File name:

Shift - PDF_jh3jd.exe

Full analysis: https://app.any.run/tasks/bf31224e-d770-4bd7-adb3-06b0e046e7f1
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: September 05, 2024, 14:17:15
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
stealer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

C28724FF89818A1A322F54A4A3CC5666

SHA1:

243BDF58ACC4830E109E591C4FF3A31A0FABB9EA

SHA256:

77E9158FD342A50C5C83346EFE198D446F6226E92A25BFB7B4A04B1ABA86FB32

SSDEEP:

98304:8+cD4dnHwICNdt3uIdN5hUXsQpZX5vEVpyQn6hHzwOeNO4SPvsm6Puq/GpBjNWsE:UrYaBh

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Steals credentials from Web Browsers

      • shift.exe (PID: 7164)
    • Actions looks like stealing of personal data

      • shift.exe (PID: 7164)
      • shift.exe (PID: 6340)
    • Changes the autorun value in the registry

      • shift.exe (PID: 7164)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • Shift - PDF_jh3jd.exe (PID: 5724)
      • Shift - PDF_jh3jd.tmp (PID: 6936)
      • Shift - PDF_jh3jd.exe (PID: 1128)
      • Shift Setup_jh3jd.exe (PID: 2876)
      • Shift Setup_jh3jd.tmp (PID: 6176)
      • Shift - PDF_jh3jd.tmp (PID: 5032)
    • Reads the Windows owner or organization settings

      • Shift - PDF_jh3jd.tmp (PID: 6936)
      • Shift Setup_jh3jd.tmp (PID: 6176)
      • Shift - PDF_jh3jd.tmp (PID: 5032)
    • Reads security settings of Internet Explorer

      • Shift - PDF_jh3jd.tmp (PID: 6936)
      • Shift - PDF_jh3jd.tmp (PID: 5032)
      • Shift Setup_jh3jd.tmp (PID: 6176)
      • shift.exe (PID: 7164)
    • There is functionality for taking screenshot (YARA)

      • Shift - PDF_jh3jd.tmp (PID: 6936)
      • Shift - PDF_jh3jd.tmp (PID: 5032)
      • Shift Setup_jh3jd.tmp (PID: 6176)
    • Deletes scheduled task without confirmation

      • schtasks.exe (PID: 6656)
    • Uses TASKKILL.EXE to kill process

      • Shift Setup_jh3jd.tmp (PID: 6176)
    • Process drops legitimate windows executable

      • Shift Setup_jh3jd.tmp (PID: 6176)
    • Uses ICACLS.EXE to modify access control lists

      • Shift Setup_jh3jd.tmp (PID: 6176)
    • Application launched itself

      • shift.exe (PID: 7164)
      • shift.exe (PID: 1148)
      • shift.exe (PID: 8736)
    • Reads Mozilla Firefox installation path

      • shift.exe (PID: 7164)
    • Reads the date of Windows installation

      • shift.exe (PID: 7164)
    • Executes application which crashes

      • Shift Setup_jh3jd.tmp (PID: 6176)
  • INFO

    • Create files in a temporary directory

      • Shift - PDF_jh3jd.tmp (PID: 6936)
      • Shift - PDF_jh3jd.exe (PID: 5724)
      • Shift - PDF_jh3jd.exe (PID: 1128)
      • Shift - PDF_jh3jd.tmp (PID: 5032)
      • Shift Setup_jh3jd.exe (PID: 2876)
      • Shift Setup_jh3jd.tmp (PID: 6176)
      • shift.exe (PID: 6340)
      • shift.exe (PID: 7164)
    • Reads the computer name

      • Shift - PDF_jh3jd.tmp (PID: 6936)
      • Shift - PDF_jh3jd.tmp (PID: 5032)
      • Shift Setup_jh3jd.tmp (PID: 6176)
      • shift.exe (PID: 1148)
      • shift.exe (PID: 7164)
      • shift.exe (PID: 6340)
      • shift.exe (PID: 940)
      • shift.exe (PID: 4524)
      • shift.exe (PID: 7268)
      • shift.exe (PID: 8736)
    • Checks supported languages

      • Shift - PDF_jh3jd.exe (PID: 5724)
      • Shift - PDF_jh3jd.tmp (PID: 6936)
      • Shift - PDF_jh3jd.exe (PID: 1128)
      • Shift - PDF_jh3jd.tmp (PID: 5032)
      • Shift Setup_jh3jd.exe (PID: 2876)
      • Shift Setup_jh3jd.tmp (PID: 6176)
      • shift.exe (PID: 2624)
      • shift.exe (PID: 7164)
      • shift.exe (PID: 1148)
      • shift.exe (PID: 940)
      • shift.exe (PID: 4524)
      • shift.exe (PID: 3896)
      • shift.exe (PID: 1084)
      • shift.exe (PID: 6340)
      • shift.exe (PID: 6464)
      • shift.exe (PID: 32)
      • shift.exe (PID: 2132)
      • shift.exe (PID: 2096)
      • shift.exe (PID: 5300)
      • shift.exe (PID: 7268)
      • shift.exe (PID: 7024)
      • shift.exe (PID: 6840)
      • shift.exe (PID: 8388)
      • shift.exe (PID: 8736)
      • shift.exe (PID: 8892)
      • shift.exe (PID: 8756)
      • shift.exe (PID: 8824)
      • shift.exe (PID: 9008)
      • shift.exe (PID: 8424)
    • Reads the software policy settings

      • Shift - PDF_jh3jd.tmp (PID: 6936)
      • Shift - PDF_jh3jd.tmp (PID: 5032)
      • slui.exe (PID: 6480)
      • Shift Setup_jh3jd.tmp (PID: 6176)
      • shift.exe (PID: 7164)
      • shift.exe (PID: 6340)
      • WerFault.exe (PID: 6884)
      • WerFault.exe (PID: 7512)
      • slui.exe (PID: 1492)
    • Reads the machine GUID from the registry

      • Shift - PDF_jh3jd.tmp (PID: 6936)
      • Shift Setup_jh3jd.tmp (PID: 6176)
      • shift.exe (PID: 7164)
    • Checks proxy server information

      • Shift - PDF_jh3jd.tmp (PID: 6936)
      • shift.exe (PID: 7164)
      • WerFault.exe (PID: 6884)
      • WerFault.exe (PID: 7512)
      • slui.exe (PID: 1492)
    • The process uses the downloaded file

      • Shift - PDF_jh3jd.tmp (PID: 6936)
      • Shift - PDF_jh3jd.tmp (PID: 5032)
      • Shift Setup_jh3jd.tmp (PID: 6176)
      • shift.exe (PID: 7164)
      • chrome.exe (PID: 6760)
      • chrome.exe (PID: 7824)
      • chrome.exe (PID: 7704)
      • chrome.exe (PID: 7812)
      • chrome.exe (PID: 8028)
      • chrome.exe (PID: 6168)
      • chrome.exe (PID: 7412)
      • chrome.exe (PID: 7612)
    • Process checks computer location settings

      • Shift - PDF_jh3jd.tmp (PID: 6936)
      • Shift - PDF_jh3jd.tmp (PID: 5032)
      • Shift Setup_jh3jd.tmp (PID: 6176)
      • shift.exe (PID: 7164)
      • shift.exe (PID: 1084)
      • shift.exe (PID: 5300)
      • shift.exe (PID: 6464)
      • shift.exe (PID: 2132)
      • shift.exe (PID: 32)
      • shift.exe (PID: 2096)
      • shift.exe (PID: 7024)
      • shift.exe (PID: 6840)
      • shift.exe (PID: 8892)
      • shift.exe (PID: 8824)
      • shift.exe (PID: 8424)
    • Creates files or folders in the user directory

      • Shift Setup_jh3jd.tmp (PID: 6176)
      • shift.exe (PID: 4524)
      • shift.exe (PID: 7164)
      • WerFault.exe (PID: 6884)
      • WerFault.exe (PID: 7512)
      • shift.exe (PID: 8736)
      • shift.exe (PID: 8756)
    • Creates a software uninstall entry

      • Shift Setup_jh3jd.tmp (PID: 6176)
    • Sends debugging messages

      • shift.exe (PID: 2624)
      • shift.exe (PID: 1148)
    • Application launched itself

      • chrome.exe (PID: 6696)
    • Manual execution by a user

      • shift.exe (PID: 8736)
No Malware configuration.

TRiD

.exe | Inno Setup installer (67.7)
.exe | Win32 EXE PECompact compressed (generic) (25.6)
.exe | Win32 Executable (generic) (2.7)
.exe | Win16/32 Executable Delphi generic (1.2)
.exe | Generic Win/DOS Executable (1.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:02:15 14:54:16+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 741888
InitializedDataSize: 421888
UninitializedDataSize: -
EntryPoint: 0xb5eec
OSVersion: 6.1
ImageVersion: 6
SubsystemVersion: 6.1
Subsystem: Windows GUI
FileVersionNumber: 127.1.1.0
ProductVersionNumber: 127.1.1.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName: Shift
FileDescription: Shift Setup
FileVersion: 127.1.1
LegalCopyright: Copyright Shift. All rights reserved.
OriginalFileName:
ProductName: Shift
ProductVersion: 127.1.1
No data.
All screenshots are available in the full report
Total processes
222
Monitored processes
88
Malicious processes
7
Suspicious processes
0

Behavior graph

start shift - pdf_jh3jd.exe THREAT shift - pdf_jh3jd.tmp sppextcomobj.exe no specs slui.exe shift - pdf_jh3jd.exe THREAT shift - pdf_jh3jd.tmp shift setup_jh3jd.exe THREAT shift setup_jh3jd.tmp slui.exe taskkill.exe no specs conhost.exe no specs schtasks.exe no specs conhost.exe no specs icacls.exe no specs conhost.exe no specs icacls.exe no specs conhost.exe no specs shift.exe shift.exe shift.exe shift.exe no specs shift.exe shift.exe no specs shift.exe shift.exe no specs chrome.exe shift.exe no specs shift.exe no specs chrome.exe no specs shift.exe no specs shift.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs shift.exe no specs werfault.exe shift.exe no specs werfault.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs shift.exe no specs shift.exe no specs chrome.exe no specs shift.exe no specs shift.exe no specs chrome.exe no specs shift.exe no specs shift.exe no specs shift.exe no specs shift.exe no specs shift.exe no specs chrome.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID:
32
CMD:
"C:\Users\admin\AppData\Local\Shift\chromium\shift.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5796,i,3860512386129248184,9620456711048513385,262144 --variations-seed-version --mojo-platform-channel-handle=4624 /prefetch:1
Path:
C:\Users\admin\AppData\Local\Shift\chromium\shift.exe
Parent process:
shift.exe
User:
admin
Company:
Shift
Integrity Level:
LOW
Description:
Shift
Exit code:
0
Version:
127.1.1.1271
Modules
Images
c:\users\admin\appdata\local\shift\chromium\shift.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\local\shift\chromium\127.1.1.1271\shift_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\shcore.dll
c:\windows\system32\combase.dll
PID:
568
CMD:
"C:\program files\google\chrome\application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3076 --field-trial-handle=2272,i,2816240173345331527,17455047263315858344,262144 --variations-seed-version /prefetch:1
Path:
C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process:
chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Version:
122.0.6261.70
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID:
872
CMD:
"C:\program files\google\chrome\application\chrome.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=40 --mojo-platform-channel-handle=7352 --field-trial-handle=2272,i,2816240173345331527,17455047263315858344,262144 --variations-seed-version /prefetch:1
Path:
C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process:
chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Version:
122.0.6261.70
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID:
940
CMD:
"C:\Users\admin\AppData\Local\Shift\chromium\shift.exe" --type=gpu-process --start-stack-profiler --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2244,i,3860512386129248184,9620456711048513385,262144 --variations-seed-version --mojo-platform-channel-handle=2240 /prefetch:2
Path:
C:\Users\admin\AppData\Local\Shift\chromium\shift.exe
Parent process:
shift.exe
User:
admin
Company:
Shift
Integrity Level:
LOW
Description:
Shift
Version:
127.1.1.1271
Modules
Images
c:\users\admin\appdata\local\shift\chromium\shift.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\users\admin\appdata\local\shift\chromium\127.1.1.1271\shift_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\shcore.dll
PID:
1084
CMD:
"C:\Users\admin\AppData\Local\Shift\chromium\shift.exe" --type=renderer --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3864,i,3860512386129248184,9620456711048513385,262144 --variations-seed-version --mojo-platform-channel-handle=3876 /prefetch:2
Path:
C:\Users\admin\AppData\Local\Shift\chromium\shift.exe
Parent process:
shift.exe
User:
admin
Company:
Shift
Integrity Level:
LOW
Description:
Shift
Version:
127.1.1.1271
Modules
Images
c:\users\admin\appdata\local\shift\chromium\shift.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\local\shift\chromium\127.1.1.1271\shift_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\shcore.dll
c:\windows\system32\combase.dll
PID:
1128
CMD:
"C:\Users\admin\AppData\Local\Temp\Shift - PDF_jh3jd.exe" /PDATA=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 /SPLITS=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 /LAUNCHER /VERYSILENT
Path:
C:\Users\admin\AppData\Local\Temp\Shift - PDF_jh3jd.exe
Parent process:
Shift - PDF_jh3jd.tmp
User:
admin
Company:
Shift
Integrity Level:
MEDIUM
Description:
Shift Setup
Exit code:
0
Version:
127.1.1
Modules
Images
c:\users\admin\appdata\local\temp\shift - pdf_jh3jd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comctl32.dll
PID:
1148
CMD:
C:\Users\admin\AppData\Local\Shift\chromium\shift.exe --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Shift\User Data" /prefetch:4 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\admin\AppData\Local\Shift\User Data" --monitor-self-argument=/prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Shift\User Data\Crashpad" --url=https://o1334372.ingest.sentry.io/api/4506193009180672/minidump/?sentry_key=1c60a0cacdead91f905faa80e9c82d03 --annotation=plat=Win64 --annotation=prod=Shift --annotation=ver=127.1.1.1271 --initial-client-data=0x148,0x14c,0x150,0x124,0x154,0x7fffd5618740,0x7fffd561874c,0x7fffd5618758
Path:
C:\Users\admin\AppData\Local\Shift\chromium\shift.exe
Parent process:
shift.exe
User:
admin
Company:
Shift
Integrity Level:
MEDIUM
Description:
Shift
Exit code:
1
Version:
127.1.1.1271
Modules
Images
c:\users\admin\appdata\local\shift\chromium\shift.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\users\admin\appdata\local\shift\chromium\127.1.1.1271\shift_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\shcore.dll
PID:
1492
CMD:
C:\WINDOWS\System32\slui.exe -Embedding
Path:
C:\Windows\System32\slui.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID:
1712
CMD:
"C:\program files\google\chrome\application\chrome.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=42 --mojo-platform-channel-handle=7632 --field-trial-handle=2272,i,2816240173345331527,17455047263315858344,262144 --variations-seed-version /prefetch:1
Path:
C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process:
chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Version:
122.0.6261.70
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID:
2092
CMD:
C:\WINDOWS\system32\SppExtComObj.exe -Embedding
Path:
C:\Windows\System32\SppExtComObj.Exe
Parent process:
svchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
Total events
26 820
Read events
26 707
Write events
110
Delete events
3

Modification events

(PID) Process: (5032) Shift - PDF_jh3jd.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0001
Operation: write | Name: Owner
Value: A81300006725697C9EFFDA01

(PID) Process: (5032) Shift - PDF_jh3jd.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0001
Operation: write | Name: SessionHash
Value: 6787BBD82E10A08D6B44E746DDAF4E2C8BA4A5A25BB2206C12DA7DC327FFCA4D

(PID) Process: (5032) Shift - PDF_jh3jd.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0001
Operation: write | Name: Sequence
Value: 1

(PID) Process: (6176) Shift Setup_jh3jd.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Shift
Operation: write | Name: pv
Value: 127.1.1.1271

(PID) Process: (6176) Shift Setup_jh3jd.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Shift
Operation: write | Name: EnterpriseProduct<{95fcf903-63b1-44bd-ab77-358a5bd30aae}_is1>
Value:

(PID) Process: (6176) Shift Setup_jh3jd.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Shift\Browser\Capability
Operation: write | Name: ApplicationDescription
Value: Shift Browser

(PID) Process: (6176) Shift Setup_jh3jd.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Shift\Browser\Capability
Operation: write | Name: ApplicationName
Value: Shift Browser

(PID) Process: (6176) Shift Setup_jh3jd.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Shift\Browser\Capability\FileAssociations
Operation: write | Name: .htm
Value: ShiftHTML

(PID) Process: (6176) Shift Setup_jh3jd.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Shift\Browser\Capability\FileAssociations
Operation: write | Name: .html
Value: ShiftHTML

(PID) Process: (6176) Shift Setup_jh3jd.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Shift\Browser\Capability\FileAssociations
Operation: write | Name: .pdf
Value: ShiftHTML
Executable files
43
Suspicious files
610
Text files
282
Unknown types
150

Dropped files

PID | Process | Filename | Type

6936 | Shift - PDF_jh3jd.tmp | C:\Users\admin\AppData\Local\Temp\is-NSGMG.tmp\is-MTTKJ.tmp | -
MD5:
SHA256:

6936 | Shift - PDF_jh3jd.tmp | C:\Users\admin\AppData\Local\Temp\is-NSGMG.tmp\Shift Setup.exe | -
MD5:
SHA256:

6936 | Shift - PDF_jh3jd.tmp | C:\Users\admin\AppData\Local\Temp\Shift Setup.exe | -
MD5:
SHA256:

5032 | Shift - PDF_jh3jd.tmp | C:\Users\admin\AppData\Local\Temp\Shift Setup_jh3jd.exe | -
MD5:
SHA256:

6936 | Shift - PDF_jh3jd.tmp | C:\Users\admin\AppData\Local\Temp\is-NSGMG.tmp\_isetup\_setup64.tmp | executable
MD5: E4211D6D009757C078A9FAC7FF4F03D4
SHA256: 388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95

5724 | Shift - PDF_jh3jd.exe | C:\Users\admin\AppData\Local\Temp\is-8TC9C.tmp\Shift - PDF_jh3jd.tmp | executable
MD5: 97C5FC3EB63E9F55E0392B46F1582387
SHA256: 9ABEE9A74B253B08C8B0730E22C1F3A7E5AF18F429CBCF6106DB840961493987

6936 | Shift - PDF_jh3jd.tmp | C:\Users\admin\AppData\Local\Temp\is-NSGMG.tmp\min-rest.bmp | image
MD5: 2484489C7443EC4745488A77ED084D80
SHA256: 70B6921812F29B698F454927802DB818C1625402BAEFD53CED1BFB9135C17D5A

6936 | Shift - PDF_jh3jd.tmp | C:\Users\admin\AppData\Local\Temp\is-NSGMG.tmp\shift.png | image
MD5: 0423D0589E58341B5B64C6099F4123B7
SHA256: A1D2C48437058F24A5EA85C323469473AC4430198770794522A32C28783AADB7

6936 | Shift - PDF_jh3jd.tmp | C:\Users\admin\AppData\Local\Temp\is-NSGMG.tmp\Win32Library.dll | executable
MD5: D82B30898C428A7DBEE81CECEA520F68
SHA256: 92AF9D054E3B5DC9F472FF9534060D1C70E2AC77F768AE9E5029E29FCD606198

6936 | Shift - PDF_jh3jd.tmp | C:\Users\admin\AppData\Local\Temp\is-NSGMG.tmp\shift.bmp | image
MD5: 6C091E46C4B50CBE372A0826B8D38331
SHA256: 385B8FD4363F4A13469B1E9BCF21365FF7BBD9DD4CD90E52B290FC89DDE1927C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
14
TCP/UDP connections
320
DNS requests
451
Threats
6

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation

- | - | GET | 200 | 23.32.185.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
2036 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
5516 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | whitelisted
6140 | SIHClient.exe | GET | 200 | 23.32.185.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
2120 | MoUsoCoreWorker.exe | GET | 200 | 23.32.185.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
6140 | SIHClient.exe | GET | 200 | 23.32.185.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
8556 | svchost.exe | HEAD | 200 | 34.104.35.123:80 | http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acqtptz2ge4uaz5nopftvmvbgc6q_2024.8.23.1/niikhdgajlphfehepabhhblakbdgeefj_2024.08.23.01_all_ac5clw7ya2fzc3252yiojn6lp6ya.crx3 | unknown | whitelisted
6884 | WerFault.exe | GET | 200 | 23.32.185.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
8556 | svchost.exe | GET | 206 | 34.104.35.123:80 | http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acqtptz2ge4uaz5nopftvmvbgc6q_2024.8.23.1/niikhdgajlphfehepabhhblakbdgeefj_2024.08.23.01_all_ac5clw7ya2fzc3252yiojn6lp6ya.crx3 | unknown | whitelisted
8556 | svchost.exe | GET | 206 | 34.104.35.123:80 | http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acqtptz2ge4uaz5nopftvmvbgc6q_2024.8.23.1/niikhdgajlphfehepabhhblakbdgeefj_2024.08.23.01_all_ac5clw7ya2fzc3252yiojn6lp6ya.crx3 | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation

6320 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 23.32.185.131:80 | www.microsoft.com | AKAMAI-AS | BR | whitelisted
2120 | MoUsoCoreWorker.exe | 23.32.185.131:80 | www.microsoft.com | AKAMAI-AS | BR | whitelisted
- | - | 192.168.100.255:138 | - | - | - | whitelisted
3888 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
4324 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
3260 | svchost.exe | 20.198.162.78:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | SG | whitelisted
6936 | Shift - PDF_jh3jd.tmp | 44.227.59.33:443 | attribution.shiftapis.com | AMAZON-02 | US | unknown
6936 | Shift - PDF_jh3jd.tmp | 52.32.222.231:443 | updates.shiftapis.com | AMAZON-02 | US | unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 51.104.136.2
whitelisted
www.microsoft.com
  • 23.32.185.131
whitelisted
google.com
  • 142.250.185.238
whitelisted
client.wns.windows.com
  • 20.198.162.78
  • 40.113.103.199
whitelisted
attribution.shiftapis.com
  • 44.227.59.33
  • 44.224.192.141
  • 44.237.157.143
unknown
updates.shiftapis.com
  • 52.32.222.231
  • 34.211.197.16
  • 54.190.246.59
  • 34.210.120.195
unknown
login.live.com
  • 40.126.31.71
  • 40.126.31.67
  • 20.190.159.64
  • 20.190.159.71
  • 20.190.159.23
  • 20.190.159.0
  • 20.190.159.4
  • 40.126.31.69
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
downloads.tryshift.com
  • 104.22.76.241
  • 104.22.77.241
  • 172.67.4.202
unknown
arc.msn.com
  • 20.223.35.26
whitelisted

Threats

PID | Process | Class | Message

- | - | Not Suspicious Traffic | INFO [ANY.RUN] An application monitoring request to sentry .io
- | - | Not Suspicious Traffic | INFO [ANY.RUN] An application monitoring request to sentry .io
- | - | Not Suspicious Traffic | INFO [ANY.RUN] Cloudflare Network Error Logging (NEL)
- | - | Not Suspicious Traffic | INFO [ANY.RUN] Cloudflare Network Error Logging (NEL)
- | - | Not Suspicious Traffic | INFO [ANY.RUN] Cloudflare Network Error Logging (NEL)
- | - | Not Suspicious Traffic | INFO [ANY.RUN] Cloudflare Network Error Logging (NEL)

Process | Message

shift.exe | [0905/141859.834:ERROR:crash_report_database_win.cc(613)] CreateDirectory C:\Users\admin\AppData\Local\Shift\User Data\Crashpad: The system cannot find the path specified. (0x3)
shift.exe | [0905/141859.849:ERROR:registration_protocol_win.cc(136)] TransactNamedPipe: The pipe has been ended. (0x6D)
shift.exe | [0905/141859.849:ERROR:crash_report_database_win.cc(613)] CreateDirectory C:\Users\admin\AppData\Local\Shift\User Data\Crashpad: The system cannot find the path specified. (0x3)