File name:

miner

Full analysis: https://app.any.run/tasks/0fab749e-bff0-4093-9956-9d9d97d52ae0
Verdict: Malicious activity
Threats:

Crypto mining malware is a resource-intensive threat that infiltrates computers with the purpose of mining cryptocurrencies. This type of threat can be deployed either on an infected machine or a compromised website. In both cases the miner will utilize the computing power of the device and its network bandwidth.

Malware Trends Tracker     >>>
Analysis date: June 24, 2025, 11:51:09
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
miner
xmrig
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows, 11 sections
MD5:

CE04088C565951B9BECB247EA6DB10F9

SHA1:

AF37916E700D64C73B0BBD5A3D3B47B553266B81

SHA256:

0F0E64DF4D5DF47D5052C69E726CA0724AF00192828E32E5F93FED5BC9FE61A4

SSDEEP:

98304:HVI0yKV5BsX3a5FtHYv1EgmGuHQJ3a6Jnl880wzlLjzNYK+WRT8resTAxsOKQ5nW:Y3a5FtH0a6oAhUhk

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Connects to the CnC server

      • sigverif.exe (PID: 6240)
      • sigverif.exe (PID: 1936)

    • MINER has been detected (SURICATA)

      • sigverif.exe (PID: 6240)
      • sigverif.exe (PID: 1936)

    • XMRIG has been detected (YARA)

      • miner.exe (PID: 2780)
      • sigverif.exe (PID: 1936)

  • SUSPICIOUS

    • Potential Corporate Privacy Violation

      • sigverif.exe (PID: 6240)
      • sigverif.exe (PID: 1936)

    • Executes application which crashes

      • sigverif.exe (PID: 6240)

    • Connects to unusual port

      • sigverif.exe (PID: 1936)
      • sigverif.exe (PID: 6240)

  • INFO

    • Checks supported languages

      • miner.exe (PID: 2780)

    • Checks proxy server information

      • slui.exe (PID: 2232)

    • Reads the software policy settings

      • slui.exe (PID: 2232)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | DOS Executable Generic (100)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:06:15 18:06:49+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Large address aware, No debug
PEType: PE32+
LinkerVersion: 2.43
CodeSize: 11264
InitializedDataSize: 6185984
UninitializedDataSize: 512
EntryPoint: 0x10f6
OSVersion: 4
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
141
Monitored processes
5
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #XMRIG miner.exe no specs #MINER sigverif.exe werfault.exe no specs #MINER sigverif.exe slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
1936--algo=rx/0 --url=gulf.moneroocean.stream:10001 --user=47GrvVWRXX9CbpQ7WKAqR1fP1fEYJpurvj8pAkF8FcgcUJTFi5KpTAmWxv4modTHTMNXZXSxa8K8SijdVHDiAUs69xgStMY --pass=x --threads=2C:\Windows\System32\sigverif.exe
miner.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
File Signature Verification
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sigverif.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
2128C:\WINDOWS\system32\WerFault.exe -u -p 6240 -s 1120C:\Windows\System32\WerFault.exesigverif.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\oleaut32.dll
2232C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
2780"C:\Users\admin\AppData\Local\Temp\miner.exe" C:\Users\admin\AppData\Local\Temp\miner.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\appdata\local\temp\miner.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
6240--algo=rx/0 --url=gulf.moneroocean.stream:10001 --user=47GrvVWRXX9CbpQ7WKAqR1fP1fEYJpurvj8pAkF8FcgcUJTFi5KpTAmWxv4modTHTMNXZXSxa8K8SijdVHDiAUs69xgStMY --pass=x --threads=2C:\Windows\System32\sigverif.exe
miner.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
File Signature Verification
Exit code:
3221225477
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sigverif.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
Total events
1 421
Read events
1 421
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
28
DNS requests
16
Threats
5

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6672
svchost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
1268
svchost.exe
GET
200
2.16.241.12:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1268
svchost.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
2388
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
2388
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
2940
svchost.exe
GET
200
69.192.161.44:80
http://x1.c.lencr.org/
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1268
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
5944
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6256
RUXIMICS.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6240
sigverif.exe
152.53.121.6:10001
gulf.moneroocean.stream
US
shared
4
System
192.168.100.255:138
whitelisted
6672
svchost.exe
20.190.160.130:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6672
svchost.exe
2.23.77.188:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
1936
sigverif.exe
152.53.121.6:10001
gulf.moneroocean.stream
US
shared
2336
svchost.exe
172.211.123.250:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.104.136.2
whitelisted
google.com
  • 142.250.185.206
whitelisted
gulf.moneroocean.stream
  • 152.53.121.6
shared
login.live.com
  • 20.190.160.130
  • 40.126.32.133
  • 20.190.160.4
  • 20.190.160.2
  • 20.190.160.3
  • 40.126.32.140
  • 40.126.32.136
  • 20.190.160.66
whitelisted
ocsp.digicert.com
  • 2.23.77.188
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
crl.microsoft.com
  • 2.16.241.12
  • 2.16.241.19
whitelisted
www.microsoft.com
  • 2.23.246.101
whitelisted
nexusrules.officeapps.live.com
  • 52.111.236.22
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted

Threats

PID
Process
Class
Message
6240
sigverif.exe
Potential Corporate Privacy Violation
ET INFO Cryptocurrency Miner Checkin
1936
sigverif.exe
Potential Corporate Privacy Violation
ET INFO Cryptocurrency Miner Checkin
1936
sigverif.exe
Potential Corporate Privacy Violation
ET INFO Cryptocurrency Miner Checkin
Unknown Traffic
ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
1936
sigverif.exe
Potential Corporate Privacy Violation
ET INFO Cryptocurrency Miner Checkin
No debug info