URL: https://dark-heaven.com/

Full analysis: https://app.any.run/tasks/52dce42f-cfdb-4459-a3b7-c0572c0a8ab0
Verdict: Malicious activity
Threats:

Stealers are a category of malicious software intended to gain unauthorized access to users' information and transfer it to the attacker. The category includes programs that each focus on a particular kind of data, such as files, passwords, and cryptocurrency. Stealers can also spy on their targets by recording keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: March 20, 2026, 02:24:36
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
discord
stealer
microstealer
arch-doc
anti-evasion
arch-exec
obfuscated-js
github
Indicators:
MD5:

AED31C0432F8CBB8EE61EEC40CAA5B20

SHA1:

B3163E4C2F84121DAF3D37037342F74CC323051F

SHA256:

B192E9E2EDD945CE238BEC7C21C091A74817B297DEEC486469EB9881DF2E9CDF

SSDEEP:

3:N8cm3:2cC

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes powershell execution policy (Bypass)

      • cmd.exe (PID: 4960)
    • MICROSTEALER has been detected (SURICATA)

      • microsoft.exe (PID: 8120)
    • Actions look like stealing of personal data

      • microsoft.exe (PID: 8120)
    • MICROSTEALER has been detected (YARA)

      • microsoft.exe (PID: 8120)
    • Steals credentials from Web Browsers

      • microsoft.exe (PID: 8120)
    • Antivirus name has been found in the command line (generic signature)

      • taskkill.exe (PID: 3536)
  • SUSPICIOUS

    • Malware-specific behavior (creating "System.dll" in Temp)

      • DarkHeavenSetupV3.exe (PID: 3352)
    • The process creates files with names similar to system file names

      • DarkHeavenSetupV3.exe (PID: 3352)
    • Get information on the list of running processes

      • DarkHeavenSetupV3.exe (PID: 3352)
      • cmd.exe (PID: 7324)
      • microsoft.exe (PID: 8120)
    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 7324)
      • cmd.exe (PID: 4960)
    • Executable content was dropped or overwritten

      • DarkHeavenSetupV3.exe (PID: 3352)
      • DarkHeavenSetupV4.exe (PID: 2456)
      • microsoft.exe (PID: 8120)
    • Drops 7-zip archiver for unpacking

      • DarkHeavenSetupV3.exe (PID: 3352)
    • Starts CMD.EXE with special quote handling

      • cmd.exe (PID: 4960)
    • Starts CMD.EXE with AutoRun commands disabled

      • cmd.exe (PID: 4960)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 4960)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 5760)
    • The process hides an interactive prompt from the user

      • cmd.exe (PID: 4960)
    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 4960)
    • The process executes Powershell scripts

      • powershell.exe (PID: 5760)
    • Application launched itself

      • DarkHeavenSetupV4.exe (PID: 1140)
    • The process drops C-runtime libraries

      • DarkHeavenSetupV4.exe (PID: 2456)
    • Uses WMIC.EXE to obtain Windows Installer data

      • microsoft.exe (PID: 8120)
    • Creates scheduled task with highest privileges

      • schtasks.exe (PID: 7420)
      • schtasks.exe (PID: 5716)
    • Uses TASKKILL.EXE to kill process

      • microsoft.exe (PID: 8120)
    • Uses TASKKILL.EXE to kill Browsers

      • microsoft.exe (PID: 8120)
    • Loads DLL from Mozilla Firefox

      • microsoft.exe (PID: 8120)
    • Possible stealing from crypto wallets

      • microsoft.exe (PID: 8120)
  • INFO

    • Executable content was dropped or overwritten

      • chrome.exe (PID: 5448)
    • Reads the computer name

      • DarkHeavenSetupV3.exe (PID: 3352)
      • DarkHeavenSetupV4.exe (PID: 1140)
      • DarkHeavenSetupV4.exe (PID: 7212)
      • DarkHeavenSetupV4.exe (PID: 4332)
      • microsoft.exe (PID: 8120)
    • Manual execution by a user

      • DarkHeavenSetupV3.exe (PID: 3352)
      • DarkHeavenSetupV4.exe (PID: 1140)
      • microsoft.exe (PID: 4112)
      • microsoft.exe (PID: 2340)
      • firefox.exe (PID: 8536)
      • WinRAR.exe (PID: 8844)
    • Application launched itself

      • chrome.exe (PID: 5448)
      • firefox.exe (PID: 4384)
      • firefox.exe (PID: 8536)
    • The sample is compiled with English language support

      • DarkHeavenSetupV3.exe (PID: 3352)
      • DarkHeavenSetupV4.exe (PID: 2456)
    • Checks supported languages

      • DarkHeavenSetupV3.exe (PID: 3352)
      • DarkHeavenSetupV4.exe (PID: 1140)
      • DarkHeavenSetupV4.exe (PID: 7212)
      • DarkHeavenSetupV4.exe (PID: 4332)
      • DarkHeavenSetupV4.exe (PID: 2456)
      • microsoft.exe (PID: 8120)
      • microsoft.exe (PID: 4112)
      • microsoft.exe (PID: 2340)
    • Create files in a temporary directory

      • DarkHeavenSetupV3.exe (PID: 3352)
      • DarkHeavenSetupV4.exe (PID: 1140)
      • microsoft.exe (PID: 8120)
      • microsoft.exe (PID: 4112)
      • microsoft.exe (PID: 2340)
    • Reads security settings of Internet Explorer

      • DarkHeavenSetupV3.exe (PID: 3352)
      • WMIC.exe (PID: 3748)
      • WMIC.exe (PID: 7944)
      • WMIC.exe (PID: 4300)
      • WMIC.exe (PID: 6896)
      • WMIC.exe (PID: 7340)
      • WMIC.exe (PID: 7760)
      • WMIC.exe (PID: 7276)
      • WMIC.exe (PID: 1788)
      • WMIC.exe (PID: 8060)
      • WMIC.exe (PID: 3164)
      • WMIC.exe (PID: 4488)
      • WMIC.exe (PID: 5852)
      • WMIC.exe (PID: 6628)
      • WMIC.exe (PID: 8148)
      • WMIC.exe (PID: 3048)
      • WMIC.exe (PID: 552)
      • WMIC.exe (PID: 4104)
      • WMIC.exe (PID: 7428)
      • WMIC.exe (PID: 7724)
      • WMIC.exe (PID: 2588)
      • WMIC.exe (PID: 7500)
      • WMIC.exe (PID: 5392)
      • WMIC.exe (PID: 3580)
      • WMIC.exe (PID: 3536)
      • WMIC.exe (PID: 7188)
      • WMIC.exe (PID: 5760)
      • WMIC.exe (PID: 7880)
      • WMIC.exe (PID: 6696)
      • WMIC.exe (PID: 3416)
      • WMIC.exe (PID: 2100)
      • WMIC.exe (PID: 8332)
      • WMIC.exe (PID: 8904)
      • WMIC.exe (PID: 3200)
      • WMIC.exe (PID: 680)
    • Creates files or folders in the user directory

      • DarkHeavenSetupV3.exe (PID: 3352)
      • DarkHeavenSetupV4.exe (PID: 2456)
      • microsoft.exe (PID: 8120)
    • Creates a software uninstall entry

      • DarkHeavenSetupV3.exe (PID: 3352)
    • Reads product name

      • DarkHeavenSetupV4.exe (PID: 1140)
      • DarkHeavenSetupV4.exe (PID: 2456)
    • Reads Environment values

      • DarkHeavenSetupV4.exe (PID: 1140)
      • DarkHeavenSetupV4.exe (PID: 2456)
    • There is functionality for taking screenshot (YARA)

      • DarkHeavenSetupV3.exe (PID: 3352)
      • microsoft.exe (PID: 8120)
    • Reads the machine GUID from the registry

      • DarkHeavenSetupV4.exe (PID: 1140)
      • microsoft.exe (PID: 8120)
    • The executable file from the user directory is run by the Powershell process

      • DarkHeavenSetupV4.exe (PID: 2456)
    • Uses Task Scheduler to autorun other applications (AUTOMATE)

      • microsoft.exe (PID: 8120)
    • Launching a file from the Downloads directory

      • firefox.exe (PID: 4384)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 463
Monitored processes: 320
Malicious processes: 3
Suspicious processes: 4

Behavior graph

Process nodes in the order the graph lists them ("no specs" in the original graph marks nodes shown without their own specifications; "#MICROSTEALER" marks the node flagged by the MicroStealer signature):

  • chrome.exe (many instances)
  • darkheavensetupv3.exe, followed by cmd.exe, conhost.exe, tasklist.exe and find.exe
  • darkheavensetupv4.exe, followed by cmd.exe, conhost.exe and powershell.exe
  • darkheavensetupv4.exe (three further instances)
  • microsoft.exe (#MICROSTEALER), followed by two schtasks.exe nodes and a long series of wmic.exe, tasklist.exe and taskkill.exe nodes, each paired with a conhost.exe
  • microsoft.exe (second instance), followed by further wmic.exe, tasklist.exe and taskkill.exe nodes with their conhost.exe nodes
  • microsoft.exe (third instance)
  • firefox.exe (many instances) and winrar.exe

Process information

Fields per process: PID, CMD, Path, Indicators, Parent process (the report lists no indicators for the processes below).
PID: 144
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --disable-quic --string-annotations --field-trial-handle=6488,i,12585064107407163281,1757076671136846872,262144 --disable-features=HttpsFirstBalancedMode,HttpsFirstModeV2,HttpsOnlyMode,HttpsUpgrades --variations-seed-version=20251218-201203.402000 --mojo-platform-channel-handle=6120 /prefetch:8
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: LOW
Description: Google Chrome
Exit code: 0
Version: 133.0.6943.127
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\133.0.6943.127\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID: 144
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: tasklist.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 144
CMD: taskkill /F /IM catalina.exe
Path: C:\Windows\System32\taskkill.exe
Parent process: microsoft.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Terminates Processes
Exit code: 128
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 420
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: WMIC.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 420
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: taskkill.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 488
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: WMIC.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 508
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --disable-quic --string-annotations --field-trial-handle=6540,i,12585064107407163281,1757076671136846872,262144 --disable-features=HttpsFirstBalancedMode,HttpsFirstModeV2,HttpsOnlyMode,HttpsUpgrades --variations-seed-version=20251218-201203.402000 --mojo-platform-channel-handle=5996 /prefetch:8
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: LOW
Description: Google Chrome
Exit code: 0
Version: 133.0.6943.127
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\133.0.6943.127\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID: 552
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: WMIC.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 552
CMD: WMIC /Node:localhost /Namespace:\\root\CIMV2 Path Win32_ComputerSystemProduct Get UUID /Format:List
Path: C:\Windows\System32\wbem\WMIC.exe
Parent process: microsoft.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: WMI Commandline Utility
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
PID: 672
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: WMIC.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 22 208
Read events: 22 177
Write events: 31
Delete events: 0

Modification events

Fields per event: (PID) Process, Key, Operation, Name, Value.

(3352) DarkHeavenSetupV3.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\1df4a8e4-3234-5ac4-abdd-35d6b18192ba | Operation: write | Name: DisplayVersion | Value: 2.0.0
(3352) DarkHeavenSetupV3.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\1df4a8e4-3234-5ac4-abdd-35d6b18192ba | Operation: write | Name: DisplayIcon | Value: C:\Users\admin\AppData\Local\Programs\GameLauncher\DarkHeavenSetupV4.exe,0
(3352) DarkHeavenSetupV3.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\1df4a8e4-3234-5ac4-abdd-35d6b18192ba | Operation: write | Name: Publisher | Value: DarkHeavenSetupV4
(3352) DarkHeavenSetupV3.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\1df4a8e4-3234-5ac4-abdd-35d6b18192ba | Operation: write | Name: NoModify | Value: 1
(3352) DarkHeavenSetupV3.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\1df4a8e4-3234-5ac4-abdd-35d6b18192ba | Operation: write | Name: NoRepair | Value: 1
(3352) DarkHeavenSetupV3.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\1df4a8e4-3234-5ac4-abdd-35d6b18192ba | Operation: write | Name: EstimatedSize | Value: 372913
(3352) DarkHeavenSetupV3.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer | Operation: write | Name: GlobalAssocChangedCounter | Value: 141
(3352) DarkHeavenSetupV3.exe | Key: HKEY_CURRENT_USER\SOFTWARE\1df4a8e4-3234-5ac4-abdd-35d6b18192ba | Operation: write | Name: InstallLocation | Value: C:\Users\admin\AppData\Local\Programs\GameLauncher
(3352) DarkHeavenSetupV3.exe | Key: HKEY_CURRENT_USER\SOFTWARE\1df4a8e4-3234-5ac4-abdd-35d6b18192ba | Operation: write | Name: KeepShortcuts | Value: true
(3352) DarkHeavenSetupV3.exe | Key: HKEY_CURRENT_USER\SOFTWARE\1df4a8e4-3234-5ac4-abdd-35d6b18192ba | Operation: write | Name: ShortcutName | Value: DarkHeavenSetupV4
Executable files: 147
Suspicious files: 563
Text files: 177
Unknown types: 0

Dropped files

Fields per file: PID, Process, Filename, Type (the report lists no type and no MD5/SHA256 values for these entries).

5448 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old~RFdfb29.TMP
5448 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\ClientCertificates\LOG.old~RFdfb29.TMP
5448 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB\LOG.old~RFdfb29.TMP
5448 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old
5448 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\parcel_tracking_db\LOG.old~RFdfb29.TMP
5448 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB\LOG.old
5448 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\discounts_db\LOG.old~RFdfb29.TMP
5448 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials\LOG.old~RFdfb29.TMP
5448 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\ClientCertificates\LOG.old
5448 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\parcel_tracking_db\LOG.old
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 1 041
TCP/UDP connections: 372
DNS requests: 647
Threats: 42

HTTP requests

Fields per request: PID, Process, Method, HTTP Code, IP, URL, CN, Type, Size, Reputation. The first two rows are listed without a PID/process and without a type or size.

(no PID/process listed) | GET | 200 | 23.11.41.157:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAjTxtAB8my1oj8MfWpz%2F7Y%3D | CN: unknown | Reputation: whitelisted
(no PID/process listed) | GET | 200 | 204.79.197.203:80 | http://oneocsp.microsoft.com/ocsp/MFQwUjBQME4wTDAJBgUrDgMCGgUABBQ3L3%2F%2Fa6ADK8NraY2GXzVaYrHG4AQUb6t%2B2v%2BXQ3LsO2d33oJhNYhHQoUCEzMAAAAGb6JMMcOVb6sAAAAAAAY%3D | CN: unknown | Reputation: whitelisted
7204 chrome.exe | GET | 200 | 172.67.208.224:443 | https://dark-heaven.com/ | CN: unknown | Type: html | Size: 13.1 Kb | Reputation: unknown
7204 chrome.exe | GET | 200 | 142.251.140.174:80 | http://clients2.google.com/time/1/current?cup2key=8:a9da9S4zrrNebzP3KWAhbTlu3iYSe212TY12KDofHkI&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 | CN: unknown | Reputation: whitelisted
7204 chrome.exe | GET | 200 | 172.67.208.224:443 | https://dark-heaven.com/styles.css | CN: unknown | Type: text | Size: 30.5 Kb | Reputation: unknown
7204 chrome.exe | GET | 200 | 172.67.208.224:443 | https://dark-heaven.com/about.jpg | CN: unknown | Type: image | Size: 2.14 Mb | Reputation: unknown
7204 chrome.exe | GET | 200 | 172.67.208.224:443 | https://dark-heaven.com/hero.jpg | CN: unknown | Type: image | Size: 405 Kb | Reputation: unknown
7204 chrome.exe | GET | 200 | 172.67.208.224:443 | https://dark-heaven.com/gal1.jpg | CN: unknown | Type: image | Size: 363 Kb | Reputation: unknown
7204 chrome.exe | GET | 200 | 172.67.208.224:443 | https://dark-heaven.com/gal2.jpg | CN: unknown | Type: image | Size: 370 Kb | Reputation: unknown
7204 chrome.exe | GET | 200 | 172.67.208.224:443 | https://dark-heaven.com/gal3.jpg | CN: unknown | Type: image | Size: 2.32 Mb | Reputation: unknown

Connections

Fields per connection: PID, Process, IP, Domain, ASN, CN, Reputation. Rows without a PID/process are shown as the report lists them.

4 System | 192.168.100.255:137 | Not routed | Reputation: whitelisted
6076 svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: US | Reputation: whitelisted
5276 MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: US | Reputation: whitelisted
(no PID/process listed) | 128.24.231.65:443 | activation-v2.sls.microsoft.com | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: US | Reputation: whitelisted
5532 SearchApp.exe | 2.16.241.201:443 | www.bing.com | ASN: AKAMAI-ASN1 | CN: NL | Reputation: whitelisted
(no PID/process listed) | 23.11.41.157:80 | ocsp.digicert.com | ASN: AKAMAI-AMS | CN: NL | Reputation: whitelisted
(no PID/process listed) | 204.79.197.203:80 | oneocsp.microsoft.com | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: US | Reputation: whitelisted
7204 chrome.exe | 142.251.141.74:443 | safebrowsingohttpgateway.googleapis.com | ASN: GOOGLE | CN: US | Reputation: whitelisted
4 System | 192.168.100.255:138 | Not routed | Reputation: whitelisted
7204 chrome.exe | 142.251.140.174:80 | clients2.google.com | ASN: GOOGLE | CN: US | Reputation: whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 4.231.128.59
  • 40.127.240.158
whitelisted
activation-v2.sls.microsoft.com
  • 128.24.231.65
whitelisted
google.com
  • 142.251.141.142
whitelisted
www.bing.com
  • 2.16.241.201
  • 2.16.241.218
whitelisted
ocsp.digicert.com
  • 23.11.41.157
whitelisted
oneocsp.microsoft.com
  • 204.79.197.203
whitelisted
clients2.google.com
  • 142.251.140.174
whitelisted
safebrowsingohttpgateway.googleapis.com
  • 142.251.141.74
  • 142.251.208.10
  • 142.251.127.95
  • 172.217.16.202
  • 142.250.201.170
  • 142.251.208.170
  • 142.251.143.106
  • 216.58.206.42
whitelisted
clientservices.googleapis.com
  • 142.251.140.163
whitelisted
dark-heaven.com
  • 172.67.208.224
  • 104.21.85.180
unknown

Threats

Fields per alert: PID, Process, Class, Message.

7204 chrome.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain (ipapi .co in DNS lookup)
7204 chrome.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain (ipapi .co in DNS lookup)
7204 chrome.exe | Misc activity | ET INFO Discord Chat Service Domain in DNS Lookup (discord .com)
7204 chrome.exe | Misc activity | ET INFO Observed Discord Domain in DNS Lookup (discord .com)
7204 chrome.exe | Misc activity | ET INFO Observed Discord Domain in DNS Lookup (discord .com)
7204 chrome.exe | Misc activity | ET INFO Observed Discord Service Domain (discord .com) in TLS SNI
7204 chrome.exe | Misc activity | ET INFO Observed Discord Domain (discord .com in TLS SNI)
7204 chrome.exe | Misc activity | ET INFO Discord Chat Service Domain in DNS Lookup (discord .com)
7204 chrome.exe | Not Suspicious Traffic | INFO [ANY.RUN] Cloudflare Network Error Logging (NEL)
7204 chrome.exe | Not Suspicious Traffic | INFO [ANY.RUN] Cloudflare Network Error Logging (NEL)
No debug info