File name:

Mantas.exe

Full analysis: https://app.any.run/tasks/1d5999e5-caf2-4ec0-b6b8-873a2833c2dd
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: May 16, 2025, 16:40:46
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
stealer
auto-reg
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed, 3 sections
MD5:

53F25F98742C5114EEC23C6487AF624C

SHA1:

671AF46401450D6ED9C0904402391640A1BDDCC2

SHA256:

7B5DEC6A48EE2114C3056F4CCB6935F3E7418EF0B0BC4A58931F2C80FC94D705

SSDEEP:

768:rz4RBkfbi/FG9Of8Ejex0a6zALVlXt32KtYFPYA3HxAnIIGSEsuB:4Ciw9a8EG05zMt3jKYA3xAYnsw

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes the autorun value in the registry

      • Mantas.exe (PID: 7424)

    • Actions looks like stealing of personal data

      • Mantas.exe (PID: 7424)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • Mantas.exe (PID: 7424)

    • The process creates files with name similar to system file names

      • Mantas.exe (PID: 7424)

  • INFO

    • Checks supported languages

      • Mantas.exe (PID: 7424)

    • Failed to create an executable file in Windows directory

      • Mantas.exe (PID: 7424)

    • Auto-launch of the file from Registry key

      • Mantas.exe (PID: 7424)

    • Checks proxy server information

      • slui.exe (PID: 7936)

    • Reads the software policy settings

      • slui.exe (PID: 7936)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | UPX compressed Win32 Executable (39.3)
.exe | Win32 EXE Yoda's Crypter (38.6)
.dll | Win32 Dynamic Link Library (generic) (9.5)
.exe | Win32 Executable (generic) (6.5)
.exe | Generic Win/DOS Executable (2.9)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2003:09:21 22:37:22+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 40960
InitializedDataSize: 4096
UninitializedDataSize: 28672
EntryPoint: 0x114e0
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
127
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start mantas.exe slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
7424"C:\Users\admin\Desktop\Mantas.exe" C:\Users\admin\Desktop\Mantas.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\mantas.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
7936C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
3 375
Read events
3 374
Write events
1
Delete events
0

Modification events

(PID) Process:(7424) Mantas.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:Windows Manager
Value:
C:\WINDOWS\system32\winmants.exe
Executable files
202
Suspicious files
0
Text files
30
Unknown types
0

Dropped files

PID
Process
Filename
Type
7424Mantas.exeC:\Users\admin\Documents\child porn.jpgimage
MD5:58B1840B979AE31F23AA8EB3594D5C17
SHA256:B2BB460AA299C6064E7FC947BFF314E0F915C6EE6F8F700007129E3B6A314F47
7424Mantas.exeC:\Users\admin\Documents\blowjob.jpgimage
MD5:58B1840B979AE31F23AA8EB3594D5C17
SHA256:B2BB460AA299C6064E7FC947BFF314E0F915C6EE6F8F700007129E3B6A314F47
7424Mantas.exeC:\Users\admin\Documents\teen sex.jpgimage
MD5:58B1840B979AE31F23AA8EB3594D5C17
SHA256:B2BB460AA299C6064E7FC947BFF314E0F915C6EE6F8F700007129E3B6A314F47
7424Mantas.exeC:\Users\admin\Documents\anal sex.jpgimage
MD5:58B1840B979AE31F23AA8EB3594D5C17
SHA256:B2BB460AA299C6064E7FC947BFF314E0F915C6EE6F8F700007129E3B6A314F47
7424Mantas.exeC:\Users\admin\Documents\bondage.jpgimage
MD5:58B1840B979AE31F23AA8EB3594D5C17
SHA256:B2BB460AA299C6064E7FC947BFF314E0F915C6EE6F8F700007129E3B6A314F47
7424Mantas.exeC:\Users\admin\Documents\cumshot.jpgimage
MD5:58B1840B979AE31F23AA8EB3594D5C17
SHA256:B2BB460AA299C6064E7FC947BFF314E0F915C6EE6F8F700007129E3B6A314F47
7424Mantas.exeC:\Users\admin\Documents\teen .screxecutable
MD5:53F25F98742C5114EEC23C6487AF624C
SHA256:7B5DEC6A48EE2114C3056F4CCB6935F3E7418EF0B0BC4A58931F2C80FC94D705
7424Mantas.exeC:\Users\admin\Documents\ilikeyou.jpgimage
MD5:58B1840B979AE31F23AA8EB3594D5C17
SHA256:B2BB460AA299C6064E7FC947BFF314E0F915C6EE6F8F700007129E3B6A314F47
7424Mantas.exeC:\Users\admin\Documents\mantas.exeexecutable
MD5:53F25F98742C5114EEC23C6487AF624C
SHA256:7B5DEC6A48EE2114C3056F4CCB6935F3E7418EF0B0BC4A58931F2C80FC94D705
7424Mantas.exeC:\Users\admin\Documents\keygen.exeexecutable
MD5:53F25F98742C5114EEC23C6487AF624C
SHA256:7B5DEC6A48EE2114C3056F4CCB6935F3E7418EF0B0BC4A58931F2C80FC94D705
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
47
DNS requests
17
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4996
RUXIMICS.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4996
RUXIMICS.exe
GET
200
23.48.23.148:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
7736
SIHClient.exe
GET
200
104.119.109.218:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
7736
SIHClient.exe
GET
200
2.19.11.120:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
7736
SIHClient.exe
GET
200
104.119.109.218:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
7736
SIHClient.exe
GET
200
2.19.11.120:80
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
unknown
whitelisted
7736
SIHClient.exe
GET
200
104.119.109.218:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
7736
SIHClient.exe
GET
200
104.119.109.218:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
7736
SIHClient.exe
GET
200
104.119.109.218:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
4996
RUXIMICS.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
40.126.31.131:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
172.211.123.250:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
6544
svchost.exe
40.126.31.131:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4996
RUXIMICS.exe
23.48.23.148:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4996
RUXIMICS.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
3216
svchost.exe
172.211.123.250:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 40.127.240.158
whitelisted
login.live.com
  • 40.126.31.131
  • 20.190.159.131
  • 20.190.159.68
  • 20.190.159.128
  • 40.126.31.67
  • 40.126.31.129
  • 20.190.159.130
  • 40.126.31.1
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
google.com
  • 142.250.186.78
whitelisted
crl.microsoft.com
  • 23.48.23.148
  • 23.48.23.135
  • 23.48.23.146
  • 23.48.23.156
  • 23.48.23.143
  • 23.48.23.147
  • 23.48.23.140
  • 23.48.23.158
  • 23.48.23.155
  • 2.19.11.120
  • 2.19.11.105
whitelisted
www.microsoft.com
  • 23.35.229.160
  • 104.119.109.218
whitelisted
slscr.update.microsoft.com
  • 172.202.163.200
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.85.23.206
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
nexusrules.officeapps.live.com
  • 52.111.227.14
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Mantas.exe