File name:

StoneMilitiaV3.exe

Full analysis: https://app.any.run/tasks/9a513995-0a24-4138-b992-2244389ae826
Verdict: Malicious activity
Analysis date: July 06, 2025, 03:35:56
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
pyinstaller
python
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (console) x86-64, for MS Windows, 7 sections
MD5:

01D38EAD8D26A0BBE4CDE10C4216F672

SHA1:

83EF5EF68829224052D21F800CEC3970F52998A0

SHA256:

383298736AEC6E4F9E6252D19ACE1E7784BDA2A28A8B09782A9992B2FF5E1E4C

SSDEEP:

98304:2D/lUVhu8MhH3VWjtKxgvb9RvOYVAYwVf9TtYw9pk9dbXtpEKLuIgqNT9iaadc5U:rvI4JYK3pIwfDbro49

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Process drops python dynamic module

      • StoneMilitiaV3.exe (PID: 3392)

    • The process drops C-runtime libraries

      • StoneMilitiaV3.exe (PID: 3392)

    • Executable content was dropped or overwritten

      • StoneMilitiaV3.exe (PID: 3392)

    • Process drops legitimate windows executable

      • StoneMilitiaV3.exe (PID: 3392)

    • Application launched itself

      • StoneMilitiaV3.exe (PID: 3392)

    • Loads Python modules

      • StoneMilitiaV3.exe (PID: 4044)

  • INFO

    • Checks supported languages

      • StoneMilitiaV3.exe (PID: 3392)
      • StoneMilitiaV3.exe (PID: 4044)

    • Reads the computer name

      • StoneMilitiaV3.exe (PID: 3392)

    • The sample compiled with english language support

      • StoneMilitiaV3.exe (PID: 3392)

    • Create files in a temporary directory

      • StoneMilitiaV3.exe (PID: 3392)

    • PyInstaller has been detected (YARA)

      • StoneMilitiaV3.exe (PID: 3392)

    • Reads the machine GUID from the registry

      • StoneMilitiaV3.exe (PID: 4044)

    • Checks proxy server information

      • slui.exe (PID: 5780)

    • Reads the software policy settings

      • slui.exe (PID: 5780)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | InstallShield setup (57.6)
.exe | Win64 Executable (generic) (36.9)
.exe | Generic Win/DOS Executable (2.6)
.exe | DOS Executable Generic (2.6)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:07:06 03:22:24+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.43
CodeSize: 179712
InitializedDataSize: 155136
UninitializedDataSize: -
EntryPoint: 0xc650
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows command line
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
136
Monitored processes
4
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start stonemilitiav3.exe conhost.exe no specs stonemilitiav3.exe no specs slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
2732\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeStoneMilitiaV3.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3392"C:\Users\admin\Desktop\StoneMilitiaV3.exe" C:\Users\admin\Desktop\StoneMilitiaV3.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
1
Modules
Images
c:\users\admin\desktop\stonemilitiav3.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
4044"C:\Users\admin\Desktop\StoneMilitiaV3.exe" C:\Users\admin\Desktop\StoneMilitiaV3.exeStoneMilitiaV3.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
1
Modules
Images
c:\users\admin\desktop\stonemilitiav3.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
5780C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
3 560
Read events
3 560
Write events
0
Delete events
0

Modification events

No data
Executable files
56
Suspicious files
3
Text files
920
Unknown types
0

Dropped files

PID
Process
Filename
Type
3392StoneMilitiaV3.exeC:\Users\admin\AppData\Local\Temp\_MEI33922\_tcl_data\encoding\cp1252.enctext
MD5:E9117326C06FEE02C478027CB625C7D8
SHA256:741859CF238C3A63BBB20EC6ED51E46451372BB221CFFF438297D261D0561C2E
3392StoneMilitiaV3.exeC:\Users\admin\AppData\Local\Temp\_MEI33922\_hashlib.pydexecutable
MD5:D4674750C732F0DB4C4DD6A83A9124FE
SHA256:CAA4D2F8795E9A55E128409CC016E2CC5C694CB026D7058FC561E4DD131ED1C9
3392StoneMilitiaV3.exeC:\Users\admin\AppData\Local\Temp\_MEI33922\_socket.pydexecutable
MD5:819166054FEC07EFCD1062F13C2147EE
SHA256:E6DEB751039CD5424A139708475CE83F9C042D43E650765A716CB4A924B07E4F
3392StoneMilitiaV3.exeC:\Users\admin\AppData\Local\Temp\_MEI33922\_bz2.pydexecutable
MD5:86D1B2A9070CD7D52124126A357FF067
SHA256:62173A8FADD4BF4DD71AB89EA718754AA31620244372F0C5BBBAE102E641A60E
3392StoneMilitiaV3.exeC:\Users\admin\AppData\Local\Temp\_MEI33922\_tcl_data\encoding\cns11643.enctext
MD5:B6A7C59E6A48D91CC2DBCB2BBA7E4510
SHA256:8924545CC92584169138AADB64683C07BBF846A57014C2E668D23B63F43F3610
3392StoneMilitiaV3.exeC:\Users\admin\AppData\Local\Temp\_MEI33922\_tcl_data\auto.tcltext
MD5:08EDF746B4A088CB4185C165177BD604
SHA256:517204EE436D08EFC287ABC97433C3BFFCAF42EC6592A3009B9FD3B985AD772C
3392StoneMilitiaV3.exeC:\Users\admin\AppData\Local\Temp\_MEI33922\_tcl_data\clock.tcltext
MD5:88BB44A1364147FDD80F9FD78FBCEF61
SHA256:1947F8B188AB4AB6AA72EA68A58D2D9ADD0894FDF320F6B074EAE0F198368FB7
3392StoneMilitiaV3.exeC:\Users\admin\AppData\Local\Temp\_MEI33922\_tcl_data\encoding\ascii.enctext
MD5:9E3A454FA480E9A99D2D5ACDAA775233
SHA256:FB87BF197F4F485B08EA81F7534BC07D9C3A538D022424BE11011A1FE3C413FD
3392StoneMilitiaV3.exeC:\Users\admin\AppData\Local\Temp\_MEI33922\_tcl_data\encoding\big5.enctext
MD5:41A874778111CC218BD421CF9C795EC2
SHA256:AD1ED201B69855BFD353BF969DFC55576DA35A963ABF1BF7FC6D8B5142A61A61
3392StoneMilitiaV3.exeC:\Users\admin\AppData\Local\Temp\_MEI33922\_tcl_data\encoding\cp1251.enctext
MD5:83DAF47FD1F87B7B1E9E086F14C39E5B
SHA256:0AA66DFF8A7AE570FEE83A803F8F5391D9F0C9BD6311796592D9B6E8E36BE6FC
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
32
TCP/UDP connections
42
DNS requests
20
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6368
RUXIMICS.exe
GET
200
2.20.245.137:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5944
MoUsoCoreWorker.exe
GET
200
2.20.245.137:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1268
svchost.exe
GET
200
2.20.245.137:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5944
MoUsoCoreWorker.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6368
RUXIMICS.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1268
svchost.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
POST
200
20.190.160.128:443
https://login.live.com/RST2.srf
unknown
xml
1.24 Kb
whitelisted
POST
400
20.190.160.128:443
https://login.live.com/ppsecure/deviceaddcredential.srf
unknown
text
203 b
whitelisted
POST
200
40.126.32.136:443
https://login.live.com/RST2.srf
unknown
xml
11.0 Kb
whitelisted
6756
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
5944
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
1268
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6368
RUXIMICS.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
5944
MoUsoCoreWorker.exe
2.20.245.137:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
6368
RUXIMICS.exe
2.20.245.137:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
1268
svchost.exe
2.20.245.137:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
5944
MoUsoCoreWorker.exe
2.23.246.101:80
www.microsoft.com
Ooredoo Q.S.C.
QA
whitelisted
6368
RUXIMICS.exe
2.23.246.101:80
www.microsoft.com
Ooredoo Q.S.C.
QA
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 40.127.240.158
whitelisted
google.com
  • 172.217.18.14
whitelisted
crl.microsoft.com
  • 2.20.245.137
  • 2.20.245.139
whitelisted
www.microsoft.com
  • 2.23.246.101
  • 95.101.149.131
whitelisted
login.live.com
  • 20.190.160.14
  • 20.190.160.17
  • 20.190.160.22
  • 20.190.160.131
  • 20.190.160.132
  • 40.126.32.133
  • 40.126.32.136
  • 20.190.160.66
whitelisted
nexusrules.officeapps.live.com
  • 52.111.243.31
whitelisted
slscr.update.microsoft.com
  • 52.149.20.212
whitelisted
client.wns.windows.com
  • 172.211.123.249
  • 172.211.123.250
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.3.187.198
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
StoneMilitiaV3.exe