File name:

vanish.exe

Full analysis: https://app.any.run/tasks/ed8da92d-67a6-4a44-8901-cce34265f5d5
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: May 27, 2025, 21:23:05
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
trox
stealer
python
discordgrabber
generic
pyinstaller
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (console) x86-64, for MS Windows, 7 sections
MD5:

D881AD827C43A30707E52D1CC06CB67C

SHA1:

438F8B014A27A2C1AEA53D8D6C81472A24E40B15

SHA256:

C917F3782D0ACB5332D3C1131B9DF4785CD18B7CE6867EEB5637980846663CE6

SSDEEP:

196608:U8nXKoQRR+4OvyFhrTmWYSYBaTa4WfaOTcpPt/lRScsdw:VnXKoQf+44sFKTb4Wfa+QFbSc6

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • TROX has been detected

      • vanish.exe (PID: 6268)

    • DISCORDGRABBER has been detected (YARA)

      • vanish.exe (PID: 5512)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • vanish.exe (PID: 6268)

    • Process drops python dynamic module

      • vanish.exe (PID: 6268)

    • The process drops C-runtime libraries

      • vanish.exe (PID: 6268)

    • Process drops legitimate windows executable

      • vanish.exe (PID: 6268)

    • Loads Python modules

      • vanish.exe (PID: 5512)

    • Starts CMD.EXE for commands execution

      • vanish.exe (PID: 5512)

  • INFO

    • Checks supported languages

      • vanish.exe (PID: 6268)
      • vanish.exe (PID: 5512)

    • The sample compiled with english language support

      • vanish.exe (PID: 6268)

    • Checks operating system version

      • vanish.exe (PID: 5512)

    • Create files in a temporary directory

      • vanish.exe (PID: 6268)

    • Checks proxy server information

      • vanish.exe (PID: 5512)
      • slui.exe (PID: 2800)

    • PyInstaller has been detected (YARA)

      • vanish.exe (PID: 5512)

    • Reads the computer name

      • vanish.exe (PID: 5512)

    • Reads the software policy settings

      • slui.exe (PID: 2800)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:12:10 01:40:33+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.35
CodeSize: 127488
InitializedDataSize: 20585472
UninitializedDataSize: -
EntryPoint: 0xbbac
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows command line
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
130
Monitored processes
9
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #TROX vanish.exe conhost.exe no specs #DISCORDGRABBER vanish.exe cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs slui.exe svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
2196C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
2800C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
3176C:\WINDOWS\system32\cmd.exe /c C:\Windows\System32\cmd.exevanish.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
5512"C:\Users\admin\Desktop\vanish.exe" C:\Users\admin\AppData\Local\Temp\onefile_6268_133928545958339019\vanish.exe
vanish.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\appdata\local\temp\onefile_6268_133928545958339019\vanish.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\users\admin\appdata\local\temp\onefile_6268_133928545958339019\python311.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\version.dll
5892C:\WINDOWS\system32\cmd.exe /c "ver"C:\Windows\System32\cmd.exevanish.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
6028C:\WINDOWS\system32\cmd.exe /c clsC:\Windows\System32\cmd.exevanish.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
6132\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exevanish.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
6268"C:\Users\admin\Desktop\vanish.exe" C:\Users\admin\Desktop\vanish.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\vanish.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
6792C:\WINDOWS\system32\cmd.exe /c title Vanish - Loaded 0 Tokens - Made By VirtualC:\Windows\System32\cmd.exevanish.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
Total events
6 618
Read events
6 618
Write events
0
Delete events
0

Modification events

No data
Executable files
37
Suspicious files
598
Text files
8
Unknown types
0

Dropped files

PID
Process
Filename
Type
6268vanish.exeC:\Users\admin\AppData\Local\Temp\onefile_6268_133928545958339019\vanish.exe
MD5:
SHA256:
6268vanish.exeC:\Users\admin\AppData\Local\Temp\onefile_6268_133928545958339019\_asyncio.pydexecutable
MD5:511A52BCB0BD19EDA7AA980F96723C93
SHA256:D1FB700F280E7793E9B0DCA33310EF9CD08E9E0EC4F7416854DFFAF6F658A394
6268vanish.exeC:\Users\admin\AppData\Local\Temp\onefile_6268_133928545958339019\_cffi_backend.pydexecutable
MD5:FDE9A1D6590026A13E81712CD2F23522
SHA256:16ECCC4BAF6CF4AB72ACD53C72A1F2B04D952E07E385E9050A933E78074A7D5B
6268vanish.exeC:\Users\admin\AppData\Local\Temp\onefile_6268_133928545958339019\libssl-3.dllexecutable
MD5:64ACB046FE68D64EE475E19F67253A3C
SHA256:B21309ABD3DBBB1BF8FB6AA3C250FC85D7B0D9984BF4C942D1D4421502F31A10
6268vanish.exeC:\Users\admin\AppData\Local\Temp\onefile_6268_133928545958339019\_uuid.pydexecutable
MD5:4FAA479423C54D5BE2A103B46ECB4D04
SHA256:C2AD3C1B4333BC388B6A22049C89008505C434B1B85BFF0823B19EF0CF48065A
6268vanish.exeC:\Users\admin\AppData\Local\Temp\onefile_6268_133928545958339019\_lzma.pydexecutable
MD5:737119A80303EF4ECCAA998D500E7640
SHA256:7158C1290AC29169160B3EC94D9C8BCDE4012D67A555F325D44B418C54E2CC28
6268vanish.exeC:\Users\admin\AppData\Local\Temp\onefile_6268_133928545958339019\_hashlib.pydexecutable
MD5:1524882AF71247ADECF5815A4E55366A
SHA256:6F7742DFDD371C39048D775F37DF3BC2D8D4316C9008E62347B337D64EBED327
6268vanish.exeC:\Users\admin\AppData\Local\Temp\onefile_6268_133928545958339019\_decimal.pydexecutable
MD5:BE315973AFF9BDEB06629CD90E1A901F
SHA256:0F9C6CC463611A9B2C692382FE1CDD7A52FEA4733FFAF645D433F716F8BBD725
6268vanish.exeC:\Users\admin\AppData\Local\Temp\onefile_6268_133928545958339019\_multiprocessing.pydexecutable
MD5:2CA9FE51BF2EE9F56F633110A08B45CD
SHA256:1D6F1E7E9F55918967A37CBD744886C2B7EE193C5FB8F948132BA40B17119A81
6268vanish.exeC:\Users\admin\AppData\Local\Temp\onefile_6268_133928545958339019\_queue.pydexecutable
MD5:8BBED19359892F8C95C802C6AD7598E9
SHA256:4E5B7C653C1B3DC3FD7519E4F39CC8A2FB2746E0ECDC4E433FE6029F5F4D9065
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
21
DNS requests
7
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1020
RUXIMICS.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1020
RUXIMICS.exe
GET
200
23.48.23.178:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
POST
500
40.91.76.224:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
whitelisted
POST
500
40.91.76.224:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
1020
RUXIMICS.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
1020
RUXIMICS.exe
23.48.23.178:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
1020
RUXIMICS.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
5512
vanish.exe
3.125.36.175:443
vanishnet.netlify.app
AMAZON-02
DE
malicious
6728
slui.exe
40.91.76.224:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
2800
slui.exe
40.91.76.224:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
whitelisted
google.com
  • 142.250.185.78
whitelisted
crl.microsoft.com
  • 23.48.23.178
  • 23.48.23.167
  • 23.48.23.192
  • 23.48.23.193
  • 23.48.23.169
  • 23.48.23.173
  • 23.48.23.166
  • 23.48.23.181
  • 23.48.23.180
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
vanishnet.netlify.app
  • 3.125.36.175
  • 3.75.10.80
malicious
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
vanish.exe