asyncrat | hxxps://solutionhub[.]cc/download/ZharkBOT[.]exe

Analysis

max time kernel
443s
max time network
440s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 23:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://solutionhub.cc/download/ZharkBOT.exe

Score

10^/10

asyncrat persistence rat

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

34vgn892c.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	34vgn892c.exe

Executes dropped EXE 5 IoCs

Processes:

ZharkBOT.exeZharkBOT.exe34vgn892c.exe34vgn892c.exeFRaqbC8wSA1XvpFVjCRGryWt.exe

pid process

3416 ZharkBOT.exe
4152 ZharkBOT.exe
736 34vgn892c.exe
2908 34vgn892c.exe
1576 FRaqbC8wSA1XvpFVjCRGryWt.exe

pid	process
3416	ZharkBOT.exe
4152	ZharkBOT.exe
736	34vgn892c.exe
2908	34vgn892c.exe
1576	FRaqbC8wSA1XvpFVjCRGryWt.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

34vgn892c.exe34vgn892c.exeFRaqbC8wSA1XvpFVjCRGryWt.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3v82v2vcc2 = "C:\\ProgramData\\34vgn892c.exe"	34vgn892c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3v82v2vcc2 = "C:\\ProgramData\\34vgn892c.exe"	34vgn892c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Uqwgg = "C:\\Users\\Admin\\AppData\\Local\\Uqwgg.exe"	FRaqbC8wSA1XvpFVjCRGryWt.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

FRaqbC8wSA1XvpFVjCRGryWt.exe

description pid process target process

PID 1576 set thread context of 3244 1576 FRaqbC8wSA1XvpFVjCRGryWt.exe cvtres.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 1576 set thread context of 3244	1576	FRaqbC8wSA1XvpFVjCRGryWt.exe	cvtres.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133643494082548010"	chrome.exe

Modifies registry class 9 IoCs

Processes:

cvtres.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\ms-settings\shell	cvtres.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\ms-settings\shell	cvtres.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\ms-settings	cvtres.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\ms-settings\shell\open\command	cvtres.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\ms-settings	cvtres.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\ms-settings\shell\open	cvtres.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\ms-settings\shell\open\command\	cvtres.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\ms-settings\shell\open\command	cvtres.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\ms-settings\shell\open	cvtres.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

chrome.exeZharkBOT.exeZharkBOT.exe34vgn892c.exe34vgn892c.exechrome.exe

pid	process
3164	chrome.exe
3164	chrome.exe
3416	ZharkBOT.exe
3416	ZharkBOT.exe
3416	ZharkBOT.exe
3416	ZharkBOT.exe
3416	ZharkBOT.exe
3416	ZharkBOT.exe
4152	ZharkBOT.exe
4152	ZharkBOT.exe
4152	ZharkBOT.exe
4152	ZharkBOT.exe
4152	ZharkBOT.exe
4152	ZharkBOT.exe
736	34vgn892c.exe
736	34vgn892c.exe
736	34vgn892c.exe
736	34vgn892c.exe
736	34vgn892c.exe
736	34vgn892c.exe
2908	34vgn892c.exe
2908	34vgn892c.exe
2908	34vgn892c.exe
2908	34vgn892c.exe
2908	34vgn892c.exe
2908	34vgn892c.exe
920	chrome.exe
920	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

3164 chrome.exe
3164 chrome.exe
3164 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

Processes:

chrome.exe

pid	process
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 3164 wrote to memory of 4360	3164	chrome.exe	chrome.exe
PID 3164 wrote to memory of 4360	3164	chrome.exe	chrome.exe
PID 3164 wrote to memory of 5000	3164	chrome.exe	chrome.exe
PID 3164 wrote to memory of 5000	3164	chrome.exe	chrome.exe
PID 3164 wrote to memory of 5000	3164	chrome.exe	chrome.exe
PID 3164 wrote to memory of 5000	3164	chrome.exe	chrome.exe
PID 3164 wrote to memory of 5000	3164	chrome.exe	chrome.exe
PID 3164 wrote to memory of 5000	3164	chrome.exe	chrome.exe
PID 3164 wrote to memory of 5000	3164	chrome.exe	chrome.exe
PID 3164 wrote to memory of 5000	3164	chrome.exe	chrome.exe
PID 3164 wrote to memory of 5000	3164	chrome.exe	chrome.exe
PID 3164 wrote to memory of 5000	3164	chrome.exe	chrome.exe
PID 3164 wrote to memory of 5000	3164	chrome.exe	chrome.exe
PID 3164 wrote to memory of 5000	3164	chrome.exe	chrome.exe
PID 3164 wrote to memory of 5000	3164	chrome.exe	chrome.exe
PID 3164 wrote to memory of 5000	3164	chrome.exe	chrome.exe
PID 3164 wrote to memory of 5000	3164	chrome.exe	chrome.exe
PID 3164 wrote to memory of 5000	3164	chrome.exe	chrome.exe
PID 3164 wrote to memory of 5000	3164	chrome.exe	chrome.exe
PID 3164 wrote to memory of 5000	3164	chrome.exe	chrome.exe
PID 3164 wrote to memory of 5000	3164	chrome.exe	chrome.exe
PID 3164 wrote to memory of 5000	3164	chrome.exe	chrome.exe
PID 3164 wrote to memory of 5000	3164	chrome.exe	chrome.exe
PID 3164 wrote to memory of 5000	3164	chrome.exe	chrome.exe
PID 3164 wrote to memory of 5000	3164	chrome.exe	chrome.exe
PID 3164 wrote to memory of 5000	3164	chrome.exe	chrome.exe
PID 3164 wrote to memory of 5000	3164	chrome.exe	chrome.exe
PID 3164 wrote to memory of 5000	3164	chrome.exe	chrome.exe
PID 3164 wrote to memory of 5000	3164	chrome.exe	chrome.exe
PID 3164 wrote to memory of 5000	3164	chrome.exe	chrome.exe
PID 3164 wrote to memory of 5000	3164	chrome.exe	chrome.exe
PID 3164 wrote to memory of 5000	3164	chrome.exe	chrome.exe
PID 3164 wrote to memory of 5000	3164	chrome.exe	chrome.exe
PID 3164 wrote to memory of 1700	3164	chrome.exe	chrome.exe
PID 3164 wrote to memory of 1700	3164	chrome.exe	chrome.exe
PID 3164 wrote to memory of 4800	3164	chrome.exe	chrome.exe
PID 3164 wrote to memory of 4800	3164	chrome.exe	chrome.exe
PID 3164 wrote to memory of 4800	3164	chrome.exe	chrome.exe
PID 3164 wrote to memory of 4800	3164	chrome.exe	chrome.exe
PID 3164 wrote to memory of 4800	3164	chrome.exe	chrome.exe
PID 3164 wrote to memory of 4800	3164	chrome.exe	chrome.exe
PID 3164 wrote to memory of 4800	3164	chrome.exe	chrome.exe
PID 3164 wrote to memory of 4800	3164	chrome.exe	chrome.exe
PID 3164 wrote to memory of 4800	3164	chrome.exe	chrome.exe
PID 3164 wrote to memory of 4800	3164	chrome.exe	chrome.exe
PID 3164 wrote to memory of 4800	3164	chrome.exe	chrome.exe
PID 3164 wrote to memory of 4800	3164	chrome.exe	chrome.exe
PID 3164 wrote to memory of 4800	3164	chrome.exe	chrome.exe
PID 3164 wrote to memory of 4800	3164	chrome.exe	chrome.exe
PID 3164 wrote to memory of 4800	3164	chrome.exe	chrome.exe
PID 3164 wrote to memory of 4800	3164	chrome.exe	chrome.exe
PID 3164 wrote to memory of 4800	3164	chrome.exe	chrome.exe
PID 3164 wrote to memory of 4800	3164	chrome.exe	chrome.exe
PID 3164 wrote to memory of 4800	3164	chrome.exe	chrome.exe
PID 3164 wrote to memory of 4800	3164	chrome.exe	chrome.exe
PID 3164 wrote to memory of 4800	3164	chrome.exe	chrome.exe
PID 3164 wrote to memory of 4800	3164	chrome.exe	chrome.exe
PID 3164 wrote to memory of 4800	3164	chrome.exe	chrome.exe
PID 3164 wrote to memory of 4800	3164	chrome.exe	chrome.exe
PID 3164 wrote to memory of 4800	3164	chrome.exe	chrome.exe
PID 3164 wrote to memory of 4800	3164	chrome.exe	chrome.exe
PID 3164 wrote to memory of 4800	3164	chrome.exe	chrome.exe
PID 3164 wrote to memory of 4800	3164	chrome.exe	chrome.exe
PID 3164 wrote to memory of 4800	3164	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://solutionhub.cc/download/ZharkBOT.exe
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3164

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8be90ab58,0x7ff8be90ab68,0x7ff8be90ab78
2⤵
PID:4360

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1840 --field-trial-handle=1896,i,8328993916761525045,3268471887603621692,131072 /prefetch:2
2⤵
PID:5000

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=1896,i,8328993916761525045,3268471887603621692,131072 /prefetch:8
2⤵
PID:1700

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2240 --field-trial-handle=1896,i,8328993916761525045,3268471887603621692,131072 /prefetch:8
2⤵
PID:4800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2244 --field-trial-handle=1896,i,8328993916761525045,3268471887603621692,131072 /prefetch:1
2⤵
PID:3368

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3028 --field-trial-handle=1896,i,8328993916761525045,3268471887603621692,131072 /prefetch:1
2⤵
PID:1904

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4388 --field-trial-handle=1896,i,8328993916761525045,3268471887603621692,131072 /prefetch:8
2⤵
PID:3816

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4528 --field-trial-handle=1896,i,8328993916761525045,3268471887603621692,131072 /prefetch:8
2⤵
PID:1284

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4388 --field-trial-handle=1896,i,8328993916761525045,3268471887603621692,131072 /prefetch:8
2⤵
PID:2440

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4900 --field-trial-handle=1896,i,8328993916761525045,3268471887603621692,131072 /prefetch:8
2⤵
PID:3520

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5060 --field-trial-handle=1896,i,8328993916761525045,3268471887603621692,131072 /prefetch:8
2⤵
PID:440

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4612 --field-trial-handle=1896,i,8328993916761525045,3268471887603621692,131072 /prefetch:8
2⤵
PID:2368

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4708 --field-trial-handle=1896,i,8328993916761525045,3268471887603621692,131072 /prefetch:8
2⤵
PID:4472

C:\Users\Admin\Downloads\ZharkBOT.exe
"C:\Users\Admin\Downloads\ZharkBOT.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3416

C:\ProgramData\34vgn892c.exe
"C:\ProgramData\34vgn892c.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:2908

C:\ProgramData\FRaqbC8wSA1XvpFVjCRGryWt.exe
"C:\ProgramData\FRaqbC8wSA1XvpFVjCRGryWt.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1576

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
5⤵
- Modifies registry class
PID:3244

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4404 --field-trial-handle=1896,i,8328993916761525045,3268471887603621692,131072 /prefetch:1
2⤵
PID:5100

C:\Users\Admin\Downloads\ZharkBOT.exe
"C:\Users\Admin\Downloads\ZharkBOT.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4152

C:\ProgramData\34vgn892c.exe
"C:\ProgramData\34vgn892c.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:736

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3884 --field-trial-handle=1896,i,8328993916761525045,3268471887603621692,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:920

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3752

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\FRaqbC8wSA1XvpFVjCRGryWt.exe
Filesize
296KB

MD5
4de07fa106d917b74e44bd624f3eeaef

SHA1
dace1725097a94f1fdfad54f0eb2a2fbeab13a72

SHA256
99f566b150282334d980ba5d41138ff81b88375ccac6a0ad366b3de194c63053

SHA512
0c4524e7ee31d4ef11fd8a954e0ff02be57def4dc9c5550232338a07f7d27e3f8219d45b6e230f963ccdcd9b7b7daab5e0e3b60b45f8cab143159672398181c4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12
Filesize
1KB

MD5
2365869258df7a66a2121b802ca4afd9

SHA1
73acc30a2edeb9d6830de559bb8a74f35168135d

SHA256
d6b1932822bbd72a8e78c771717d992142348f67d625a42393719fefbe59b0ed

SHA512
795004bab536e128dbd81c188976d37c7b650efbfa5a80374df4c65a1049c27658f4620b7605583928eb167fcb69b4c99e4c8730c507b824a7bde9c7fb0e21f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8
Filesize
436B

MD5
1bfe0a81db078ea084ff82fe545176fe

SHA1
50b116f578bd272922fa8eae94f7b02fd3b88384

SHA256
5ba8817f13eee00e75158bad93076ab474a068c6b52686579e0f728fda68499f

SHA512
37c582f3f09f8d80529608c09041295d1644bcc9de6fb8c4669b05339b0dd870f9525abc5eed53ad06a94b51441275504bc943c336c5beb63b53460ba836ca8d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12
Filesize
174B

MD5
419ff7f66f5baa6a48bae9623254f0b9

SHA1
7d042f981a2b62bdf129b2be49ac69d41992742a

SHA256
00952c1bdfd21c2b86562b631d21a3ea89a8512b292ba49ff4cac67551b7a33f

SHA512
d04fe034cbe3c77778095a2fe99767836db2583d6e127f520337fbed3b5769a8c1f04a3ba6bdf69245c30784c2b5ce0a9a20cdad5f1423be0a1e530f189448e9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8
Filesize
170B

MD5
a9ae5b97b090f3e2021dd829b50b0537

SHA1
c0153e199048ab0b8329538b7e6480a07e62c7ff

SHA256
c5e89ee28840a822039be20709213c55f50dd0a3de12869299e31b38ebe63376

SHA512
34eb91e7331ca5b93e1669e97514d11f392df4440cc1952f618c7200551f9b6c95310d59e6ffc67a9d6bbf09d766523ebe34f8b38172894bf383a1ed457969a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\714f570a-6170-4151-b015-7ae593433bbf.tmp
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
d37207d3b02956364ebf978afb14aae0

SHA1
3d84160a429ee898c0d3428295d89c1e1457d9b2

SHA256
a979e94a87fe355dca3108890b40b6131e4fc6fcba0c5247f85ab8ecb98a7af2

SHA512
0c99d7f1bbe7f52e402fa4381f145de68af3f5e338e42992c0f380764df2d47fbc99564ac9686f18a2d681d96485764cfa1cf1952701f91e77c2e021ea136899

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
ad03193b71807abbd74ac5b3ceb35405

SHA1
bd2f88339278d46216ce81300783a0430e0479d7

SHA256
742fd572eb1584b3c90b011e9b3aabd5d7bbaf1b29d2b00ddafbb212ed42a48c

SHA512
af1266b4c2e23ea43d6b83d19e57310e9cf766e9bc8db2d4727ff085cd8efa76262c5e59e5cc2809742136314fa922621d65dee51bdbb4ea2456757dcbd43d11

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
9db96ee7a86f274c0f9218c4d5358235

SHA1
ad425b81406eee8308ee5fac52815310359654f4

SHA256
5b708e4bc0e4c9506ed6f6e4e3a19c1b689c1b7571643f44970d863756848c8d

SHA512
8bbe77aa55232bb0e6020f0b187b77ea6c3286ed68f59497470338b38066d9b224fbcfb0d385778b8b114f9ad7b8d65b804e7b0044f553f884d94c1a6dea75ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
129KB

MD5
d951739260dc13b2f89a9ca6d60a1c2a

SHA1
2183e94d0ab3fa721989ea0e90cfbe03352fb806

SHA256
50d628a4eb4567b802472b7c7e0dc2170c9194bd34af5aba7655fe379b659c9e

SHA512
5e9c19cae1ceec6b06e9bc5be4a23bc154c05e4aaffe0666ca7e64c35e18fc88369394d5fd283bfcd08520c405b2c9372bb568fa15f46e24a1e031827027ec81

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
129KB

MD5
df27033e5763b24d9f8eafec16bc0a96

SHA1
449da8dbcb9d7c54c265557a66d8316299fa805f

SHA256
e0e57e15043875c536a347d2fd261ecc0132f6260b03f18bb37dcf26031f6f3b

SHA512
9d4c8da446c16bb6e39860cacaebc17bb883ec08f36dc3fa591d90812172b4393e83749d636818cdc94bba3685c68894f4fba9169a873f5cb82075af10324828

Download Submit
C:\Users\Admin\Downloads\ZharkBOT.exe
Filesize
1.2MB

MD5
339271af2bbdad0395a479c3ef2a714a

SHA1
4f38b94fdb7f3cc4cf9f79bbb4d4311b85f0e14b

SHA256
71769ebf723749783f5e79f7b8a43d6ef03582fca2d1d26cad69157b73004f2b

SHA512
b93d038fd8159cf46f9568f60a22080b0a6e7b383028b47983465dd0c5fe1611a0e0eb99e141c2ee1604b29df6530605f489e05389904eff51048bd9d2e4eb0e

Download Submit
\??\pipe\crashpad_3164_HKQNDLJBVCDBDMKL
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/736-122-0x0000000003BA0000-0x0000000003C77000-memory.dmp

Filesize
860KB

Download
memory/736-153-0x0000000003BA0000-0x0000000003C77000-memory.dmp

Filesize
860KB

Download
memory/1576-168-0x0000000007C30000-0x0000000007E6E000-memory.dmp

Filesize
2.2MB

Download
memory/1576-202-0x0000000007C30000-0x0000000007E6E000-memory.dmp

Filesize
2.2MB

Download
memory/1576-155-0x0000000008420000-0x00000000089C4000-memory.dmp

Filesize
5.6MB

Download
memory/1576-156-0x0000000007F50000-0x0000000007FE2000-memory.dmp

Filesize
584KB

Download
memory/1576-158-0x0000000007C30000-0x0000000007E6E000-memory.dmp

Filesize
2.2MB

Download
memory/1576-162-0x0000000007C30000-0x0000000007E6E000-memory.dmp

Filesize
2.2MB

Download
memory/1576-170-0x0000000007C30000-0x0000000007E6E000-memory.dmp

Filesize
2.2MB

Download
memory/1576-180-0x0000000007C30000-0x0000000007E6E000-memory.dmp

Filesize
2.2MB

Download
memory/1576-178-0x0000000007C30000-0x0000000007E6E000-memory.dmp

Filesize
2.2MB

Download
memory/1576-176-0x0000000007C30000-0x0000000007E6E000-memory.dmp

Filesize
2.2MB

Download
memory/1576-174-0x0000000007C30000-0x0000000007E6E000-memory.dmp

Filesize
2.2MB

Download
memory/1576-172-0x0000000007C30000-0x0000000007E6E000-memory.dmp

Filesize
2.2MB

Download
memory/1576-166-0x0000000007C30000-0x0000000007E6E000-memory.dmp

Filesize
2.2MB

Download
memory/1576-140-0x0000000000FA0000-0x0000000000FEE000-memory.dmp

Filesize
312KB

Download
memory/1576-160-0x0000000007C30000-0x0000000007E6E000-memory.dmp

Filesize
2.2MB

Download
memory/1576-164-0x0000000007C30000-0x0000000007E6E000-memory.dmp

Filesize
2.2MB

Download
memory/1576-157-0x0000000007C30000-0x0000000007E6E000-memory.dmp

Filesize
2.2MB

Download
memory/1576-182-0x0000000007C30000-0x0000000007E6E000-memory.dmp

Filesize
2.2MB

Download
memory/1576-184-0x0000000007C30000-0x0000000007E6E000-memory.dmp

Filesize
2.2MB

Download
memory/1576-188-0x0000000007C30000-0x0000000007E6E000-memory.dmp

Filesize
2.2MB

Download
memory/1576-186-0x0000000007C30000-0x0000000007E6E000-memory.dmp

Filesize
2.2MB

Download
memory/1576-154-0x0000000007C30000-0x0000000007E74000-memory.dmp

Filesize
2.3MB

Download
memory/1576-198-0x0000000007C30000-0x0000000007E6E000-memory.dmp

Filesize
2.2MB

Download
memory/1576-210-0x0000000007C30000-0x0000000007E6E000-memory.dmp

Filesize
2.2MB

Download
memory/1576-220-0x0000000007C30000-0x0000000007E6E000-memory.dmp

Filesize
2.2MB

Download
memory/1576-218-0x0000000007C30000-0x0000000007E6E000-memory.dmp

Filesize
2.2MB

Download
memory/1576-216-0x0000000007C30000-0x0000000007E6E000-memory.dmp

Filesize
2.2MB

Download
memory/1576-214-0x0000000007C30000-0x0000000007E6E000-memory.dmp

Filesize
2.2MB

Download
memory/1576-208-0x0000000007C30000-0x0000000007E6E000-memory.dmp

Filesize
2.2MB

Download
memory/1576-206-0x0000000007C30000-0x0000000007E6E000-memory.dmp

Filesize
2.2MB

Download
memory/1576-204-0x0000000007C30000-0x0000000007E6E000-memory.dmp

Filesize
2.2MB

Download
memory/1576-200-0x0000000007C30000-0x0000000007E6E000-memory.dmp

Filesize
2.2MB

Download
memory/1576-212-0x0000000007C30000-0x0000000007E6E000-memory.dmp

Filesize
2.2MB

Download
memory/1576-196-0x0000000007C30000-0x0000000007E6E000-memory.dmp

Filesize
2.2MB

Download
memory/1576-194-0x0000000007C30000-0x0000000007E6E000-memory.dmp

Filesize
2.2MB

Download
memory/1576-192-0x0000000007C30000-0x0000000007E6E000-memory.dmp

Filesize
2.2MB

Download
memory/1576-190-0x0000000007C30000-0x0000000007E6E000-memory.dmp

Filesize
2.2MB

Download
memory/1576-5019-0x00000000060C0000-0x0000000006142000-memory.dmp

Filesize
520KB

Download
memory/1576-5020-0x00000000065F0000-0x000000000663C000-memory.dmp

Filesize
304KB

Download
memory/1576-5021-0x0000000006640000-0x0000000006694000-memory.dmp

Filesize
336KB

Download
memory/3244-5025-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3244-5026-0x0000000005C10000-0x0000000005CAC000-memory.dmp

Filesize
624KB

Download
memory/3244-5027-0x0000000005CB0000-0x0000000005D16000-memory.dmp

Filesize
408KB

Download