File name: Shift - Recipes_cyv7n.exe
Full analysis: https://app.any.run/tasks/003e28a0-18c5-41d0-9baa-08cdc77c40d9
Verdict: Malicious activity
Analysis date: December 19, 2024, 21:52:45
OS: Windows 10 Professional (build: 19045, 64 bit)
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 10 sections
MD5: B0D37920896763C67D773105603503ED
SHA1: E0AC11F66E0BDAFCB88604F18087727115F5F60E
SHA256: BAD8F06E71D76C3A9F9F0571C9A7EA3CE5AFA8A768739B3CA575F2544B2B74D6
SSDEEP: 98304:v+cD4dnHwICNdt3upEBitlGXJy1kNXsQpZX5vEVpyQn6hHzwOeNO4SPvsm6Puq/x:TaB7

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Actions looks like stealing of personal data

      • shift.exe (PID: 836)
      • shift.exe (PID: 3040)
    • Steals credentials from Web Browsers

      • shift.exe (PID: 836)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • Shift - Recipes_cyv7n.exe (PID: 3220)
      • Shift - Recipes_cyv7n.tmp (PID: 3608)
      • Shift - Recipes_cyv7n.exe (PID: 6952)
      • Shift - Recipes_cyv7n.tmp (PID: 6976)
      • Shift Setup_cyv7n.exe (PID: 7028)
      • Shift Setup_cyv7n.tmp (PID: 7048)
      • shift.exe (PID: 836)
    • Reads the Windows owner or organization settings

      • Shift - Recipes_cyv7n.tmp (PID: 3608)
      • Shift Setup_cyv7n.tmp (PID: 7048)
    • Reads security settings of Internet Explorer

      • Shift - Recipes_cyv7n.tmp (PID: 3608)
      • Shift Setup_cyv7n.tmp (PID: 7048)
      • Shift - Recipes_cyv7n.tmp (PID: 6976)
    • There is functionality for taking screenshot (YARA)

      • Shift - Recipes_cyv7n.tmp (PID: 3608)
    • Uses TASKKILL.EXE to kill process

      • Shift Setup_cyv7n.tmp (PID: 7048)
    • Process drops legitimate windows executable

      • Shift Setup_cyv7n.tmp (PID: 7048)
    • Deletes scheduled task without confirmation

      • schtasks.exe (PID: 4704)
    • Application launched itself

      • shift.exe (PID: 836)
    • Executes application which crashes

      • Shift Setup_cyv7n.tmp (PID: 7048)
  • INFO

    • Create files in a temporary directory

      • Shift - Recipes_cyv7n.exe (PID: 3220)
      • Shift - Recipes_cyv7n.exe (PID: 6952)
      • Shift - Recipes_cyv7n.tmp (PID: 6976)
      • Shift - Recipes_cyv7n.tmp (PID: 3608)
      • Shift Setup_cyv7n.exe (PID: 7028)
      • Shift Setup_cyv7n.tmp (PID: 7048)
      • shift.exe (PID: 3040)
      • shift.exe (PID: 836)
    • Reads the computer name

      • Shift - Recipes_cyv7n.tmp (PID: 3608)
      • Shift Setup_cyv7n.tmp (PID: 7048)
      • shift.exe (PID: 836)
    • Checks supported languages

      • Shift - Recipes_cyv7n.tmp (PID: 3608)
      • Shift - Recipes_cyv7n.exe (PID: 3220)
      • Shift - Recipes_cyv7n.exe (PID: 6952)
      • Shift - Recipes_cyv7n.tmp (PID: 6976)
      • Shift Setup_cyv7n.tmp (PID: 7048)
      • shift.exe (PID: 3040)
      • shift.exe (PID: 3508)
      • shift.exe (PID: 836)
    • The process uses the downloaded file

      • Shift - Recipes_cyv7n.tmp (PID: 3608)
      • Shift - Recipes_cyv7n.tmp (PID: 6976)
      • Shift Setup_cyv7n.tmp (PID: 7048)
    • Reads the machine GUID from the registry

      • Shift - Recipes_cyv7n.tmp (PID: 3608)
      • shift.exe (PID: 836)
    • Process checks computer location settings

      • Shift - Recipes_cyv7n.tmp (PID: 3608)
      • Shift - Recipes_cyv7n.tmp (PID: 6976)
      • Shift Setup_cyv7n.tmp (PID: 7048)
    • Checks proxy server information

      • Shift - Recipes_cyv7n.tmp (PID: 3608)
    • Reads the software policy settings

      • Shift - Recipes_cyv7n.tmp (PID: 6976)
      • Shift Setup_cyv7n.tmp (PID: 7048)
      • shift.exe (PID: 3040)
    • Creates files or folders in the user directory

      • Shift Setup_cyv7n.tmp (PID: 7048)
      • shift.exe (PID: 836)
      • shift.exe (PID: 6312)
    • The sample compiled with english language support

      • Shift Setup_cyv7n.tmp (PID: 7048)
      • shift.exe (PID: 836)
    • Sends debugging messages

      • shift.exe (PID: 4052)
No Malware configuration.

TRiD

.exe | Inno Setup installer (67.7)
.exe | Win32 EXE PECompact compressed (generic) (25.6)
.exe | Win32 Executable (generic) (2.7)
.exe | Win16/32 Executable Delphi generic (1.2)
.exe | Generic Win/DOS Executable (1.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:02:15 14:54:16+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 741888
InitializedDataSize: 421888
UninitializedDataSize: -
EntryPoint: 0xb5eec
OSVersion: 6.1
ImageVersion: 6
SubsystemVersion: 6.1
Subsystem: Windows GUI
FileVersionNumber: 118.8.0.0
ProductVersionNumber: 118.8.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName: Shift
FileDescription: Shift Setup
FileVersion: 118.8.0
LegalCopyright: Copyright Shift. All rights reserved.
OriginalFileName:
ProductName: Shift
ProductVersion: 118.8.0
No data.
All screenshots are available in the full report
Total processes: 150
Monitored processes: 23
Malicious processes: 8
Suspicious processes: 0

Behavior graph

Process nodes in the graph, in the order listed (the "no specs" tag is carried over from the graph): shift - recipes_cyv7n.exe, shift - recipes_cyv7n.tmp, shift - recipes_cyv7n.exe, shift - recipes_cyv7n.tmp, shift setup_cyv7n.exe, shift setup_cyv7n.tmp, taskkill.exe (no specs), conhost.exe (no specs), schtasks.exe (no specs), conhost.exe (no specs), shift.exe, shift.exe, shift.exe (no specs), shift.exe, shift.exe (no specs), shift.exe (no specs), shift.exe (no specs), shift.exe, shift.exe (no specs), shift.exe (no specs), werfault.exe, shift.exe (no specs), werfault.exe

Process information

Each entry lists the PID, command line (CMD), image path, parent process, process properties, and the modules loaded.
PID: 836
CMD: "C:\Users\admin\AppData\Local\Shift\chromium\shift.exe" --start-maximized
Path: C:\Users\admin\AppData\Local\Shift\chromium\shift.exe
Parent process: Shift Setup_cyv7n.tmp
User: admin
Company: Shift
Integrity Level: MEDIUM
Description: Shift
Version: 118.8.0.714
Modules (images):
c:\users\admin\appdata\local\shift\chromium\shift.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\users\admin\appdata\local\shift\chromium\118.8.0.714\chrome_elf.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\winmm.dll
PID: 1616
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: schtasks.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2324
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: taskkill.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2672
CMD: "C:\Users\admin\AppData\Local\Shift\chromium\shift.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5504 --field-trial-handle=2144,i,17280293836527952810,3782130594193655818,262144 /prefetch:8
Path: C:\Users\admin\AppData\Local\Shift\chromium\shift.exe
Parent process: shift.exe
User: admin
Company: Shift
Integrity Level: MEDIUM
Description: Shift
Exit code: 0
Version: 118.8.0.714
Modules (images):
c:\users\admin\appdata\local\shift\chromium\shift.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\users\admin\appdata\local\shift\chromium\118.8.0.714\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\shcore.dll
PID: 2792
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 7048 -s 2964
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: Shift Setup_cyv7n.tmp
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Problem Reporting
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID: 3040
CMD: "C:\Users\admin\AppData\Local\Shift\chromium\shift.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4316 --field-trial-handle=2144,i,17280293836527952810,3782130594193655818,262144 /prefetch:8
Path: C:\Users\admin\AppData\Local\Shift\chromium\shift.exe
Parent process: shift.exe
User: admin
Company: Shift
Integrity Level: MEDIUM
Description: Shift
Exit code: 0
Version: 118.8.0.714
Modules (images):
c:\users\admin\appdata\local\shift\chromium\shift.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\users\admin\appdata\local\shift\chromium\118.8.0.714\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\shcore.dll
PID: 3220
CMD: "C:\Users\admin\AppData\Local\Temp\Shift - Recipes_cyv7n.exe"
Path: C:\Users\admin\AppData\Local\Temp\Shift - Recipes_cyv7n.exe
Parent process: explorer.exe
User: admin
Company: Shift
Integrity Level: MEDIUM
Description: Shift Setup
Exit code: 0
Version: 118.8.0
Modules (images):
c:\users\admin\appdata\local\temp\shift - recipes_cyv7n.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comctl32.dll
PID: 3508
CMD: "C:\Users\admin\AppData\Local\Shift\chromium\shift.exe" --type=renderer --instant-process --start-stack-profiler --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4616 --field-trial-handle=2144,i,17280293836527952810,3782130594193655818,262144 /prefetch:1
Path: C:\Users\admin\AppData\Local\Shift\chromium\shift.exe
Parent process: shift.exe
User: admin
Company: Shift
Integrity Level: LOW
Description: Shift
Version: 118.8.0.714
Modules (images):
c:\users\admin\appdata\local\shift\chromium\shift.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\local\shift\chromium\118.8.0.714\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\shcore.dll
c:\windows\system32\combase.dll
PID: 3608
CMD: "C:\Users\admin\AppData\Local\Temp\is-Q0EQU.tmp\Shift - Recipes_cyv7n.tmp" /SL5="$502EE,1390925,1164800,C:\Users\admin\AppData\Local\Temp\Shift - Recipes_cyv7n.exe"
Path: C:\Users\admin\AppData\Local\Temp\is-Q0EQU.tmp\Shift - Recipes_cyv7n.tmp
Parent process: Shift - Recipes_cyv7n.exe
User: admin
Company: Shift
Integrity Level: MEDIUM
Description: Setup/Uninstall
Exit code: 0
Version: 51.1052.0.0
Modules (images):
c:\users\admin\appdata\local\temp\is-q0equ.tmp\shift - recipes_cyv7n.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comdlg32.dll
PID: 4052
CMD: C:\Users\admin\AppData\Local\Shift\chromium\shift.exe --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Shift\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Shift\User Data\Crashpad" --url=https://o1334372.ingest.sentry.io/api/4506193009180672/minidump/?sentry_key=1c60a0cacdead91f905faa80e9c82d03 --annotation=plat=Win64 --annotation=prod=Shift --annotation=ver=118.8.0.714 --initial-client-data=0x148,0x14c,0x150,0x124,0x154,0x7ff8220977e0,0x7ff8220977f0,0x7ff822097800
Path: C:\Users\admin\AppData\Local\Shift\chromium\shift.exe
Parent process: shift.exe
User: admin
Company: Shift
Integrity Level: MEDIUM
Description: Shift
Exit code: 1
Version: 118.8.0.714
Modules (images):
c:\users\admin\appdata\local\shift\chromium\shift.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\users\admin\appdata\local\shift\chromium\118.8.0.714\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\shcore.dll
Total events: 11 629
Read events: 11 533
Write events: 94
Delete events: 2

Modification events

PID/Process: (6976) Shift - Recipes_cyv7n.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0001
Operation: write
Name: Owner
Value: 401B0000B83C49686052DB01

PID/Process: (6976) Shift - Recipes_cyv7n.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0001
Operation: write
Name: SessionHash
Value: E31C22C5745F465F0DD85AC38933761F240C12F34E1714A0482B46E0C3CDA212

PID/Process: (6976) Shift - Recipes_cyv7n.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0001
Operation: write
Name: Sequence
Value: 1

PID/Process: (7048) Shift Setup_cyv7n.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Shift\Browser\Capability
Operation: write
Name: ApplicationDescription
Value: Shift Browser

PID/Process: (7048) Shift Setup_cyv7n.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Shift\Browser\Capability
Operation: write
Name: ApplicationName
Value: Shift Browser

PID/Process: (7048) Shift Setup_cyv7n.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Shift\Browser\Capability\FileAssociations
Operation: write
Name: .htm
Value: ShiftHTML

PID/Process: (7048) Shift Setup_cyv7n.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Shift\Browser\Capability\FileAssociations
Operation: write
Name: .html
Value: ShiftHTML

PID/Process: (7048) Shift Setup_cyv7n.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Shift\Browser\Capability\FileAssociations
Operation: write
Name: .pdf
Value: ShiftHTML

PID/Process: (7048) Shift Setup_cyv7n.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Shift\Browser\Capability\FileAssociations
Operation: write
Name: .shtml
Value: ShiftHTML

PID/Process: (7048) Shift Setup_cyv7n.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Shift\Browser\Capability\FileAssociations
Operation: write
Name: .svg
Value: ShiftHTML
Executable files: 39
Suspicious files: 182
Text files: 208
Unknown types: 104

Dropped files

PID | Process | Filename | Type (a "-" marks a cell the report left empty)

3608 | Shift - Recipes_cyv7n.tmp | C:\Users\admin\AppData\Local\Temp\is-GHGSJ.tmp\is-TC3L1.tmp | -
MD5: -
SHA256: -

3608 | Shift - Recipes_cyv7n.tmp | C:\Users\admin\AppData\Local\Temp\is-GHGSJ.tmp\Shift Setup.exe | -
MD5: -
SHA256: -

3608 | Shift - Recipes_cyv7n.tmp | C:\Users\admin\AppData\Local\Temp\Shift Setup.exe | -
MD5: -
SHA256: -

6976 | Shift - Recipes_cyv7n.tmp | C:\Users\admin\AppData\Local\Temp\Shift Setup_cyv7n.exe | -
MD5: -
SHA256: -

3608 | Shift - Recipes_cyv7n.tmp | C:\Users\admin\AppData\Local\Temp\is-GHGSJ.tmp\shift.bmp | image
MD5: 6C091E46C4B50CBE372A0826B8D38331
SHA256: 385B8FD4363F4A13469B1E9BCF21365FF7BBD9DD4CD90E52B290FC89DDE1927C

3608 | Shift - Recipes_cyv7n.tmp | C:\Users\admin\AppData\Local\Temp\is-GHGSJ.tmp\_isetup\_setup64.tmp | executable
MD5: E4211D6D009757C078A9FAC7FF4F03D4
SHA256: 388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95

3608 | Shift - Recipes_cyv7n.tmp | C:\Users\admin\AppData\Local\Temp\is-GHGSJ.tmp\min-10-light.png | image
MD5: 2257B1D0D33A41F509E7C3E117819F8B
SHA256: D43E4B285B5B54313B53E87D2A56CA9BA0C85F8F55C9C5FDCDB4FAC815FF4D02

3608 | Shift - Recipes_cyv7n.tmp | C:\Users\admin\AppData\Local\Temp\is-GHGSJ.tmp\min-rest.bmp | image
MD5: 2484489C7443EC4745488A77ED084D80
SHA256: 70B6921812F29B698F454927802DB818C1625402BAEFD53CED1BFB9135C17D5A

3220 | Shift - Recipes_cyv7n.exe | C:\Users\admin\AppData\Local\Temp\is-Q0EQU.tmp\Shift - Recipes_cyv7n.tmp | executable
MD5: A1E940A7449CC05308F107CD4D6B0858
SHA256: ABDD61AE83680715CCE174F5E475D6E3D7DE48D5DF0415239B4F188450AA0553

3608 | Shift - Recipes_cyv7n.tmp | C:\Users\admin\AppData\Local\Temp\is-GHGSJ.tmp\Win32Library.dll | executable
MD5: D82B30898C428A7DBEE81CECEA520F68
SHA256: 92AF9D054E3B5DC9F472FF9534060D1C70E2AC77F768AE9E5029E29FCD606198
HTTP(S) requests: 11
TCP/UDP connections: 55
DNS requests: 56
Threats: 2

HTTP requests

Columns: PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation (cells the report left empty are not shown; the trailing values are given in the order they appear)

1176 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted

7084 | SIHClient.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted

6228 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | whitelisted

5064 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted

7084 | SIHClient.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted

2792 | WerFault.exe | GET | 200 | 2.19.217.218:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted

2792 | WerFault.exe | GET | 200 | 23.48.23.164:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted

6312 | shift.exe | GET | 200 | 172.217.16.142:80 | http://clients2.google.com/time/1/current?cup2key=7:lpY0HzX5IFRRbJiH0tJjKL_o75THHtFQHtIGKHJnHfc&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 | unknown | whitelisted

6312 | shift.exe | GET | 200 | 172.217.16.142:80 | http://clients2.google.com/time/1/current?cup2key=7:bKZWLP83DxRqkapl99-0nM49BUVilcgvZSdylvX6Caw&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 | unknown | whitelisted

6312 | shift.exe | GET | 200 | 172.217.16.142:80 | http://clients2.google.com/time/1/current?cup2key=7:kIuJIJ_m1wUWXTTSfWLtsLXL9-lM9COlc_dqTr0VVCE&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 | unknown | whitelisted

Connections

Columns: PID | Process | IP | Domain | ASN | CN | Reputation (a "-" marks a cell the report left empty)

4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 20.73.194.208:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5064 | SearchApp.exe | 23.212.110.184:443 | www.bing.com | Akamai International B.V. | CZ | whitelisted
3608 | Shift - Recipes_cyv7n.tmp | 3.21.221.219:443 | attribution.shiftapis.com | AMAZON-02 | US | unknown
3608 | Shift - Recipes_cyv7n.tmp | 18.117.65.72:443 | updates.shiftapis.com | AMAZON-02 | US | unknown
1176 | svchost.exe | 20.190.159.0:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
1176 | svchost.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
5064 | SearchApp.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
3608 | Shift - Recipes_cyv7n.tmp | 172.67.4.202:443 | downloads.tryshift.com | CLOUDFLARENET | US | unknown

DNS requests

Columns: Domain | resolved IPs | Reputation

www.bing.com | 23.212.110.184, 23.212.110.209, 23.212.110.177, 23.212.110.203, 23.212.110.202, 23.212.110.185, 23.212.110.211, 23.212.110.178, 23.212.110.217 | whitelisted
attribution.shiftapis.com | 3.21.221.219, 3.130.142.81, 18.190.17.5 | unknown
updates.shiftapis.com | 18.117.65.72, 3.138.83.118, 18.118.249.129 | unknown
update.shiftapis.com | - | unknown
login.live.com | 20.190.159.0, 40.126.31.71, 20.190.159.64, 20.190.159.71, 40.126.31.69, 40.126.31.67, 40.126.31.73, 20.190.159.68 | whitelisted
ocsp.digicert.com | 192.229.221.95 | whitelisted
downloads.tryshift.com | 172.67.4.202, 104.22.76.241, 104.22.77.241 | unknown
go.microsoft.com | 23.35.238.131 | whitelisted
settings-win.data.microsoft.com | 40.127.240.158 | whitelisted
arc.msn.com | 20.223.36.55 | whitelisted

Threats

Columns: PID | Process | Class | Message

6312 | shift.exe | Not Suspicious Traffic | INFO [ANY.RUN] An application monitoring request to sentry .io
6312 | shift.exe | Not Suspicious Traffic | INFO [ANY.RUN] An application monitoring request to sentry .io
Columns: Process | Message

shift.exe | [1219/215338.465:ERROR:crash_report_database_win.cc(614)] CreateDirectory C:\Users\admin\AppData\Local\Shift\User Data\Crashpad: The system cannot find the path specified. (0x3)