Play interactive tour

Edit tour

Windows Analysis Report https://github.com/nicehash/NHM_MinerPluginsDownloads/releases/download/v16.x/CryptoDredge_v16.0_mptoolkitV1_e294f620-94eb-11ea-a64d-17be303ea466.zip

Overview

General Information

Sample URL:	https://github.com/nicehash/NHM_MinerPluginsDownloads/releases/download/v16.x/CryptoDredge_v16.0_mptoolkitV1_e294f620-94eb-11ea-a64d-17be303ea466.zip
Analysis ID:	479875
Infos:
Most interesting Screenshot:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for dropped file

Found inlined nop instructions (likely shell or obfuscated code)

PE file does not import any functions

Drops PE files

May sleep (evasive loops) to hinder dynamic analysis

Binary contains a suspicious time stamp

Detected potential crypto function

Found dropped PE file which has not been started or loaded

Creates a process in suspended mode (likely to inject code)

Contains long sleeps (>= 3 min)

Classification

Process Tree

System is w10x64

chrome.exe (PID: 5632 cmdline: 'C:\Program Files\Google\Chrome\Application\chrome.exe' --start-maximized --enable-automation 'https://github.com/nicehash/NHM_MinerPluginsDownloads/releases/download/v16.x/CryptoDredge_v16.0_mptoolkitV1_e294f620-94eb-11ea-a64d-17be303ea466.zip' MD5: C139654B5C1438A95B321BB01AD63EF6)

chrome.exe (PID: 2916 cmdline: 'C:\Program Files\Google\Chrome\Application\chrome.exe' --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1616,11712432474224128058,11765405648561526018,131072 --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1712 /prefetch:8 MD5: C139654B5C1438A95B321BB01AD63EF6)

chrome.exe (PID: 6836 cmdline: 'C:\Program Files\Google\Chrome\Application\chrome.exe' --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1616,11712432474224128058,11765405648561526018,131072 --lang=en-US --service-sandbox-type=none --enable-audio-service-sandbox --mojo-platform-channel-handle=4852 /prefetch:8 MD5: C139654B5C1438A95B321BB01AD63EF6)

unarchiver.exe (PID: 6468 cmdline: 'C:\Windows\SysWOW64\unarchiver.exe' 'C:\Users\user\Downloads\CryptoDredge_v16.0_mptoolkitV1_e294f620-94eb-11ea-a64d-17be303ea466.zip' MD5: DB55139D9DD29F24AE8EA8F0E5606901)

7za.exe (PID: 6940 cmdline: 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\hee0gukh.eki' 'C:\Users\user\Downloads\CryptoDredge_v16.0_mptoolkitV1_e294f620-94eb-11ea-a64d-17be303ea466.zip' MD5: 77E556CDFDC5C592F5C46DB4127C6F4C)

conhost.exe (PID: 5988 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\hee0gukh.eki\MP.CryptoDredge.dll	Virustotal: Detection: 28%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\hee0gukh.eki\MP.CryptoDredge.dll	Metadefender: Detection: 17%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\hee0gukh.eki\MP.CryptoDredge.dll	ReversingLabs: Detection: 37%

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries\en-US-9-0.bdic			Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source:	Binary string: C:\Programming\nicehash\NiceHashMiner\src\Miners\CryptoDredge\obj\Release\netstandard2.0\MP.CryptoDredge.pdb source: MP.CryptoDredge.dll.6.dr
Source:	Binary string: C:\Programming\nicehash\NiceHashMiner\src\Miners\CryptoDredge\obj\Release\netstandard2.0\MP.CryptoDredge.pdbSHA256 source: MP.CryptoDredge.dll.6.dr

Source: C:\Windows\SysWOW64\unarchiver.exe	Code function: 4x nop then jmp 04B4099Bh		5_2_04B402A8
Source: C:\Windows\SysWOW64\unarchiver.exe	Code function: 4x nop then jmp 04B4099Ah		5_2_04B402A8

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: Ruleset Data.0.dr	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: Ruleset Data.0.dr	String found in binary or memory: www.facebook.com/ajax/ads/ equals www.facebook.com (Facebook)

Source: manifest.json0.0.dr, 43a58191-4e79-4070-8703-44dfe9c58b35.tmp.1.dr, f101569a-bf7d-4a06-bec9-b8cb74a95d8f.tmp.1.dr	String found in binary or memory: https://accounts.google.com
Source: manifest.json0.0.dr, 43a58191-4e79-4070-8703-44dfe9c58b35.tmp.1.dr, f101569a-bf7d-4a06-bec9-b8cb74a95d8f.tmp.1.dr	String found in binary or memory: https://apis.google.com
Source: 43a58191-4e79-4070-8703-44dfe9c58b35.tmp.1.dr, f101569a-bf7d-4a06-bec9-b8cb74a95d8f.tmp.1.dr	String found in binary or memory: https://clients2.google.com
Source: manifest.json1.0.dr	String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: 43a58191-4e79-4070-8703-44dfe9c58b35.tmp.1.dr, f101569a-bf7d-4a06-bec9-b8cb74a95d8f.tmp.1.dr	String found in binary or memory: https://clients2.googleusercontent.com
Source: manifest.json0.0.dr	String found in binary or memory: https://content.googleapis.com
Source: Reporting and NEL.1.dr	String found in binary or memory: https://csp.withgoogle.com/csp/report-to/IdentityListAccountsHttp/external
Source: 894ab119-5f77-4d31-87bf-3f3e83eed5ff.tmp.1.dr, fa216826-8e74-4cfb-b79b-be68cbbf5cd7.tmp.1.dr, 43a58191-4e79-4070-8703-44dfe9c58b35.tmp.1.dr, f101569a-bf7d-4a06-bec9-b8cb74a95d8f.tmp.1.dr	String found in binary or memory: https://dns.google
Source: manifest.json0.0.dr	String found in binary or memory: https://feedback.googleusercontent.com
Source: 43a58191-4e79-4070-8703-44dfe9c58b35.tmp.1.dr, f101569a-bf7d-4a06-bec9-b8cb74a95d8f.tmp.1.dr	String found in binary or memory: https://fonts.googleapis.com
Source: manifest.json0.0.dr	String found in binary or memory: https://fonts.googleapis.com;
Source: 43a58191-4e79-4070-8703-44dfe9c58b35.tmp.1.dr, f101569a-bf7d-4a06-bec9-b8cb74a95d8f.tmp.1.dr	String found in binary or memory: https://fonts.gstatic.com
Source: manifest.json0.0.dr	String found in binary or memory: https://fonts.gstatic.com;
Source: 000003.log3.0.dr, CryptoDredge_v16.0_mptoolkitV1_e294f620-94eb-11ea-a64d-17be303ea466.zip_Zone.Identifier.4.dr	String found in binary or memory: https://github-releases.githubusercontent.com/195045184/49908900-9c5e-11eb-9897-9484750f4979?X-Amz-A
Source: History.0.dr	String found in binary or memory: https://github.com/nicehash/NHM_MinerPluginsDownloads/releases/download/v16.x/CryptoDredge_v16.0_mpt
Source: MP.CryptoDredge.dll.6.dr	String found in binary or memory: https://github.com/technobyl/CryptoDredge/releases/download/v0.26.0/CryptoDredge_0.26.0_cuda_11.2_wi
Source: manifest.json0.0.dr	String found in binary or memory: https://hangouts.google.com/
Source: 43a58191-4e79-4070-8703-44dfe9c58b35.tmp.1.dr, f101569a-bf7d-4a06-bec9-b8cb74a95d8f.tmp.1.dr	String found in binary or memory: https://ogs.google.com
Source: manifest.json1.0.dr	String found in binary or memory: https://payments.google.com/payments/v4/js/integrator.js
Source: 43a58191-4e79-4070-8703-44dfe9c58b35.tmp.1.dr	String found in binary or memory: https://r1---sn-5hnekn7s.gvt1.com
Source: 43a58191-4e79-4070-8703-44dfe9c58b35.tmp.1.dr	String found in binary or memory: https://redirector.gvt1.com
Source: manifest.json1.0.dr	String found in binary or memory: https://sandbox.google.com/payments/v4/js/integrator.js
Source: 43a58191-4e79-4070-8703-44dfe9c58b35.tmp.1.dr, f101569a-bf7d-4a06-bec9-b8cb74a95d8f.tmp.1.dr	String found in binary or memory: https://ssl.gstatic.com
Source: messages.json41.0.dr	String found in binary or memory: https://support.google.com/chromecast/answer/2998456
Source: messages.json41.0.dr	String found in binary or memory: https://support.google.com/chromecast/troubleshooter/2995236
Source: manifest.json0.0.dr, 43a58191-4e79-4070-8703-44dfe9c58b35.tmp.1.dr, f101569a-bf7d-4a06-bec9-b8cb74a95d8f.tmp.1.dr	String found in binary or memory: https://www.google.com
Source: manifest.json1.0.dr	String found in binary or memory: https://www.google.com/
Source: manifest.json0.0.dr	String found in binary or memory: https://www.google.com;
Source: 43a58191-4e79-4070-8703-44dfe9c58b35.tmp.1.dr, f101569a-bf7d-4a06-bec9-b8cb74a95d8f.tmp.1.dr	String found in binary or memory: https://www.googleapis.com
Source: manifest.json1.0.dr	String found in binary or memory: https://www.googleapis.com/
Source: manifest.json0.0.dr	String found in binary or memory: https://www.googleapis.com/auth/calendar.readonly
Source: manifest.json0.0.dr	String found in binary or memory: https://www.googleapis.com/auth/cast-edu-messaging
Source: manifest.json1.0.dr	String found in binary or memory: https://www.googleapis.com/auth/chromewebstore
Source: manifest.json1.0.dr	String found in binary or memory: https://www.googleapis.com/auth/chromewebstore.readonly
Source: manifest.json0.0.dr	String found in binary or memory: https://www.googleapis.com/auth/clouddevices
Source: manifest.json0.0.dr	String found in binary or memory: https://www.googleapis.com/auth/hangouts
Source: manifest.json0.0.dr	String found in binary or memory: https://www.googleapis.com/auth/hangouts.readonly
Source: manifest.json0.0.dr	String found in binary or memory: https://www.googleapis.com/auth/meetings
Source: manifest.json0.0.dr	String found in binary or memory: https://www.googleapis.com/auth/plus.peopleapi.readwrite
Source: manifest.json1.0.dr	String found in binary or memory: https://www.googleapis.com/auth/sierra
Source: manifest.json1.0.dr	String found in binary or memory: https://www.googleapis.com/auth/sierrasandbox
Source: manifest.json0.0.dr	String found in binary or memory: https://www.googleapis.com/auth/userinfo.email
Source: 43a58191-4e79-4070-8703-44dfe9c58b35.tmp.1.dr, f101569a-bf7d-4a06-bec9-b8cb74a95d8f.tmp.1.dr	String found in binary or memory: https://www.gstatic.com
Source: manifest.json0.0.dr	String found in binary or memory: https://www.gstatic.com;

Source: unknown

HTTP traffic detected: POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1Host: accounts.google.comConnection: keep-aliveContent-Length: 1Origin: https://www.google.comContent-Type: application/x-www-form-urlencodedSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9

Source: unknown

DNS traffic detected: queries for: github.com

Source: global traffic	HTTP traffic detected: GET /nicehash/NHM_MinerPluginsDownloads/releases/download/v16.x/CryptoDredge_v16.0_mptoolkitV1_e294f620-94eb-11ea-a64d-17be303ea466.zip HTTP/1.1Host: github.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=85.0.4183.121&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1&x=id%3Dpkedcjkdefgpdelpbcmbmeomcjbeemfm%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1Host: clients2.google.comConnection: keep-aliveX-Goog-Update-Interactivity: fgX-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmieda,pkedcjkdefgpdelpbcmbmeomcjbeemfmX-Goog-Update-Updater: chromecrx-85.0.4183.121Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /195045184/49908900-9c5e-11eb-9897-9484750f4979?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20210908%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20210908T134658Z&X-Amz-Expires=300&X-Amz-Signature=091b604827ca9250a0758b5a479d50b8598f2606cf741abe791905c7afbbc61f&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=195045184&response-content-disposition=attachment%3B%20filename%3DCryptoDredge_v16.0_mptoolkitV1_e294f620-94eb-11ea-a64d-17be303ea466.zip&response-content-type=application%2Foctet-stream HTTP/1.1Host: github-releases.githubusercontent.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /crx/blobs/Acy1k0bLIjHsvnKaKN_oRpVaYYvFs25d7GKYF1WXrT6yizCMksBO0c_ggE0B6tx6HPRHe6q1GOEe3_NcIbSiGG8kXeLMUY0sAKVvC6R89zvKM13s5VqoAMZSmuUgjQL5vlygJuArQghXXE_qTL7NlQ/extension_8520_615_0_5.crx HTTP/1.1Host: clients2.googleusercontent.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9

Source: MP.CryptoDredge.dll.6.dr

Static PE information: No import functions for PE file found

Source: C:\Windows\SysWOW64\unarchiver.exe	Code function: 5_2_04B402A8		5_2_04B402A8
Source: C:\Windows\SysWOW64\unarchiver.exe	Code function: 5_2_04B40299		5_2_04B40299

Source: C:\Windows\SysWOW64\unarchiver.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe 'C:\Program Files\Google\Chrome\Application\chrome.exe' --start-maximized --enable-automation 'https://github.com/nicehash/NHM_MinerPluginsDownloads/releases/download/v16.x/CryptoDredge_v16.0_mptoolkitV1_e294f620-94eb-11ea-a64d-17be303ea466.zip'
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe 'C:\Program Files\Google\Chrome\Application\chrome.exe' --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1616,11712432474224128058,11765405648561526018,131072 --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1712 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe 'C:\Program Files\Google\Chrome\Application\chrome.exe' --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1616,11712432474224128058,11765405648561526018,131072 --lang=en-US --service-sandbox-type=none --enable-audio-service-sandbox --mojo-platform-channel-handle=4852 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Windows\SysWOW64\unarchiver.exe 'C:\Windows\SysWOW64\unarchiver.exe' 'C:\Users\user\Downloads\CryptoDredge_v16.0_mptoolkitV1_e294f620-94eb-11ea-a64d-17be303ea466.zip'
Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\7za.exe 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\hee0gukh.eki' 'C:\Users\user\Downloads\CryptoDredge_v16.0_mptoolkitV1_e294f620-94eb-11ea-a64d-17be303ea466.zip'
Source: C:\Windows\SysWOW64\7za.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe 'C:\Program Files\Google\Chrome\Application\chrome.exe' --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1616,11712432474224128058,11765405648561526018,131072 --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1712 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe 'C:\Program Files\Google\Chrome\Application\chrome.exe' --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1616,11712432474224128058,11765405648561526018,131072 --lang=en-US --service-sandbox-type=none --enable-audio-service-sandbox --mojo-platform-channel-handle=4852 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Windows\SysWOW64\unarchiver.exe 'C:\Windows\SysWOW64\unarchiver.exe' 'C:\Users\user\Downloads\CryptoDredge_v16.0_mptoolkitV1_e294f620-94eb-11ea-a64d-17be303ea466.zip'	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\7za.exe 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\hee0gukh.eki' 'C:\Users\user\Downloads\CryptoDredge_v16.0_mptoolkitV1_e294f620-94eb-11ea-a64d-17be303ea466.zip'	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5988:120:WilError_01

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Program Files\Google\Chrome\Application\Dictionaries

Jump to behavior

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-61393D5C-1600.pma

Jump to behavior

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user~1\AppData\Local\Temp\3e3f8d37-5341-46a8-acb7-375f529408a6.tmp

Jump to behavior

Source: classification engine

Classification label: mal48.win@47/279@5/8

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries\en-US-9-0.bdic			Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source:	Binary string: C:\Programming\nicehash\NiceHashMiner\src\Miners\CryptoDredge\obj\Release\netstandard2.0\MP.CryptoDredge.pdb source: MP.CryptoDredge.dll.6.dr
Source:	Binary string: C:\Programming\nicehash\NiceHashMiner\src\Miners\CryptoDredge\obj\Release\netstandard2.0\MP.CryptoDredge.pdbSHA256 source: MP.CryptoDredge.dll.6.dr

Source: MP.CryptoDredge.dll.6.dr

Static PE information: 0xE9E63BD3 [Sat May 8 17:58:43 2094 UTC]

Source: C:\Windows\SysWOW64\7za.exe

File created: C:\Users\user\AppData\Local\Temp\hee0gukh.eki\MP.CryptoDredge.dll

Jump to dropped file

Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe TID: 384

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Source: C:\Windows\SysWOW64\7za.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\hee0gukh.eki\MP.CryptoDredge.dll

Jump to dropped file

Source: C:\Windows\SysWOW64\unarchiver.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Code function: 5_2_00A5B0F2 GetSystemInfo,

5_2_00A5B0F2

Source: C:\Windows\SysWOW64\unarchiver.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Process created: C:\Windows\SysWOW64\7za.exe 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\hee0gukh.eki' 'C:\Users\user\Downloads\CryptoDredge_v16.0_mptoolkitV1_e294f620-94eb-11ea-a64d-17be303ea466.zip'

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection11	Masquerading3	OS Credential Dumping	Security Software Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel11	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Disable or Modify Tools1	LSASS Memory	Virtualization/Sandbox Evasion21	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Application Layer Protocol3	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion21	Security Account Manager	System Information Discovery3	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Application Layer Protocol4	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection11	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Ingress Tool Transfer1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Timestomp1	LSA Secrets	Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information1	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report https://github.com/nicehash/NHM_MinerPluginsDownloads/releases/download/v16.x/CryptoDredge_v16.0_mptoolkitV1_e294f620-94eb-11ea-a64d-17be303ea466.zip

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph