URL:

https://dark-heaven.com/

Full analysis: https://app.any.run/tasks/9e7994a0-e7bd-46ef-bd04-f68ff67b4c29
Verdict: Malicious activity
Threats:

MicroStealer is a rapidly emerging infostealer first prominently observed in late 2025. It specializes in stealing browser credentials, active session data, screenshots, cryptocurrency wallets, and system information. It spreads quickly with low detection rates thanks to a sophisticated multi-stage delivery chain and exfiltrates data via Discord webhooks and attacker-controlled servers.

Analysis date: March 20, 2026, 02:17:34
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
discord
stealer
microstealer
arch-doc
anti-evasion
Indicators:
MD5:

AED31C0432F8CBB8EE61EEC40CAA5B20

SHA1:

B3163E4C2F84121DAF3D37037342F74CC323051F

SHA256:

B192E9E2EDD945CE238BEC7C21C091A74817B297DEEC486469EB9881DF2E9CDF

SSDEEP:

3:N8cm3:2cC

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes powershell execution policy (Bypass)

      • cmd.exe (PID: 5632)
    • Uses Task Scheduler to autorun other applications

      • microsoft.exe (PID: 8632)
    • MICROSTEALER has been detected (SURICATA)

      • microsoft.exe (PID: 8632)
    • Actions look like stealing of personal data

      • microsoft.exe (PID: 8632)
    • Attempting to use instant messaging service

      • microsoft.exe (PID: 8632)
    • MICROSTEALER has been detected (YARA)

      • microsoft.exe (PID: 8632)
    • Steals credentials from Web Browsers

      • microsoft.exe (PID: 8632)
    • Antivirus name has been found in the command line (generic signature)

      • taskkill.exe (PID: 8908)
  • SUSPICIOUS

    • The process creates files with name similar to system file names

      • DarkHeavenSetupV3.exe (PID: 3352)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • DarkHeavenSetupV3.exe (PID: 3352)
    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 6140)
      • cmd.exe (PID: 5632)
    • Get information on the list of running processes

      • DarkHeavenSetupV3.exe (PID: 3352)
      • cmd.exe (PID: 6140)
      • microsoft.exe (PID: 8632)
    • Executable content was dropped or overwritten

      • DarkHeavenSetupV3.exe (PID: 3352)
      • DarkHeavenSetupV4.exe (PID: 8524)
      • microsoft.exe (PID: 8632)
    • Drops 7-zip archiver for unpacking

      • DarkHeavenSetupV3.exe (PID: 3352)
    • Starts CMD.EXE with AutoRun commands disabled

      • cmd.exe (PID: 5632)
    • Starts CMD.EXE with special quote handling

      • cmd.exe (PID: 5632)
    • The process hides an interactive prompt from the user

      • cmd.exe (PID: 5632)
    • The process executes Powershell scripts

      • powershell.exe (PID: 204)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 204)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 5632)
    • The process drops C-runtime libraries

      • DarkHeavenSetupV4.exe (PID: 8524)
    • Uses WMIC.EXE to obtain Windows Installer data

      • microsoft.exe (PID: 8632)
    • Application launched itself

      • DarkHeavenSetupV4.exe (PID: 6076)
    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 5632)
    • Creates scheduled task with highest privileges

      • schtasks.exe (PID: 8896)
      • schtasks.exe (PID: 8992)
    • Uses TASKKILL.EXE to kill process

      • microsoft.exe (PID: 8632)
    • Uses TASKKILL.EXE to kill Browsers

      • microsoft.exe (PID: 8632)
    • Loads DLL from Mozilla Firefox

      • microsoft.exe (PID: 8632)
    • Possible stealing from crypto wallets

      • microsoft.exe (PID: 8632)
    • Creates a file in the system drive root

      • mmc.exe (PID: 1304)
  • INFO

    • Checks supported languages

      • DarkHeavenSetupV3.exe (PID: 3352)
      • DarkHeavenSetupV4.exe (PID: 6076)
      • DarkHeavenSetupV4.exe (PID: 7556)
      • DarkHeavenSetupV4.exe (PID: 8524)
      • DarkHeavenSetupV4.exe (PID: 2328)
      • microsoft.exe (PID: 8632)
      • identity_helper.exe (PID: 8428)
    • Executable content was dropped or overwritten

      • chrome.exe (PID: 7776)
    • Application launched itself

      • chrome.exe (PID: 7776)
      • msedge.exe (PID: 7352)
    • Reads Environment values

      • DarkHeavenSetupV4.exe (PID: 6076)
      • DarkHeavenSetupV4.exe (PID: 8524)
      • identity_helper.exe (PID: 8428)
    • Reads the computer name

      • DarkHeavenSetupV3.exe (PID: 3352)
      • DarkHeavenSetupV4.exe (PID: 6076)
      • DarkHeavenSetupV4.exe (PID: 2328)
      • DarkHeavenSetupV4.exe (PID: 7556)
      • microsoft.exe (PID: 8632)
      • identity_helper.exe (PID: 8428)
    • The sample is compiled with English language support

      • DarkHeavenSetupV3.exe (PID: 3352)
      • DarkHeavenSetupV4.exe (PID: 8524)
    • Creates files in a temporary directory

      • DarkHeavenSetupV3.exe (PID: 3352)
      • DarkHeavenSetupV4.exe (PID: 6076)
      • microsoft.exe (PID: 8632)
    • Creates files or folders in the user directory

      • DarkHeavenSetupV3.exe (PID: 3352)
      • DarkHeavenSetupV4.exe (PID: 8524)
      • microsoft.exe (PID: 8632)
    • Creates a software uninstall entry

      • DarkHeavenSetupV3.exe (PID: 3352)
    • Reads product name

      • DarkHeavenSetupV4.exe (PID: 6076)
      • DarkHeavenSetupV4.exe (PID: 8524)
    • Reads security settings of Internet Explorer

      • DarkHeavenSetupV3.exe (PID: 3352)
      • WMIC.exe (PID: 8732)
      • WMIC.exe (PID: 8944)
      • WMIC.exe (PID: 8472)
      • WMIC.exe (PID: 8260)
      • WMIC.exe (PID: 8336)
      • WMIC.exe (PID: 8760)
      • WMIC.exe (PID: 9132)
      • WMIC.exe (PID: 5160)
      • WMIC.exe (PID: 4704)
      • WMIC.exe (PID: 8612)
      • WMIC.exe (PID: 8972)
      • WMIC.exe (PID: 8732)
      • WMIC.exe (PID: 9052)
      • WMIC.exe (PID: 9140)
      • WMIC.exe (PID: 3352)
      • WMIC.exe (PID: 8280)
      • WMIC.exe (PID: 8444)
      • WMIC.exe (PID: 8036)
      • WMIC.exe (PID: 5708)
      • WMIC.exe (PID: 4944)
      • WMIC.exe (PID: 8876)
      • WMIC.exe (PID: 8812)
      • WMIC.exe (PID: 8752)
      • WMIC.exe (PID: 5584)
      • WMIC.exe (PID: 8224)
      • WMIC.exe (PID: 8604)
      • WMIC.exe (PID: 8332)
      • WMIC.exe (PID: 8980)
      • WMIC.exe (PID: 7892)
      • WMIC.exe (PID: 7052)
      • WMIC.exe (PID: 7380)
      • WMIC.exe (PID: 2988)
      • WMIC.exe (PID: 7392)
      • WMIC.exe (PID: 8784)
      • WMIC.exe (PID: 3264)
      • WMIC.exe (PID: 6116)
      • mmc.exe (PID: 1304)
      • Taskmgr.exe (PID: 6732)
    • Manual execution by a user

      • DarkHeavenSetupV4.exe (PID: 6076)
      • mmc.exe (PID: 7844)
      • Taskmgr.exe (PID: 8304)
      • Taskmgr.exe (PID: 6732)
      • mmc.exe (PID: 1304)
      • msedge.exe (PID: 7352)
    • Reads the machine GUID from the registry

      • DarkHeavenSetupV4.exe (PID: 6076)
      • microsoft.exe (PID: 8632)
    • The executable file from the user directory is run by the Powershell process

      • DarkHeavenSetupV4.exe (PID: 8524)
    • Attempting to use instant messaging service

      • microsoft.exe (PID: 8632)
    • There is functionality for taking screenshot (YARA)

      • microsoft.exe (PID: 8632)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes
450
Monitored processes
298
Malicious processes
5
Suspicious processes
1

Behavior graph

[Interactive process graph; rendered in the full report. Process nodes present in the graph: start, chrome.exe, darkheavensetupv3.exe, cmd.exe, conhost.exe, tasklist.exe, find.exe, darkheavensetupv4.exe, powershell.exe, microsoft.exe (tagged #MICROSTEALER), wmic.exe, schtasks.exe, taskkill.exe, mmc.exe, taskmgr.exe, msedge.exe, identity_helper.exe. Nodes labelled "no specs" in the graph have no detailed process specification recorded.]

Process information

PID
CMD
Path
Indicators
Parent process
PID:
144
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
taskkill.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
204
CMD:
powershell -ExecutionPolicy Bypass -NoProfile -NonInteractive -File "C:\Users\admin\AppData\Local\Temp\z9_1773973092500.ps1"
Path:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID:
352
CMD:
tasklist.exe
Path:
C:\Windows\System32\tasklist.exe
Parent process:
microsoft.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Lists the current running tasks
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID:
352
CMD:
taskkill /F /IM sleipnir.exe
Path:
C:\Windows\System32\taskkill.exe
Parent process:
microsoft.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Terminates Processes
Exit code:
128
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID:
672
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
tasklist.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
932
CMD:
taskkill /F /IM vivaldi.exe
Path:
C:\Windows\System32\taskkill.exe
Parent process:
microsoft.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Terminates Processes
Exit code:
128
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID:
996
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
taskkill.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1304
CMD:
"C:\WINDOWS\system32\mmc.exe" "C:\WINDOWS\system32\taskschd.msc" /s
Path:
C:\Windows\System32\mmc.exe
Parent process:
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Management Console
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\mmc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\acgenral.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID:
1536
CMD:
tasklist.exe
Path:
C:\Windows\System32\tasklist.exe
Parent process:
microsoft.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Lists the current running tasks
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID:
1656
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
tasklist.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
26 955
Read events
26 908
Write events
45
Delete events
2

Modification events

(PID) Process:
(3352) DarkHeavenSetupV3.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\1df4a8e4-3234-5ac4-abdd-35d6b18192ba
Operation:
write
Name:
InstallLocation
Value:
C:\Users\admin\AppData\Local\Programs\GameLauncher

(PID) Process:
(3352) DarkHeavenSetupV3.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\1df4a8e4-3234-5ac4-abdd-35d6b18192ba
Operation:
write
Name:
KeepShortcuts
Value:
true

(PID) Process:
(3352) DarkHeavenSetupV3.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\1df4a8e4-3234-5ac4-abdd-35d6b18192ba
Operation:
write
Name:
ShortcutName
Value:
DarkHeavenSetupV4

(PID) Process:
(3352) DarkHeavenSetupV3.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\1df4a8e4-3234-5ac4-abdd-35d6b18192ba
Operation:
write
Name:
DisplayName
Value:
DarkHeavenSetupV4 2.0.0

(PID) Process:
(3352) DarkHeavenSetupV3.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\1df4a8e4-3234-5ac4-abdd-35d6b18192ba
Operation:
write
Name:
UninstallString
Value:
"C:\Users\admin\AppData\Local\Programs\GameLauncher\Uninstall DarkHeavenSetupV4.exe" /currentuser

(PID) Process:
(3352) DarkHeavenSetupV3.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\1df4a8e4-3234-5ac4-abdd-35d6b18192ba
Operation:
write
Name:
QuietUninstallString
Value:
"C:\Users\admin\AppData\Local\Programs\GameLauncher\Uninstall DarkHeavenSetupV4.exe" /currentuser /S

(PID) Process:
(3352) DarkHeavenSetupV3.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\1df4a8e4-3234-5ac4-abdd-35d6b18192ba
Operation:
write
Name:
DisplayVersion
Value:
2.0.0

(PID) Process:
(3352) DarkHeavenSetupV3.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\1df4a8e4-3234-5ac4-abdd-35d6b18192ba
Operation:
write
Name:
DisplayIcon
Value:
C:\Users\admin\AppData\Local\Programs\GameLauncher\DarkHeavenSetupV4.exe,0

(PID) Process:
(3352) DarkHeavenSetupV3.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\1df4a8e4-3234-5ac4-abdd-35d6b18192ba
Operation:
write
Name:
Publisher
Value:
DarkHeavenSetupV4

(PID) Process:
(3352) DarkHeavenSetupV3.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\1df4a8e4-3234-5ac4-abdd-35d6b18192ba
Operation:
write
Name:
NoModify
Value:
1
Executable files
166
Suspicious files
475
Text files
210
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID:
7776
Process:
chrome.exe
Filename:
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\ClientCertificates\LOG.old~RFe000b.TMP

PID:
7776
Process:
chrome.exe
Filename:
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\ClientCertificates\LOG.old

PID:
7776
Process:
chrome.exe
Filename:
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\chrome_cart_db\LOG.old~RFe001b.TMP

PID:
7776
Process:
chrome.exe
Filename:
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\chrome_cart_db\LOG.old

PID:
7776
Process:
chrome.exe
Filename:
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials\LOG.old~RFe002a.TMP

PID:
7776
Process:
chrome.exe
Filename:
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB\LOG.old~RFe001b.TMP

PID:
7776
Process:
chrome.exe
Filename:
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\LOG.old~RFe002a.TMP

PID:
7776
Process:
chrome.exe
Filename:
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\parcel_tracking_db\LOG.old~RFe002a.TMP

PID:
7776
Process:
chrome.exe
Filename:
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials\LOG.old

PID:
7776
Process:
chrome.exe
Filename:
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old~RFe002a.TMP
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
131
TCP/UDP connections
121
DNS requests
118
Threats
27

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6576
chrome.exe
GET
200
142.250.201.74:443
https://safebrowsingohttpgateway.googleapis.com/v1/ohttp/hpkekeyconfig?key=AIzaSyA2KlwBX3mkFo30om9LUFYQhpqLoa_BNhE
US
binary
41 b
whitelisted
6576
chrome.exe
GET
200
142.251.127.138:80
http://clients2.google.com/time/1/current?cup2key=8:Omv6iN3mqCATbD3nIH1puXcfv_7grT3NNtaP8Ja1IXY&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
US
text
107 b
whitelisted
6576
chrome.exe
POST
200
142.251.127.84:443
https://accounts.google.com/ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard
US
text
17 b
whitelisted
6576
chrome.exe
GET
200
142.251.141.131:443
https://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=133
US
compressed
91.4 Kb
whitelisted
6576
chrome.exe
GET
200
142.251.141.106:443
https://fonts.googleapis.com/css2?family=Inter:wght@400;500;600;700&family=Outfit:wght@600;700;800;900&family=Pixelify+Sans:wght@400;700&family=Press+Start+2P&display=swap
US
text
17.0 Kb
whitelisted
6576
chrome.exe
GET
200
104.21.85.180:443
https://dark-heaven.com/script.js
US
text
7.91 Kb
unknown
6576
chrome.exe
GET
200
104.21.85.180:443
https://dark-heaven.com/about.jpg
US
image
2.14 Mb
unknown
6576
chrome.exe
GET
200
104.21.85.180:443
https://dark-heaven.com/
US
html
13.1 Kb
unknown
6576
chrome.exe
GET
200
104.21.85.180:443
https://dark-heaven.com/styles.css
US
text
30.5 Kb
unknown
6576
chrome.exe
GET
200
142.251.141.106:443
https://fonts.googleapis.com/css2?family=Pixelify+Sans:wght@400;500;600;700&family=Press+Start+2P&display=swap
US
text
6.44 Kb
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
8140
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4
System
192.168.100.255:137
Not routed
whitelisted
5276
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
128.24.231.65:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4
System
192.168.100.255:138
Not routed
whitelisted
6576
chrome.exe
142.251.127.138:80
clients2.google.com
GOOGLE
US
whitelisted
6576
chrome.exe
142.251.141.131:443
clientservices.googleapis.com
GOOGLE
US
whitelisted
6576
chrome.exe
142.250.201.74:443
safebrowsingohttpgateway.googleapis.com
GOOGLE
US
whitelisted
6576
chrome.exe
104.21.85.180:443
dark-heaven.com
CLOUDFLARENET
US
whitelisted
6576
chrome.exe
142.251.127.84:443
accounts.google.com
GOOGLE
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 51.104.136.2
whitelisted
activation-v2.sls.microsoft.com
  • 128.24.231.65
whitelisted
google.com
  • 142.251.208.174
whitelisted
clients2.google.com
  • 142.251.127.138
  • 142.251.127.100
  • 142.251.127.101
  • 142.251.127.113
  • 142.251.127.139
  • 142.251.127.102
whitelisted
safebrowsingohttpgateway.googleapis.com
  • 142.250.201.74
  • 216.58.206.42
  • 142.251.141.106
  • 142.251.37.10
  • 172.217.16.170
  • 142.251.36.106
  • 142.251.208.170
  • 142.251.127.95
  • 142.251.143.106
  • 172.217.20.138
  • 142.251.140.170
whitelisted
clientservices.googleapis.com
  • 142.251.141.131
whitelisted
dark-heaven.com
  • 104.21.85.180
  • 172.67.208.224
unknown
accounts.google.com
  • 142.251.127.84
whitelisted
fonts.googleapis.com
  • 142.251.141.106
whitelisted
fonts.gstatic.com
  • 172.217.16.195
whitelisted

Threats

PID
Process
Class
Message
6576
chrome.exe
Misc activity
ET INFO Observed Discord Domain in DNS Lookup (discord .com)
6576
chrome.exe
Misc activity
ET INFO Observed Discord Domain in DNS Lookup (discord .com)
6576
chrome.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup Domain (ipapi .co in DNS lookup)
6576
chrome.exe
Misc activity
ET INFO Discord Chat Service Domain in DNS Lookup (discord .com)
6576
chrome.exe
Misc activity
ET INFO Discord Chat Service Domain in DNS Lookup (discord .com)
6576
chrome.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup Domain (ipapi .co in DNS lookup)
6576
chrome.exe
Misc activity
ET INFO Observed Discord Domain (discord .com in TLS SNI)
6576
chrome.exe
Misc activity
ET INFO Observed Discord Service Domain (discord .com) in TLS SNI
6576
chrome.exe
Not Suspicious Traffic
INFO [ANY.RUN] Cloudflare Network Error Logging (NEL)
6576
chrome.exe
Not Suspicious Traffic
INFO [ANY.RUN] Cloudflare Network Error Logging (NEL)
Process
Message
mmc.exe
Constructor: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
mmc.exe
OnInitialize: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
mmc.exe
AddIcons: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
mmc.exe
ProcessCommandLineArguments: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn