File name:	thi.exe
Full analysis:	https://app.any.run/tasks/9211b1e2-d865-4112-b8b7-001819b158be
Verdict:	Malicious activity
Threats:	Crypto mining malware is a resource-intensive threat that infiltrates computers with the purpose of mining cryptocurrencies. This type of threat can be deployed either on an infected machine or a compromised website. In both cases the miner will utilize the computing power of the device and its network bandwidth. Malware Trends Tracker >>>
Analysis date:	April 29, 2025, 15:02:34
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	auto generic miner pastebin winring0x64-sys vuln-driver upx xmrig xor-url
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (GUI) x86-64, for MS Windows, 8 sections
MD5:	CB1AB881DF77D5E59C9CD71A042489DD
SHA1:	948C65951D6F888DACB567D9938BB21492D82097
SHA256:	23FA323EEA0A8A6367E810996A54337197C1750A9A0A53C306C8C4022DD94780
SSDEEP:	98304:WiGUZDIMGpNQVgB6W9Yj1FbFKGZkZk0a51wYKZpptRA3x9JEY0UiHO5RcrNkj6:NGpNfB8pFbFK1G0a5k7A3LJGUiu5WJk+

.exe	\|	Generic Win/DOS Executable (50)
.exe	\|	DOS Executable Generic (49.9)

MachineType:	AMD AMD64
TimeStamp:	2025:03:23 12:13:03+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14
CodeSize:	74240
InitializedDataSize:	5286912
UninitializedDataSize:	-
EntryPoint:	0x1140
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	132.0.6833.0
ProductVersionNumber:	132.0.6833.0
FileFlagsMask:	0x0000
FileFlags:	(none)
FileOS:	Unknown (0)
ObjectFileType:	Unknown
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Windows, Latin1
CompanyName:	Google Installer
FileTitle:	Google Installer (x86)
FileDescription:	Google Installer
FileVersion:	132,0,6833,0
LegalCopyright:	Copyright 2024 Google LLC. All rights reserved.
LegalTrademark:	-
ProductName:	Google LLC
ProductVersion:	132,0,6833,0


(PID) Process:	(7584) thi.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT
Operation:	write	Name:	DontOfferThroughWUAU
Value: 1
(PID) Process:	(4180) Updater.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT
Operation:	write	Name:	DontOfferThroughWUAU
Value: 1

PID	Process	Filename		Type
7332	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_5pifqcoj.g1q.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7332	powershell.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive		binary
		MD5:192853531EDC0EA8660441461E6E6A2C	SHA256:8471825962DD37B0F797899BEA20DD179767C691C92D905EB93E3B7D5DE26238
1244	powershell.exe	C:\Windows\Temp\__PSScriptPolicyTest_ci54z0dd.yzt.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
1244	powershell.exe	C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive		binary
		MD5:C960E76A42083AFFC9963496F5E4DADF	SHA256:F4FFC42C2023AE6396B578E21465805D791116967216BEC273F2E75D677EFA5A
1244	powershell.exe	C:\Windows\Temp\__PSScriptPolicyTest_tapmlqpw.aum.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7756	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_p52dgeph.uhg.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7756	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_aqwxmrqj.4t0.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7584	thi.exe	C:\ProgramData\GoogleUP\Chrome\Updater.exe		executable
		MD5:CB1AB881DF77D5E59C9CD71A042489DD	SHA256:23FA323EEA0A8A6367E810996A54337197C1750A9A0A53C306C8C4022DD94780
7332	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ak2rm2pj.mdm.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
1244	powershell.exe	C:\Windows\Temp\__PSScriptPolicyTest_io3v0sfe.hpu.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	200	23.216.77.25:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5376	RUXIMICS.exe	GET	200	23.216.77.25:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
2104	svchost.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
5376	RUXIMICS.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	—	104.22.68.199:443	https://pastebin.com/raw/NgUUDZd9	unknown	—	—	—
—	—	POST	500	40.91.76.224:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	whitelisted
—	—	POST	500	40.91.76.224:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
2104	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5376	RUXIMICS.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	23.216.77.25:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
5376	RUXIMICS.exe	23.216.77.25:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
2104	svchost.exe	23.35.229.160:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
5376	RUXIMICS.exe	23.35.229.160:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
7808	explorer.exe	54.37.232.103:10343	xmr-eu1.nanopool.org	OVH SAS	FR	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2	whitelisted
google.com	142.250.185.142	whitelisted
crl.microsoft.com	23.216.77.25 23.216.77.19	whitelisted
www.microsoft.com	23.35.229.160	whitelisted
xmr-eu1.nanopool.org	51.15.58.224 141.94.23.83 162.19.224.121 54.37.232.103 51.15.193.130 51.15.65.182 146.59.154.106 212.47.253.124 51.89.23.91 54.37.137.114 163.172.154.142	whitelisted
pastebin.com	104.22.69.199 104.22.68.199 172.67.25.94	whitelisted
activation-v2.sls.microsoft.com	40.91.76.224	whitelisted

PID	Process	Class	Message
2196	svchost.exe	Potential Corporate Privacy Violation	ET INFO Observed DNS Query to Coin Mining Domain (nanopool .org)
2196	svchost.exe	Not Suspicious Traffic	INFO [ANY.RUN] Online Pastebin Text Storage

General Info

thi.exe

CB1AB881DF77D5E59C9CD71A042489DD

948C65951D6F888DACB567D9938BB21492D82097

23FA323EEA0A8A6367E810996A54337197C1750A9A0A53C306C8C4022DD94780

98304:WiGUZDIMGpNQVgB6W9Yj1FbFKGZkZk0a51wYKZpptRA3x9JEY0UiHO5RcrNkj6:NGpNfB8pFbFK1G0a5k7A3LJGUiu5WJk+

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

GENERIC has been found (auto)

Executing a file with an untrusted certificate

Changes Windows Defender settings

Adds extension to the Windows Defender exclusion list

Uninstalls Malicious Software Removal Tool (MRT)

Vulnerable driver has been detected

XORed URL has been found (YARA)

MINER has been detected (SURICATA)

XMRIG has been detected (YARA)

SUSPICIOUS

Starts POWERSHELL.EXE for commands execution

Starts process via Powershell

Manipulates environment variables

Script adds exclusion extension to Windows Defender

Script adds exclusion path to Windows Defender

Starts CMD.EXE for commands execution

Stops a currently running service

Process uninstalls Windows update

Executable content was dropped or overwritten

Windows service management via SC.EXE

Starts SC.EXE for service management

Modifies hosts file to alter network resolution

Uses powercfg.exe to modify the power settings

Creates a new Windows service

Executes as Windows Service

Drops a system driver (possible attempt to evade defenses)

Potential Corporate Privacy Violation

Connects to unusual port

INFO

Checks supported languages

The sample compiled with english language support

Checks if a key exists in the options dictionary (POWERSHELL)

Script raised an exception (POWERSHELL)

Creates files in the program directory

The sample compiled with japanese language support

UPX packer has been detected

Reads the software policy settings

Checks proxy server information

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules