File name: vanish.exe
Full analysis: https://app.any.run/tasks/ed8da92d-67a6-4a44-8901-cce34265f5d5
Verdict: Malicious activity
Threats: Stealer

Stealers are a class of malware designed to obtain users' information without authorization and transmit it to the attacker. The category covers programs that each target a particular kind of data, such as files, passwords or cryptocurrency. Stealers can also spy on their targets by logging keystrokes and taking screenshots. This type of malware is distributed primarily through phishing campaigns.

Analysis date: May 27, 2025, 21:23:05
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: trox, stealer, python, discordgrabber, generic, pyinstaller
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (console) x86-64, for MS Windows, 7 sections
MD5: D881AD827C43A30707E52D1CC06CB67C
SHA1: 438F8B014A27A2C1AEA53D8D6C81472A24E40B15
SHA256: C917F3782D0ACB5332D3C1131B9DF4785CD18B7CE6867EEB5637980846663CE6
SSDEEP: 196608:U8nXKoQRR+4OvyFhrTmWYSYBaTa4WfaOTcpPt/lRScsdw:VnXKoQf+44sFKTb4Wfa+QFbSc6

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • TROX has been detected
      • vanish.exe (PID: 6268)
    • DISCORDGRABBER has been detected (YARA)
      • vanish.exe (PID: 5512)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • vanish.exe (PID: 6268)
    • Process drops python dynamic module
      • vanish.exe (PID: 6268)
    • Starts CMD.EXE for commands execution
      • vanish.exe (PID: 5512)
    • The process drops C-runtime libraries
      • vanish.exe (PID: 6268)
    • Process drops legitimate windows executable
      • vanish.exe (PID: 6268)
    • Loads Python modules
      • vanish.exe (PID: 5512)
  • INFO
    • Checks supported languages
      • vanish.exe (PID: 6268)
      • vanish.exe (PID: 5512)
    • The sample compiled with english language support
      • vanish.exe (PID: 6268)
    • Checks operating system version
      • vanish.exe (PID: 5512)
    • Create files in a temporary directory
      • vanish.exe (PID: 6268)
    • Reads the computer name
      • vanish.exe (PID: 5512)
    • Checks proxy server information
      • vanish.exe (PID: 5512)
      • slui.exe (PID: 2800)
    • PyInstaller has been detected (YARA)
      • vanish.exe (PID: 5512)
    • Reads the software policy settings
      • slui.exe (PID: 2800)
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:12:10 01:40:33+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.35
CodeSize: 127488
InitializedDataSize: 20585472
UninitializedDataSize: -
EntryPoint: 0xbbac
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows command line
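The EXIF block above is a straight read-out of the PE headers. The Python below is an example added to this page, not part of the ANY.RUN report, that parses those same COFF and PE32+ optional-header fields with `struct`, so the values can be cross-checked against a report or recovered from a sample directly. The point it makes about this file is the size ratio: 20,585,472 bytes of initialized data next to 127,488 bytes of code is what a single-file Python bundle (interpreter DLL plus .pyd modules packed into the executable) looks like from the outside. The threshold used to flag that is a rule of thumb chosen for this example, not something the report states. `SAMPLE_PE` is a header-only buffer constructed in the block from the report's values (machine, 7 sections, timestamp, linker 14.35, sizes, entry point, subsystem); it contains no bytes of the real vanish.exe.

```python
import struct
from datetime import datetime, timezone

# IMAGE_FILE_HEADER.Machine values, Characteristics bits and Subsystem codes (PE/COFF spec).
MACHINES = {0x014C: "i386", 0x8664: "AMD64", 0xAA64: "ARM64"}
CHARACTERISTICS = [(0x0002, "Executable"), (0x0020, "Large address aware"),
                   (0x0100, "32-bit machine"), (0x2000, "DLL")]
SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows command line"}
PE32PLUS_MAGIC = 0x020B
# Rule of thumb for this example (an assumption, not a value from the report): an EXE whose
# initialized data outweighs its code by this factor is probably carrying a bundled payload.
DATA_TO_CODE_RATIO_THRESHOLD = 20.0


def parse_pe_headers(data: bytes) -> dict:
    """Read the COFF and PE32+ optional-header fields that sandbox reports print as EXIF."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _symtab, _nsyms, _optsize, flags = \
        struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20  # IMAGE_FILE_HEADER is 20 bytes; the optional header follows immediately
    (magic, lnk_major, lnk_minor, size_code, size_idata, size_udata, entry,
     _base_code, _image_base, _sec_align, _file_align, os_major, os_minor,
     _img_major, _img_minor, sub_major, sub_minor, _w32ver, _size_image,
     _size_headers, _checksum, subsystem, _dllchars) = \
        struct.unpack_from("<HBBIIIIIQIIHHHHHHIIIIHH", data, opt)
    if magic != PE32PLUS_MAGIC:
        raise ValueError("only PE32+ (64-bit) images are handled here; magic=0x%x" % magic)
    ratio = size_idata / size_code if size_code else float("inf")
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "sections": nsections,
        "timestamp": datetime.fromtimestamp(timestamp, timezone.utc).strftime("%Y:%m:%d %H:%M:%S+00:00"),
        "characteristics": [name for bit, name in CHARACTERISTICS if flags & bit],
        "linker_version": f"{lnk_major}.{lnk_minor}",
        "code_size": size_code,
        "initialized_data_size": size_idata,
        "uninitialized_data_size": size_udata,
        "entry_point": hex(entry),
        "os_version": f"{os_major}.{os_minor}",
        "subsystem_version": f"{sub_major}.{sub_minor}",
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "data_to_code_ratio": round(ratio, 1),
        "bundled_payload_suspected": ratio > DATA_TO_CODE_RATIO_THRESHOLD,
    }


def build_sample_pe32plus(timestamp: int, size_code: int, size_idata: int, entry: int,
                          nsections: int = 7, flags: int = 0x0022, subsystem: int = 3) -> bytes:
    """Build only the headers of a PE32+ file (no sections); enough for parse_pe_headers()."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE signature right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x8664, nsections, timestamp, 0, 0, 240, flags)
    opt = struct.pack("<HBBIIIIIQIIHHHHHHIIIIHH",
                      PE32PLUS_MAGIC, 14, 35, size_code, size_idata, 0, entry,
                      0x1000, 0x140000000, 0x1000, 0x200, 6, 0, 0, 0, 6, 0,
                      0, 0, 0, 0, subsystem, 0x8160)
    opt += b"\0" * (240 - len(opt))  # stack/heap sizes, loader flags, 16 data directories
    return bytes(dos) + b"PE\0\0" + coff + opt


# Constructed for this example from the report's EXIF values; not bytes of the real vanish.exe.
SAMPLE_PE = build_sample_pe32plus(
    timestamp=int(datetime(2024, 12, 10, 1, 40, 33, tzinfo=timezone.utc).timestamp()),
    size_code=127488, size_idata=20585472, entry=0xBBAC)

if __name__ == "__main__":
    for key, value in parse_pe_headers(SAMPLE_PE).items():
        print(f"{key}: {value}")
```

Run against a real file with `parse_pe_headers(open(path, "rb").read())`; the ratio alone does not separate a Python bundle from an installer or a resource-heavy application, so treat it as a triage hint to be confirmed by the unpack behaviour seen in the process table.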
Total processes: 130
Monitored processes: 9
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Process tree as rendered in the report. PIDs are taken from the process table below; that table names the parent of the conhost.exe and cmd.exe entries only as "vanish.exe", and the "Starts CMD.EXE for commands execution" signature attributes the cmd.exe children to PID 5512. The parent of slui.exe is given only as svchost.exe, without a PID.

explorer.exe
  #TROX vanish.exe (PID 6268)
    conhost.exe (PID 6132, no specs)
    #DISCORDGRABBER vanish.exe (PID 5512, copy unpacked to %TEMP%)
      cmd.exe (PID 3176, no specs)
      cmd.exe (PID 5892, no specs)
      cmd.exe (PID 6028, no specs)
      cmd.exe (PID 6792, no specs)
services.exe
  svchost.exe (PID 2196, Dnscache)
svchost.exe (PID not given)
  slui.exe (PID 2800)

Process information

PID 2196 | svchost.exe
  CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
  Path: C:\Windows\System32\svchost.exe
  Parent process: services.exe
  User: NETWORK SERVICE | Company: Microsoft Corporation | Integrity Level: SYSTEM
  Description: Host Process for Windows Services | Version: 10.0.19041.1 (WinBuild.160101.0800)
  Modules (images, all under c:\windows\system32\): svchost.exe, ntdll.dll, kernel32.dll, kernelbase.dll, sechost.dll, rpcrt4.dll, bcrypt.dll, ucrtbase.dll, combase.dll, kernel.appcore.dll

PID 2800 | slui.exe
  CMD: C:\WINDOWS\System32\slui.exe -Embedding
  Path: C:\Windows\System32\slui.exe
  Parent process: svchost.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM
  Description: Windows Activation Client | Exit code: 0 | Version: 10.0.19041.1 (WinBuild.160101.0800)
  Modules (images, all under c:\windows\system32\): slui.exe, ntdll.dll, kernel32.dll, kernelbase.dll, advapi32.dll, msvcrt.dll, sechost.dll, rpcrt4.dll, bcrypt.dll, user32.dll

PID 3176 | cmd.exe
  CMD: C:\WINDOWS\system32\cmd.exe /c   (the argument after /c is not shown in the report)
  Path: C:\Windows\System32\cmd.exe
  Parent process: vanish.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM
  Description: Windows Command Processor | Exit code: 0 | Version: 10.0.19041.1 (WinBuild.160101.0800)
  Modules (images, all under c:\windows\system32\): cmd.exe, ntdll.dll, kernel32.dll, kernelbase.dll, apphelp.dll, msvcrt.dll, combase.dll, ucrtbase.dll, rpcrt4.dll

PID 5512 | vanish.exe (copy unpacked to %TEMP%)
  CMD: "C:\Users\admin\Desktop\vanish.exe"
  Path: C:\Users\admin\AppData\Local\Temp\onefile_6268_133928545958339019\vanish.exe
  Parent process: vanish.exe
  User: admin | Integrity Level: MEDIUM | Company, Description, Version: not listed
  Modules (images): c:\users\admin\appdata\local\temp\onefile_6268_133928545958339019\vanish.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\apphelp.dll, c:\users\admin\appdata\local\temp\onefile_6268_133928545958339019\python311.dll, c:\windows\system32\ws2_32.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\bcrypt.dll, c:\windows\system32\version.dll

PID 5892 | cmd.exe
  CMD: C:\WINDOWS\system32\cmd.exe /c "ver"
  Path: C:\Windows\System32\cmd.exe
  Parent process: vanish.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM
  Description: Windows Command Processor | Exit code: 0 | Version: 10.0.19041.1 (WinBuild.160101.0800)
  Modules (images, all under c:\windows\system32\): cmd.exe, ntdll.dll, kernel32.dll, kernelbase.dll, apphelp.dll, msvcrt.dll, combase.dll, ucrtbase.dll, rpcrt4.dll

PID 6028 | cmd.exe
  CMD: C:\WINDOWS\system32\cmd.exe /c cls
  Path: C:\Windows\System32\cmd.exe
  Parent process: vanish.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM
  Description: Windows Command Processor | Exit code: 0 | Version: 10.0.19041.1 (WinBuild.160101.0800)
  Modules (images, all under c:\windows\system32\): cmd.exe, ntdll.dll, kernel32.dll, kernelbase.dll, apphelp.dll, msvcrt.dll, combase.dll, ucrtbase.dll, rpcrt4.dll

PID 6132 | conhost.exe
  CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
  Path: C:\Windows\System32\conhost.exe
  Parent process: vanish.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM
  Description: Console Window Host | Version: 10.0.19041.1 (WinBuild.160101.0800)
  Modules (images, all under c:\windows\system32\): conhost.exe, ntdll.dll, kernel32.dll, kernelbase.dll, msvcp_win.dll, ucrtbase.dll, shcore.dll, msvcrt.dll, combase.dll, rpcrt4.dll

PID 6268 | vanish.exe (file as submitted)
  CMD: "C:\Users\admin\Desktop\vanish.exe"
  Path: C:\Users\admin\Desktop\vanish.exe
  Parent process: explorer.exe
  User: admin | Integrity Level: MEDIUM | Company, Description, Version: not listed
  Modules (images): c:\users\admin\desktop\vanish.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\apphelp.dll, c:\windows\system32\shell32.dll, c:\windows\system32\msvcp_win.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\user32.dll, c:\windows\system32\win32u.dll

PID 6792 | cmd.exe
  CMD: C:\WINDOWS\system32\cmd.exe /c title Vanish - Loaded 0 Tokens - Made By Virtual
  Path: C:\Windows\System32\cmd.exe
  Parent process: vanish.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM
  Description: Windows Command Processor | Exit code: 0 | Version: 10.0.19041.1 (WinBuild.160101.0800)
  Modules (images, all under c:\windows\system32\): cmd.exe, ntdll.dll, kernel32.dll, kernelbase.dll, apphelp.dll, msvcrt.dll, combase.dll, ucrtbase.dll, rpcrt4.dll
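Two things in the process table carry most of the signal: the submitted file (PID 6268) unpacks a same-named copy of itself into `%LOCALAPPDATA%\Temp\onefile_6268_133928545958339019\` together with `python311.dll` and a set of `.pyd` modules and launches it (PID 5512), and that child then runs `cmd.exe /c title Vanish - Loaded 0 Tokens - Made By Virtual`, the console banner of a Discord token grabber. One detail worth checking before trusting the bundler tag: an `onefile_<pid>_<time>` directory and the re-launch of a same-named copy from it are the layout of Nuitka's onefile bootstrap, whereas PyInstaller's onefile mode unpacks into `_MEI<pid>` and re-executes the original file; the `pyinstaller` tag here is a YARA match, so the regex below covers both layouts. The Python that follows is an example added to this page, not ANY.RUN's detection logic, and turns those two observations into a process-creation rule over Sysmon-style records (PID, parent PID, image, command line). `SAMPLE_EVENTS` is constructed from the process table above; the explorer.exe PID in it is made up because the report does not give one, and the rule names and severities are this example's own.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List

# Run-time unpack directories of single-file Python bundlers: Nuitka onefile uses
# %TEMP%\onefile_<pid>_<time>\, PyInstaller uses %TEMP%\_MEI<pid>\.
UNPACK_DIR = re.compile(r"\\Temp\\(onefile_\d+_\d+|_MEI\d+)\\", re.IGNORECASE)
# A console title advertising a token count is a tell of Discord-grabber tooling.
TOKEN_TITLE = re.compile(r"cmd\.exe\s+/c\s+title\b.*\btokens?\b", re.IGNORECASE)
# Recon commands stealers commonly run through cmd.exe (low weight on their own).
RECON_CMD = re.compile(r"cmd\.exe\s+/c\s+\"?(ver|whoami|systeminfo|tasklist)\b", re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    severity: str
    note: str


def analyze(events: List[ProcEvent]) -> dict:
    """Flag the unpack-and-relaunch pattern and score cmd.exe children by their parent."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    stage2 = set()
    hits: List[Finding] = []

    # Pass 1: processes executing out of a bundler unpack directory.
    for e in events:
        if not UNPACK_DIR.search(e.image):
            continue
        stage2.add(e.pid)
        parent = by_pid.get(e.ppid)
        note = f"runs from {ntpath.dirname(e.image)}"
        if parent and ntpath.basename(parent.image).lower() == ntpath.basename(e.image).lower():
            note += f"; launched by its own on-disk copy {parent.image} (PID {parent.pid})"
        hits.append(Finding(e.pid, "python_onefile_unpack", "medium", note))

    # Pass 2: cmd.exe children; a token banner under an unpacked stage is the strongest link.
    for e in events:
        if ntpath.basename(e.image).lower() != "cmd.exe":
            continue
        if TOKEN_TITLE.search(e.cmdline):
            severity = "high" if e.ppid in stage2 else "medium"
            hits.append(Finding(e.pid, "token_grabber_console_title", severity, e.cmdline))
        elif RECON_CMD.search(e.cmdline) and e.ppid in stage2:
            hits.append(Finding(e.pid, "recon_via_cmd", "low", e.cmdline))

    rules = {h.rule for h in hits}
    if "python_onefile_unpack" in rules and "token_grabber_console_title" in rules:
        verdict = "likely python-based token stealer"
    elif hits:
        verdict = "suspicious"
    else:
        verdict = "no match"
    return {"stage2_pids": sorted(stage2), "hits": hits, "verdict": verdict}


# Constructed from the process table in this report (PIDs, images and command lines as
# listed there); the explorer.exe PID is invented because the report does not give it.
SAMPLE_EVENTS = [
    ProcEvent(1234, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(6268, 1234, r"C:\Users\admin\Desktop\vanish.exe", r'"C:\Users\admin\Desktop\vanish.exe"'),
    ProcEvent(6132, 6268, r"C:\Windows\System32\conhost.exe",
              r"\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcEvent(5512, 6268, r"C:\Users\admin\AppData\Local\Temp\onefile_6268_133928545958339019\vanish.exe",
              r'"C:\Users\admin\Desktop\vanish.exe"'),
    ProcEvent(3176, 5512, r"C:\Windows\System32\cmd.exe", r"C:\WINDOWS\system32\cmd.exe /c"),
    ProcEvent(5892, 5512, r"C:\Windows\System32\cmd.exe", r'C:\WINDOWS\system32\cmd.exe /c "ver"'),
    ProcEvent(6028, 5512, r"C:\Windows\System32\cmd.exe", r"C:\WINDOWS\system32\cmd.exe /c cls"),
    ProcEvent(6792, 5512, r"C:\Windows\System32\cmd.exe",
              r"C:\WINDOWS\system32\cmd.exe /c title Vanish - Loaded 0 Tokens - Made By Virtual"),
    ProcEvent(2800, 2196, r"C:\Windows\System32\slui.exe", r"C:\WINDOWS\System32\slui.exe -Embedding"),
]

if __name__ == "__main__":
    result = analyze(SAMPLE_EVENTS)
    print("verdict:", result["verdict"])
    for h in result["hits"]:
        print(f"  PID {h.pid:<5} {h.severity:<6} {h.rule}: {h.note}")
```

The unpack-directory rule on its own fires on every legitimately Nuitka- or PyInstaller-packaged tool, which is why it is scored medium and only promoted by a second, content-specific hit; in production the `title ... Tokens` banner would be one entry in a list of known grabber strings rather than a single regex.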
Total events: 6 618
Read events: 6 618
Write events: 0
Delete events: 0

Modification events: no data

Executable files: 37
Suspicious files: 598
Text files: 8
Unknown types: 0

Dropped files

All entries below were written by PID 6268 (vanish.exe) into C:\Users\admin\AppData\Local\Temp\onefile_6268_133928545958339019\.

Filename | Type | MD5 | SHA256
vanish.exe | not listed | not listed | not listed
_asyncio.pyd | executable | 511A52BCB0BD19EDA7AA980F96723C93 | D1FB700F280E7793E9B0DCA33310EF9CD08E9E0EC4F7416854DFFAF6F658A394
_bz2.pyd | executable | 4438AFFAAA0CA1DF5B9B1CDAA0115EC1 | EC91E2B4BACA31B992D016B84B70F110CE2B1B2DFD54F5E5BEF6270ED7D13B85
_ctypes.pyd | executable | 6114277C6FC040F68D25CA90E25924CD | F07FE92CE85F7786F96A4D59C6EE5C05FE1DB63A1889BA40A67E37069639B656
_lzma.pyd | executable | 737119A80303EF4ECCAA998D500E7640 | 7158C1290AC29169160B3EC94D9C8BCDE4012D67A555F325D44B418C54E2CC28
_decimal.pyd | executable | BE315973AFF9BDEB06629CD90E1A901F | 0F9C6CC463611A9B2C692382FE1CDD7A52FEA4733FFAF645D433F716F8BBD725
_hashlib.pyd | executable | 1524882AF71247ADECF5815A4E55366A | 6F7742DFDD371C39048D775F37DF3BC2D8D4316C9008E62347B337D64EBED327
_multiprocessing.pyd | executable | 2CA9FE51BF2EE9F56F633110A08B45CD | 1D6F1E7E9F55918967A37CBD744886C2B7EE193C5FB8F948132BA40B17119A81
_overlapped.pyd | executable | AC053EF737E4F13B02BFA81F9E46170B | CB68E10748E2EFD86F7495D647A2774CEA9F97AD5C6FE179F90DC1C467B9280F
_queue.pyd | executable | 8BBED19359892F8C95C802C6AD7598E9 | 4E5B7C653C1B3DC3FD7519E4F39CC8A2FB2746E0ECDC4E433FE6029F5F4D9065
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 4
TCP/UDP connections: 21
DNS requests: 7
Threats: 0

HTTP requests

PID | Process | Method | HTTP code | IP | URL | CN | Type | Size | Reputation   (- = not shown in the report)
1020 | RUXIMICS.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
1020 | RUXIMICS.exe | GET | 200 | 23.48.23.178:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
- | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted
- | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation   (- = not shown in the report)
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1020 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1020 | RUXIMICS.exe | 23.48.23.178:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1020 | RUXIMICS.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5512 | vanish.exe | 3.125.36.175:443 | vanishnet.netlify.app | AMAZON-02 | DE | malicious
6728 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
2800 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain | IP(s) | Reputation
settings-win.data.microsoft.com | 4.231.128.59 | whitelisted
google.com | 142.250.185.78 | whitelisted
crl.microsoft.com | 23.48.23.178, 23.48.23.167, 23.48.23.192, 23.48.23.193, 23.48.23.169, 23.48.23.173, 23.48.23.166, 23.48.23.181, 23.48.23.180 | whitelisted
www.microsoft.com | 184.30.21.171 | whitelisted
vanishnet.netlify.app | 3.125.36.175, 3.75.10.80 | malicious
activation-v2.sls.microsoft.com | 40.91.76.224 | whitelisted

Threats

No threats detected
No debug info