File name:

bootstrapper.exe

Full analysis: https://app.any.run/tasks/c9b573d1-0bf5-4f66-937c-2c9eae859b41
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: May 29, 2025, 20:15:11
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
arch-exec
loader
discord
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows, 2 sections
MD5:

EB0238C75323D39C4AA3D82A0B480657

SHA1:

4E37C6515A180CDAA304BC21E45AE10BF73544CB

SHA256:

7E0B74459E898EAB08492209812F9D1B2036055FE97880B1B4386E31F6638505

SSDEEP:

49152:M/WdvQwnD51SzWiGsfEAy0g/rRfBnJxHocKVK90fSKz1WzKcDxuCU514NXbFzlNl:xdvBnD51S4sfEIg/rXflB2bz14buCU5j

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • bootstrapper.exe (PID: 8020)
    • Reads the BIOS version

      • SirHurt V5.exe (PID: 5352)
      • SirHurt V5.exe (PID: 7380)
    • Reads security settings of Internet Explorer

      • SirHurt V5.exe (PID: 7380)
    • Executes application which crashes

      • SirHurt V5.exe (PID: 7380)
  • INFO

    • Reads the computer name

      • bootstrapper.exe (PID: 8020)
      • SirHurt V5.exe (PID: 7380)
      • SirHurt V5.exe (PID: 5352)
    • Checks proxy server information

      • bootstrapper.exe (PID: 8020)
      • SirHurt V5.exe (PID: 7380)
      • slui.exe (PID: 7236)
    • Manual execution by a user

      • SirHurt V5.exe (PID: 8172)
      • SirHurt V5.exe (PID: 7380)
      • SirHurt V5.exe (PID: 7444)
      • SirHurt V5.exe (PID: 5352)
    • Reads the machine GUID from the registry

      • bootstrapper.exe (PID: 8020)
      • SirHurt V5.exe (PID: 7380)
      • SirHurt V5.exe (PID: 5352)
    • Checks supported languages

      • SirHurt V5.exe (PID: 7380)
      • bootstrapper.exe (PID: 8020)
      • SirHurt V5.exe (PID: 5352)
    • Reads the software policy settings

      • bootstrapper.exe (PID: 8020)
      • slui.exe (PID: 7236)
      • SirHurt V5.exe (PID: 7380)
    • Process checks whether UAC notifications are on

      • SirHurt V5.exe (PID: 7380)
      • SirHurt V5.exe (PID: 5352)
    • Reads Environment values

      • bootstrapper.exe (PID: 8020)
    • Disables trace logs

      • bootstrapper.exe (PID: 8020)
      • SirHurt V5.exe (PID: 7380)
    • Creates files or folders in the user directory

      • WerFault.exe (PID: 7416)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2051:01:04 13:14:33+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 48
CodeSize: 1378614
InitializedDataSize: 138536
UninitializedDataSize: -
EntryPoint: 0x0000
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: -
CompanyName: HP Inc.
FileDescription: SirHurt V2 GUI Bootstrapper
FileVersion: 1.0.0.0
InternalName: SirHurt V2 GUI Bootstrapper.exe
LegalCopyright: Copyright © HP Inc. 2019
LegalTrademarks: -
OriginalFileName: SirHurt V2 GUI Bootstrapper.exe
ProductName: SirHurt V2 GUI Bootstrapper
ProductVersion: 1.0.0.0
AssemblyVersion: 1.0.0.0
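A PE link timestamp in 2051 says nothing about when the sample was built: the Roslyn C# compiler writes a hash of the build inputs into TimeDateStamp when it builds deterministically, and Microsoft's own reproducible system binaries carry equally impossible dates, so the only safe reading of the field is "not a date". The other fields above (PE32+, 2 sections, entry point 0x0000, linker version 48, large address aware, Windows GUI) are what a .NET x64 GUI assembly normally looks like. The script below is an added example, not part of the ANY.RUN report and not SirHurt code: it reads those fields from the DOS, COFF and optional headers with the standard library only, checks whether a CLR header (data directory 14) is present, and checks whether the timestamp lies in a plausible range. The bytes it parses are a constructed header that mirrors the report's values, not the real file; the CLR directory RVA and size inside it are made up.

```python
import struct
from datetime import datetime, timezone

# Constants from the PE specification.
MACHINE_NAMES = {0x8664: "AMD64", 0x14C: "I386", 0xAA64: "ARM64"}
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
DIR_CLR = 14                                  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (.NET CLR header)
SUBSYSTEMS = {2: "Windows GUI", 3: "Windows CUI"}
# Stamps outside [1995, now] are treated as "not a real build time".
EARLIEST_PLAUSIBLE = int(datetime(1995, 1, 1, tzinfo=timezone.utc).timestamp())
# The link timestamp shown in the report's EXIF block.
REPORT_TIMESTAMP = int(datetime(2051, 1, 4, 13, 14, 33, tzinfo=timezone.utc).timestamp())


def parse_pe(data: bytes) -> dict:
    """Parse DOS/COFF/optional headers and return the fields worth looking at in triage."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsect, stamp, _symtab, _nsyms, _opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic, linker_major = struct.unpack_from("<HB", data, opt)
    if magic == PE32PLUS_MAGIC:                # 64-bit image: data directories start at +112
        ndirs_off, dirs_off = opt + 108, opt + 112
    elif magic == PE32_MAGIC:                  # 32-bit image: data directories start at +96
        ndirs_off, dirs_off = opt + 92, opt + 96
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]
    clr_rva = clr_size = 0
    if ndirs > DIR_CLR:
        clr_rva, clr_size = struct.unpack_from("<II", data, dirs_off + DIR_CLR * 8)
    now = int(datetime.now(tz=timezone.utc).timestamp())
    return {
        "machine": MACHINE_NAMES.get(machine, f"{machine:#x}"),
        "pe_type": "PE32+" if magic == PE32PLUS_MAGIC else "PE32",
        "sections": nsect,
        "linker_version": linker_major,
        "large_address_aware": bool(chars & 0x0020),
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "entry_point": entry,                  # 0 for managed entry in modern .NET x64 images
        "timestamp": stamp,
        "timestamp_utc": datetime.fromtimestamp(stamp, tz=timezone.utc).isoformat(),
        # A stamp in the future (or before the format existed) is a content hash or a
        # zero, not a build time; deterministic .NET builds and Microsoft's reproducible
        # system binaries both do this, so never date a sample by it.
        "timestamp_plausible": EARLIEST_PLAUSIBLE <= stamp <= now,
        "is_dotnet": clr_rva != 0 and clr_size != 0,
    }


def build_sample_pe(stamp: int, dotnet: bool = True) -> bytes:
    """Constructed minimal PE32+ header mirroring the report's EXIF values (not the real sample)."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    ndirs = 16
    opt = bytearray(112 + ndirs * 8)
    struct.pack_into("<HBB", opt, 0, PE32PLUS_MAGIC, 48, 0)  # magic, LinkerVersion 48.0
    struct.pack_into("<I", opt, 16, 0)                      # AddressOfEntryPoint 0x0000
    struct.pack_into("<H", opt, 68, 2)                      # Subsystem: Windows GUI
    struct.pack_into("<I", opt, 108, ndirs)
    if dotnet:                                              # made-up CLR header RVA/size
        struct.pack_into("<II", opt, 112 + DIR_CLR * 8, 0x2008, 0x48)
    # Machine AMD64, 2 sections, characteristics EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE.
    coff = struct.pack("<HHIIIHH", 0x8664, 2, stamp, 0, 0, len(opt), 0x0002 | 0x0020)
    return dos + b"PE\0\0" + coff + bytes(opt)


def triage_sample() -> dict:
    return parse_pe(build_sample_pe(REPORT_TIMESTAMP))


if __name__ == "__main__":
    for key, value in triage_sample().items():
        print(f"{key:20} {value}")
```

Against a real file call parse_pe(open(path, "rb").read()); only the headers are touched, so the first few kilobytes are enough.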
No data.
All screenshots are available in the full report
Total processes
140
Monitored processes
8
Malicious processes
0
Suspicious processes
2

Behavior graph

Processes shown in the graph ("no specs" is the report's own marker):
  • bootstrapper.exe
  • sirhurt v5.exe (no specs)
  • sirhurt v5.exe
  • sirhurt v5.exe (no specs)
  • sirhurt v5.exe
  • werfault.exe (no specs)
  • slui.exe
  • bootstrapper.exe (no specs)

Process information

Each entry lists the PID, command line, path and parent process, then the user, integrity level, description, exit code, version and the loaded modules (images).

PID: 5352
CMD: "C:\Users\admin\Desktop\SirHurt V5.exe"
Path: C:\Users\admin\Desktop\SirHurt V5.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
HIGH
Description:
SirHurtUI
Exit code:
0
Version:
1.0.0.0
Modules (images):
c:\users\admin\desktop\sirhurt v5.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\mscoree.dll
PID: 7236
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 7380
CMD: "C:\Users\admin\Desktop\SirHurt V5.exe"
Path: C:\Users\admin\Desktop\SirHurt V5.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
HIGH
Description:
SirHurtUI
Exit code:
3762504530 (0xE0434352, the CLR's unhandled managed exception code; WerFault.exe PID 7416 was started with "-p 7380" to collect the crash dump)
Version:
1.0.0.0
Modules (images):
c:\users\admin\desktop\sirhurt v5.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\mscoree.dll
PID: 7416
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 7380 -s 2980
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: SirHurt V5.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID: 7444
CMD: "C:\Users\admin\Desktop\SirHurt V5.exe"
Path: C:\Users\admin\Desktop\SirHurt V5.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
SirHurtUI
Exit code:
3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: the image requests elevation, so this medium-integrity launch did not run; the same file runs at HIGH integrity as PIDs 5352 and 7380)
Version:
1.0.0.0
Modules (images):
c:\users\admin\desktop\sirhurt v5.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 7916
CMD: "C:\Users\admin\Desktop\bootstrapper.exe"
Path: C:\Users\admin\Desktop\bootstrapper.exe
Parent process: explorer.exe
User:
admin
Company:
HP Inc.
Integrity Level:
MEDIUM
Description:
SirHurt V2 GUI Bootstrapper
Exit code:
3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: the image requests elevation, so this medium-integrity launch did not run; the same file runs at HIGH integrity as PID 8020)
Version:
1.0.0.0
Modules (images):
c:\users\admin\desktop\bootstrapper.exe
c:\windows\system32\ntdll.dll
PID: 8020
CMD: "C:\Users\admin\Desktop\bootstrapper.exe"
Path: C:\Users\admin\Desktop\bootstrapper.exe
Parent process: explorer.exe
User:
admin
Company:
HP Inc.
Integrity Level:
HIGH
Description:
SirHurt V2 GUI Bootstrapper
Version:
1.0.0.0
Modules (images):
c:\users\admin\desktop\bootstrapper.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 8172
CMD: "C:\Users\admin\Desktop\SirHurt V5.exe"
Path: C:\Users\admin\Desktop\SirHurt V5.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
SirHurtUI
Exit code:
3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: the image requests elevation, so this medium-integrity launch did not run; the same file runs at HIGH integrity as PIDs 5352 and 7380)
Version:
1.0.0.0
Modules (images):
c:\users\admin\desktop\sirhurt v5.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
Total events
13 837
Read events
13 798
Write events
36
Delete events
3

Modification events

PID 8020 (bootstrapper.exe), operation: write
  Key:   HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments
  Name:  SaveZoneInformation
  Value: 1
PID 8020 (bootstrapper.exe), operation: write
  Key:   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments
  Name:  SaveZoneInformation
  Value: 1
PID 8020 (bootstrapper.exe), operation: write
  Key:   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\bootstrapper_RASAPI32
  Name:  EnableFileTracing
  Value: 0
PID 8020 (bootstrapper.exe), operation: write
  Key:   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\bootstrapper_RASAPI32
  Name:  EnableAutoFileTracing
  Value: 0
PID 8020 (bootstrapper.exe), operation: write
  Key:   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\bootstrapper_RASAPI32
  Name:  EnableConsoleTracing
  Value: 0
PID 8020 (bootstrapper.exe), operation: write
  Key:   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\bootstrapper_RASAPI32
  Name:  FileTracingMask
  Value:
PID 8020 (bootstrapper.exe), operation: write
  Key:   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\bootstrapper_RASAPI32
  Name:  ConsoleTracingMask
  Value:
PID 8020 (bootstrapper.exe), operation: write
  Key:   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\bootstrapper_RASAPI32
  Name:  MaxFileSize
  Value: 1048576
PID 8020 (bootstrapper.exe), operation: write
  Key:   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\bootstrapper_RASAPI32
  Name:  FileDirectory
  Value: %windir%\tracing
PID 8020 (bootstrapper.exe), operation: write
  Key:   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\bootstrapper_RASMANCS
  Name:  EnableFileTracing
  Value: 0

The two SaveZoneInformation writes are the ones that matter: under Policies\Attachments, 1 is the Attachment Manager setting "do not preserve zone information" (2 preserves it), so files the Attachment Manager handles are no longer tagged with a Mark-of-the-Web, and the Internet-zone warning, SmartScreen check and Office Protected View that depend on that tag do not apply to them. The Tracing\bootstrapper_RASAPI32 and bootstrapper_RASMANCS keys are created by the RAS tracing code when a process loads the RAS API, which .NET networking does through WinINet; 0 is the default for the Enable*Tracing values, so the "Disables trace logs" signature above is weak evidence on its own.
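The script below is an added example, not part of the ANY.RUN report and not SirHurt code. It parses the report's flattened modification-event text from a constructed copy of the records above (the same PID, keys, names and values; two records deliberately carry no value, as on the page) and grades each write: SaveZoneInformation = 1 under Policies\Attachments is rated HIGH, writes under Microsoft\Tracing are rated LOW, and everything else is reported unrated. It goes slightly beyond the page by also rating the sibling Attachment Manager value ScanWithAntiVirus, whose meaning (1 = off, 2 = optional, 3 = required) is documented by Microsoft.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed copy of the records listed above, in the flattened form the report
# page uses: "(PID) Process:(pid) name" fused with "Key:", "Operation:" fused with
# "Name:", a bare "Value:" line and, when the report shows one, the value after it.
SAMPLE_EVENTS = r"""(PID) Process:(8020) bootstrapper.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments
Operation:writeName:SaveZoneInformation
Value:
1
(PID) Process:(8020) bootstrapper.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments
Operation:writeName:SaveZoneInformation
Value:
1
(PID) Process:(8020) bootstrapper.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\bootstrapper_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(8020) bootstrapper.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\bootstrapper_RASAPI32
Operation:writeName:FileTracingMask
Value:
(PID) Process:(8020) bootstrapper.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\bootstrapper_RASMANCS
Operation:writeName:EnableFileTracing
Value:
0
"""

HEADER_RE = re.compile(r"^\(PID\) Process:\((\d+)\) (.+?)Key:(.+)$")
OP_RE = re.compile(r"^Operation:(\w+)Name:(.+)$")


@dataclass
class RegEvent:
    pid: int
    process: str
    key: str
    operation: str
    name: str
    value: Optional[str]          # None when the report shows no value
    severity: str = "INFO"
    reason: str = "unrated registry write"


def parse_events(text: str) -> list:
    """Turn the flattened report text into RegEvent records."""
    lines = text.splitlines()
    events, i = [], 0
    while i < len(lines):
        m = HEADER_RE.match(lines[i])
        if not m:
            i += 1
            continue
        op = OP_RE.match(lines[i + 1])
        if not op or lines[i + 2].strip() != "Value:":
            raise ValueError(f"malformed record at line {i + 1}")
        i += 3
        value = None
        # The value, when present, is the next line unless that line starts a new record.
        if i < len(lines) and not HEADER_RE.match(lines[i]):
            value = lines[i].strip()
            i += 1
        events.append(RegEvent(int(m.group(1)), m.group(2).strip(), m.group(3).strip(),
                               op.group(1), op.group(2).strip(), value))
    return events


def grade(ev: RegEvent) -> RegEvent:
    """Attach a severity and a reason; matching is case-insensitive and hive-agnostic."""
    key, name = ev.key.lower(), ev.name.lower()
    if key.endswith("\\policies\\attachments"):
        if name == "savezoneinformation" and ev.value == "1":
            ev.severity, ev.reason = "HIGH", "Attachment Manager told not to save zone information: Mark-of-the-Web disabled"
        elif name == "savezoneinformation":
            ev.severity, ev.reason = "MEDIUM", "SaveZoneInformation changed (2 = preserve zone information)"
        elif name == "scanwithantivirus" and ev.value == "1":
            ev.severity, ev.reason = "HIGH", "attachment antivirus scanning turned off (1 = off, 2 = optional, 3 = required)"
    elif "\\microsoft\\tracing\\" in key:
        ev.severity, ev.reason = "LOW", "RAS/WinINet tracing key; created on first use of the RAS API, 0 is the default"
    return ev


def triage(text: str) -> list:
    return [grade(ev) for ev in parse_events(text)]


def summarize(events) -> dict:
    counts = {}
    for ev in events:
        counts[ev.severity] = counts.get(ev.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for ev in triage(SAMPLE_EVENTS):
        print(f"[{ev.severity:6}] pid={ev.pid} {ev.process} {ev.operation} {ev.key}\\{ev.name} = {ev.value!r}: {ev.reason}")
```

Paste the modification-event text of any ANY.RUN report into triage(); unknown keys come back as INFO so nothing is silently dropped.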
Executable files
2
Suspicious files
1
Text files
6
Unknown types
1

Dropped files

PID 7416 (WerFault.exe)
  File: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SirHurt V5.exe_3841d4975fb69758b62c577d4a3d6a3d7eeff73b_69af2549_66fc3c0f-ce07-4f01-a3a7-5423384a6280\Report.wer
  MD5:
  SHA256:
PID 7416 (WerFault.exe)
  File: C:\Users\admin\AppData\Local\CrashDumps\SirHurt V5.exe.7380.dmp
  MD5:
  SHA256:
PID 8020 (bootstrapper.exe)
  File: C:\Users\admin\Desktop\sirhurt.zip
  MD5:
  SHA256:
PID 8020 (bootstrapper.exe)
  File: C:\Users\admin\Desktop\sirhurt.exe
  MD5:
  SHA256:
PID 8020 (bootstrapper.exe)
  File: C:\Users\admin\Desktop\binmd5.txt
  Type: text
  MD5: 07FBC176616AF93AF4A10A8AEA1F742A
  SHA256: 16583661C0FE97149182686046AE5654B9256EDB51B5D30DDB3C151B22BED020
PID 7380 (SirHurt V5.exe)
  File: C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\WPF101B.tmp
  Type: image
  MD5: 7E9CE91391848DBE6F3500031322C60B
  SHA256: CB7BB16916EE2A8E15DD5D4BE06C9C1590231FBFB074D372ECCED84D5F235CB8
PID 7416 (WerFault.exe)
  File: C:\ProgramData\Microsoft\Windows\WER\Temp\WER1616.tmp.WERInternalMetadata.xml
  Type: xml
  MD5: 4684A2ECAE9338B311C17D867B4BBC71
  SHA256: 592041F6A18443086768214C233597EE46B1649EF6CE990B79A19F2C83A189C8
PID 7416 (WerFault.exe)
  File: C:\ProgramData\Microsoft\Windows\WER\Temp\WER13D3.tmp.dmp
  Type: dmp
  MD5: D63C9DA60FBD1A3789EBE8D7D1E79B4F
  SHA256: CD60A25F1582E43984C2CF4C6B798F2D8B1408F0DA2DA2E01DF21F4E7BAABF7A
PID 8020 (bootstrapper.exe)
  File: C:\Users\admin\Desktop\SirHurt V5.exe
  Type: executable
  MD5: 3EC419E1A5C0ACAE07028CE0E88194B9
  SHA256: 947B7281370A147997AAFAA39736D73007639E76A0784B5565D80F5892E722A4
PID 8020 (bootstrapper.exe)
  File: C:\Users\admin\Desktop\sirhurt.dll
  Type: executable
  MD5: EA46AE64C2E105FC781451F15EEC0B49
  SHA256: FEBEED0B1A319DB3179266DCE9DD2547893DA409AD5219BE2DD4A73FBC241DEA
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
38
TCP/UDP connections
51
DNS requests
19
Threats
5

HTTP requests

Columns: PID, process, method, HTTP code, IP, URL, CN, type, size, reputation (omitted where the report shows none).

GET 200  IP: 104.21.95.242:443
  URL: https://sirhurt.net/asshurt/update/v5/ProtectFile.php?file=SirHurt%20UI.zip
  CN: unknown | Type: text | Size: 7.95 Mb
GET 200  IP: 104.21.95.242:443
  URL: https://sirhurt.net/asshurt/update/v5/fetch_bootstrapper_list.php?version=V1.11&timestamp%20=%201748549732
  CN: unknown
POST 200  IP: 20.190.160.67:443
  URL: https://login.live.com/RST2.srf
  CN: unknown | Type: xml | Size: 1.24 Kb | Reputation: whitelisted
GET 200  IP: 172.67.149.166:443
  URL: https://sirhurt.net/asshurt/update/v5/ProtectFile.php?customversion=LIVE&file=sirhurt.zip
  CN: unknown | Type: text | Size: 74.1 Mb
GET 200  IP: 172.67.149.166:443
  URL: https://sirhurt.net/asshurt/update/v5/fetch_version.php?customversion=LIVE&timestamp=1748549732
  CN: unknown
GET 200  IP: 162.159.129.233:443
  URL: https://cdn.discordapp.com/avatars/347199810392293376/a_4a2a965dfc19bb8476aa8860740e4875.gif
  CN: unknown | Type: image | Size: 378 Kb | Reputation: whitelisted
GET 304  IP: 52.149.20.212:443
  URL: https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
  CN: unknown
PID 5112 (SIHClient.exe)  GET 200  IP: 95.101.149.131:80
  URL: http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
  CN: unknown | Reputation: whitelisted
GET 200  IP: 52.149.20.212:443
  URL: https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
  CN: unknown
GET 200  IP: 162.159.133.233:443
  URL: https://cdn.discordapp.com/avatars/822996243717292084/69bf566508fb50a78cac6312446bbc48?size=1024
  CN: unknown | Type: image | Size: 178 Kb | Reputation: whitelisted
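The two ProtectFile.php responses are labelled "text" by the report although they are 7.95 MB and 74.1 MB downloads that end up as sirhurt.zip and the dropped executables, and the Threats section further down lists ET INFO alerts for a PE retrieved over HTTP with minimal headers. That is the general pattern a detection should key on: what the body actually is, not what the server says it is. The script below is an added example, not part of the ANY.RUN report and not SirHurt code. It parses a raw HTTP response, sniffs the body's magic bytes, and flags disagreement with the declared Content-Type, with the URL's extension, and with the number of headers a real file server would send. The responses are constructed (the real ones are tens of megabytes); the Discord avatar URL is the one from the table above, and example.invalid is a placeholder host.

```python
from urllib.parse import urlparse

# Body signatures checked regardless of the declared Content-Type.
MAGICS = [(b"MZ", "pe"), (b"PK\x03\x04", "zip"), (b"\x7fELF", "elf"),
          (b"GIF8", "gif"), (b"\x89PNG\r\n\x1a\n", "png"), (b"%PDF", "pdf")]
DECLARED = {
    "application/x-msdownload": "pe", "application/vnd.microsoft.portable-executable": "pe",
    "application/x-dosexec": "pe", "application/zip": "zip", "application/x-zip-compressed": "zip",
    "application/octet-stream": "opaque", "image/gif": "gif", "image/png": "png", "application/pdf": "pdf",
}
PE_EXTENSIONS = {".exe", ".dll", ".sys", ".scr", ".ocx", ".cpl"}
SCRIPT_EXTENSIONS = {".php", ".aspx", ".jsp"}
MIN_HEADERS_FOR_BINARY = 4      # a bare payload handler usually sends fewer than a real file server


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status, lower-cased header dict, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers")
    lines = head.decode("latin-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def sniff(body: bytes) -> str:
    for magic, kind in MAGICS:
        if body.startswith(magic):
            return kind
    return "unknown"


def assess(url: str, raw: bytes) -> dict:
    """Compare what the body is with what the headers and URL claim it is."""
    status, headers, body = parse_response(raw)
    body_kind = sniff(body)
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype.startswith("text/"):
        declared = "text"
    elif ctype.startswith("image/"):
        declared = DECLARED.get(ctype, "image")
    else:
        declared = DECLARED.get(ctype, "unknown")
    last = urlparse(url).path.lower().rsplit("/", 1)[-1]
    ext = last[last.rfind("."):] if "." in last else ""
    flags = []
    if body_kind == "pe":
        flags.append("pe-body")
        if declared not in ("pe", "opaque"):
            flags.append("content-type-mismatch")
        if ext not in PE_EXTENSIONS:
            flags.append("extension-mismatch")
        if len(headers) < MIN_HEADERS_FOR_BINARY:
            flags.append("minimal-headers")
    elif body_kind == "zip" and declared not in ("zip", "opaque"):
        flags.append("content-type-mismatch")
    if ext in SCRIPT_EXTENSIONS and body_kind in ("pe", "zip"):
        flags.append("script-served-binary")
    return {"status": status, "declared": declared, "body_kind": body_kind, "size": len(body), "flags": flags}


def http(status_line: str, headers, body: bytes) -> bytes:
    """Build a constructed response; Content-Length is always added."""
    head = "\r\n".join([status_line] + [f"{k}: {v}" for k, v in headers] + [f"Content-Length: {len(body)}"])
    return head.encode("latin-1") + b"\r\n\r\n" + body


# Constructed bodies: only the magic bytes matter, these are not loadable files.
PE_STUB = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00" + b"\x00" * 20
GIF_STUB = b"GIF89a" + b"\x00" * 32

SAMPLES = {
    # Payload handler from the table above, answering with a PE, a text type and almost no headers.
    "payload": ("https://sirhurt.net/asshurt/update/v5/ProtectFile.php?customversion=LIVE&file=sirhurt.zip",
                http("HTTP/1.1 200 OK", [("Content-Type", "text/html")], PE_STUB)),
    # Avatar fetch from the table above, a normal CDN response.
    "avatar": ("https://cdn.discordapp.com/avatars/347199810392293376/a_4a2a965dfc19bb8476aa8860740e4875.gif",
               http("HTTP/1.1 200 OK", [("Content-Type", "image/gif"), ("Date", "Thu, 29 May 2025 20:15:11 GMT"),
                                        ("Server", "cloudflare"), ("Cache-Control", "public, max-age=31536000")], GIF_STUB)),
    # Hypothetical honest installer download: a PE declared as one, served with ordinary headers.
    "installer": ("https://example.invalid/files/setup.exe",
                  http("HTTP/1.1 200 OK", [("Content-Type", "application/x-msdownload"),
                                           ("Date", "Thu, 29 May 2025 20:15:11 GMT"), ("Server", "nginx")], PE_STUB)),
}

if __name__ == "__main__":
    for label, (url, raw) in SAMPLES.items():
        print(label, assess(url, raw))
```

For a PCAP, reassemble the response stream and hand the raw bytes to assess(); "pe-body" alone is not an alert, the combination with the mismatch flags is what the ET INFO rules above are approximating.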

Connections

Columns: PID, process, IP, domain, ASN, CN, reputation (omitted where the report shows none).

  • 20.73.194.208:443  settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  NL  whitelisted
  • PID 4 (System)  192.168.100.255:137  whitelisted
  • 51.124.78.146:443  settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  NL  whitelisted
  • PID 4 (System)  192.168.100.255:138  whitelisted
  • PID 3216 (svchost.exe)  172.211.123.248:443  client.wns.windows.com  MICROSOFT-CORP-MSN-AS-BLOCK  FR  whitelisted
  • PID 8020 (bootstrapper.exe)  172.67.149.166:443  sirhurt.net  CLOUDFLARENET  US  unknown
  • PID 6544 (svchost.exe)  20.190.159.2:443  login.live.com  MICROSOFT-CORP-MSN-AS-BLOCK  IE  whitelisted
  • PID 2104 (svchost.exe)  40.127.240.158:443  settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  IE  whitelisted
  • PID 7380 (SirHurt V5.exe)  162.159.133.233:443  cdn.discordapp.com  CLOUDFLARENET  whitelisted
  • PID 5112 (SIHClient.exe)  52.149.20.212:443  slscr.update.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  US  whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 51.124.78.146
  • 40.127.240.158
whitelisted
google.com
  • 142.250.185.206
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
sirhurt.net
  • 172.67.149.166
  • 104.21.95.242
unknown
login.live.com
  • 20.190.159.2
  • 20.190.159.131
  • 40.126.31.131
  • 20.190.159.64
  • 40.126.31.71
  • 20.190.159.71
  • 20.190.159.75
  • 20.190.159.23
whitelisted
www.sirhurt.net
  • 172.67.149.166
  • 104.21.95.242
unknown
cdn.discordapp.com
  • 162.159.133.233
  • 162.159.130.233
  • 162.159.129.233
  • 162.159.134.233
  • 162.159.135.233
whitelisted
slscr.update.microsoft.com
  • 52.149.20.212
whitelisted
crl.microsoft.com
  • 2.16.168.124
  • 2.16.168.114
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted

Threats

Columns: PID, process, class, message (PID and process omitted where the report shows none).

  • Potential Corporate Privacy Violation: ET INFO PE EXE or DLL Windows file download HTTP
  • Potentially Bad Traffic: ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  • PID 2196 (svchost.exe), Misc activity: ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)
  • PID 7380 (SirHurt V5.exe), Misc activity: ET INFO Observed Discord Domain (discordapp .com in TLS SNI)
  • PID 7380 (SirHurt V5.exe), Misc activity: ET INFO Observed Discord Domain (discordapp .com in TLS SNI)
No debug info