| File name: | StoneMilitiaV3.exe |
| Full analysis: | https://app.any.run/tasks/eeea4e11-373f-4bde-ae69-f32c13538f97 |
| Verdict: | Malicious activity |
| Analysis date: | July 05, 2025, 22:56:08 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32+ executable (console) x86-64, for MS Windows, 7 sections |
| MD5: | 41C33F556823E75B6603A4BB946063A6 |
| SHA1: | 714A3BE4C71B077657FE2B0CB937788FDAAFA92C |
| SHA256: | CEBCDB8FE56DAFB55F565BE02B99889CEE2964EEFF674521CEEE18ECF948F019 |
| SSDEEP: | 98304:OD/lV77gok2xumzy72mUb9RvOYVAYwVf9TtYw9pk9dbXtpEKLuIgqNT9iaadc5QC:AI4YJEEZ5KAA49G/150 |
MALICIOUS
No malicious indicators.SUSPICIOUS
Process drops legitimate windows executable
- StoneMilitiaV3.exe (PID: 6852)
The process drops C-runtime libraries
- StoneMilitiaV3.exe (PID: 6852)
Process drops python dynamic module
- StoneMilitiaV3.exe (PID: 6852)
Executable content was dropped or overwritten
- StoneMilitiaV3.exe (PID: 6852)
Application launched itself
- StoneMilitiaV3.exe (PID: 6852)
Loads Python modules
- StoneMilitiaV3.exe (PID: 1052)
INFO
Checks supported languages
- StoneMilitiaV3.exe (PID: 6852)
- StoneMilitiaV3.exe (PID: 1052)
Reads the computer name
- StoneMilitiaV3.exe (PID: 6852)
The sample compiled with english language support
- StoneMilitiaV3.exe (PID: 6852)
Create files in a temporary directory
- StoneMilitiaV3.exe (PID: 6852)
PyInstaller has been detected (YARA)
- StoneMilitiaV3.exe (PID: 6852)
Checks proxy server information
- slui.exe (PID: 3864)
Reads the software policy settings
- slui.exe (PID: 3864)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | InstallShield setup (57.6) |
|---|---|---|
| .exe | | | Win64 Executable (generic) (36.9) |
| .exe | | | Generic Win/DOS Executable (2.6) |
| .exe | | | DOS Executable Generic (2.6) |
EXIF
EXE
| MachineType: | AMD AMD64 |
|---|---|
| TimeStamp: | 2025:07:05 22:49:13+00:00 |
| ImageFileCharacteristics: | Executable, Large address aware |
| PEType: | PE32+ |
| LinkerVersion: | 14.43 |
| CodeSize: | 179712 |
| InitializedDataSize: | 155136 |
| UninitializedDataSize: | - |
| EntryPoint: | 0xc650 |
| OSVersion: | 6 |
| ImageVersion: | - |
| SubsystemVersion: | 6 |
| Subsystem: | Windows command line |
Total processes
135
Monitored processes
4
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1052 | "C:\Users\admin\Desktop\StoneMilitiaV3.exe" | C:\Users\admin\Desktop\StoneMilitiaV3.exe | — | StoneMilitiaV3.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 1 Modules
| |||||||||||||||
| 2324 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | StoneMilitiaV3.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3864 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6852 | "C:\Users\admin\Desktop\StoneMilitiaV3.exe" | C:\Users\admin\Desktop\StoneMilitiaV3.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 1 Modules
| |||||||||||||||
Total events
3 661
Read events
3 661
Write events
0
Delete events
0
Modification events
Executable files
56
Suspicious files
3
Text files
920
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 6852 | StoneMilitiaV3.exe | C:\Users\admin\AppData\Local\Temp\_MEI68522\_socket.pyd | executable | |
MD5:B77017BAA2004833EF3847A3A3141280 | SHA256:A19E3C7C03EF1B5625790B1C9C42594909311AB6DF540FBF43C6AA93300AB166 | |||
| 6852 | StoneMilitiaV3.exe | C:\Users\admin\AppData\Local\Temp\_MEI68522\VCRUNTIME140.dll | executable | |
MD5:BE8DBE2DC77EBE7F88F910C61AEC691A | SHA256:4D292623516F65C80482081E62D5DADB759DC16E851DE5DB24C3CBB57B87DB83 | |||
| 6852 | StoneMilitiaV3.exe | C:\Users\admin\AppData\Local\Temp\_MEI68522\_lzma.pyd | executable | |
MD5:B86B9F292AF12006187EBE6C606A377D | SHA256:F5E01B516C2C23035F7703E23569DEC26C5616C05A929B2580AE474A5C6722C5 | |||
| 6852 | StoneMilitiaV3.exe | C:\Users\admin\AppData\Local\Temp\_MEI68522\_bz2.pyd | executable | |
MD5:AA1083BDE6D21CABFC630A18F51B1926 | SHA256:00B8CA9A338D2B47285C9E56D6D893DB2A999B47216756F18439997FB80A56E3 | |||
| 6852 | StoneMilitiaV3.exe | C:\Users\admin\AppData\Local\Temp\_MEI68522\_decimal.pyd | executable | |
MD5:C88282908BA54510EDA3887C488198EB | SHA256:980A63F2B39CF16910F44384398E25F24482346A482ADDB00DE42555B17D4278 | |||
| 6852 | StoneMilitiaV3.exe | C:\Users\admin\AppData\Local\Temp\_MEI68522\_tcl_data\encoding\cp1252.enc | text | |
MD5:E9117326C06FEE02C478027CB625C7D8 | SHA256:741859CF238C3A63BBB20EC6ED51E46451372BB221CFFF438297D261D0561C2E | |||
| 6852 | StoneMilitiaV3.exe | C:\Users\admin\AppData\Local\Temp\_MEI68522\_tcl_data\encoding\cp1251.enc | text | |
MD5:83DAF47FD1F87B7B1E9E086F14C39E5B | SHA256:0AA66DFF8A7AE570FEE83A803F8F5391D9F0C9BD6311796592D9B6E8E36BE6FC | |||
| 6852 | StoneMilitiaV3.exe | C:\Users\admin\AppData\Local\Temp\_MEI68522\_tcl_data\encoding\cp1250.enc | text | |
MD5:9568EDE60D3F917F1671F5A625A801C4 | SHA256:E2991A6F7A7A4D8D3C4C97947298FD5BACB3EAA2F898CEE17F5E21A9861B9626 | |||
| 6852 | StoneMilitiaV3.exe | C:\Users\admin\AppData\Local\Temp\_MEI68522\_tcl_data\encoding\cp1253.enc | text | |
MD5:441B86A0DE77F25C91DF1CD4685F651D | SHA256:5B8D47451F847C1BDE12CACA3739CA29860553C0B6399EE990D51B26F9A69722 | |||
| 6852 | StoneMilitiaV3.exe | C:\Users\admin\AppData\Local\Temp\_MEI68522\_tcl_data\encoding\cp1255.enc | text | |
MD5:6DEA4179969D6C81C66C3B0F91B39769 | SHA256:47576CAE321C80E69C7F35205639680BF28010111E86E228ED191B084FAC6B91 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
19
DNS requests
9
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.53.40.176:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
1268 | svchost.exe | GET | 200 | 23.53.40.176:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
2072 | RUXIMICS.exe | GET | 200 | 23.53.40.176:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
5944 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
2072 | RUXIMICS.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
1268 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
— | — | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted |
— | — | POST | 500 | 20.83.72.98:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
5944 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
1268 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
2072 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
5944 | MoUsoCoreWorker.exe | 23.53.40.176:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
2072 | RUXIMICS.exe | 23.53.40.176:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
1268 | svchost.exe | 23.53.40.176:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
5944 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
2072 | RUXIMICS.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
activation-v2.sls.microsoft.com |
| whitelisted |
self.events.data.microsoft.com |
| whitelisted |