| File name: | StoneMilitiaV3.exe |
| Full analysis: | https://app.any.run/tasks/9a513995-0a24-4138-b992-2244389ae826 |
| Verdict: | Malicious activity |
| Analysis date: | July 06, 2025, 03:35:56 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32+ executable (console) x86-64, for MS Windows, 7 sections |
| MD5: | 01D38EAD8D26A0BBE4CDE10C4216F672 |
| SHA1: | 83EF5EF68829224052D21F800CEC3970F52998A0 |
| SHA256: | 383298736AEC6E4F9E6252D19ACE1E7784BDA2A28A8B09782A9992B2FF5E1E4C |
| SSDEEP: | 98304:2D/lUVhu8MhH3VWjtKxgvb9RvOYVAYwVf9TtYw9pk9dbXtpEKLuIgqNT9iaadc5U:rvI4JYK3pIwfDbro49 |
MALICIOUS
No malicious indicators.SUSPICIOUS
Process drops python dynamic module
- StoneMilitiaV3.exe (PID: 3392)
The process drops C-runtime libraries
- StoneMilitiaV3.exe (PID: 3392)
Process drops legitimate windows executable
- StoneMilitiaV3.exe (PID: 3392)
Application launched itself
- StoneMilitiaV3.exe (PID: 3392)
Loads Python modules
- StoneMilitiaV3.exe (PID: 4044)
Executable content was dropped or overwritten
- StoneMilitiaV3.exe (PID: 3392)
INFO
Checks supported languages
- StoneMilitiaV3.exe (PID: 3392)
- StoneMilitiaV3.exe (PID: 4044)
The sample compiled with english language support
- StoneMilitiaV3.exe (PID: 3392)
Reads the software policy settings
- slui.exe (PID: 5780)
Reads the computer name
- StoneMilitiaV3.exe (PID: 3392)
Checks proxy server information
- slui.exe (PID: 5780)
Create files in a temporary directory
- StoneMilitiaV3.exe (PID: 3392)
Reads the machine GUID from the registry
- StoneMilitiaV3.exe (PID: 4044)
PyInstaller has been detected (YARA)
- StoneMilitiaV3.exe (PID: 3392)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | InstallShield setup (57.6) |
|---|---|---|
| .exe | | | Win64 Executable (generic) (36.9) |
| .exe | | | Generic Win/DOS Executable (2.6) |
| .exe | | | DOS Executable Generic (2.6) |
EXIF
EXE
| MachineType: | AMD AMD64 |
|---|---|
| TimeStamp: | 2025:07:06 03:22:24+00:00 |
| ImageFileCharacteristics: | Executable, Large address aware |
| PEType: | PE32+ |
| LinkerVersion: | 14.43 |
| CodeSize: | 179712 |
| InitializedDataSize: | 155136 |
| UninitializedDataSize: | - |
| EntryPoint: | 0xc650 |
| OSVersion: | 6 |
| ImageVersion: | - |
| SubsystemVersion: | 6 |
| Subsystem: | Windows command line |
Total processes
136
Monitored processes
4
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2732 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | StoneMilitiaV3.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3392 | "C:\Users\admin\Desktop\StoneMilitiaV3.exe" | C:\Users\admin\Desktop\StoneMilitiaV3.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 1 Modules
| |||||||||||||||
| 4044 | "C:\Users\admin\Desktop\StoneMilitiaV3.exe" | C:\Users\admin\Desktop\StoneMilitiaV3.exe | — | StoneMilitiaV3.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 1 Modules
| |||||||||||||||
| 5780 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
3 560
Read events
3 560
Write events
0
Delete events
0
Modification events
Executable files
56
Suspicious files
3
Text files
920
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3392 | StoneMilitiaV3.exe | C:\Users\admin\AppData\Local\Temp\_MEI33922\VCRUNTIME140.dll | executable | |
MD5:F34EB034AA4A9735218686590CBA2E8B | SHA256:9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1 | |||
| 3392 | StoneMilitiaV3.exe | C:\Users\admin\AppData\Local\Temp\_MEI33922\_decimal.pyd | executable | |
MD5:20C77203DDF9FF2FF96D6D11DEA2EDCF | SHA256:9AAC010A424C757C434C460C3C0A6515D7720966AB64BAD667539282A17B4133 | |||
| 3392 | StoneMilitiaV3.exe | C:\Users\admin\AppData\Local\Temp\_MEI33922\_tcl_data\auto.tcl | text | |
MD5:08EDF746B4A088CB4185C165177BD604 | SHA256:517204EE436D08EFC287ABC97433C3BFFCAF42EC6592A3009B9FD3B985AD772C | |||
| 3392 | StoneMilitiaV3.exe | C:\Users\admin\AppData\Local\Temp\_MEI33922\_lzma.pyd | executable | |
MD5:7447EFD8D71E8A1929BE0FAC722B42DC | SHA256:60793C8592193CFBD00FD3E5263BE4315D650BA4F9E4FDA9C45A10642FD998BE | |||
| 3392 | StoneMilitiaV3.exe | C:\Users\admin\AppData\Local\Temp\_MEI33922\_hashlib.pyd | executable | |
MD5:D4674750C732F0DB4C4DD6A83A9124FE | SHA256:CAA4D2F8795E9A55E128409CC016E2CC5C694CB026D7058FC561E4DD131ED1C9 | |||
| 3392 | StoneMilitiaV3.exe | C:\Users\admin\AppData\Local\Temp\_MEI33922\_tcl_data\encoding\cns11643.enc | text | |
MD5:B6A7C59E6A48D91CC2DBCB2BBA7E4510 | SHA256:8924545CC92584169138AADB64683C07BBF846A57014C2E668D23B63F43F3610 | |||
| 3392 | StoneMilitiaV3.exe | C:\Users\admin\AppData\Local\Temp\_MEI33922\_tcl_data\encoding\cp1257.enc | text | |
MD5:CC3D24543FDD4644BBBD4AAB30CA71BC | SHA256:C15AB85438728BF2C60D72B1A66AF80E8B1CE3CF5EB08BA6421FF1B2F73ACDF4 | |||
| 3392 | StoneMilitiaV3.exe | C:\Users\admin\AppData\Local\Temp\_MEI33922\_tcl_data\clock.tcl | text | |
MD5:88BB44A1364147FDD80F9FD78FBCEF61 | SHA256:1947F8B188AB4AB6AA72EA68A58D2D9ADD0894FDF320F6B074EAE0F198368FB7 | |||
| 3392 | StoneMilitiaV3.exe | C:\Users\admin\AppData\Local\Temp\_MEI33922\_tcl_data\encoding\cp1250.enc | text | |
MD5:9568EDE60D3F917F1671F5A625A801C4 | SHA256:E2991A6F7A7A4D8D3C4C97947298FD5BACB3EAA2F898CEE17F5E21A9861B9626 | |||
| 3392 | StoneMilitiaV3.exe | C:\Users\admin\AppData\Local\Temp\_MEI33922\_tcl_data\encoding\cp1254.enc | text | |
MD5:5FA9162BEC5A4DEA97B5EA2840CFB065 | SHA256:31639CA96A4D3602D59BD012540FE179917E0561CB11A0D0B61F1B950EB76911 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
32
TCP/UDP connections
42
DNS requests
20
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
6368 | RUXIMICS.exe | GET | 200 | 2.20.245.137:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 825 b | whitelisted |
5944 | MoUsoCoreWorker.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | QA | binary | 814 b | whitelisted |
6368 | RUXIMICS.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | QA | binary | 814 b | whitelisted |
5944 | MoUsoCoreWorker.exe | GET | 200 | 2.20.245.137:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 825 b | whitelisted |
— | — | POST | 400 | 20.190.160.128:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | US | text | 203 b | whitelisted |
— | — | POST | 400 | 20.190.160.131:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | US | text | 203 b | whitelisted |
1268 | svchost.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | QA | binary | 814 b | whitelisted |
— | — | POST | 200 | 20.190.160.128:443 | https://login.live.com/RST2.srf | US | xml | 1.24 Kb | whitelisted |
— | — | GET | 304 | 172.202.163.200:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | GB | — | — | unknown |
— | — | POST | 200 | 40.126.32.140:443 | https://login.live.com/RST2.srf | US | xml | 10.2 Kb | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
5944 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
1268 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
6368 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
5944 | MoUsoCoreWorker.exe | 2.20.245.137:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted |
6368 | RUXIMICS.exe | 2.20.245.137:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted |
1268 | svchost.exe | 2.20.245.137:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted |
5944 | MoUsoCoreWorker.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted |
6368 | RUXIMICS.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
login.live.com |
| whitelisted |
nexusrules.officeapps.live.com |
| whitelisted |
slscr.update.microsoft.com |
| whitelisted |
client.wns.windows.com |
| whitelisted |
fe3cr.delivery.mp.microsoft.com |
| whitelisted |
activation-v2.sls.microsoft.com |
| whitelisted |