File name: drip lite.zip

Full analysis: https://app.any.run/tasks/be9d215f-0030-4e0f-aaf1-d6725e6a3d26
Verdict: Malicious activity
Threats:

Stealers are a category of malicious software intended to gain unauthorized access to users' information and transfer it to the attacker. The stealer category covers programs that each focus on a particular kind of data, such as files, passwords, and cryptocurrency. Stealers can also spy on their targets by recording keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: January 27, 2025, 19:09:25
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
evasion
github
stealer
python
pyinstaller
susp-powershell
discordgrabber
generic
upx
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=AES Encrypted
MD5: 1D870395DB9E8FF05F8F824EDA544936
SHA1: 2F995B23C1A2853747336FD9DFBABFC1A918F0C6
SHA256: 68FE570D6D73477E2304059DF89B157314E17EAAC8D52BEFE9D07CFF721E4FF0
SSDEEP: 196608:LIEaMnIs6MmgYhx9R3/babnHRb6UNwCCRmH:LbhIs6Mmg4xD01f

ANY.RUN is an interactive service that provides full access to the guest system. Information in this report may have been distorted by user actions and is provided for the user's information as is. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Actions look like stealing of personal data

      • drip lite.exe (PID: 7160)
    • Creates files in the Startup directory

      • drip lite.exe (PID: 7160)
    • Steals credentials from Web Browsers

      • drip lite.exe (PID: 7160)
    • Changes settings for reporting to Microsoft Active Protection Service (MAPS)

      • powershell.exe (PID: 6716)
    • Adds extension to the Windows Defender exclusion list

      • drip lite.exe (PID: 7160)
      • cmd.exe (PID: 6640)
    • Changes Controlled Folder Access settings

      • powershell.exe (PID: 6716)
    • Changes settings for sending potential threat samples to Microsoft servers

      • powershell.exe (PID: 6716)
    • Changes settings for checking scripts for malicious actions

      • powershell.exe (PID: 6716)
    • Changes settings for real-time protection

      • powershell.exe (PID: 6716)
    • Changes settings for protection against network attacks (IPS)

      • powershell.exe (PID: 6716)
    • Changes antivirus protection settings for downloading files from the Internet (IOAVProtection)

      • powershell.exe (PID: 6716)
    • Adds path to the Windows Defender exclusion list

      • cmd.exe (PID: 6640)
    • DISCORDGRABBER has been detected (YARA)

      • drip lite.exe (PID: 7160)
  • SUSPICIOUS

    • Process drops python dynamic module

      • drip lite.exe (PID: 7068)
    • Executable content was dropped or overwritten

      • drip lite.exe (PID: 7068)
      • drip lite.exe (PID: 7160)
    • Process drops legitimate windows executable

      • drip lite.exe (PID: 7068)
    • Application launched itself

      • drip lite.exe (PID: 7068)
    • The process drops C-runtime libraries

      • drip lite.exe (PID: 7068)
    • Loads Python modules

      • drip lite.exe (PID: 7160)
    • Starts CMD.EXE for commands execution

      • drip lite.exe (PID: 7160)
    • Uses NETSH.EXE to obtain data on the network

      • cmd.exe (PID: 5748)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 6640)
    • Script disables Windows Defender's real-time protection

      • cmd.exe (PID: 6640)
    • Script disables Windows Defender's IPS

      • cmd.exe (PID: 6640)
    • Script adds exclusion path to Windows Defender

      • cmd.exe (PID: 6640)
    • The process hides an interactive prompt from the user

      • cmd.exe (PID: 6640)
    • Script adds exclusion extension to Windows Defender

      • cmd.exe (PID: 6640)
    • There is functionality for taking screenshot (YARA)

      • drip lite.exe (PID: 7068)
      • drip lite.exe (PID: 7160)
    • Uses WMIC.EXE to obtain Windows Installer data

      • cmd.exe (PID: 2600)
    • Checks for external IP

      • drip lite.exe (PID: 7160)
    • Accesses product unique identifier via WMI (SCRIPT)

      • WMIC.exe (PID: 5696)
  • INFO

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 6424)
    • Checks supported languages

      • drip lite.exe (PID: 7068)
      • drip lite.exe (PID: 7160)
    • Manual execution by a user

      • drip lite.exe (PID: 7068)
    • The sample is compiled with English language support

      • drip lite.exe (PID: 7068)
    • Reads the computer name

      • drip lite.exe (PID: 7068)
      • drip lite.exe (PID: 7160)
    • Creates files in a temporary directory

      • drip lite.exe (PID: 7068)
      • drip lite.exe (PID: 7160)
    • Creates files or folders in the user directory

      • drip lite.exe (PID: 7160)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 6716)
      • powershell.exe (PID: 5880)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 4228)
      • powershell.exe (PID: 6716)
      • powershell.exe (PID: 6236)
      • powershell.exe (PID: 5880)
    • PyInstaller has been detected (YARA)

      • drip lite.exe (PID: 7068)
      • drip lite.exe (PID: 7160)
    • Found Base64 encoded access to Windows Defender via PowerShell (YARA)

      • drip lite.exe (PID: 7160)
    • UPX packer has been detected

      • drip lite.exe (PID: 7160)
    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 5696)
    • Checks proxy server information

      • drip lite.exe (PID: 7160)
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0009
ZipCompression: Unknown (99)
ZipModifyDate: 2025:01:27 21:52:26
ZipCRC: 0x4083354b
ZipCompressedSize: 16178362
ZipUncompressedSize: 26828756
ZipFileName: drip lite.exe
No data.
All screenshots are available in the full report
Total processes: 147
Monitored processes: 15
Malicious processes: 4
Suspicious processes: 0

Behavior graph

Processes shown in the graph, in order: start, winrar.exe, drip lite.exe (#DISCORDGRABBER), drip lite.exe, cmd.exe (no specs), conhost.exe (no specs), wmic.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), netsh.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), powershell.exe (no specs), powershell.exe (no specs), powershell.exe (no specs), powershell.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 2600
CMD: C:\WINDOWS\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
Path: C:\Windows\System32\cmd.exe
Parent process: drip lite.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)

PID: 3664
CMD: netsh wlan show profiles
Path: C:\Windows\System32\netsh.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Network Command Shell
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)

PID: 3876
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)

PID: 4228
CMD: powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\admin\Local"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)

PID: 4996
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)

PID: 5696
CMD: C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
Path: C:\Windows\System32\wbem\WMIC.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: WMI Commandline Utility
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)

PID: 5748
CMD: C:\WINDOWS\system32\cmd.exe /c "netsh wlan show profiles"
Path: C:\Windows\System32\cmd.exe
Parent process: drip lite.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)

PID: 5808
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)

PID: 5880
CMD: powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)

PID: 6236
CMD: powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\admin\AppData"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)

Total events: 23 462
Read events: 23 453
Write events: 9
Delete events: 0

Modification events

PID 6424 (WinRAR.exe) | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 3 | Value: C:\Users\admin\Desktop\preferences.zip
PID 6424 (WinRAR.exe) | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 2 | Value: C:\Users\admin\Desktop\chromium_ext.zip
PID 6424 (WinRAR.exe) | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 1 | Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
PID 6424 (WinRAR.exe) | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 0 | Value: C:\Users\admin\Downloads\drip lite.zip
PID 6424 (WinRAR.exe) | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: name | Value: 120
PID 6424 (WinRAR.exe) | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: size | Value: 80
PID 6424 (WinRAR.exe) | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: type | Value: 120
PID 6424 (WinRAR.exe) | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: mtime | Value: 100
PID 6424 (WinRAR.exe) | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface | Operation: write | Name: ShowPassword | Value: 0
Executable files: 81
Suspicious files: 4
Text files: 34
Unknown types: 0

Dropped files

PID | Process | Filename | Type
7068 | drip lite.exe | C:\Users\admin\AppData\Local\Temp\_MEI70682\Cryptodome\Cipher\_pkcs1_decode.pyd | executable
  MD5: 7977186DF2EED3C3BAB0246395986CC2 | SHA256: EFD2559CB56400D7ABFC9DD633B7FE11993B6CD9FC912ABB005CA42E5276D614
7068 | drip lite.exe | C:\Users\admin\AppData\Local\Temp\_MEI70682\Cryptodome\Cipher\_raw_blowfish.pyd | executable
  MD5: F6CFEFC41965EF7B85786EA8DC5590DE | SHA256: 9E8EE94D60B47AF4213129DE2B059480B2C7D79A0AC173BA80112EAA10B47DA3
7068 | drip lite.exe | C:\Users\admin\AppData\Local\Temp\_MEI70682\Cryptodome\Cipher\_raw_arc2.pyd | executable
  MD5: 12E4F395D68F7D0A5E3101D7C5D3DD91 | SHA256: 70961A6EF5B8F4C197597B81BB5AA53D469881BA3698D5285E61E789F7C3D398
7068 | drip lite.exe | C:\Users\admin\AppData\Local\Temp\_MEI70682\Cryptodome\Cipher\_raw_ocb.pyd | executable
  MD5: A0B02D41F1ECD52575A39D8F8EDCF4C4 | SHA256: 5AE55228358B9867E346D0B96D96C0388789C146F8BE07052A9B465792DBA49E
6424 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb6424.30497\drip lite.exe | executable
  MD5: 55240329F8205FA0C585E47910FF3B61 | SHA256: 24A8E1C1B411FA1D9704A29A9BD73836BBA5E968D53DC1607BB5AD9339A72A38
7068 | drip lite.exe | C:\Users\admin\AppData\Local\Temp\_MEI70682\Cryptodome\Cipher\_Salsa20.pyd | executable
  MD5: 4593AD39D8CC5C129FADE3566E30E3E9 | SHA256: 7FECF764E2A8C81EDAD1966E65B4AB7A87884D4812070F869E2BC34918AB1AA2
7068 | drip lite.exe | C:\Users\admin\AppData\Local\Temp\_MEI70682\Cryptodome\Cipher\_ARC4.pyd | executable
  MD5: 6E403FEC9A5B09D8580A2458BA1111DC | SHA256: 257D744E9500CD050A1696EE24E7DCA3CCD71CF7352063B400D237155D838ABB
7068 | drip lite.exe | C:\Users\admin\AppData\Local\Temp\_MEI70682\Cryptodome\Cipher\_raw_aesni.pyd | executable
  MD5: C9458985193733C1EA2B4D06C38F67F3 | SHA256: 2E73C112AF9DC2C051630981883BEFD49D5DC3B894E71E6D347225B38AB703BD
7068 | drip lite.exe | C:\Users\admin\AppData\Local\Temp\_MEI70682\Cryptodome\Cipher\_raw_cfb.pyd | executable
  MD5: A5045EE4056013D68E3EAF0BB071C4F9 | SHA256: CE8CD2B12526536171105A4A2F3DCB62613B3B6D596E5E4FBB0080B02BBF9129
7068 | drip lite.exe | C:\Users\admin\AppData\Local\Temp\_MEI70682\Cryptodome\Cipher\_raw_aes.pyd | executable
  MD5: 604708EBEAF89C04F30AF924BD96CA89 | SHA256: F7EBD6DD301B2050B712C64E456F0B09CBF0AE4332E49AB5451E129BF95B83CD
HTTP(S) requests: 7
TCP/UDP connections: 32
DNS requests: 21
Threats: 3

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
4712 | MoUsoCoreWorker.exe | GET | 200 | 2.16.241.12:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | DE | binary | 1.01 Kb | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | QA | binary | 973 b | whitelisted
1176 | svchost.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | DE | binary | 471 b | whitelisted
6896 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | DE | binary | 419 b | whitelisted
6192 | backgroundTaskHost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | DE | binary | 471 b | whitelisted
- | - | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | DE | binary | 312 b | whitelisted
6896 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | DE | binary | 408 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 2.23.77.188:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | 2.16.241.12:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted
- | - | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 40.127.240.158:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 2.23.242.9:443 | go.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted
1176 | svchost.exe | 20.190.159.73:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1176 | svchost.exe | 2.23.77.188:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain | IP | Reputation
ocsp.digicert.com | 2.23.77.188, 2.17.190.73 | whitelisted
crl.microsoft.com | 2.16.241.12, 2.16.241.19 | whitelisted
www.microsoft.com | 2.23.246.101, 23.35.229.160 | whitelisted
settings-win.data.microsoft.com | 20.73.194.208, 51.124.78.146 | whitelisted
go.microsoft.com | 2.23.242.9 | whitelisted
login.live.com | 20.190.159.73, 40.126.31.69, 20.190.159.2, 20.190.159.71, 40.126.31.73, 20.190.159.75, 20.190.159.4, 20.190.159.23 | whitelisted
www.bing.com | 92.123.104.38, 92.123.104.47, 92.123.104.32, 92.123.104.34, 92.123.104.31, 92.123.104.33, 92.123.104.21, 92.123.104.19, 92.123.104.11 | whitelisted
slscr.update.microsoft.com | 20.109.210.53 | whitelisted
fe3cr.delivery.mp.microsoft.com | 52.165.164.15 | whitelisted
api.ipify.org | 172.67.74.152, 104.26.13.205, 104.26.12.205 | shared

Threats

PID | Process | Class | Message
2192 | svchost.exe | Misc activity | ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
7160 | drip lite.exe | Misc activity | ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
2192 | svchost.exe | Not Suspicious Traffic | INFO [ANY.RUN] Attempting to access raw user content on GitHub
No debug info