0a5ea03ce75893cddd21dffbc25b19efeca7da9c5f96c3cd680078aebc0552e8

Analysis

max time kernel
89s
max time network
99s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
14/09/2024, 19:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

shift-v9.3.3.1096-stable-x64.exe
Size

96.2MB
MD5

c7ffb1d443c2d6beafce63a3d5d41f71
SHA1

e2cd47f9f853ab2f2e11c1fcee9f6bd5466b8695
SHA256

0a5ea03ce75893cddd21dffbc25b19efeca7da9c5f96c3cd680078aebc0552e8
SHA512

359182a1b3fe42f228c6291833784bd0cac2f3a71f478f256f94fac09032604c341cdd82597ce8e6c747f883624c22543f571caee933d15213b802905edb8f53
SSDEEP

3145728:T8+Lmt7DGWoeFZE+LhUx6DRrGWEL5lNoB:T8+Lmt7DGmFZVrlmgB

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 20 IoCs

pid	Process
3312	shift-v9.3.3.1096-stable-x64.tmp
1484	shift.exe
3648	shift.exe
700	shift.exe
2060	shift.exe
4076	shift.exe
2152	shift.exe
1080	shift.exe
1540	shift.exe
1480	shift.exe
736	shift.exe
3360	shift.exe
4196	shift.exe
4764	update_notifier.exe
3284	shift.exe
4152	shift.exe
1524	shift.exe
1840	shift.exe
1380	shift.exe
2964	shift.exe

Loads dropped DLL 38 IoCs

pid	Process
1484	shift.exe
3648	shift.exe
1484	shift.exe
700	shift.exe
700	shift.exe
2060	shift.exe
2060	shift.exe
2060	shift.exe
2060	shift.exe
2060	shift.exe
4076	shift.exe
4076	shift.exe
1080	shift.exe
2152	shift.exe
1080	shift.exe
1540	shift.exe
1480	shift.exe
1480	shift.exe
1540	shift.exe
736	shift.exe
736	shift.exe
2152	shift.exe
3360	shift.exe
3360	shift.exe
4196	shift.exe
4196	shift.exe
3284	shift.exe
3284	shift.exe
4152	shift.exe
1524	shift.exe
1524	shift.exe
4152	shift.exe
1840	shift.exe
1840	shift.exe
1380	shift.exe
2964	shift.exe
1380	shift.exe
2964	shift.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Software\Microsoft\Windows\CurrentVersion\Run\Shift = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\Shift\\shift.exe\""	shift.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks system information in the registry 2 TTPs 2 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	shift.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	shift.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	shift.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shift-v9.3.3.1096-stable-x64.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shift-v9.3.3.1096-stable-x64.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	shift.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	shift.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	shift.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	shift.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	shift.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2352	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	shift.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133708170417364786"	shift.exe

Modifies registry class 18 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\shift\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\Shift\\shift.exe\" \"%1\""	shift-v9.3.3.1096-stable-x64.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\ShiftHTM\ = "Shift HTML Document"	shift-v9.3.3.1096-stable-x64.tmp
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\ShiftHTM\DefaultIcon	shift-v9.3.3.1096-stable-x64.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\ShiftHTM\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Programs\\Shift\\shift.exe,0"	shift-v9.3.3.1096-stable-x64.tmp
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\ShiftHTM\shell	shift-v9.3.3.1096-stable-x64.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-970747758-134341002-3585657277-1000\{6EFF5032-00A8-4CBA-AB30-9FE699D4B236}	shift.exe
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\shift	shift-v9.3.3.1096-stable-x64.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\shift\URL Protocol	shift-v9.3.3.1096-stable-x64.tmp
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\shift\shell	shift-v9.3.3.1096-stable-x64.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\ShiftHTM\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\Shift\\shift.exe\" \"%1\""	shift-v9.3.3.1096-stable-x64.tmp
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\shift\shell\open\command	shift-v9.3.3.1096-stable-x64.tmp
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\shift\DefaultIcon	shift-v9.3.3.1096-stable-x64.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\shift\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Programs\\Shift\\shift.exe,0"	shift-v9.3.3.1096-stable-x64.tmp
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\shift\shell\open	shift-v9.3.3.1096-stable-x64.tmp
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\ShiftHTM	shift-v9.3.3.1096-stable-x64.tmp
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\ShiftHTM\shell\open\command	shift-v9.3.3.1096-stable-x64.tmp
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\ShiftHTM\shell\open	shift-v9.3.3.1096-stable-x64.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\shift\ = "URL:shift Protocol"	shift-v9.3.3.1096-stable-x64.tmp

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3312	shift-v9.3.3.1096-stable-x64.tmp
3312	shift-v9.3.3.1096-stable-x64.tmp
1484	shift.exe
1484	shift.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
1484	shift.exe
1484	shift.exe
1484	shift.exe
1484	shift.exe
1484	shift.exe
1484	shift.exe
1484	shift.exe
1484	shift.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2352	taskkill.exe
Token: SeShutdownPrivilege	1484	shift.exe
Token: SeCreatePagefilePrivilege	1484	shift.exe
Token: SeShutdownPrivilege	1484	shift.exe
Token: SeCreatePagefilePrivilege	1484	shift.exe
Token: SeShutdownPrivilege	1484	shift.exe
Token: SeCreatePagefilePrivilege	1484	shift.exe
Token: SeShutdownPrivilege	1484	shift.exe
Token: SeCreatePagefilePrivilege	1484	shift.exe
Token: SeShutdownPrivilege	1484	shift.exe
Token: SeCreatePagefilePrivilege	1484	shift.exe
Token: SeShutdownPrivilege	1484	shift.exe
Token: SeCreatePagefilePrivilege	1484	shift.exe
Token: SeShutdownPrivilege	1484	shift.exe
Token: SeCreatePagefilePrivilege	1484	shift.exe
Token: SeShutdownPrivilege	1484	shift.exe
Token: SeCreatePagefilePrivilege	1484	shift.exe
Token: SeShutdownPrivilege	1484	shift.exe
Token: SeCreatePagefilePrivilege	1484	shift.exe
Token: SeShutdownPrivilege	1484	shift.exe
Token: SeCreatePagefilePrivilege	1484	shift.exe
Token: SeShutdownPrivilege	1484	shift.exe
Token: SeCreatePagefilePrivilege	1484	shift.exe
Token: SeShutdownPrivilege	1484	shift.exe
Token: SeCreatePagefilePrivilege	1484	shift.exe
Token: SeShutdownPrivilege	1484	shift.exe
Token: SeCreatePagefilePrivilege	1484	shift.exe
Token: SeShutdownPrivilege	1484	shift.exe
Token: SeCreatePagefilePrivilege	1484	shift.exe
Token: SeShutdownPrivilege	1484	shift.exe
Token: SeCreatePagefilePrivilege	1484	shift.exe
Token: SeShutdownPrivilege	1484	shift.exe
Token: SeCreatePagefilePrivilege	1484	shift.exe
Token: SeShutdownPrivilege	1484	shift.exe
Token: SeCreatePagefilePrivilege	1484	shift.exe
Token: SeShutdownPrivilege	1484	shift.exe
Token: SeCreatePagefilePrivilege	1484	shift.exe
Token: SeShutdownPrivilege	1484	shift.exe
Token: SeCreatePagefilePrivilege	1484	shift.exe
Token: SeShutdownPrivilege	1484	shift.exe
Token: SeCreatePagefilePrivilege	1484	shift.exe
Token: SeShutdownPrivilege	1484	shift.exe
Token: SeCreatePagefilePrivilege	1484	shift.exe
Token: SeShutdownPrivilege	1484	shift.exe
Token: SeCreatePagefilePrivilege	1484	shift.exe
Token: SeShutdownPrivilege	1484	shift.exe
Token: SeCreatePagefilePrivilege	1484	shift.exe
Token: SeShutdownPrivilege	1484	shift.exe
Token: SeCreatePagefilePrivilege	1484	shift.exe
Token: SeShutdownPrivilege	1484	shift.exe
Token: SeCreatePagefilePrivilege	1484	shift.exe
Token: SeShutdownPrivilege	1484	shift.exe
Token: SeCreatePagefilePrivilege	1484	shift.exe
Token: SeShutdownPrivilege	1484	shift.exe
Token: SeCreatePagefilePrivilege	1484	shift.exe
Token: SeShutdownPrivilege	1484	shift.exe
Token: SeCreatePagefilePrivilege	1484	shift.exe
Token: SeShutdownPrivilege	1484	shift.exe
Token: SeCreatePagefilePrivilege	1484	shift.exe
Token: SeShutdownPrivilege	1484	shift.exe
Token: SeCreatePagefilePrivilege	1484	shift.exe
Token: SeShutdownPrivilege	1484	shift.exe
Token: SeCreatePagefilePrivilege	1484	shift.exe
Token: SeShutdownPrivilege	1484	shift.exe

Suspicious use of FindShellTrayWindow 19 IoCs

pid	Process
3312	shift-v9.3.3.1096-stable-x64.tmp
1484	shift.exe
1484	shift.exe
1484	shift.exe
1484	shift.exe
1484	shift.exe
1484	shift.exe
1484	shift.exe
1484	shift.exe
1484	shift.exe
1484	shift.exe
1484	shift.exe
1484	shift.exe
1484	shift.exe
1484	shift.exe
1484	shift.exe
1484	shift.exe
1484	shift.exe
1484	shift.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
1484	shift.exe
1484	shift.exe
1484	shift.exe
1484	shift.exe
1484	shift.exe
1484	shift.exe
1484	shift.exe
1484	shift.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4256 wrote to memory of 3312	4256	shift-v9.3.3.1096-stable-x64.exe	81
PID 4256 wrote to memory of 3312	4256	shift-v9.3.3.1096-stable-x64.exe	81
PID 4256 wrote to memory of 3312	4256	shift-v9.3.3.1096-stable-x64.exe	81
PID 3312 wrote to memory of 2352	3312	shift-v9.3.3.1096-stable-x64.tmp	82
PID 3312 wrote to memory of 2352	3312	shift-v9.3.3.1096-stable-x64.tmp	82
PID 3312 wrote to memory of 2352	3312	shift-v9.3.3.1096-stable-x64.tmp	82
PID 3312 wrote to memory of 1484	3312	shift-v9.3.3.1096-stable-x64.tmp	86
PID 3312 wrote to memory of 1484	3312	shift-v9.3.3.1096-stable-x64.tmp	86
PID 1484 wrote to memory of 3648	1484	shift.exe	87
PID 1484 wrote to memory of 3648	1484	shift.exe	87
PID 1484 wrote to memory of 2060	1484	shift.exe	88
PID 1484 wrote to memory of 2060	1484	shift.exe	88
PID 1484 wrote to memory of 2060	1484	shift.exe	88
PID 1484 wrote to memory of 2060	1484	shift.exe	88
PID 1484 wrote to memory of 2060	1484	shift.exe	88
PID 1484 wrote to memory of 2060	1484	shift.exe	88
PID 1484 wrote to memory of 2060	1484	shift.exe	88
PID 1484 wrote to memory of 2060	1484	shift.exe	88
PID 1484 wrote to memory of 2060	1484	shift.exe	88
PID 1484 wrote to memory of 2060	1484	shift.exe	88
PID 1484 wrote to memory of 2060	1484	shift.exe	88
PID 1484 wrote to memory of 2060	1484	shift.exe	88
PID 1484 wrote to memory of 2060	1484	shift.exe	88
PID 1484 wrote to memory of 2060	1484	shift.exe	88
PID 1484 wrote to memory of 2060	1484	shift.exe	88
PID 1484 wrote to memory of 2060	1484	shift.exe	88
PID 1484 wrote to memory of 2060	1484	shift.exe	88
PID 1484 wrote to memory of 2060	1484	shift.exe	88
PID 1484 wrote to memory of 2060	1484	shift.exe	88
PID 1484 wrote to memory of 2060	1484	shift.exe	88
PID 1484 wrote to memory of 2060	1484	shift.exe	88
PID 1484 wrote to memory of 2060	1484	shift.exe	88
PID 1484 wrote to memory of 2060	1484	shift.exe	88
PID 1484 wrote to memory of 2060	1484	shift.exe	88
PID 1484 wrote to memory of 2060	1484	shift.exe	88
PID 1484 wrote to memory of 2060	1484	shift.exe	88
PID 1484 wrote to memory of 2060	1484	shift.exe	88
PID 1484 wrote to memory of 2060	1484	shift.exe	88
PID 1484 wrote to memory of 2060	1484	shift.exe	88
PID 1484 wrote to memory of 2060	1484	shift.exe	88
PID 1484 wrote to memory of 700	1484	shift.exe	89
PID 1484 wrote to memory of 700	1484	shift.exe	89
PID 1484 wrote to memory of 4076	1484	shift.exe	90
PID 1484 wrote to memory of 4076	1484	shift.exe	90
PID 1484 wrote to memory of 4076	1484	shift.exe	90
PID 1484 wrote to memory of 4076	1484	shift.exe	90
PID 1484 wrote to memory of 4076	1484	shift.exe	90
PID 1484 wrote to memory of 4076	1484	shift.exe	90
PID 1484 wrote to memory of 4076	1484	shift.exe	90
PID 1484 wrote to memory of 4076	1484	shift.exe	90
PID 1484 wrote to memory of 4076	1484	shift.exe	90
PID 1484 wrote to memory of 4076	1484	shift.exe	90
PID 1484 wrote to memory of 4076	1484	shift.exe	90
PID 1484 wrote to memory of 4076	1484	shift.exe	90
PID 1484 wrote to memory of 4076	1484	shift.exe	90
PID 1484 wrote to memory of 4076	1484	shift.exe	90
PID 1484 wrote to memory of 4076	1484	shift.exe	90
PID 1484 wrote to memory of 4076	1484	shift.exe	90
PID 1484 wrote to memory of 4076	1484	shift.exe	90
PID 1484 wrote to memory of 4076	1484	shift.exe	90
PID 1484 wrote to memory of 4076	1484	shift.exe	90
PID 1484 wrote to memory of 4076	1484	shift.exe	90
PID 1484 wrote to memory of 4076	1484	shift.exe	90
PID 1484 wrote to memory of 4076	1484	shift.exe	90

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\shift-v9.3.3.1096-stable-x64.exe
"C:\Users\Admin\AppData\Local\Temp\shift-v9.3.3.1096-stable-x64.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4256
- C:\Users\Admin\AppData\Local\Temp\is-E1L6T.tmp\shift-v9.3.3.1096-stable-x64.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-E1L6T.tmp\shift-v9.3.3.1096-stable-x64.tmp" /SL5="$A0104,99835465,1308160,C:\Users\Admin\AppData\Local\Temp\shift-v9.3.3.1096-stable-x64.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3312
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /f /im shift.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2352
- - C:\Users\Admin\AppData\Local\Programs\Shift\shift.exe
    "C:\Users\Admin\AppData\Local\Programs\Shift\shift.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Checks system information in the registry
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1484
  - - C:\Users\Admin\AppData\Local\Programs\Shift\shift.exe
      C:\Users\Admin\AppData\Local\Programs\Shift\shift.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\ShiftData\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\ShiftData\User Data\Crashpad" --url=https://o1334372.ingest.sentry.io/api/6600693/minidump/?sentry_key=b4514b17378b4719b314ed378502c6b4 --annotation=plat=Win64 --annotation=prod=Shift --annotation=ver=9.3.3.1096 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff904a16760,0x7ff904a1676c,0x7ff904a16778
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3648
  - - C:\Users\Admin\AppData\Local\Programs\Shift\shift.exe
      "C:\Users\Admin\AppData\Local\Programs\Shift\shift.exe" --type=gpu-process --no-appcompat-clear --start-stack-profiler --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --running-vivaldi --mojo-platform-channel-handle=1844 --field-trial-handle=1848,i,3258079540947206937,17996024801809421253,262144 --variations-seed-version /prefetch:2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2060
  - - C:\Users\Admin\AppData\Local\Programs\Shift\shift.exe
      "C:\Users\Admin\AppData\Local\Programs\Shift\shift.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --running-vivaldi --service-sandbox-type=none --no-appcompat-clear --start-stack-profiler --mojo-platform-channel-handle=2072 --field-trial-handle=1848,i,3258079540947206937,17996024801809421253,262144 --variations-seed-version /prefetch:3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:700
  - - C:\Users\Admin\AppData\Local\Programs\Shift\shift.exe
      "C:\Users\Admin\AppData\Local\Programs\Shift\shift.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --running-vivaldi --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=2536 --field-trial-handle=1848,i,3258079540947206937,17996024801809421253,262144 --variations-seed-version /prefetch:8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4076
  - - C:\Users\Admin\AppData\Local\Programs\Shift\shift.exe
      "C:\Users\Admin\AppData\Local\Programs\Shift\shift.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --running-vivaldi --mojo-platform-channel-handle=2560 --field-trial-handle=1848,i,3258079540947206937,17996024801809421253,262144 --variations-seed-version /prefetch:1
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2152
  - - C:\Users\Admin\AppData\Local\Programs\Shift\shift.exe
      "C:\Users\Admin\AppData\Local\Programs\Shift\shift.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --running-vivaldi --mojo-platform-channel-handle=2676 --field-trial-handle=1848,i,3258079540947206937,17996024801809421253,262144 --variations-seed-version /prefetch:2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1080
  - - C:\Users\Admin\AppData\Local\Programs\Shift\shift.exe
      "C:\Users\Admin\AppData\Local\Programs\Shift\shift.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --running-vivaldi --mojo-platform-channel-handle=3480 --field-trial-handle=1848,i,3258079540947206937,17996024801809421253,262144 --variations-seed-version /prefetch:1
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3360
  - - C:\Users\Admin\AppData\Local\Programs\Shift\shift.exe
      "C:\Users\Admin\AppData\Local\Programs\Shift\shift.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --running-vivaldi --mojo-platform-channel-handle=3684 --field-trial-handle=1848,i,3258079540947206937,17996024801809421253,262144 --variations-seed-version /prefetch:2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1540
  - - C:\Users\Admin\AppData\Local\Programs\Shift\shift.exe
      "C:\Users\Admin\AppData\Local\Programs\Shift\shift.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --running-vivaldi --mojo-platform-channel-handle=3856 --field-trial-handle=1848,i,3258079540947206937,17996024801809421253,262144 --variations-seed-version /prefetch:2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1480
  - - C:\Users\Admin\AppData\Local\Programs\Shift\shift.exe
      "C:\Users\Admin\AppData\Local\Programs\Shift\shift.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --running-vivaldi --mojo-platform-channel-handle=4548 --field-trial-handle=1848,i,3258079540947206937,17996024801809421253,262144 --variations-seed-version /prefetch:1
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:736
  - - C:\Users\Admin\AppData\Local\Programs\Shift\shift.exe
      "C:\Users\Admin\AppData\Local\Programs\Shift\shift.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --running-vivaldi --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=5516 --field-trial-handle=1848,i,3258079540947206937,17996024801809421253,262144 --variations-seed-version /prefetch:8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4196
  - - C:\Users\Admin\AppData\Local\Programs\Shift\update_notifier.exe
      "C:\Users\Admin\AppData\Local\Programs\Shift\update_notifier.exe" --is-enabled
      4⤵
      Executes dropped EXE
      PID:4764
  - - C:\Users\Admin\AppData\Local\Programs\Shift\shift.exe
      "C:\Users\Admin\AppData\Local\Programs\Shift\shift.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --running-vivaldi --mojo-platform-channel-handle=3888 --field-trial-handle=1848,i,3258079540947206937,17996024801809421253,262144 --variations-seed-version /prefetch:1
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4152
  - - C:\Users\Admin\AppData\Local\Programs\Shift\shift.exe
      "C:\Users\Admin\AppData\Local\Programs\Shift\shift.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=en-US --running-vivaldi --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=3912 --field-trial-handle=1848,i,3258079540947206937,17996024801809421253,262144 --variations-seed-version /prefetch:8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3284
  - - C:\Users\Admin\AppData\Local\Programs\Shift\shift.exe
      "C:\Users\Admin\AppData\Local\Programs\Shift\shift.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=en-US --running-vivaldi --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=5992 --field-trial-handle=1848,i,3258079540947206937,17996024801809421253,262144 --variations-seed-version /prefetch:8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1524
  - - C:\Users\Admin\AppData\Local\Programs\Shift\shift.exe
      "C:\Users\Admin\AppData\Local\Programs\Shift\shift.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --running-vivaldi --mojo-platform-channel-handle=3708 --field-trial-handle=1848,i,3258079540947206937,17996024801809421253,262144 --variations-seed-version /prefetch:1
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1840
  - - C:\Users\Admin\AppData\Local\Programs\Shift\shift.exe
      "C:\Users\Admin\AppData\Local\Programs\Shift\shift.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --running-vivaldi --service-sandbox-type=audio --no-appcompat-clear --mojo-platform-channel-handle=6000 --field-trial-handle=1848,i,3258079540947206937,17996024801809421253,262144 --variations-seed-version /prefetch:8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1380
  - - C:\Users\Admin\AppData\Local\Programs\Shift\shift.exe
      "C:\Users\Admin\AppData\Local\Programs\Shift\shift.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --running-vivaldi --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=6036 --field-trial-handle=1848,i,3258079540947206937,17996024801809421253,262144 --variations-seed-version /prefetch:8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies registry class
      PID:2964

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Programs\Shift\9.3.3.1096\MEIPreload\manifest.json

Filesize
238B

MD5
442699c95b20a60470421c6a4d29960f

SHA1
c7317f2d2414c991c21205ba3c68a187b997e3c1

SHA256
44844cf3dde6e80087ae0e6bf0d9326d7ef7d23326d24ac83af0850be26923d2

SHA512
c89cf089f7feeb80c6ded11f1fce84287abe8216a6e05723d1a7faf567c501c043cd1246ff8dbee1240d2d79c41b698ef4cc3459589e68e5bfc5bed7fc3a150b

Download Submit
C:\Users\Admin\AppData\Local\Programs\Shift\9.3.3.1096\MEIPreload\preloaded_data.pb

Filesize
8KB

MD5
d5e4c2634eff8a9b3faf432bf406d6d1

SHA1
a691f5c9877079193c1f7dfb16dbc30bb0372ec9

SHA256
c6070a157b4e28d16fbccbd233e93846ddb070c85e1a1bc64469b7a5f1424fad

SHA512
b264e28ac8f111df01c553445aadc7bcdb3f32a38a1a19d3f9d458270dfeaf80efa7144407bd999892022af9dde9dbf8a0e19e7212720e1c6511ea9125afb166

Download Submit
C:\Users\Admin\AppData\Local\Programs\Shift\9.3.3.1096\d3dcompiler_47.dll

Filesize
4.7MB

MD5
03a60a6652caf4f49ea5912ce4e1b33c

SHA1
a0d949d4af7b1048dc55e39d1d1260a1e0660c4f

SHA256
b23e7b820ed5c6ea7dcd77817e2cd79f1cec9561d457172287ee634a8bd658c3

SHA512
6711d40d171ea200c92d062226a69f33eb41e9232d74291ef6f0202de73cf4dc54fbdd769104d2bb3e89dc2d81f2f2f3479e4258a5d6a54c545e56b07746b4c4

Download Submit
C:\Users\Admin\AppData\Local\Programs\Shift\9.3.3.1096\icudtl.dat

Filesize
10.2MB

MD5
e0f1ad85c0933ecce2e003a2c59ae726

SHA1
a8539fc5a233558edfa264a34f7af6187c3f0d4f

SHA256
f5170aa2b388d23bebf98784dd488a9bcb741470384a6a9a8d7a2638d768defb

SHA512
714ed5ae44dfa4812081b8de42401197c235a4fa05206597f4c7b4170dd37e8360cc75d176399b735c9aec200f5b7d5c81c07b9ab58cbca8dc08861c6814fb28

Download Submit
C:\Users\Admin\AppData\Local\Programs\Shift\9.3.3.1096\libEGL.dll

Filesize
442KB

MD5
f3cd15c0038981b5b6274ac38ab6c871

SHA1
104741775f93131e128ad641e50bae2bc86788ea

SHA256
b519b9fd4f317af50c3f5283d708965926244eeb94daa4422e7c2fa978049c3a

SHA512
083c15da64250aaf130deac8a21a5aa0abc04a2560a9ba963347604bbbb7ccf21980fd997545a6411d2fc045403d313c3b2d7a471a2fb5b1d44ed30368d06dcd

Download Submit
C:\Users\Admin\AppData\Local\Programs\Shift\9.3.3.1096\libGLESv2.dll

Filesize
7.4MB

MD5
dac6690cae834ced8bcbfae0a0dc88e9

SHA1
bd3ddc077a824f2ebea45443cc6f31325b3148d7

SHA256
9e912da1bdc8374bfa64c4d05a5bd851e900769959fdc5af623ea2a78c09fc05

SHA512
a8984b9fe23a5dd5e6a24c1979025da63642cd0846481c33e4272d16831429acfa429d10943cd6252f750e0e4ce647b531315902accf9fb93f38e4491e9201a9

Download Submit
C:\Users\Admin\AppData\Local\Programs\Shift\9.3.3.1096\locales\en-US.pak

Filesize
393KB

MD5
9dce3872121cbf64c533b5393b4f211d

SHA1
391e9f77915a5bb5bff402b930008dac9b58195b

SHA256
c48f2153da09f2efb4ac0ed70307cb01bfa4f94314bbeca926f58ec97f816ee7

SHA512
69108e5a2ce0be7ee1aabbd095509fe443fcfe5af7d3ca8e9fe677a3057607f9f5d884e90e381d0a241f5f9e946acba81211dd3900c0fc83937a5d1a82316a89

Download Submit
C:\Users\Admin\AppData\Local\Programs\Shift\9.3.3.1096\locales\is-AMS80.tmp

Filesize
438KB

MD5
9bd230cdd8aaaddca40f997b17463a57

SHA1
647f42930972b46d30db840c0d45ebd17fc85fa1

SHA256
fa8aedcbe669f3bb1dac81098fc1ea41f73246309a7e523d2325ed8ff4a082ba

SHA512
0da72f044ce96fa12f2f84890b812b704a34942c036d063f39b01d55bac86256ea9bb8a4ccda54772a019cae83ca33c9c9986810513941a216f97ef37c5c9f25

Download Submit
C:\Users\Admin\AppData\Local\Programs\Shift\9.3.3.1096\locales\is-IRO24.tmp

Filesize
1.1MB

MD5
7f6ca0ee84c41f883871dbc4e1b62c37

SHA1
8a8b90bc1aa6e34d8d949493d9067da03170669a

SHA256
da2cde0831b10690a21076d15a5e62866ac836580cff460986769e099ca4c959

SHA512
49f4b2e8ee3889c1eb9e9a16edab2e4e8dbb0c625fd94c39a326649f064f4de7af9d78f229f06c658ea13d7039c97cea2b22b51350aebdc6176e1134609a0f57

Download Submit
C:\Users\Admin\AppData\Local\Programs\Shift\9.3.3.1096\locales\is-R8QND.tmp

Filesize
1.1MB

MD5
6ecd072c5340b2cfa1c1c7a7a87cf3ed

SHA1
cc1df223936e7d12817c3e473d0478b8107099b7

SHA256
1157f38e295b5cee016dd18f998421435446c444f14577be02ac50963d581b35

SHA512
46bce51daf26ece1621df5925c5a81c6b0f076cbdc68ea39a8498e067c8358690db58cb9b2c2952146f22069f1157be6186e98f88e6945513a215735cdcb5492

Download Submit
C:\Users\Admin\AppData\Local\Programs\Shift\9.3.3.1096\resources.pak

Filesize
7.9MB

MD5
23ac924e466e78d9733a32e5b7c1e068

SHA1
18ad907772bb1ecb168592b94c4375e41e1a651d

SHA256
14443d317296dc0fa317c0529856197e6b17a24c5799bc2f212e86b63661f394

SHA512
fffece8bcc7f7660abaf27129685ba462b457279853c18968476c34c7b420dec9b4c9f04dbaa7e84c8cdb4d3f402e1608acf6f5c93c9154d79655b47824f9c78

Download Submit
C:\Users\Admin\AppData\Local\Programs\Shift\9.3.3.1096\resources\shift\background.js

Filesize
2KB

MD5
1f5f67749e9336089e904833d28790f9

SHA1
d6c6d446bc154d569f2706fb0f1ef73f807c1b53

SHA256
f4537f7c6908e6fc3af3f5d2452c98df9d32b37885ea11ff4007d674caa05a57

SHA512
0b0926878204da3c61293f61b6ab5c2b0c55be83f7b147d9ca2d161e6fd573b638685a4f45ae732a8cdf02b177bdeee8dfa3513692d100b46cbd6471015d973c

Download Submit
C:\Users\Admin\AppData\Local\Programs\Shift\9.3.3.1096\resources\shift\browser.html

Filesize
378B

MD5
bddc4d2baba718e245b396a781aab740

SHA1
bc434ede328b71cccfde4f0fb909149b3a92746a

SHA256
16b0def798f5eb333728712addd6a13fd6ce325a575cc27d626378f51235da8b

SHA512
86b9879d3732ca20fcd2bc8bf0f3879dfadef013f6a417c323b97b0c56ff298d10d3e927fd75da02eb82791f4a6bd85209c4e549d1fea88d03a01d72cdaa2106

Download Submit
C:\Users\Admin\AppData\Local\Programs\Shift\9.3.3.1096\resources\shift\menus\mainmenu.json

Filesize
21KB

MD5
ef1fbe654c1af7216c7107a57fafef88

SHA1
c4c5781b7da9b222791e45115765662e439561d8

SHA256
ba6938a42abd7d04f608fef6a22524d093adadec04aaa1b350a3a92e893f2936

SHA512
437f40bc5dbadd3eaec3d247c663100315c20c95352a0c7d2e537e9001aa373c29f69dfabff1213f0115a1ddc0fd95da85fc5a2e26c86942f8d2a3cf55f9263f

Download Submit
C:\Users\Admin\AppData\Local\Programs\Shift\9.3.3.1096\resources\shift\prefs_definitions.json

Filesize
135KB

MD5
73e220cd65c08e4bec655e5deba6b97f

SHA1
61b83f1ee83f4a0b440456b75c9bb8ae92c2e56e

SHA256
1dd6241b4f5bacb88f62edb75e1236fc7dd07b787a2bb02121b7844123e519df

SHA512
d9d12d445738780b90163c59d652fe30c5fec291094d0be0e295d490544db45241e3fb1cdddb55d3572a6927ebdad0321064cc533a121c822525fca90c9cccf3

Download Submit
C:\Users\Admin\AppData\Local\Programs\Shift\9.3.3.1096\resources\shift\preloader.js

Filesize
1.3MB

MD5
bf1653578f8b9bd54591c8051be1416e

SHA1
a29b232a0e43141a612d2acd33d688021227969d

SHA256
6192e590a99279aa4152d91987a2e3308bd1c8eb65f8547e782f8c2a67bee110

SHA512
e2a064d89d51742a479ff71b4de4681862c22525d8cf9a315ee5662e99d70df9756f9690d9dcec1a07b426a57332dd16c82d0e3a533afe755ee15d8064f2e9e1

Download Submit
C:\Users\Admin\AppData\Local\Programs\Shift\9.3.3.1096\resources\shift\ultra\browser.js

Filesize
3.1MB

MD5
e9a3785f255a46550af04b2343d59cf6

SHA1
d27bfda0962b25e37a7e5ac604bb1d4305a16c24

SHA256
e83871129a9ac119a3dfe2f7204a1cad20e3141733bf48bc4f1b54856c3b3da9

SHA512
18ac58849cb2c7c0231f875d9cbc622f69928d526ff32524ad63c9fee3fd595c41ad66f9e3ddd8b18ddb4cca211d40b3f5428c28556fecc1f3b1bb4a139fa720

Download Submit
C:\Users\Admin\AppData\Local\Programs\Shift\9.3.3.1096\resources\shift\ultra\workers\history-index.js

Filesize
95KB

MD5
5de659329617b1bb0583ef821190e381

SHA1
15857aebb7d25e37b93deccaa35dd0f6939f79a2

SHA256
8cf83e1e50b029821fe990af240b4338c1bd4028e375689fb22b0f8064b13cb2

SHA512
c605dc8a8d466f88656678eddb8f7ed3db1155700423b35bd9a2198890386158ca9e962d06913615759cfa69c0aa792e01ccc68026c89d78951afee60ea081cb

Download Submit
C:\Users\Admin\AppData\Local\Programs\Shift\9.3.3.1096\resources\shift\web-accessible\ultra\chrome-webui-overrides\is-LUKLV.tmp

Filesize
2KB

MD5
1bdd0976ceeae575317fc88d8a244376

SHA1
f04e15974bd1f273908966f5d0449c14213e0913

SHA256
0e768b4df353fab9a5fba3d9dbb89c4d0e33322dbc3e18137105e731c0717d8f

SHA512
3394b0d95163bc4dd46d9a2aea0fafeddbab70973c373f18c555051a06d288503aafab137b10b15ef077602bdc38c0ed03a9fc0b9aba4ec815f01719a737ff31

Download Submit
C:\Users\Admin\AppData\Local\Programs\Shift\9.3.3.1096\resources\shift\web-accessible\ultra\images\is-89CF1.tmp

Filesize
10KB

MD5
3a6c97e62a208474a6aa13d19d6a321e

SHA1
ba42fb3908e32fb2561a4739afb09976d78d263a

SHA256
9e54e0678485281053cb5db735dac1f0b5f04e80b0c137daf5f11a49984aa590

SHA512
eb97bae85fc816d5014789a9366a2eba4e00920ea6a5774ad42f1993201c96889ed60b7ec769ad94b11efe86a433bbdb13124f989c22022332e84cfd4a5d586c

Download Submit
C:\Users\Admin\AppData\Local\Programs\Shift\9.3.3.1096\shift_100_percent.pak

Filesize
1.7MB

MD5
795cbf235d88c96ca9257fe823fb3a2c

SHA1
0cb48b46af99d3778fb886f85c8d5a630899b472

SHA256
94d03641a1f3ddab576a96463554ae59eac504c05e913f455655f40f0811cb2e

SHA512
8df12ef3e377239e560fdc88f8023a3839d65a646d1f15b82e58f17afeace6ff8f8ab975258a6f3595f64ffcc87f3a5f04868897a9efe8829dee7e4ddf64d4bc

Download Submit
C:\Users\Admin\AppData\Local\Programs\Shift\9.3.3.1096\shift_200_percent.pak

Filesize
2.2MB

MD5
0ee304322cd9c5c984a05d2c1803c2ea

SHA1
8301ad5eab446456c7a6c980660a2c799e1970ba

SHA256
046f12b4010c8b4fb1a5c01dd5e2840cd033d659e924d60ee22862d270884087

SHA512
abdd766b1945fbf34b1ba2314f841798e9ab69fbc4edd84cda0abd9d7a0179ba86c5a4ce7bb00cc713b589108ea23d4c8792fb366c2a9ee21fc7396d194ae4b7

Download Submit
C:\Users\Admin\AppData\Local\Programs\Shift\9.3.3.1096\shift_elf.dll

Filesize
1.1MB

MD5
bde5e49418aab74215c9b494695346ca

SHA1
1db66bec87011d556bdbfb56d216ee99af35557b

SHA256
bf986c2ac693932d52fb6ad31e55a27120f5f22ae74ffa8360a47f46d09181c5

SHA512
a3355f2ceaab0bfe4986bf73b44545ba09a76b3dd8d49f1c43fac58c17b4c987a13e7e5f9fefc1479d6b69c29f24a85d515a155e14693b67136bc44cbce29f84

Download Submit
C:\Users\Admin\AppData\Local\Programs\Shift\9.3.3.1096\v8_context_snapshot.bin

Filesize
663KB

MD5
2c80c5d20ad5cb6d738e18baab6964f1

SHA1
b8c77170ae53f416b4fc426a61c209a09ae3c528

SHA256
5f2e9d5fe86c66166216fe6d15527face8e0868b49a21070fbee6e69aee2faf5

SHA512
36b66ea676f61042710e42f2edb15086e99758b10532690b4b3d34a18313406f20e8dca07f7db1ce5643ed385cb801d63cbbd559bf446440452452cfcbaf36db

Download Submit
C:\Users\Admin\AppData\Local\Programs\Shift\shift.exe

Filesize
2.5MB

MD5
24e3f007fa680a8eafb1328472fc972c

SHA1
9173618df5aa881a5d966620e596eaa136baad2d

SHA256
660a5c5b8621f3f6ec5e7af5e1522002a4666ab51a8d4a31c6922134added4de

SHA512
8b8ab7ca53a11d81e512ef89db7b5572a08ca97cc7f18ae88fe512e6f2bc275c5ae86e1550cd01f2ef2b14ac7d5620b8a43592a753c1b42117e14123ca3cc17f

Download Submit
C:\Users\Admin\AppData\Local\Programs\Shift\update_notifier.exe

Filesize
3.5MB

MD5
276aa41ecfdf87e5c57e3aa02319c525

SHA1
0fe028066573e33767e2bb92626160ff17fa2a18

SHA256
cada98ce02fcafaf27c1944e1bd2156e5e09fe33dacfc5ad423f9b53b7aba8a4

SHA512
e12040c88a010a800101a3ae650e8b70259f0c6209650015e218148912587b0f389fb3c353d90a027ed01577dde7b559abbe29d27143faf2df7b9bc8fef9d893

Download Submit
C:\Users\Admin\AppData\Local\ShiftData\User Data\Default\5cee8f77-ea06-4cae-961f-f77c89d9894c.tmp

Filesize
185KB

MD5
dec9afa8a868c4c87d033d79030823ff

SHA1
48eb041b03c67bad86e52a44d3b22e8443af103a

SHA256
40006199d0018e569abb826910132711381354f24ee138e8ad3d4b84fb45c492

SHA512
e023737c629ca11af3a8100d6047a749f0dc9646d977705b1ac00aa8de1cb00f30d025b9626bd443e195050867cde16d45706eb9b23346df6ec7d2320eb684e6

Download Submit
C:\Users\Admin\AppData\Local\ShiftData\User Data\Default\Cache\Cache_Data\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\ShiftData\User Data\Default\Cache\Cache_Data\data_3

Filesize
4.0MB

MD5
27065830e450c18d3fa13d736f73d867

SHA1
c14aee47987578d3b17e24fb143cb7e034f7cc8a

SHA256
c226027b065a2dd1b4b39420283df562d0e3230585922cbee2b96d1a7777033a

SHA512
15caf639cb69e652986d7c1054b939df35e9d093d0924e47fb4441f09f973c3f571abafbdd2984d2b7afff41a17d387d9162493ffd62439ea1657494960b394f

Download Submit
C:\Users\Admin\AppData\Local\ShiftData\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
ca9c6bb537e74a2eb3c740f861fc20a7

SHA1
647c2010011cad037da866845da3e25e8f55a264

SHA256
295dbc86eb490f521794bfe35df89cd76663b0bb1d711e6ed03615c285bad035

SHA512
b68cb32ff345c197a50e371bec39a79ebdae4ad7c064715d37e6c8027b64d689db0109e6e19116e08ed3ecd24e82c87e47513e6396930fcf7c786ee844bbd56a

Download Submit
C:\Users\Admin\AppData\Local\ShiftData\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
312B

MD5
181c5f75c8e81eb6eeb08c287b427f6e

SHA1
bc8a6c8a3046ae6e1dcbabe53610ff88e3c3912d

SHA256
d0120ee31a3eff3a106639b2046efcf10b43e57fb1728b776dec76ff5aec5262

SHA512
78ca51c8fe4b4d5d2cefab264c50ccc589cbd1b4533686967dc940874829995053bada541e42c774d9e8aa696052bb8376bbd513a74ed65b5f8c40a2e9289eb5

Download Submit
C:\Users\Admin\AppData\Local\ShiftData\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\ShiftData\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
7af36d68625504a7ba47d26ec35849fd

SHA1
99287de586b48a2e36806750b67ca32287268207

SHA256
55de1f02dfcfdb857dfefabe7e76b1fa97adc697099f428c25d7b0e45668a720

SHA512
ccceb737e909206b7d3a5182617e4feb49b62d3266a3be609a615900f2600a01427567644218ec326e81f525d2adfcdc1b4f00cb5610326b9567e2d71778e8ec

Download Submit
C:\Users\Admin\AppData\Local\ShiftData\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
e950f0d86b73d6120cdb896f93e96972

SHA1
cd44eb0dac93bab26260b7d47712cba772f03f7a

SHA256
07fcb80f7504ea22700da9d082fd9353106eeafc6a16976821fb009bf94e8001

SHA512
fa84ea6379e2a201025867ceed4a93e57015c56bbd8094ec143689b794bf5812fb1ea71ce7dec9118ece9d66285349521e1d5452ccac1237a8b10a0a9b58a575

Download Submit
C:\Users\Admin\AppData\Local\ShiftData\User Data\Default\Network\TransportSecurity~RFe58a65d.TMP

Filesize
356B

MD5
39b41401db206ea24d037e357d4d2184

SHA1
88c1a96fe267437080c83421b4314519a69721e0

SHA256
580e8aca63708c13dbf0b4a135a89e0324d51da7fbc5403b2e1b3994be1803e2

SHA512
ab7c3e33fe734e94d75bafe7aeadda5494283ce94d3deaaf8a293a1bbf17ec3a98bd95cb49154ca849f0fa15ddfdbde50030e22e30c68ccf68c4d4767efce139

Download Submit
C:\Users\Admin\AppData\Local\ShiftData\User Data\Default\Preferences

Filesize
6KB

MD5
e5355a44edd509087866b3e557f2d8fa

SHA1
3e1bb99b044d09766c76c26bb01e5432c40db2dc

SHA256
ead11dbf851fd8c759d1be5af2afe59dcfa313215405e17e5beba443973052bc

SHA512
a44e4d12b1b650c75f36f0ada4ff85a848aecaf5ff63051381e796a069cfecca9d51d39ca5295a24e4a6f199305299f266a5b184c07e6dc637daf8e542a17bd1

Download Submit
C:\Users\Admin\AppData\Local\ShiftData\User Data\Default\Preferences~RFe589a37.TMP

Filesize
6KB

MD5
dac997199d65c3f84baaece8c15ab56c

SHA1
0d9a7668d96f54fbe0ae4586ea951907285aac8e

SHA256
3295ab3e92547bfb60f9430d9b078d1023f51aa4215128bc3d1055f5a10a4527

SHA512
3ae91b5efe91d902a3101fa8b98692057132750a279fd10410bf82777f6c92d4d5551e3470dcba64666458c008016d76367d125c3ff1b4c7bcd2928683bcffa7

Download Submit
C:\Users\Admin\AppData\Local\ShiftData\User Data\Default\Site Characteristics Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\ShiftData\User Data\Default\Storage\ext\pgdnofojngdmpiicpfbnemlccmhgcgfg\def\Code Cache\wasm\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\ShiftData\User Data\Default\Storage\ext\pgdnofojngdmpiicpfbnemlccmhgcgfg\def\DawnCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\ShiftData\User Data\Default\Storage\ext\pgdnofojngdmpiicpfbnemlccmhgcgfg\def\Network\TransportSecurity

Filesize
522B

MD5
ce5f2bc14774b5771befaa4b9a78e243

SHA1
1ea45ff4ffadf02e2ed18aab8606e93360359077

SHA256
7ff367532577f2542cd2ffac76e04cd06b9e1ac619719cdda0b2644761cb5b7f

SHA512
7bfd73d4581b811263cd19ecc832a0c1a707a2aa691e5c13bdd3d921bddc7752d934ae4f981a6cc4913a89828ec533d0ca73a6cea35263e0f0c152452c469ff0

Download Submit
C:\Users\Admin\AppData\Local\ShiftData\User Data\Default\Storage\ext\pgdnofojngdmpiicpfbnemlccmhgcgfg\def\Network\TransportSecurity~RFe58a728.TMP

Filesize
522B

MD5
aae961da85a9f078121e2eaf99d4614a

SHA1
3ac76084f3870d6f6156be43483d471eaa40f2e9

SHA256
1e14e10a3c8b1136a9154d4c99697aaa8e3f5d4421efc13da97ccd76fea79e62

SHA512
96ba08554bad00b44449e78385b75eeb26ecadc68d2d517cf8d154951075b698262307f37fda1cfbde3f2fc66ed798c2b7197f5aae69d8925c57d07848106c5c

Download Submit
C:\Users\Admin\AppData\Local\ShiftData\User Data\Default\Sync Data\LevelDB\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\ShiftData\User Data\GrShaderCache\data_1

Filesize
264KB

MD5
d0d388f3865d0523e451d6ba0be34cc4

SHA1
8571c6a52aacc2747c048e3419e5657b74612995

SHA256
902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b

SHA512
376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

Download Submit
C:\Users\Admin\AppData\Local\ShiftData\User Data\Local State

Filesize
3KB

MD5
ba3d810db0130fb0bd8c661d4981885c

SHA1
16b07572647e8f78d9063776d27f4f643e93200e

SHA256
5b0f2c1c5671ca653503e030de97c2ebcee189e6c25fe5a9061b5f03c1afd8f3

SHA512
6f5a7006651a07c25669d694f5b9371dd06153ebd7ed2f2ffdb556015658a32face8d577c961da75462a7b416ac21427a689cd8a05bc5335bfa35ef09a1910b1

Download Submit
C:\Users\Admin\AppData\Local\ShiftData\User Data\Local State

Filesize
3KB

MD5
f95c2b1b217d3a86bd977ccf4dee15e1

SHA1
ed8c9be2f9121db66184363740c262c3289505ed

SHA256
98ea8fd861e71ea8d62ee5903f574c767d5ea610458293368bd1971f8b35335f

SHA512
dbcac421f20654840534854f396ce6cadfa353518bcbe24b82fe50c5602b2dfbaf7d2b3b91ac644d0873a381d352db0ce1b9e55c00fdd7c0eb94b8e8cb4a6932

Download Submit
C:\Users\Admin\AppData\Local\ShiftData\User Data\Local State~RFe5824aa.TMP

Filesize
926B

MD5
fac94da0665a5d2900f4d7cbbf6f8168

SHA1
0f0244b479070434a19c9b1c6ff6735ceec6f6a0

SHA256
7b6e7c7cee071552e3f1ab73abc0e65c740a9deed6549e2d85e7472c058d2925

SHA512
6623703e3cbba716506fd573de6ba1438e9f0a68ce2501672f10c168880c099b277cdaef3a0b4364630038ffcf814d40b73997e51bff1dba43315e4598ab321f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-E1L6T.tmp\shift-v9.3.3.1096-stable-x64.tmp

Filesize
3.5MB

MD5
7bfc0dcb655d63e89a7a440c7a3c23f4

SHA1
5c6d06bab0d6100cb5c94a150b4886ede41701e8

SHA256
1226758c3dca3354f55ec63805546adde4a24e3bf67743c988a155eb64200f00

SHA512
7c8f8e582f6ca26bc03651c95877df1072042dba788fcccff61f3b46dafd3e9aff04a55124c727789343ad4ce1b1cd75fb9bd545faa1f9c0e9246f880eeaf9fe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Shift.lnk

Filesize
1KB

MD5
6acd18018b7c86e91d2d4b6b9463809e

SHA1
ed574029d53b118c42d5808a78e6f4f3aaa185d9

SHA256
b5c522b0f8689ea5153bdd331a86fac9567442376e39928e41026dd8b42cadaf

SHA512
520efb8780ced4cec5ddda89fec7ccebabca9345d9d786a3ff6fbbe339035e81a2c275a3b96b7a190cd9be85447f8a63f28c62814beec1c7b13ef2bc9bfbbe8d

Download Submit
memory/736-1508-0x000001954B1B0000-0x000001954B21F000-memory.dmp

Filesize
444KB

Download
memory/1080-1498-0x00000259A2360000-0x00000259A23CF000-memory.dmp

Filesize
444KB

Download
memory/1380-1616-0x0000016D5AC40000-0x0000016D5ACAF000-memory.dmp

Filesize
444KB

Download
memory/1480-1501-0x000001BE5A550000-0x000001BE5A5BF000-memory.dmp

Filesize
444KB

Download
memory/1540-1500-0x00000266EF8F0000-0x00000266EF95F000-memory.dmp

Filesize
444KB

Download
memory/1840-1615-0x0000020035850000-0x00000200358BF000-memory.dmp

Filesize
444KB

Download
memory/2060-1494-0x0000015F4F070000-0x0000015F4F0DF000-memory.dmp

Filesize
444KB

Download
memory/2060-1157-0x00007FF924900000-0x00007FF924901000-memory.dmp

Filesize
4KB

Download
memory/2152-1497-0x00000241445E0000-0x000002414464F000-memory.dmp

Filesize
444KB

Download
memory/3312-6-0x0000000000400000-0x0000000000788000-memory.dmp

Filesize
3.5MB

Download
memory/3312-615-0x0000000000400000-0x0000000000788000-memory.dmp

Filesize
3.5MB

Download
memory/3312-1131-0x0000000000400000-0x0000000000788000-memory.dmp

Filesize
3.5MB

Download
memory/3312-10-0x0000000000400000-0x0000000000788000-memory.dmp

Filesize
3.5MB

Download
memory/3360-1499-0x00000179A5600000-0x00000179A566F000-memory.dmp

Filesize
444KB

Download
memory/4076-1496-0x000001EEDB720000-0x000001EEDB751000-memory.dmp

Filesize
196KB

Download
memory/4076-1495-0x000001EED99B0000-0x000001EED9A1F000-memory.dmp

Filesize
444KB

Download
memory/4076-1193-0x00007FF924440000-0x00007FF924441000-memory.dmp

Filesize
4KB

Download
memory/4076-1194-0x00007FF923D40000-0x00007FF923D41000-memory.dmp

Filesize
4KB

Download
memory/4152-1614-0x000001F8D2E10000-0x000001F8D2E7F000-memory.dmp

Filesize
444KB

Download
memory/4256-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/4256-0-0x0000000000400000-0x000000000054D000-memory.dmp

Filesize
1.3MB

Download
memory/4256-1132-0x0000000000400000-0x000000000054D000-memory.dmp

Filesize
1.3MB

Download
memory/4256-8-0x0000000000400000-0x000000000054D000-memory.dmp

Filesize
1.3MB

Download