File name: Drip.exe
Full analysis: https://app.any.run/tasks/85df9d07-f58b-4582-86a6-498110cfabd0
Verdict: Malicious activity
Threats:

Stealers are a family of malicious software built to gain unauthorized access to a user's information and transfer it to the attacker. The category covers programs that each target a particular kind of data: files, passwords, browser data, cryptocurrency wallets. Many stealers also spy on the victim by logging keystrokes and taking screenshots. This type of malware is distributed mainly through phishing campaigns.

Analysis date: June 08, 2025, 17:20:05
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: stealer, crypto-regex
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows, 10 sections
MD5: DC2B1893D568D58925E3F1094BABBDDC
SHA1: 96C3E4D4C40205A5C033A6AC902CF4A171A30023
SHA256: F5C8D6B2A82CAC0DADEF403C4148EF259EAAAF0C63C4EB4F51A8C6AA8F0B5D23
SSDEEP: 196608:h4PATx2BN/ByveVRTV794UUzeuKaPtSTKvNKWxuBinVTLDYOfND1:xIN/sveVRx794fRlCKvAWxuinpUOfNx

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • Drip.exe (PID: 6300)
      • Drip.exe (PID: 3036)
    • Actions looks like stealing of personal data

      • Drip.exe (PID: 6300)
    • Steals credentials from Web Browsers

      • Drip.exe (PID: 6300)
  • SUSPICIOUS

    • The process checks if it is being run in the virtual environment

      • Drip.exe (PID: 6300)
    • Found regular expressions for crypto-addresses (YARA)

      • Drip.exe (PID: 6300)
    • Executes application which crashes

      • Drip.exe (PID: 6300)
  • INFO

    • Reads the computer name

      • Drip.exe (PID: 6300)
    • Checks supported languages

      • Drip.exe (PID: 6300)
    • Checks proxy server information

      • Drip.exe (PID: 6300)
      • slui.exe (PID: 3096)
    • Creates files or folders in the user directory

      • WerFault.exe (PID: 4284)
    • Reads the software policy settings

      • slui.exe (PID: 3096)
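The "crypto-regex" tag and the "Found regular expressions for crypto-addresses (YARA)" hit mean the binary carries regular expressions that match wallet-address formats; stealers apply such patterns to clipboard contents, files or browser data to pick out addresses. The Python below is an added example, not code from the report or from the sample, that reproduces both sides of that indicator: how a YARA-style scan recognises the regex source strings inside a binary, and how a stealer then applies them to text. The sample blob, the regex literals in it and the clipboard text are all constructed here; the report does not disclose which patterns Drip.exe actually embeds.

```python
import re

# Constructed sample blob imitating strings in a stealer binary. The regex
# literals are typical wallet-address patterns, NOT strings extracted from
# Drip.exe; the report only says that such regexes were found by YARA.
SAMPLE_BLOB = (
    b"\x00\x00Game Launcher fPaw\x00"
    b"^(bc1|[13])[a-zA-HJ-NP-Z0-9]{25,39}$\x00"      # Bitcoin (legacy + bech32)
    b"^0x[a-fA-F0-9]{40}$\x00"                        # Ethereum / EVM chains
    b"^T[A-Za-z1-9]{33}$\x00"                         # Tron
    b"SELECT host, name, value FROM moz_cookies\x00"  # unrelated string
)

# Detection side: a "crypto-regex" rule does not look for addresses, it looks
# for the *source text* of address regexes, i.e. the character classes and
# length quantifiers that only such patterns contain.
REGEX_LITERAL_MARKERS = {
    "BTC": rb"\[13\]|bc1|\[a-zA-HJ-NP-Z0-9\]|\[a-km-zA-HJ-NP-Z1-9\]",
    "ETH": rb"0x\[a-fA-F0-9\]\{40\}",
    "TRX": rb"\^T\[A-Za-z1-9\]\{33\}",
}


def find_crypto_regex_strings(blob: bytes) -> dict:
    """Return {family: [regex source strings]} for printable runs that look like address regexes."""
    hits = {}
    for run in re.findall(rb"[\x20-\x7e]{8,}", blob):  # printable ASCII runs, like `strings -n 8`
        for family, marker in REGEX_LITERAL_MARKERS.items():
            if re.search(marker, run):
                hits.setdefault(family, []).append(run.decode("ascii"))
    return hits


def harvest_addresses(blob: bytes, text: str) -> dict:
    """Apply the embedded regexes to free text the way a stealer would, e.g. to clipboard contents."""
    found = {}
    for family, patterns in find_crypto_regex_strings(blob).items():
        for src in patterns:
            # The embedded patterns are anchored for whole-string checks; to scan
            # free text, drop the anchors and require non-alphanumeric boundaries.
            core = src.strip("^$")
            rx = re.compile(rf"(?<![A-Za-z0-9]){core}(?![A-Za-z0-9])")
            for m in rx.finditer(text):
                found.setdefault(family, []).append(m.group(0))
    return found


# Constructed clipboard text with one EVM-style and one legacy Bitcoin address.
CLIPBOARD = "pay 0x" + "ab12" * 10 + " or 1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2 thanks"

if __name__ == "__main__":
    print("regex strings found:", find_crypto_regex_strings(SAMPLE_BLOB))
    print("addresses harvested:", harvest_addresses(SAMPLE_BLOB, CLIPBOARD))
```

The detection half is what a YARA rule for this tag encodes as string conditions; the harvesting half shows why the hit matters for triage: a GUI "game launcher" has no business compiling address-format regexes.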
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (18)
.exe | Win32 Executable (generic) (2.9)
.exe | Generic Win/DOS Executable (1.3)
.exe | DOS Executable Generic (1.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:06:03 17:53:36+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Large address aware, No debug
PEType: PE32+
LinkerVersion: 2.44
CodeSize: 14307840
InitializedDataSize: 30971904
UninitializedDataSize: 1536
EntryPoint: 0x13d0
OSVersion: 4
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows GUI
FileVersionNumber: 0.1.0.0
ProductVersionNumber: 0.1.0.0
FileFlagsMask: 0x003f
ObjectFileType: Executable application
LanguageCode: Neutral
CharacterSet: Unicode
ProductName: Game Launcher fPaw
OriginalFileName: loaderx86_341.exe
FileOS: 0x00000004
FileFlagsExMask: 0x00000000
InternalName: loaderx86_341.exe
CompanyName: Digital Gaming Solutions
Charset: 0409
LegalCopyright: © Digital Gaming Solutions 2025. All rights reserved.
CodePage: 0409
FileSubtype: 0x00000000
FileVersion: 7.72.89.4
Language: 0409
FileFlags: 0x00000000
ProductVersion: 7.72.89.4
Type: Application
FileFlagsEx: 0x00000000
FileDescription: Game Launcher fPaw
All screenshots are available in the full report
Total processes: 124
Monitored processes: 5
Malicious processes: 1
Suspicious processes: 1

Behavior graph

Process tree as shown by the sandbox ("no specs" marks processes with no notable indicators; parents are taken from the process information below):

explorer.exe
  ├─ Drip.exe (PID 3036), no specs: medium-integrity launch that exited immediately
  └─ Drip.exe (PID 6300): the elevated instance carrying all malicious indicators
       ├─ conhost.exe (PID 5124), no specs
       └─ WerFault.exe (PID 4284), no specs: crash handler for PID 6300
svchost.exe
  └─ slui.exe (PID 3096): Windows activation client, background activity

Process information

PID 3036  "C:\Users\admin\Desktop\Drip.exe"
  Path: C:\Users\admin\Desktop\Drip.exe
  Parent process: explorer.exe
  User: admin | Integrity level: MEDIUM
  Company: Digital Gaming Solutions | Description: Game Launcher fPaw | Version: 7.72.89.4
  Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
  Modules (images):
    c:\users\admin\desktop\drip.exe
    c:\windows\system32\ntdll.dll
  Note: only ntdll.dll was ever mapped and the process ended with STATUS_ELEVATION_REQUIRED, so this medium-integrity launch never executed the sample's code. That is the behaviour of a binary whose manifest demands administrator rights; the elevated relaunch is PID 6300 below, which explains why two Drip.exe PIDs appear in the indicators.

PID 3096  C:\WINDOWS\System32\slui.exe -Embedding
  Path: C:\Windows\System32\slui.exe
  Parent process: svchost.exe
  User: admin | Integrity level: MEDIUM
  Company: Microsoft Corporation | Description: Windows Activation Client | Version: 10.0.19041.1 (WinBuild.160101.0800)
  Exit code: 0
  Modules (images):
    c:\windows\system32\slui.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\bcrypt.dll
    c:\windows\system32\user32.dll

PID 4284  C:\WINDOWS\system32\WerFault.exe -u -p 6300 -s 1064
  Path: C:\Windows\System32\WerFault.exe
  Parent process: Drip.exe
  User: admin | Integrity level: HIGH
  Company: Microsoft Corporation | Description: Windows Problem Reporting | Version: 10.0.19041.1 (WinBuild.160101.0800)
  Exit code: 0
  Modules (images):
    c:\windows\system32\werfault.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\combase.dll
    c:\windows\system32\ucrtbase.dll
    c:\windows\system32\cryptsp.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\oleaut32.dll
  Note: "-p 6300" names the crashing process, so this is Windows Error Reporting handling the crash of the elevated Drip.exe.

PID 5124  \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
  Path: C:\Windows\System32\conhost.exe
  Parent process: Drip.exe
  User: admin | Integrity level: HIGH
  Company: Microsoft Corporation | Description: Console Window Host | Version: 10.0.19041.1 (WinBuild.160101.0800)
  Exit code: 0
  Modules (images):
    c:\windows\system32\conhost.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\msvcp_win.dll
    c:\windows\system32\ucrtbase.dll
    c:\windows\system32\shcore.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\combase.dll
    c:\windows\system32\rpcrt4.dll
  Note: the sample is a Windows GUI subsystem binary (see EXIF), so a conhost.exe child means it created or attached a console at run time.

PID 6300  "C:\Users\admin\Desktop\Drip.exe"
  Path: C:\Users\admin\Desktop\Drip.exe
  Parent process: explorer.exe
  User: admin | Integrity level: HIGH
  Company: Digital Gaming Solutions | Description: Game Launcher fPaw | Version: 7.72.89.4
  Exit code: 3221226505 (0xC0000409, STATUS_STACK_BUFFER_OVERRUN)
  Modules (images):
    c:\users\admin\desktop\drip.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\apphelp.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\bcrypt.dll
  Note: this is the instance that carries the stealer indicators. Its exit code is the fail-fast code that the Windows runtime reports for __fastfail and abort paths as well as for real stack-cookie failures, so on its own it shows that the program terminated abnormally (matching "Executes application which crashes"), not that a memory-corruption bug was hit.
Total events: 5 364
Read events: 5 358
Write events: 3
Delete events: 3

Modification events

PID 4284  WerFault.exe
  Key: \REGISTRY\A\{8d8427b8-9acc-5677-416b-d842c2828205}\Root\InventoryApplicationFile
  Operation: write | Name: WritePermissionsCheck | Value: 1

PID 4284  WerFault.exe
  Key: \REGISTRY\A\{8d8427b8-9acc-5677-416b-d842c2828205}\Root\InventoryApplicationFile\PermissionsCheckTestKey
  Operation: delete key | Name: (default) | Value:
Executable files: 0
Suspicious files: 4
Text files: 2
Unknown types: 0

Dropped files

PID 4284  WerFault.exe
  C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Drip.exe_c47f42af5b18c1ec3a3f1565da7e34772c31552_801c1e35_76b6d895-8419-4bd6-9215-948b9d4d285a\Report.wer
  Type: (not recorded) | MD5: (not recorded) | SHA256: (not recorded)

PID 6300  Drip.exe
  C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\cookies.sqlite-shm
  Type: binary | MD5: B7C14EC6110FA820CA6B65F5AEC85911 | SHA256: FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB

PID 4284  WerFault.exe
  C:\ProgramData\Microsoft\Windows\WER\Temp\WERA0BC.tmp.dmp
  Type: binary | MD5: 5B79A15A6CFEB2BE87748CB2F779B382 | SHA256: A20FEEA522E64E7060425051B7E24EEA94119C26F0E14F440AAE093A936930AB

PID 4284  WerFault.exe
  C:\ProgramData\Microsoft\Windows\WER\Temp\WERA15A.tmp.WERInternalMetadata.xml
  Type: xml | MD5: F4E7DE4A393ADB1CE00B3837BBF480EF | SHA256: 5EF5015F54D6AB62C70A585FBB7785BE26748614935AB7A3E118ECAD4B814F47

PID 4284  WerFault.exe
  C:\ProgramData\Microsoft\Windows\WER\Temp\WERA199.tmp.xml
  Type: xml | MD5: 6F87DE392C197326BDDDDDEB174C15C8 | SHA256: EC8F531917816ACA7F4FD222B95556FD06B4EA1F41D7F043D998D8EF55565E1F

PID 4284  WerFault.exe
  C:\Users\admin\AppData\Local\CrashDumps\Drip.exe.6300.dmp
  Type: binary | MD5: 98231636654FAAA21ADF2AC932C1385D | SHA256: 2FD52091B9238EAE9FAC7D26ABCAE4A9150B63B8B134183A4AE512B3AD6579BE

PID 4284  WerFault.exe
  C:\Windows\appcompat\Programs\Amcache.hve
  Type: binary | MD5: E938813ACE9586036C29B144ED509B1B | SHA256: 5340FFC7E915FA1391AC71FC241B61002D090231F8B27A9FB1EDB2AA72A8EEBF

The only file written by Drip.exe itself is cookies.sqlite-shm inside the Firefox profile. SQLite creates the -shm file when it opens a database that is in WAL mode, so this is the side effect of Drip.exe opening Firefox's cookie database, which is the evidence behind "Steals credentials from Web Browsers". Everything else is Windows Error Reporting output for the PID 6300 crash: the .wer report, two minidumps (the local one, Drip.exe.6300.dmp, is the useful artifact for a post-mortem), the WER metadata XML, and the Amcache.hve application hive, which is also what the \REGISTRY\A\{...}\Root\InventoryApplicationFile modification events above belong to.
HTTP(S) requests: 24
TCP/UDP connections: 47
DNS requests: 20
Threats: 0

HTTP requests

PID / Process | Method | Code | IP:port | URL | CN | Type | Size | Reputation
(not attributed) | GET | 200 | 20.109.210.53:443 | https://slscr.update.microsoft.com/sls/ping | unknown | - | - | -
(not attributed) | GET | 304 | 20.109.210.53:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | - | - | -
(not attributed) | GET | 200 | 20.109.210.53:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | - | - | -
(not attributed) | POST | 200 | 20.190.159.128:443 | https://login.live.com/RST2.srf | unknown | xml | 10.3 Kb | whitelisted
(not attributed) | POST | 200 | 20.190.160.3:443 | https://login.live.com/RST2.srf | unknown | xml | 11.0 Kb | whitelisted
(not attributed) | POST | 200 | 20.190.160.3:443 | https://login.live.com/RST2.srf | unknown | xml | 10.3 Kb | whitelisted
(not attributed) | POST | 200 | 20.190.159.128:443 | https://login.live.com/RST2.srf | unknown | - | - | whitelisted
6544 svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | - | - | whitelisted
5496 MoUsoCoreWorker.exe | GET | 200 | 23.48.23.193:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5496 MoUsoCoreWorker.exe | GET | 200 | 2.16.253.202:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted

None of the listed HTTP requests belong to Drip.exe: the Windows Update (slscr.update.microsoft.com), Microsoft account (login.live.com/RST2.srf), OCSP and CRL traffic is background activity of the guest. Drip.exe's own network activity is the raw TCP connection to 161.97.114.114:8080 in the Connections table below, for which the report decodes no HTTP.

Connections

PID / Process | IP:port | Domain | ASN | CN | Reputation
4 System | 192.168.100.255:137 | - | - | - | whitelisted
(not attributed) | 20.190.160.65:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
(not attributed) | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 System | 192.168.100.255:138 | - | - | - | whitelisted
6544 svchost.exe | 2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted
5496 MoUsoCoreWorker.exe | 23.48.23.193:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5496 MoUsoCoreWorker.exe | 2.16.253.202:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
(not attributed) | 172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
(not attributed) | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
6300 Drip.exe | 161.97.114.114:8080 | - | Contabo GmbH | DE | unknown

The single connection attributable to Drip.exe (PID 6300) goes to 161.97.114.114:8080, hosted at Contabo GmbH (DE): no domain was resolved for it, so the address is hard-coded in the sample, its reputation is unknown, and it tripped none of the sandbox's network rules (Threats: 0). That IP:port pair is the one network indicator worth blocking or hunting for from this run; the NetBIOS broadcasts on 137/138 and all the Microsoft endpoints are normal guest noise.
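The report's indicators translate directly into host-detection logic: a known-bad file hash at process creation, a non-browser process writing inside a Firefox profile's cookie store, a connection to 161.97.114.114:8080, and WerFault.exe crash handling for that same process. The Python below is an added example, not part of the ANY.RUN report, that turns those indicators into rules and runs them over constructed Sysmon-style JSON events (field names follow Sysmon's Event ID 1, 3 and 11 schema; the values mirror the process list above, while the firefox.exe path and the benign svchost.exe line are invented noise). Beyond what the report shows, the Firefox pattern also covers logins.json, key4.db and places.sqlite, which are Firefox's other credential and history stores; that wider scope is an assumption made here, not something the report records.

```python
import json
import re

# Indicators copied from the report above.
SAMPLE_HASHES = {
    "sha256": "f5c8d6b2a82cac0dadef403c4148ef259eaaaf0c63c4eb4f51a8c6aa8f0b5d23",
    "md5": "dc2b1893d568d58925e3f1094babbddc",
}
C2_ENDPOINT = ("161.97.114.114", 8080)

# Firefox profile stores worth alerting on. The report shows only cookies.sqlite-shm;
# logins.json, key4.db and places.sqlite are Firefox's other credential/history stores
# and are added here as a scope assumption, not because the report names them.
FIREFOX_STORE = re.compile(
    r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\"
    r"(cookies\.sqlite|places\.sqlite|logins\.json|key4\.db)(-shm|-wal|-journal)?$",
    re.IGNORECASE,
)
BROWSER_IMAGES = {"firefox.exe"}  # processes allowed to touch those stores


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _parse_hashes(field: str) -> dict:
    """Sysmon's 'Hashes' field looks like 'SHA256=...,MD5=...'."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().lower()] = value.strip().lower()
    return out


def triage(lines):
    """Run the report's indicators as rules over Sysmon-style JSON lines.

    Returns (rule, pid, detail) tuples in log order."""
    alerts = []
    flagged_pids = set()
    for raw in lines:
        ev = json.loads(raw)
        eid, pid, image = ev.get("EventID"), ev.get("ProcessId"), ev.get("Image", "")
        if eid == 1:  # process creation
            seen = _parse_hashes(ev.get("Hashes", ""))
            if any(seen.get(algo) == digest for algo, digest in SAMPLE_HASHES.items()):
                alerts.append(("known_bad_hash", pid, image))
                flagged_pids.add(pid)
            # WerFault's "-p <pid>" names the crashing process; the report shows
            # WerFault.exe -p 6300 right after the credential access.
            crashed = re.search(r"-p (\d+)", ev.get("CommandLine", ""))
            if _basename(image) == "werfault.exe" and crashed and int(crashed.group(1)) in flagged_pids:
                alerts.append(("flagged_process_crashed", int(crashed.group(1)), ev["CommandLine"]))
        elif eid == 11:  # file create
            target = ev.get("TargetFilename", "")
            if FIREFOX_STORE.search(target) and _basename(image) not in BROWSER_IMAGES:
                alerts.append(("non_browser_touched_firefox_store", pid, target))
                flagged_pids.add(pid)
        elif eid == 3:  # network connection
            if (ev.get("DestinationIp"), ev.get("DestinationPort")) == C2_ENDPOINT:
                alerts.append(("c2_connection", pid, "%s:%d" % C2_ENDPOINT))
                flagged_pids.add(pid)
    return alerts


# Constructed Sysmon-style events mirroring the report's process list. The firefox.exe
# and svchost.exe lines are benign noise to show what the rules ignore.
DRIP = r"C:\Users\admin\Desktop\Drip.exe"
PROFILE = r"C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release"
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 6300, "Image": DRIP, "ParentImage": r"C:\Windows\explorer.exe",
     "IntegrityLevel": "High",
     "Hashes": "SHA256=F5C8D6B2A82CAC0DADEF403C4148EF259EAAAF0C63C4EB4F51A8C6AA8F0B5D23"},
    {"EventID": 11, "ProcessId": 6300, "Image": DRIP, "TargetFilename": PROFILE + r"\cookies.sqlite-shm"},
    {"EventID": 3, "ProcessId": 6300, "Image": DRIP, "DestinationIp": "161.97.114.114", "DestinationPort": 8080},
    {"EventID": 1, "ProcessId": 4284, "Image": r"C:\Windows\System32\WerFault.exe", "ParentImage": DRIP,
     "CommandLine": r"C:\WINDOWS\system32\WerFault.exe -u -p 6300 -s 1064"},
    {"EventID": 11, "ProcessId": 1111, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "TargetFilename": PROFILE + r"\cookies.sqlite-wal"},
    {"EventID": 3, "ProcessId": 6544, "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationIp": "2.17.190.73", "DestinationPort": 80},
]
SAMPLE_LOG = [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for rule, pid, detail in triage(SAMPLE_LOG):
        print(f"{rule:<36} pid={pid} {detail}")
```

The hash and C2 rules are brittle by design (a rebuilt sample or a new server defeats them); the Firefox-store rule is the durable one, because any stealer that reads cookies.sqlite through SQLite leaves the same -shm/-wal side effect under a non-browser process.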

DNS requests (domain, resolved IPs, reputation)

login.live.com
  • 20.190.160.65
  • 20.190.160.3
  • 20.190.160.22
  • 20.190.160.130
  • 40.126.32.136
  • 20.190.160.131
  • 40.126.32.140
  • 20.190.160.67
whitelisted
settings-win.data.microsoft.com
  • 4.231.128.59
  • 20.73.194.208
whitelisted
google.com
  • 142.250.185.110
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
crl.microsoft.com
  • 23.48.23.193
  • 23.48.23.145
  • 23.48.23.137
  • 23.48.23.135
  • 23.48.23.138
  • 23.48.23.194
  • 23.48.23.141
  • 23.48.23.134
  • 23.48.23.192
  • 2.16.168.124
  • 2.16.168.114
whitelisted
www.microsoft.com
  • 2.16.253.202
  • 23.219.150.101
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
slscr.update.microsoft.com
  • 4.245.163.56
  • 20.109.210.53
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 52.165.164.15
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats: no threats detected
Debug info: none