asyncrat | hxxps://solutionhub[.]cc/download/ZharkBOT[.]exe

Analysis

max time kernel
441s
max time network
440s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
01-07-2024 23:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://solutionhub.cc/download/ZharkBOT.exe

Score

10^/10

asyncrat persistence rat

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Executes dropped EXE 5 IoCs

Processes:

ZharkBOT.exe34vgn892c.exeFRaqbC8wSA1XvpFVjCRGryWt.exeZharkBOT.exe34vgn892c.exe

pid process

2848 ZharkBOT.exe
3532 34vgn892c.exe
768 FRaqbC8wSA1XvpFVjCRGryWt.exe
2556 ZharkBOT.exe
4232 34vgn892c.exe

pid	process
2848	ZharkBOT.exe
3532	34vgn892c.exe
768	FRaqbC8wSA1XvpFVjCRGryWt.exe
2556	ZharkBOT.exe
4232	34vgn892c.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

34vgn892c.exeFRaqbC8wSA1XvpFVjCRGryWt.exe34vgn892c.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Microsoft\Windows\CurrentVersion\Run\3v82v2vcc2 = "C:\\ProgramData\\34vgn892c.exe"	34vgn892c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Microsoft\Windows\CurrentVersion\Run\Uqwgg = "C:\\Users\\Admin\\AppData\\Local\\Uqwgg.exe"	FRaqbC8wSA1XvpFVjCRGryWt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Microsoft\Windows\CurrentVersion\Run\3v82v2vcc2 = "C:\\ProgramData\\34vgn892c.exe"	34vgn892c.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

FRaqbC8wSA1XvpFVjCRGryWt.exe

description pid process target process

PID 768 set thread context of 1224 768 FRaqbC8wSA1XvpFVjCRGryWt.exe cvtres.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 768 set thread context of 1224	768	FRaqbC8wSA1XvpFVjCRGryWt.exe	cvtres.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133643494072418072"	chrome.exe

Modifies registry class 9 IoCs

Processes:

cvtres.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\ms-settings\shell	cvtres.exe
Key created	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\ms-settings\shell\open	cvtres.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\ms-settings	cvtres.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\ms-settings\shell	cvtres.exe
Key created	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\ms-settings\shell\open\command	cvtres.exe
Key created	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\ms-settings	cvtres.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\ms-settings\shell\open\command\	cvtres.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\ms-settings\shell\open\command	cvtres.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\ms-settings\shell\open	cvtres.exe

NTFS ADS 2 IoCs

Processes:

ZharkBOT.exechrome.exe

description	ioc	process
File created	C:\ProgramData\34vgn892c.exe\:Zone.Identifier:$DATA	ZharkBOT.exe
File opened for modification	C:\Users\Admin\Downloads\ZharkBOT.exe:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

chrome.exeZharkBOT.exe34vgn892c.exechrome.exeZharkBOT.exe34vgn892c.exe

pid	process
248	chrome.exe
248	chrome.exe
2848	ZharkBOT.exe
2848	ZharkBOT.exe
2848	ZharkBOT.exe
2848	ZharkBOT.exe
2848	ZharkBOT.exe
2848	ZharkBOT.exe
3532	34vgn892c.exe
3532	34vgn892c.exe
3532	34vgn892c.exe
3532	34vgn892c.exe
3532	34vgn892c.exe
3532	34vgn892c.exe
1924	chrome.exe
1924	chrome.exe
2556	ZharkBOT.exe
2556	ZharkBOT.exe
2556	ZharkBOT.exe
2556	ZharkBOT.exe
2556	ZharkBOT.exe
2556	ZharkBOT.exe
4232	34vgn892c.exe
4232	34vgn892c.exe
4232	34vgn892c.exe
4232	34vgn892c.exe
4232	34vgn892c.exe
4232	34vgn892c.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

248 chrome.exe
248 chrome.exe
248 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	248	chrome.exe
Token: SeCreatePagefilePrivilege	248	chrome.exe
Token: SeShutdownPrivilege	248	chrome.exe
Token: SeCreatePagefilePrivilege	248	chrome.exe
Token: SeShutdownPrivilege	248	chrome.exe
Token: SeCreatePagefilePrivilege	248	chrome.exe
Token: SeShutdownPrivilege	248	chrome.exe
Token: SeCreatePagefilePrivilege	248	chrome.exe
Token: SeShutdownPrivilege	248	chrome.exe
Token: SeCreatePagefilePrivilege	248	chrome.exe
Token: SeShutdownPrivilege	248	chrome.exe
Token: SeCreatePagefilePrivilege	248	chrome.exe
Token: SeShutdownPrivilege	248	chrome.exe
Token: SeCreatePagefilePrivilege	248	chrome.exe
Token: SeShutdownPrivilege	248	chrome.exe
Token: SeCreatePagefilePrivilege	248	chrome.exe
Token: SeShutdownPrivilege	248	chrome.exe
Token: SeCreatePagefilePrivilege	248	chrome.exe
Token: SeShutdownPrivilege	248	chrome.exe
Token: SeCreatePagefilePrivilege	248	chrome.exe
Token: SeShutdownPrivilege	248	chrome.exe
Token: SeCreatePagefilePrivilege	248	chrome.exe
Token: SeShutdownPrivilege	248	chrome.exe
Token: SeCreatePagefilePrivilege	248	chrome.exe
Token: SeShutdownPrivilege	248	chrome.exe
Token: SeCreatePagefilePrivilege	248	chrome.exe
Token: SeShutdownPrivilege	248	chrome.exe
Token: SeCreatePagefilePrivilege	248	chrome.exe
Token: SeShutdownPrivilege	248	chrome.exe
Token: SeCreatePagefilePrivilege	248	chrome.exe
Token: SeShutdownPrivilege	248	chrome.exe
Token: SeCreatePagefilePrivilege	248	chrome.exe
Token: SeShutdownPrivilege	248	chrome.exe
Token: SeCreatePagefilePrivilege	248	chrome.exe
Token: SeShutdownPrivilege	248	chrome.exe
Token: SeCreatePagefilePrivilege	248	chrome.exe
Token: SeShutdownPrivilege	248	chrome.exe
Token: SeCreatePagefilePrivilege	248	chrome.exe
Token: SeShutdownPrivilege	248	chrome.exe
Token: SeCreatePagefilePrivilege	248	chrome.exe
Token: SeShutdownPrivilege	248	chrome.exe
Token: SeCreatePagefilePrivilege	248	chrome.exe
Token: SeShutdownPrivilege	248	chrome.exe
Token: SeCreatePagefilePrivilege	248	chrome.exe
Token: SeShutdownPrivilege	248	chrome.exe
Token: SeCreatePagefilePrivilege	248	chrome.exe
Token: SeShutdownPrivilege	248	chrome.exe
Token: SeCreatePagefilePrivilege	248	chrome.exe
Token: SeShutdownPrivilege	248	chrome.exe
Token: SeCreatePagefilePrivilege	248	chrome.exe
Token: SeShutdownPrivilege	248	chrome.exe
Token: SeCreatePagefilePrivilege	248	chrome.exe
Token: SeShutdownPrivilege	248	chrome.exe
Token: SeCreatePagefilePrivilege	248	chrome.exe
Token: SeShutdownPrivilege	248	chrome.exe
Token: SeCreatePagefilePrivilege	248	chrome.exe
Token: SeShutdownPrivilege	248	chrome.exe
Token: SeCreatePagefilePrivilege	248	chrome.exe
Token: SeShutdownPrivilege	248	chrome.exe
Token: SeCreatePagefilePrivilege	248	chrome.exe
Token: SeShutdownPrivilege	248	chrome.exe
Token: SeCreatePagefilePrivilege	248	chrome.exe
Token: SeShutdownPrivilege	248	chrome.exe
Token: SeCreatePagefilePrivilege	248	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

Processes:

chrome.exe

pid	process
248	chrome.exe
248	chrome.exe
248	chrome.exe
248	chrome.exe
248	chrome.exe
248	chrome.exe
248	chrome.exe
248	chrome.exe
248	chrome.exe
248	chrome.exe
248	chrome.exe
248	chrome.exe
248	chrome.exe
248	chrome.exe
248	chrome.exe
248	chrome.exe
248	chrome.exe
248	chrome.exe
248	chrome.exe
248	chrome.exe
248	chrome.exe
248	chrome.exe
248	chrome.exe
248	chrome.exe
248	chrome.exe
248	chrome.exe
248	chrome.exe
248	chrome.exe
248	chrome.exe
248	chrome.exe
248	chrome.exe
248	chrome.exe
248	chrome.exe
248	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

chrome.exe

pid	process
248	chrome.exe
248	chrome.exe
248	chrome.exe
248	chrome.exe
248	chrome.exe
248	chrome.exe
248	chrome.exe
248	chrome.exe
248	chrome.exe
248	chrome.exe
248	chrome.exe
248	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 248 wrote to memory of 244	248	chrome.exe	chrome.exe
PID 248 wrote to memory of 244	248	chrome.exe	chrome.exe
PID 248 wrote to memory of 1696	248	chrome.exe	chrome.exe
PID 248 wrote to memory of 1696	248	chrome.exe	chrome.exe
PID 248 wrote to memory of 1696	248	chrome.exe	chrome.exe
PID 248 wrote to memory of 1696	248	chrome.exe	chrome.exe
PID 248 wrote to memory of 1696	248	chrome.exe	chrome.exe
PID 248 wrote to memory of 1696	248	chrome.exe	chrome.exe
PID 248 wrote to memory of 1696	248	chrome.exe	chrome.exe
PID 248 wrote to memory of 1696	248	chrome.exe	chrome.exe
PID 248 wrote to memory of 1696	248	chrome.exe	chrome.exe
PID 248 wrote to memory of 1696	248	chrome.exe	chrome.exe
PID 248 wrote to memory of 1696	248	chrome.exe	chrome.exe
PID 248 wrote to memory of 1696	248	chrome.exe	chrome.exe
PID 248 wrote to memory of 1696	248	chrome.exe	chrome.exe
PID 248 wrote to memory of 1696	248	chrome.exe	chrome.exe
PID 248 wrote to memory of 1696	248	chrome.exe	chrome.exe
PID 248 wrote to memory of 1696	248	chrome.exe	chrome.exe
PID 248 wrote to memory of 1696	248	chrome.exe	chrome.exe
PID 248 wrote to memory of 1696	248	chrome.exe	chrome.exe
PID 248 wrote to memory of 1696	248	chrome.exe	chrome.exe
PID 248 wrote to memory of 1696	248	chrome.exe	chrome.exe
PID 248 wrote to memory of 1696	248	chrome.exe	chrome.exe
PID 248 wrote to memory of 1696	248	chrome.exe	chrome.exe
PID 248 wrote to memory of 1696	248	chrome.exe	chrome.exe
PID 248 wrote to memory of 1696	248	chrome.exe	chrome.exe
PID 248 wrote to memory of 1696	248	chrome.exe	chrome.exe
PID 248 wrote to memory of 1696	248	chrome.exe	chrome.exe
PID 248 wrote to memory of 1696	248	chrome.exe	chrome.exe
PID 248 wrote to memory of 1696	248	chrome.exe	chrome.exe
PID 248 wrote to memory of 1696	248	chrome.exe	chrome.exe
PID 248 wrote to memory of 1696	248	chrome.exe	chrome.exe
PID 248 wrote to memory of 1696	248	chrome.exe	chrome.exe
PID 248 wrote to memory of 2196	248	chrome.exe	chrome.exe
PID 248 wrote to memory of 2196	248	chrome.exe	chrome.exe
PID 248 wrote to memory of 3928	248	chrome.exe	chrome.exe
PID 248 wrote to memory of 3928	248	chrome.exe	chrome.exe
PID 248 wrote to memory of 3928	248	chrome.exe	chrome.exe
PID 248 wrote to memory of 3928	248	chrome.exe	chrome.exe
PID 248 wrote to memory of 3928	248	chrome.exe	chrome.exe
PID 248 wrote to memory of 3928	248	chrome.exe	chrome.exe
PID 248 wrote to memory of 3928	248	chrome.exe	chrome.exe
PID 248 wrote to memory of 3928	248	chrome.exe	chrome.exe
PID 248 wrote to memory of 3928	248	chrome.exe	chrome.exe
PID 248 wrote to memory of 3928	248	chrome.exe	chrome.exe
PID 248 wrote to memory of 3928	248	chrome.exe	chrome.exe
PID 248 wrote to memory of 3928	248	chrome.exe	chrome.exe
PID 248 wrote to memory of 3928	248	chrome.exe	chrome.exe
PID 248 wrote to memory of 3928	248	chrome.exe	chrome.exe
PID 248 wrote to memory of 3928	248	chrome.exe	chrome.exe
PID 248 wrote to memory of 3928	248	chrome.exe	chrome.exe
PID 248 wrote to memory of 3928	248	chrome.exe	chrome.exe
PID 248 wrote to memory of 3928	248	chrome.exe	chrome.exe
PID 248 wrote to memory of 3928	248	chrome.exe	chrome.exe
PID 248 wrote to memory of 3928	248	chrome.exe	chrome.exe
PID 248 wrote to memory of 3928	248	chrome.exe	chrome.exe
PID 248 wrote to memory of 3928	248	chrome.exe	chrome.exe
PID 248 wrote to memory of 3928	248	chrome.exe	chrome.exe
PID 248 wrote to memory of 3928	248	chrome.exe	chrome.exe
PID 248 wrote to memory of 3928	248	chrome.exe	chrome.exe
PID 248 wrote to memory of 3928	248	chrome.exe	chrome.exe
PID 248 wrote to memory of 3928	248	chrome.exe	chrome.exe
PID 248 wrote to memory of 3928	248	chrome.exe	chrome.exe
PID 248 wrote to memory of 3928	248	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://solutionhub.cc/download/ZharkBOT.exe
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:248

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffff154ab58,0x7ffff154ab68,0x7ffff154ab78
2⤵
PID:244

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1504 --field-trial-handle=1780,i,13125388264315982989,17915629702150275319,131072 /prefetch:2
2⤵
PID:1696

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2060 --field-trial-handle=1780,i,13125388264315982989,17915629702150275319,131072 /prefetch:8
2⤵
PID:2196

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2168 --field-trial-handle=1780,i,13125388264315982989,17915629702150275319,131072 /prefetch:8
2⤵
PID:3928

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2980 --field-trial-handle=1780,i,13125388264315982989,17915629702150275319,131072 /prefetch:1
2⤵
PID:4748

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3012 --field-trial-handle=1780,i,13125388264315982989,17915629702150275319,131072 /prefetch:1
2⤵
PID:1160

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3800 --field-trial-handle=1780,i,13125388264315982989,17915629702150275319,131072 /prefetch:8
2⤵
PID:4652

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4444 --field-trial-handle=1780,i,13125388264315982989,17915629702150275319,131072 /prefetch:8
2⤵
PID:2276

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4528 --field-trial-handle=1780,i,13125388264315982989,17915629702150275319,131072 /prefetch:8
2⤵
PID:2700

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4772 --field-trial-handle=1780,i,13125388264315982989,17915629702150275319,131072 /prefetch:8
2⤵
PID:3172

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4784 --field-trial-handle=1780,i,13125388264315982989,17915629702150275319,131072 /prefetch:8
2⤵
PID:4716

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2972 --field-trial-handle=1780,i,13125388264315982989,17915629702150275319,131072 /prefetch:8
2⤵
- NTFS ADS
PID:3152

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4796 --field-trial-handle=1780,i,13125388264315982989,17915629702150275319,131072 /prefetch:8
2⤵
PID:2172

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3428 --field-trial-handle=1780,i,13125388264315982989,17915629702150275319,131072 /prefetch:8
2⤵
PID:764

C:\Users\Admin\Downloads\ZharkBOT.exe
"C:\Users\Admin\Downloads\ZharkBOT.exe"
2⤵
- Executes dropped EXE
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:2848

C:\ProgramData\34vgn892c.exe
"C:\ProgramData\34vgn892c.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:3532

C:\ProgramData\FRaqbC8wSA1XvpFVjCRGryWt.exe
"C:\ProgramData\FRaqbC8wSA1XvpFVjCRGryWt.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:768

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
5⤵
- Modifies registry class
PID:1224

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1684 --field-trial-handle=1780,i,13125388264315982989,17915629702150275319,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1924

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=1716 --field-trial-handle=1780,i,13125388264315982989,17915629702150275319,131072 /prefetch:1
2⤵
PID:1716

C:\Users\Admin\Downloads\ZharkBOT.exe
"C:\Users\Admin\Downloads\ZharkBOT.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2556

C:\ProgramData\34vgn892c.exe
"C:\ProgramData\34vgn892c.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:4232

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4968

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\FRaqbC8wSA1XvpFVjCRGryWt.exe
Filesize
296KB

MD5
4de07fa106d917b74e44bd624f3eeaef

SHA1
dace1725097a94f1fdfad54f0eb2a2fbeab13a72

SHA256
99f566b150282334d980ba5d41138ff81b88375ccac6a0ad366b3de194c63053

SHA512
0c4524e7ee31d4ef11fd8a954e0ff02be57def4dc9c5550232338a07f7d27e3f8219d45b6e230f963ccdcd9b7b7daab5e0e3b60b45f8cab143159672398181c4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12
Filesize
1KB

MD5
2365869258df7a66a2121b802ca4afd9

SHA1
73acc30a2edeb9d6830de559bb8a74f35168135d

SHA256
d6b1932822bbd72a8e78c771717d992142348f67d625a42393719fefbe59b0ed

SHA512
795004bab536e128dbd81c188976d37c7b650efbfa5a80374df4c65a1049c27658f4620b7605583928eb167fcb69b4c99e4c8730c507b824a7bde9c7fb0e21f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8
Filesize
436B

MD5
1bfe0a81db078ea084ff82fe545176fe

SHA1
50b116f578bd272922fa8eae94f7b02fd3b88384

SHA256
5ba8817f13eee00e75158bad93076ab474a068c6b52686579e0f728fda68499f

SHA512
37c582f3f09f8d80529608c09041295d1644bcc9de6fb8c4669b05339b0dd870f9525abc5eed53ad06a94b51441275504bc943c336c5beb63b53460ba836ca8d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12
Filesize
174B

MD5
07505e3fc4a3b912e4508b77814a61f7

SHA1
4348f99250bad6564884dad8cf99243818a7fcb5

SHA256
81852acb2c660027276de58661404819b71cc45f78067ae43bff5d076818cd11

SHA512
9befde1e19e0b5cb1b4aff37012f8d5894daa06ac96704f85db07a2886e174dcd4bc25b592e8ac916509bd266cda7c6e3e4b1b23013ed4149d4db13591f66db5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8
Filesize
170B

MD5
01f559e094633ee9c2057ade88388111

SHA1
e2b54cf8a3507086522f5e100a8b28cf6e40e666

SHA256
531c2c8954126ceefe31b35a01774437d59578e0f5d9f060b17aace8aa0aa1fb

SHA512
72f04445b90a883f913e2e6c28afd4896953618aeeca2496260ba4c177a1676f19575cffeff51ece86b77a300ff692f7ada26aa34c4efd0e32d5ba09402c851e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\5e42b0e4-4d90-4668-9fe0-6c3406f313b1.tmp
Filesize
138KB

MD5
aff1d93b671e2802ac05758f76e4739b

SHA1
761bdada8e9293064302b2091abc83880b367cfc

SHA256
cc5867437749e85c32b5550970374b3bd13a30e63c0b43ba2ab0f4ba8b01b4f6

SHA512
5c73a4569fa17f3e10ef9adef434d1c9a577224f9cf1e8dbbfc21e93378c5ebdd86682775acc422760282a490be9c1ef5be7571755a2fcf8e96490b2c9377a07

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
cb83b6a4c538e6b22dfff2a2132d7a20

SHA1
9f2196e822ac18bac56f63ed7467865558a61fa7

SHA256
1a9140a5d327eb4ad1ae6a3263d76d2ecdbf9ca94346768048a2362074af4a88

SHA512
de805dbc14fe27638fc28000c2f04d18918339a93f36e090cfbf465d577ccf4783f90db8ee44da79800c0e755ff702e0a4eaf163f6f3c899bafa8afd4c02b28b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
1b8813d6a3b54cdc53057413b4553e51

SHA1
af73280cc48f4db74d090fd4a1c22f067b2b9cff

SHA256
499bae0579deda1af2032b833408e73a0832fb2a5028e16d8df72045ce1e27e0

SHA512
e5928ab279049ece1a3d4470190c3e63d2c4c8bb169b3dcbfce53ade7ca3d1e49a4f4a23b66b0b78054f7ba8c2523e4506535dec540ae607cae958ea9f612b7a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
6ad33be36b785182e49efe422c87c47f

SHA1
23f67ce9e5b952a5eb5d9361901aad45ffdcddc3

SHA256
6d6c1d168a20ffaae14c4a475bb9ce6db6b485856e79b6882183b60bbf9da06c

SHA512
c97a21bae1ad61f788959657101ed38d391d3a138eafd7bda27b1ed3087e81f2d4a622c3296927bc46685d2230269efc0ba2e6dd2720cc5e7bd3f9a78ba4e188

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
21bde9ba043659ca5fa65a4a71425663

SHA1
77b69f269b8e4bc2f31549ec62db0b3c32481fa5

SHA256
01c8516205bb2f3f42c1f18329e1944cbd614ca0ba1d5b3e925af1a718677303

SHA512
15fb2cb208345b47a4f9427c260ea1cdec90e3b593c4be85baf38f430c7c0512bcb1c187bd530c63ee8d6e28098ddf32984784d795d6c19ecf5ea548801560ac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
138KB

MD5
f08679ed7634d4403a038e931169d544

SHA1
432ec95e9af340001331e3763418a785665e4c53

SHA256
40ad6b1f96d72e857f77e079031611326da17a82b4263387c0895f94a6d18305

SHA512
cc02f6bb0ec9ebc5954e59fde859c48b60489a5d8765c8b3d15934fc06c4352371b07c1cad7a6ce1c43712fe4594d0c55789f1aef3b6aafd10c27eaece6ff881

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
98KB

MD5
a4c93c59adcb41a17ff924e397cf3854

SHA1
620d2c256b3eea722c91a944a1117940de609ed7

SHA256
f20cabeb89ee2b0200b9cfeb1c158941e9cb0ee5e7f25486983b4992b8d09ae7

SHA512
18f20c0252828fd813abcafef36c844422e65ce94c2028ad6cc58e1216848d43faee4760d720a4d24aa3a55b8781a2165c63b641f8b211523d862da9997c79db

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57d467.TMP
Filesize
83KB

MD5
4a9949410fd85e1c9570b678f44ec2cf

SHA1
8613757ab6bdaa1fa256425f0b3d7833c8c35292

SHA256
3dcd9a5a366c4652d66071a73ec861f7a5f87f99bac906cccb48d9dcc9422e92

SHA512
b1bd84412e69ca379377666942a03dcce51328f8bb0065134e0b2394f51d506176ba4b3fca1b9029bb778cd6b5a5fb08a478582202112a073183a1d042381566

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 158545.crdownload
Filesize
1.2MB

MD5
339271af2bbdad0395a479c3ef2a714a

SHA1
4f38b94fdb7f3cc4cf9f79bbb4d4311b85f0e14b

SHA256
71769ebf723749783f5e79f7b8a43d6ef03582fca2d1d26cad69157b73004f2b

SHA512
b93d038fd8159cf46f9568f60a22080b0a6e7b383028b47983465dd0c5fe1611a0e0eb99e141c2ee1604b29df6530605f489e05389904eff51048bd9d2e4eb0e

Download Submit
C:\Users\Admin\Downloads\ZharkBOT.exe:Zone.Identifier
Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
\??\pipe\crashpad_248_JZVIHGAPFAPTKNPA
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/768-200-0x00000000079C0000-0x0000000007BFE000-memory.dmp

Filesize
2.2MB

Download
memory/768-204-0x00000000079C0000-0x0000000007BFE000-memory.dmp

Filesize
2.2MB

Download
memory/768-156-0x00000000079C0000-0x0000000007BFE000-memory.dmp

Filesize
2.2MB

Download
memory/768-168-0x00000000079C0000-0x0000000007BFE000-memory.dmp

Filesize
2.2MB

Download
memory/768-170-0x00000000079C0000-0x0000000007BFE000-memory.dmp

Filesize
2.2MB

Download
memory/768-166-0x00000000079C0000-0x0000000007BFE000-memory.dmp

Filesize
2.2MB

Download
memory/768-164-0x00000000079C0000-0x0000000007BFE000-memory.dmp

Filesize
2.2MB

Download
memory/768-162-0x00000000079C0000-0x0000000007BFE000-memory.dmp

Filesize
2.2MB

Download
memory/768-161-0x00000000079C0000-0x0000000007BFE000-memory.dmp

Filesize
2.2MB

Download
memory/768-174-0x00000000079C0000-0x0000000007BFE000-memory.dmp

Filesize
2.2MB

Download
memory/768-172-0x00000000079C0000-0x0000000007BFE000-memory.dmp

Filesize
2.2MB

Download
memory/768-182-0x00000000079C0000-0x0000000007BFE000-memory.dmp

Filesize
2.2MB

Download
memory/768-196-0x00000000079C0000-0x0000000007BFE000-memory.dmp

Filesize
2.2MB

Download
memory/768-159-0x00000000079C0000-0x0000000007BFE000-memory.dmp

Filesize
2.2MB

Download
memory/768-218-0x00000000079C0000-0x0000000007BFE000-memory.dmp

Filesize
2.2MB

Download
memory/768-216-0x00000000079C0000-0x0000000007BFE000-memory.dmp

Filesize
2.2MB

Download
memory/768-212-0x00000000079C0000-0x0000000007BFE000-memory.dmp

Filesize
2.2MB

Download
memory/768-210-0x00000000079C0000-0x0000000007BFE000-memory.dmp

Filesize
2.2MB

Download
memory/768-209-0x00000000079C0000-0x0000000007BFE000-memory.dmp

Filesize
2.2MB

Download
memory/768-206-0x00000000079C0000-0x0000000007BFE000-memory.dmp

Filesize
2.2MB

Download
memory/768-202-0x00000000079C0000-0x0000000007BFE000-memory.dmp

Filesize
2.2MB

Download
memory/768-198-0x00000000079C0000-0x0000000007BFE000-memory.dmp

Filesize
2.2MB

Download
memory/768-214-0x00000000079C0000-0x0000000007BFE000-memory.dmp

Filesize
2.2MB

Download
memory/768-155-0x00000000079C0000-0x0000000007BFE000-memory.dmp

Filesize
2.2MB

Download
memory/768-194-0x00000000079C0000-0x0000000007BFE000-memory.dmp

Filesize
2.2MB

Download
memory/768-192-0x00000000079C0000-0x0000000007BFE000-memory.dmp

Filesize
2.2MB

Download
memory/768-190-0x00000000079C0000-0x0000000007BFE000-memory.dmp

Filesize
2.2MB

Download
memory/768-188-0x00000000079C0000-0x0000000007BFE000-memory.dmp

Filesize
2.2MB

Download
memory/768-186-0x00000000079C0000-0x0000000007BFE000-memory.dmp

Filesize
2.2MB

Download
memory/768-184-0x00000000079C0000-0x0000000007BFE000-memory.dmp

Filesize
2.2MB

Download
memory/768-180-0x00000000079C0000-0x0000000007BFE000-memory.dmp

Filesize
2.2MB

Download
memory/768-178-0x00000000079C0000-0x0000000007BFE000-memory.dmp

Filesize
2.2MB

Download
memory/768-176-0x00000000079C0000-0x0000000007BFE000-memory.dmp

Filesize
2.2MB

Download
memory/768-154-0x0000000007E20000-0x0000000007EB2000-memory.dmp

Filesize
584KB

Download
memory/768-153-0x00000000081C0000-0x0000000008766000-memory.dmp

Filesize
5.6MB

Download
memory/768-5040-0x0000000005E40000-0x0000000005EC2000-memory.dmp

Filesize
520KB

Download
memory/768-5041-0x0000000005F90000-0x0000000005FDC000-memory.dmp

Filesize
304KB

Download
memory/768-5042-0x0000000005FE0000-0x0000000006034000-memory.dmp

Filesize
336KB

Download
memory/768-145-0x00000000009C0000-0x0000000000A0E000-memory.dmp

Filesize
312KB

Download
memory/768-152-0x00000000079C0000-0x0000000007C04000-memory.dmp

Filesize
2.3MB

Download
memory/1224-5050-0x00000000056E0000-0x0000000005746000-memory.dmp

Filesize
408KB

Download
memory/1224-5049-0x0000000005C20000-0x0000000005CBC000-memory.dmp

Filesize
624KB

Download
memory/1224-5046-0x0000000000600000-0x000000000066E000-memory.dmp

Filesize
440KB

Download
memory/3532-151-0x00000000048D0000-0x00000000049A7000-memory.dmp

Filesize
860KB

Download
memory/3532-125-0x00000000048D0000-0x00000000049A7000-memory.dmp

Filesize
860KB

Download