Zharkbot is a C++ downloader with extensive anti-analysis and anti-sandbox features. It uses in-line string encryption and API calls, making static and emulation analysis challenging. The malware performs sandbox detection by checking for specific usernames and hypervisors. It installs itself in the TEMP directory as 'explert.exe' and establishes persistence via the RUNONCE registry key. Zharkbot builds its C2 data and communicates with the server at solutionhub.cc:443/socket/. The analysis reveals the malware's build version as 1.2.5B and provides insights into its installation, persistence, and network communication methods.