File name:

StoneMilitiaV3.exe

Full analysis: https://app.any.run/tasks/83648ad6-5c98-43f7-aeee-783d57f9a564
Verdict: Malicious activity
Analysis date: July 06, 2025, 00:16:31
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
pyinstaller
python
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (console) x86-64, for MS Windows, 7 sections
MD5:

8C71E3A9606FDDF101771CA4755F2007

SHA1:

8001C58B95C66BE7C84B8821385E0822446C1ED0

SHA256:

AEA357BF06FCD6675CE3CAADD8D2151426C61C33A3BBD47DD71C416165DDCFB4

SSDEEP:

98304:LD/lU46u8MhHmOVWjtKxgJpNHb9RvOYVAYwVf9TtYw9pk9dbXtpEKLuIgqNT9iay:SpI4xYCB3pIwfDbro49

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • The process drops C-runtime libraries

      • StoneMilitiaV3.exe (PID: 5724)

    • Process drops python dynamic module

      • StoneMilitiaV3.exe (PID: 5724)

    • Process drops legitimate windows executable

      • StoneMilitiaV3.exe (PID: 5724)

    • Application launched itself

      • StoneMilitiaV3.exe (PID: 5724)

    • Executable content was dropped or overwritten

      • StoneMilitiaV3.exe (PID: 5724)

    • Loads Python modules

      • StoneMilitiaV3.exe (PID: 5372)

    • There is functionality for taking screenshot (YARA)

      • StoneMilitiaV3.exe (PID: 5372)

  • INFO

    • PyInstaller has been detected (YARA)

      • StoneMilitiaV3.exe (PID: 5724)
      • StoneMilitiaV3.exe (PID: 5372)

    • The sample compiled with english language support

      • StoneMilitiaV3.exe (PID: 5724)

    • Reads the computer name

      • StoneMilitiaV3.exe (PID: 5724)
      • StoneMilitiaV3.exe (PID: 5372)

    • Checks supported languages

      • StoneMilitiaV3.exe (PID: 5724)
      • StoneMilitiaV3.exe (PID: 5372)

    • Create files in a temporary directory

      • StoneMilitiaV3.exe (PID: 5724)

    • Reads the machine GUID from the registry

      • StoneMilitiaV3.exe (PID: 5372)

    • Reads the software policy settings

      • slui.exe (PID: 3960)

    • Checks proxy server information

      • slui.exe (PID: 3960)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | InstallShield setup (57.6)
.exe | Win64 Executable (generic) (36.9)
.exe | Generic Win/DOS Executable (2.6)
.exe | DOS Executable Generic (2.6)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:07:06 00:06:21+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.43
CodeSize: 179712
InitializedDataSize: 155136
UninitializedDataSize: -
EntryPoint: 0xc650
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows command line
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
135
Monitored processes
4
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start stonemilitiav3.exe conhost.exe no specs stonemilitiav3.exe slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
3960C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
4512\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeStoneMilitiaV3.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
5372"C:\Users\admin\Desktop\StoneMilitiaV3.exe" C:\Users\admin\Desktop\StoneMilitiaV3.exe
StoneMilitiaV3.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\stonemilitiav3.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
5724"C:\Users\admin\Desktop\StoneMilitiaV3.exe" C:\Users\admin\Desktop\StoneMilitiaV3.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\stonemilitiav3.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
Total events
3 719
Read events
3 719
Write events
0
Delete events
0

Modification events

No data
Executable files
64
Suspicious files
3
Text files
920
Unknown types
0

Dropped files

PID
Process
Filename
Type
5724StoneMilitiaV3.exeC:\Users\admin\AppData\Local\Temp\_MEI57242\_socket.pydexecutable
MD5:819166054FEC07EFCD1062F13C2147EE
SHA256:E6DEB751039CD5424A139708475CE83F9C042D43E650765A716CB4A924B07E4F
5724StoneMilitiaV3.exeC:\Users\admin\AppData\Local\Temp\_MEI57242\VCRUNTIME140.dllexecutable
MD5:F34EB034AA4A9735218686590CBA2E8B
SHA256:9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1
5724StoneMilitiaV3.exeC:\Users\admin\AppData\Local\Temp\_MEI57242\_tcl_data\encoding\big5.enctext
MD5:41A874778111CC218BD421CF9C795EC2
SHA256:AD1ED201B69855BFD353BF969DFC55576DA35A963ABF1BF7FC6D8B5142A61A61
5724StoneMilitiaV3.exeC:\Users\admin\AppData\Local\Temp\_MEI57242\_decimal.pydexecutable
MD5:20C77203DDF9FF2FF96D6D11DEA2EDCF
SHA256:9AAC010A424C757C434C460C3C0A6515D7720966AB64BAD667539282A17B4133
5724StoneMilitiaV3.exeC:\Users\admin\AppData\Local\Temp\_MEI57242\_tcl_data\encoding\cp1253.enctext
MD5:441B86A0DE77F25C91DF1CD4685F651D
SHA256:5B8D47451F847C1BDE12CACA3739CA29860553C0B6399EE990D51B26F9A69722
5724StoneMilitiaV3.exeC:\Users\admin\AppData\Local\Temp\_MEI57242\_ctypes.pydexecutable
MD5:1635A0C5A72DF5AE64072CBB0065AEBE
SHA256:1EA3DD3DF393FA9B27BF6595BE4AC859064CD8EF9908A12378A6021BBA1CB177
5724StoneMilitiaV3.exeC:\Users\admin\AppData\Local\Temp\_MEI57242\_lzma.pydexecutable
MD5:7447EFD8D71E8A1929BE0FAC722B42DC
SHA256:60793C8592193CFBD00FD3E5263BE4315D650BA4F9E4FDA9C45A10642FD998BE
5724StoneMilitiaV3.exeC:\Users\admin\AppData\Local\Temp\_MEI57242\_queue.pydexecutable
MD5:D8C1B81BBC125B6AD1F48A172181336E
SHA256:925F05255F4AAE0997DC4EC94D900FD15950FD840685D5B8AA755427C7422B14
5724StoneMilitiaV3.exeC:\Users\admin\AppData\Local\Temp\_MEI57242\_tcl_data\encoding\cp1251.enctext
MD5:83DAF47FD1F87B7B1E9E086F14C39E5B
SHA256:0AA66DFF8A7AE570FEE83A803F8F5391D9F0C9BD6311796592D9B6E8E36BE6FC
5724StoneMilitiaV3.exeC:\Users\admin\AppData\Local\Temp\_MEI57242\_tcl_data\clock.tcltext
MD5:88BB44A1364147FDD80F9FD78FBCEF61
SHA256:1947F8B188AB4AB6AA72EA68A58D2D9ADD0894FDF320F6B074EAE0F198368FB7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
24
DNS requests
8
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2320
RUXIMICS.exe
GET
200
2.20.245.136:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5944
MoUsoCoreWorker.exe
GET
200
2.20.245.136:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5944
MoUsoCoreWorker.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
2320
RUXIMICS.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
POST
500
40.91.76.224:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
whitelisted
POST
500
13.77.207.86:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
whitelisted
1268
svchost.exe
GET
200
2.20.245.136:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1268
svchost.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
1268
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5944
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2320
RUXIMICS.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
5944
MoUsoCoreWorker.exe
2.20.245.136:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
1268
svchost.exe
2.20.245.136:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
2320
RUXIMICS.exe
2.20.245.136:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
1268
svchost.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
5944
MoUsoCoreWorker.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 40.127.240.158
whitelisted
google.com
  • 142.250.186.78
whitelisted
crl.microsoft.com
  • 2.20.245.136
  • 2.20.245.139
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
activation-v2.sls.microsoft.com
  • 13.77.207.86
  • 40.91.76.224
whitelisted
self.events.data.microsoft.com
  • 20.189.173.15
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
StoneMilitiaV3.exe