Temp\is-R8V4M.tmp\shift.png | image
MD5: 0423D0589E58341B5B64C6099F4123B7
SHA256: A1D2C48437058F24A5EA85C323469473AC4430198770794522A32C28783AADB7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 5
TCP/UDP connections: 70
DNS requests: 76
Threats: 2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1776
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
6160
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4436
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
1680
WerFault.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4436
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6160
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
3888
svchost.exe
239.255.255.250:1900
whitelisted
3260
svchost.exe
40.113.103.199:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
7092
Shift - PDF_jgqf4.tmp
3.20.228.199:443
attribution.shiftapis.com
AMAZON-02
US
unknown
7092
Shift - PDF_jgqf4.tmp
3.142.206.112:443
updates.shiftapis.com
AMAZON-02
US
unknown
7092
Shift - PDF_jgqf4.tmp
104.22.76.241:443
downloads.tryshift.com
CLOUDFLARENET
unknown
1776
svchost.exe
20.190.160.22:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1776
svchost.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
google.com
  • 142.250.185.238
whitelisted
client.wns.windows.com
  • 40.113.103.199
  • 40.115.3.253
whitelisted
attribution.shiftapis.com
  • 3.20.228.199
  • 3.19.187.54
  • 3.142.81.60
  • 18.216.97.176
  • 52.15.173.233
  • 3.23.254.36
  • 3.13.92.238
  • 3.13.15.156
  • 3.140.163.98
unknown
updates.shiftapis.com
  • 3.142.206.112
  • 3.135.50.184
  • 3.23.232.6
unknown
downloads.tryshift.com
  • 104.22.76.241
  • 172.67.4.202
  • 104.22.77.241
unknown
login.live.com
  • 20.190.160.22
  • 20.190.160.17
  • 40.126.32.76
  • 40.126.32.136
  • 40.126.32.133
  • 40.126.32.74
  • 20.190.160.14
  • 20.190.160.20
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
slscr.update.microsoft.com
  • 40.68.123.157
whitelisted

Threats

PID
Process
Class
Message
Not Suspicious Traffic
INFO [ANY.RUN] An application monitoring request to sentry .io
Not Suspicious Traffic
INFO [ANY.RUN] An application monitoring request to sentry .io
Process
Message
shift.exe
[0912/113355.079:ERROR:crash_report_database_win.cc(613)] CreateDirectory C:\Users\admin\AppData\Local\Shift\User Data\Crashpad: The system cannot find the path specified. (0x3)