File name: Shift_pishi3.exe

Full analysis: https://app.any.run/tasks/687a0f3a-3e6c-40d6-8f30-739219d2b8e7
Verdict: Malicious activity
Threats:

Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.

Analysis date: August 12, 2025, 14:06:23
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
delphi
inno
installer
adware
innosetup
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 10 sections
MD5: AF15C569D09BB8AD9C3083DAAB9524EB
SHA1: D9BC811B452F935A35C0CBBE06911019D3C53512
SHA256: CB845E4AA0EB8954064EC006C6B87162F2A3FF56D2BEE3867552FBDC1F98932C
SSDEEP: 98304:0+cD4dnHwICNdt3ucWs5h77G64oLXsQpZX5vEVpyQn6hHzwOeNO4SPvsm6Puq/Gz:yaBI

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • Shift_pishi3.exe (PID: 2228)
      • Shift_pishi3.tmp (PID: 6128)
    • Reads the Windows owner or organization settings

      • Shift_pishi3.tmp (PID: 6128)
    • There is functionality for taking screenshot (YARA)

      • Shift_pishi3.tmp (PID: 6128)
  • INFO

    • Checks supported languages

      • Shift_pishi3.exe (PID: 2228)
      • Shift_pishi3.tmp (PID: 6128)
    • Create files in a temporary directory

      • Shift_pishi3.exe (PID: 2228)
      • Shift_pishi3.tmp (PID: 6128)
    • Reads the computer name

      • Shift_pishi3.tmp (PID: 6128)
    • Reads the software policy settings

      • Shift_pishi3.tmp (PID: 6128)
      • slui.exe (PID: 2384)
    • Reads the machine GUID from the registry

      • Shift_pishi3.tmp (PID: 6128)
    • Compiled with Borland Delphi (YARA)

      • Shift_pishi3.exe (PID: 2228)
      • Shift_pishi3.tmp (PID: 6128)
    • Detects InnoSetup installer (YARA)

      • Shift_pishi3.tmp (PID: 6128)
      • Shift_pishi3.exe (PID: 2228)
    • Checks proxy server information

      • Shift_pishi3.tmp (PID: 6128)
      • slui.exe (PID: 2384)
No Malware configuration.

TRiD

.exe | Inno Setup installer (67.7)
.exe | Win32 EXE PECompact compressed (generic) (25.6)
.exe | Win32 Executable (generic) (2.7)
.exe | Win16/32 Executable Delphi generic (1.2)
.exe | Generic Win/DOS Executable (1.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:02:15 14:54:16+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 741888
InitializedDataSize: 421888
UninitializedDataSize: -
EntryPoint: 0xb5eec
OSVersion: 6.1
ImageVersion: 6
SubsystemVersion: 6.1
Subsystem: Windows GUI
FileVersionNumber: 135.2.0.0
ProductVersionNumber: 135.2.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName: Shift Technologies, Inc.
FileDescription: Shift Browser Setup
FileVersion: 135.2.0
LegalCopyright: Copyright Shift Technologies, Inc.. All rights reserved.
OriginalFileName:
ProductName: Shift Browser
ProductVersion: 135.2.0
No data.
Total processes: 136
Monitored processes: 3
Malicious processes: 0
Suspicious processes: 2

Behavior graph

start shift_pishi3.exe shift_pishi3.tmp slui.exe

Process information

PID: 2228
CMD: "C:\Users\admin\Desktop\Shift_pishi3.exe"
Path: C:\Users\admin\Desktop\Shift_pishi3.exe
Parent process: explorer.exe
User:
admin
Company:
Shift Technologies, Inc.
Integrity Level:
MEDIUM
Description:
Shift Browser Setup
Version:
135.2.0
Modules
Images
c:\users\admin\desktop\shift_pishi3.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comctl32.dll
PID: 2384
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 6128
CMD: "C:\Users\admin\AppData\Local\Temp\is-LGOTQ.tmp\Shift_pishi3.tmp" /SL5="$B033C,1545339,1164800,C:\Users\admin\Desktop\Shift_pishi3.exe"
Path: C:\Users\admin\AppData\Local\Temp\is-LGOTQ.tmp\Shift_pishi3.tmp
Parent process: Shift_pishi3.exe
User:
admin
Company:
Shift Technologies, Inc.
Integrity Level:
MEDIUM
Description:
Setup/Uninstall
Version:
51.1052.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-lgotq.tmp\shift_pishi3.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comdlg32.dll
Total events: 7 171
Read events: 7 171
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 3
Suspicious files: 0
Text files: 15
Unknown types: 0

Dropped files

PID | Process | Filename | Type
6128 | Shift_pishi3.tmp | C:\Users\admin\AppData\Local\Temp\is-8T00V.tmp\is-PK7GM.tmp | -
MD5: -
SHA256: -
2228 | Shift_pishi3.exe | C:\Users\admin\AppData\Local\Temp\is-LGOTQ.tmp\Shift_pishi3.tmp | executable
MD5: AF9A776F48F6E0B7A3D29078D1A0BCC1
SHA256: 809370BBF361A7B7E3D54635A54622183F3001E68A7E0DE6193F5A3D30E78A61
6128 | Shift_pishi3.tmp | C:\Users\admin\AppData\Local\Temp\is-8T00V.tmp\exit-pressed.bmp | image
MD5: 53178FD9661AE74BBFA7A562653A7773
SHA256: FFE6D8F0EA0ACB8660389C9E7F399133BC570803789638AA884AE2F247D8BF10
6128 | Shift_pishi3.tmp | C:\Users\admin\AppData\Local\Temp\is-8T00V.tmp\min-10-light.png | image
MD5: 2257B1D0D33A41F509E7C3E117819F8B
SHA256: D43E4B285B5B54313B53E87D2A56CA9BA0C85F8F55C9C5FDCDB4FAC815FF4D02
6128 | Shift_pishi3.tmp | C:\Users\admin\AppData\Local\Temp\is-8T00V.tmp\button-hover.bmp | image
MD5: 82EBBC3800C3BB5E5E0B2215806FAB91
SHA256: CAC6CDAA9E776B7CD504152E90B760A650E008A3AF56AB73AF143457B4D50C38
6128 | Shift_pishi3.tmp | C:\Users\admin\AppData\Local\Temp\is-8T00V.tmp\shift.png | image
MD5: 0423D0589E58341B5B64C6099F4123B7
SHA256: A1D2C48437058F24A5EA85C323469473AC4430198770794522A32C28783AADB7
6128 | Shift_pishi3.tmp | C:\Users\admin\AppData\Local\Temp\is-8T00V.tmp\min-rest.bmp | image
MD5: 2484489C7443EC4745488A77ED084D80
SHA256: 70B6921812F29B698F454927802DB818C1625402BAEFD53CED1BFB9135C17D5A
6128 | Shift_pishi3.tmp | C:\Users\admin\AppData\Local\Temp\is-8T00V.tmp\exit-10-light.png | image
MD5: 2CCE6763F61DDDB4599CB058D6761C56
SHA256: 0FC8E40A3B0E7A516E108DC0F3267DCCCB4DE04D28A21EB68A45A8AC1BB9DF8F
6128 | Shift_pishi3.tmp | C:\Users\admin\AppData\Local\Temp\is-8T00V.tmp\button-pressed.bmp | image
MD5: B74A8ED182B79A9FCE54806727A79AFF
SHA256: 27E358564C55757F04F682B0AAB12E80BA3D36D05E60234464305E6CF54EF0BC
6128 | Shift_pishi3.tmp | C:\Users\admin\AppData\Local\Temp\is-8T00V.tmp\exit-rest.bmp | image
MD5: B8AD3B36AE539BBB3D8C41FAA57FE4F6
SHA256: 33BD571330E590730A52C6880EA744A63B8D5342A0C8BF2DF871C41D190D57F0
HTTP(S) requests: 40
TCP/UDP connections: 53
DNS requests: 21
Threats: 5

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
- | - | GET | 200 | 18.216.89.106:443 | https://attribution.shiftapis.com/pdata/pishi3 | unknown | binary | 336 b | unknown
- | - | POST | 200 | 3.12.26.187:443 | https://updates.shiftapis.com/preflight | unknown | text | 10 b | unknown
1268 | svchost.exe | GET | 200 | 23.216.77.20:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.216.77.20:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
4544 | RUXIMICS.exe | GET | 200 | 23.216.77.20:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
4544 | RUXIMICS.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | POST | 200 | 18.224.248.162:443 | https://updates.shiftapis.com/splittests | unknown | binary | 1.15 Kb | unknown
- | - | POST | 200 | 18.223.45.126:443 | https://updates.shiftapis.com/settings | unknown | binary | 3.52 Kb | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1268 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4544 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5944 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
6128 | Shift_pishi3.tmp | 18.216.89.106:443 | attribution.shiftapis.com | AMAZON-02 | US | unknown
6128 | Shift_pishi3.tmp | 3.12.26.187:443 | updates.shiftapis.com | AMAZON-02 | US | unknown
1268 | svchost.exe | 23.216.77.20:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 23.216.77.20:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4544 | RUXIMICS.exe | 23.216.77.20:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 4.231.128.59 | whitelisted
google.com | 142.250.185.174 | whitelisted
attribution.shiftapis.com | 18.216.89.106, 3.147.106.223, 3.134.219.15 | unknown
updates.shiftapis.com | 3.12.26.187, 18.223.45.126, 18.224.248.162 | unknown
crl.microsoft.com | 23.216.77.20, 23.216.77.36, 23.216.77.29, 23.216.77.26, 23.216.77.21, 23.216.77.22, 23.216.77.28, 23.216.77.42, 23.216.77.8 | whitelisted
www.microsoft.com | 184.30.21.171, 23.3.109.244 | whitelisted
login.live.com | 20.190.160.130, 20.190.160.5, 20.190.160.131, 40.126.32.133, 20.190.160.3, 20.190.160.65, 40.126.32.76, 20.190.160.4 | whitelisted
cdn77-downloads.tryshift.com | 195.181.175.41, 195.181.170.19, 79.127.211.89, 207.211.211.27, 37.19.194.81, 212.102.56.179 | unknown
client.wns.windows.com | 172.211.123.250 | whitelisted
slscr.update.microsoft.com | 20.165.94.63 | whitelisted

Threats

Class | Message
Unknown Traffic | ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP
Possibly Unwanted Program Detected | ADWARE [ANY.RUN] InnoSetup Installer
Device Retrieving External IP Address Detected | SUSPICIOUS [ANY.RUN] An IP address was received from the server as a result of an HTTP request
Possibly Unwanted Program Detected | ADWARE [ANY.RUN] InnoSetup Installer
No debug info