File name: Velostrap.exe

Full analysis: https://app.any.run/tasks/f39bde30-b918-48ff-9657-ed25febc399e
Verdict: Malicious activity
Analysis date: February 02, 2026, 21:28:26
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
nuitka
python
pyinstaller
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows, 12 sections
MD5: 3457467BB5E5BA58A09549E16FD6062D
SHA1: C385DA6EC61889EAD01DAEE7A484BF75E1CEA505
SHA256: 061DB0A99EB8F6E9E62638DB767D33EBE11C92A2A58A08263432E192F2EAA1A2
SSDEEP: 196608:6fJAdN4P/wMAlD3hpPtEiyxrVxxk/R/3rcUBShR:eJAdN4HkpEiyD+R/3YVR

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • Velostrap.exe (PID: 4304)
    • NUITKA compiler has been detected

      • Velostrap.exe (PID: 4304)
    • Process drops python dynamic module

      • Velostrap.exe (PID: 4304)
    • The process drops C-runtime libraries

      • Velostrap.exe (PID: 4304)
    • Process drops legitimate windows executable

      • Velostrap.exe (PID: 4304)
    • Application launched itself

      • Velostrap.exe (PID: 4304)
    • Loads Python modules

      • Velostrap.exe (PID: 2432)
    • Starts CMD.EXE for commands execution

      • Velostrap.exe (PID: 2432)
    • Reads Microsoft Outlook installation path

      • Velostrap.exe (PID: 2432)
    • Reads Internet Explorer settings

      • Velostrap.exe (PID: 2432)
  • INFO

    • Checks supported languages

      • Velostrap.exe (PID: 4304)
      • Velostrap.exe (PID: 2432)
    • The sample compiled with english language support

      • Velostrap.exe (PID: 4304)
    • Create files in a temporary directory

      • Velostrap.exe (PID: 4304)
    • Drops script file

      • Velostrap.exe (PID: 4304)
      • Velostrap.exe (PID: 2432)
    • Checks proxy server information

      • Velostrap.exe (PID: 2432)
      • slui.exe (PID: 6756)
    • Checks operating system version

      • Velostrap.exe (PID: 2432)
    • Reads the computer name

      • Velostrap.exe (PID: 2432)
    • Reads security settings of Internet Explorer

      • Velostrap.exe (PID: 2432)
    • Reads the machine GUID from the registry

      • Velostrap.exe (PID: 2432)
    • PyInstaller has been detected (YARA)

      • Velostrap.exe (PID: 2432)
    • There is functionality for taking screenshot (YARA)

      • Velostrap.exe (PID: 2432)
    • Creates files or folders in the user directory

      • Velostrap.exe (PID: 2432)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2026:02:02 17:12:21+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Large address aware, No debug
PEType: PE32+
LinkerVersion: 2.43
CodeSize: 128000
InitializedDataSize: 18450432
UninitializedDataSize: 163328
EntryPoint: 0x1125
OSVersion: 4
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows command line
No data.
All screenshots are available in the full report
Total processes
148
Monitored processes
5
Malicious processes
1
Suspicious processes
1

Behavior graph

Graph nodes: start, velostrap.exe, conhost.exe (no specs), velostrap.exe, cmd.exe (no specs), slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 824
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: Velostrap.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2432
CMD: C:\Users\admin\Desktop\Velostrap.exe
Path: C:\Users\admin\Desktop\Velostrap.exe
Parent process: Velostrap.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\velostrap.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
PID: 2912
CMD: C:\WINDOWS\system32\cmd.exe /c "ver"
Path: C:\Windows\System32\cmd.exe
Parent process: Velostrap.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
PID: 4304
CMD: "C:\Users\admin\Desktop\Velostrap.exe"
Path: C:\Users\admin\Desktop\Velostrap.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\velostrap.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
PID: 6756
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
7 623
Read events
7 619
Write events
4
Delete events
0

Modification events

(PID) Process: (2432) Velostrap.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_96DPI_PIXEL
Operation: write
Name: python.exe
Value: 1

(PID) Process: (2432) Velostrap.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (2432) Velostrap.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (2432) Velostrap.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:
Executable files
44
Suspicious files
69
Text files
933
Unknown types
0

Dropped files

PID | Process | Filename | Type
4304 | Velostrap.exe | C:\Users\admin\AppData\Local\Temp\onefile_4304_134145413189565578\Velostrap.dll |
MD5:
SHA256:
4304 | Velostrap.exe | C:\Users\admin\AppData\Local\Temp\onefile_4304_134145413189565578\_brotli.pyd | executable
MD5: D9FC15CAF72E5D7F9A09B675E309F71D
SHA256: 1FCD75B03673904D9471EC03C0EF26978D25135A2026020E679174BDEF976DCF
4304 | Velostrap.exe | C:\Users\admin\AppData\Local\Temp\onefile_4304_134145413189565578\_hashlib.pyd | executable
MD5: DE4D104EA13B70C093B07219D2EFF6CB
SHA256: 39BC615842A176DB72D4E0558F3CDCAE23AB0623AD132F815D21DCFBFD4B110E
4304 | Velostrap.exe | C:\Users\admin\AppData\Local\Temp\onefile_4304_134145413189565578\_cffi_backend.pyd | executable
MD5: D73E60E5DDD70625FD0092677CFF5628
SHA256: 8100F667A3F64EEB37B9326D0C53A931E0EA3CEA4ADE5DBDC638C368355C0948
4304 | Velostrap.exe | C:\Users\admin\AppData\Local\Temp\onefile_4304_134145413189565578\_queue.pyd | executable
MD5: FF8300999335C939FCCE94F2E7F039C0
SHA256: 2F71046891BA279B00B70EB031FE90B379DBE84559CF49CE5D1297EA6BF47A78
4304 | Velostrap.exe | C:\Users\admin\AppData\Local\Temp\onefile_4304_134145413189565578\_overlapped.pyd | executable
MD5: 01AD7CA8BC27F92355FD2895FC474157
SHA256: A083E83F609ED7A2FC18A95D44D8F91C9DC74842F33E19E91988E84DB94C3B5B
4304 | Velostrap.exe | C:\Users\admin\AppData\Local\Temp\onefile_4304_134145413189565578\_socket.pyd | executable
MD5: 8140BDC5803A4893509F0E39B67158CE
SHA256: 39715EF8D043354F0AB15F62878530A38518FB6192BC48DA6A098498E8D35769
4304 | Velostrap.exe | C:\Users\admin\AppData\Local\Temp\onefile_4304_134145413189565578\_uuid.pyd | executable
MD5: 9A4957BDC2A783ED4BA681CBA2C99C5C
SHA256: F7F57807C15C21C5AA9818EDF3993D0B94AEF8AF5808E1AD86A98637FC499D44
4304 | Velostrap.exe | C:\Users\admin\AppData\Local\Temp\onefile_4304_134145413189565578\_multiprocessing.pyd | executable
MD5: 1386DBC6DCC5E0BE6FEF05722AE572EC
SHA256: 0AE3BF383FF998886F97576C55D6BF0A076C24395CF6FCD2265316E9A6E8C007
4304 | Velostrap.exe | C:\Users\admin\AppData\Local\Temp\onefile_4304_134145413189565578\_ctypes.pyd | executable
MD5: 6A9CA97C039D9BBB7ABF40B53C851198
SHA256: E662D2B35BB48C5F3432BDE79C0D20313238AF800968BA0FAA6EA7E7E5EF4535
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
186
TCP/UDP connections
48
DNS requests
22
Threats
2

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
8360 | SIHClient.exe | GET | 304 | 135.233.95.144:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | | | whitelisted
2328 | RUXIMICS.exe | GET | 200 | 23.216.77.25:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
8360 | SIHClient.exe | GET | 200 | 20.165.94.54:443 | https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping | unknown | | | whitelisted
8124 | svchost.exe | GET | 200 | 23.216.77.25:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
8360 | SIHClient.exe | GET | 200 | 135.233.95.144:443 | https://slscr.update.microsoft.com/sls/ping | unknown | | | whitelisted
6768 | MoUsoCoreWorker.exe | GET | 200 | 23.216.77.25:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
8360 | SIHClient.exe | GET | 304 | 135.233.95.144:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | | | whitelisted
| | POST | 200 | 20.190.160.64:443 | https://login.live.com/RST2.srf | unknown | xml | 10.3 Kb | unknown
| | POST | 200 | 20.190.160.64:443 | https://login.live.com/RST2.srf | unknown | xml | 10.3 Kb | unknown
356 | svchost.exe | POST | 200 | 20.190.160.5:443 | https://login.live.com/RST2.srf | unknown | xml | 10.3 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | Not routed | whitelisted
2328 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
8124 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
6768 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
| | 172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4 | System | 192.168.100.255:138 | Not routed | whitelisted
2328 | RUXIMICS.exe | 23.216.77.25:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted
8124 | svchost.exe | 23.216.77.25:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted
6768 | MoUsoCoreWorker.exe | 23.216.77.25:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted
356 | svchost.exe | 20.190.160.5:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 4.231.128.59
whitelisted
self.events.data.microsoft.com
  • 20.189.173.11
  • 40.79.141.154
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
google.com
  • 172.217.16.206
whitelisted
crl.microsoft.com
  • 23.216.77.25
  • 23.216.77.29
  • 23.216.77.22
  • 23.216.77.21
  • 23.216.77.39
  • 23.216.77.32
  • 23.216.77.35
  • 23.216.77.26
  • 23.216.77.28
  • 2.16.164.49
  • 2.16.164.120
whitelisted
login.live.com
  • 20.190.160.5
  • 20.190.160.3
  • 20.190.160.67
  • 40.126.32.140
  • 20.190.160.130
  • 20.190.160.132
  • 20.190.160.66
  • 20.190.160.20
whitelisted
slscr.update.microsoft.com
  • 135.233.95.144
whitelisted
www.microsoft.com
  • 23.52.181.212
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.165.94.54
whitelisted
github.com
  • 140.82.121.4
whitelisted

Threats

PID | Process | Class | Message
| | Misc activity | ET INFO Observed UA-CPU Header
2432 | Velostrap.exe | Misc activity | ET INFO Observed UA-CPU Header
No debug info