File name: Velostrap.exe
Full analysis: https://app.any.run/tasks/f39bde30-b918-48ff-9657-ed25febc399e
Verdict: Malicious activity
Analysis date: February 02, 2026, 21:28:26
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
nuitka
python
pyinstaller
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows, 12 sections
MD5: 3457467BB5E5BA58A09549E16FD6062D
SHA1: C385DA6EC61889EAD01DAEE7A484BF75E1CEA505
SHA256: 061DB0A99EB8F6E9E62638DB767D33EBE11C92A2A58A08263432E192F2EAA1A2
SSDEEP: 196608:6fJAdN4P/wMAlD3hpPtEiyxrVxxk/R/3rcUBShR:eJAdN4HkpEiyD+R/3YVR

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • The process drops C-runtime libraries

      • Velostrap.exe (PID: 4304)
    • Process drops python dynamic module

      • Velostrap.exe (PID: 4304)
    • NUITKA compiler has been detected

      • Velostrap.exe (PID: 4304)
    • Executable content was dropped or overwritten

      • Velostrap.exe (PID: 4304)
    • Process drops legitimate windows executable

      • Velostrap.exe (PID: 4304)
    • Starts CMD.EXE for commands execution

      • Velostrap.exe (PID: 2432)
    • Application launched itself

      • Velostrap.exe (PID: 4304)
    • Loads Python modules

      • Velostrap.exe (PID: 2432)
    • Reads Internet Explorer settings

      • Velostrap.exe (PID: 2432)
    • Reads Microsoft Outlook installation path

      • Velostrap.exe (PID: 2432)
  • INFO

    • Checks supported languages

      • Velostrap.exe (PID: 4304)
      • Velostrap.exe (PID: 2432)
    • The sample compiled with english language support

      • Velostrap.exe (PID: 4304)
    • Create files in a temporary directory

      • Velostrap.exe (PID: 4304)
    • Drops script file

      • Velostrap.exe (PID: 4304)
      • Velostrap.exe (PID: 2432)
    • Checks operating system version

      • Velostrap.exe (PID: 2432)
    • Reads the computer name

      • Velostrap.exe (PID: 2432)
    • Checks proxy server information

      • Velostrap.exe (PID: 2432)
      • slui.exe (PID: 6756)
    • Reads security settings of Internet Explorer

      • Velostrap.exe (PID: 2432)
    • Reads the machine GUID from the registry

      • Velostrap.exe (PID: 2432)
    • Creates files or folders in the user directory

      • Velostrap.exe (PID: 2432)
    • PyInstaller has been detected (YARA)

      • Velostrap.exe (PID: 2432)
    • There is functionality for taking screenshot (YARA)

      • Velostrap.exe (PID: 2432)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2026:02:02 17:12:21+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Large address aware, No debug
PEType: PE32+
LinkerVersion: 2.43
CodeSize: 128000
InitializedDataSize: 18450432
UninitializedDataSize: 163328
EntryPoint: 0x1125
OSVersion: 4
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows command line
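The EXIF block above is what a PE header parser reads back from the file: COFF machine type 0x8664, 12 sections, a link timestamp (2026-02-02 17:12:21 UTC, roughly four hours before the analysis date), a MajorLinkerVersion.MinorLinkerVersion of 2.43, the PE32+ magic and the console subsystem. A linker version of 2.x is what GNU ld writes (binutils 2.43), which fits the nuitka tag: Nuitka builds on Windows with MinGW-w64 when MSVC is not used, whereas MSVC-linked binaries carry 14.x. The following Python is an added example, not part of the ANY.RUN report and not Nuitka's or the sample's code: it parses those header fields with the standard library and diffs them against the reported values. The header bytes it parses are constructed from the report's numbers (they are not bytes of Velostrap.exe), and the toolchain heuristic is this example's own assumption.

```python
"""Added example, not part of the ANY.RUN report: read back the PE header
fields that the EXIF block summarises and diff them against the reported
values.  Standard library only.  The header bytes parsed below are
CONSTRUCTED from the report's numbers; they are not bytes of Velostrap.exe."""
import struct
from datetime import datetime, timezone

MACHINES = {0x14C: "I386", 0x8664: "AMD64", 0xAA64: "ARM64"}
SUBSYSTEMS = {2: "Windows GUI", 3: "Windows command line"}
CHARACTERISTICS = [                      # IMAGE_FILE_* flags, ExifTool wording
    (0x0001, "Relocs stripped"), (0x0002, "Executable"),
    (0x0004, "No line numbers"), (0x0008, "No symbols"),
    (0x0020, "Large address aware"), (0x0200, "No debug"), (0x2000, "DLL"),
]


def parse_pe_header(data: bytes) -> dict:
    """MZ -> e_lfanew -> 'PE\\0\\0' -> COFF file header -> optional header."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    machine, nsections, ts, _, _, _, chars = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24                        # optional header follows the 20-byte COFF header
    (magic, lnk_major, lnk_minor, code_sz, idata_sz, udata_sz,
     entry, _) = struct.unpack_from("<HBBIIIII", data, opt)
    # From SectionAlignment (offset 32) onward the layout is the same for PE32 and PE32+.
    (_, _, os_major, os_minor, img_major, img_minor, ss_major, ss_minor,
     _, _, _, _, subsystem, _) = struct.unpack_from("<IIHHHHHHIIIIHH", data, opt + 32)
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "number_of_sections": nsections,
        "timestamp": datetime.fromtimestamp(ts, timezone.utc).isoformat(sep=" "),
        "pe_type": {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, hex(magic)),
        "linker_version": f"{lnk_major}.{lnk_minor}",
        "code_size": code_sz,
        "initialized_data_size": idata_sz,
        "uninitialized_data_size": udata_sz,
        "entry_point": entry,
        "os_version": f"{os_major}.{os_minor}",
        "image_version": f"{img_major}.{img_minor}",
        "subsystem_version": f"{ss_major}.{ss_minor}",
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "characteristics": [name for bit, name in CHARACTERISTICS if chars & bit],
    }


# The EXIF block of this report, expressed in the parser's own keys.
REPORT_EXIF = {
    "machine": "AMD64", "number_of_sections": 12, "pe_type": "PE32+",
    "timestamp": "2026-02-02 17:12:21+00:00", "linker_version": "2.43",
    "code_size": 128000, "initialized_data_size": 18450432,
    "uninitialized_data_size": 163328, "entry_point": 0x1125,
    "os_version": "4.0",                 # printed as "4" in the report
    "subsystem_version": "5.2", "subsystem": "Windows command line",
    "characteristics": ["Executable", "No line numbers", "No symbols",
                        "Large address aware", "No debug"],
}


def mismatches(info: dict, expected: dict) -> list:
    """Keys where a parsed header disagrees with the report; [] means it matches."""
    return [k for k, v in expected.items() if info.get(k) != v]


def toolchain_hint(info: dict) -> str:
    """Heuristic (this example's assumption, not a report finding): GNU ld stamps
    its binutils version (2.x) into Major/MinorLinkerVersion, MSVC's link.exe
    stamps 14.x, so 2.43 points at a MinGW-w64 build, the toolchain Nuitka
    uses on Windows when MSVC is not available."""
    major = int(info["linker_version"].split(".")[0])
    return "GNU ld / MinGW-w64" if major == 2 else "MSVC link.exe or other"


def build_sample_header() -> bytes:
    """CONSTRUCTED PE32+ header carrying the report's numbers (no sections, no code)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)             # e_lfanew = 0x40
    chars = 0x0002 | 0x0004 | 0x0008 | 0x0020 | 0x0200              # 0x022E
    coff = struct.pack("<HHIIIHH", 0x8664, 12, 1770052341, 0, 0, 240, chars)
    opt = struct.pack("<HBBIIIII", 0x20B, 2, 43, 128000, 18450432, 163328,
                      0x1125, 0x1000)
    opt += struct.pack("<Q", 0x140000000)                           # ImageBase (PE32+ only)
    opt += struct.pack("<IIHHHHHHIIIIHH", 0x1000, 0x200, 4, 0, 0, 0, 5, 2,
                       0, 0x1200000, 0x600, 0, 3, 0x0160)
    return dos + b"PE\0\0" + coff + opt.ljust(240, b"\0")


if __name__ == "__main__":
    import sys
    # Pass a real file path to check it against the report; default is the constructed header.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_header()
    parsed = parse_pe_header(blob)
    for key, value in parsed.items():
        print(f"{key:>24}: {value}")
    print("toolchain hint:", toolchain_hint(parsed))
    print("mismatches vs report:", mismatches(parsed, REPORT_EXIF) or "none")
```

Run it against a copy of the sample (`python pe_check.py Velostrap.exe`) and an empty mismatch list confirms you hold the same build the report describes; a differing timestamp or linker version means a different build, not just a renamed file.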
No data.
All screenshots are available in the full report
Total processes: 148
Monitored processes: 5
Malicious processes: 1
Suspicious processes: 1

Behavior graph


Process information

PID: 824
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: Velostrap.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2432
CMD: C:\Users\admin\Desktop\Velostrap.exe
Path: C:\Users\admin\Desktop\Velostrap.exe
Parent process: Velostrap.exe
User: admin
Integrity Level: MEDIUM
Modules
Images
c:\users\admin\desktop\velostrap.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
PID: 2912
CMD: C:\WINDOWS\system32\cmd.exe /c "ver"
Path: C:\Windows\System32\cmd.exe
Parent process: Velostrap.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
PID: 4304
CMD: "C:\Users\admin\Desktop\Velostrap.exe"
Path: C:\Users\admin\Desktop\Velostrap.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Modules
Images
c:\users\admin\desktop\velostrap.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
PID: 6756
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events: 7 623
Read events: 7 619
Write events: 4
Delete events: 0

Modification events

(PID) Process: (2432) Velostrap.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_96DPI_PIXEL
Operation: write
Name: python.exe
Value: 1

(PID) Process: (2432) Velostrap.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (2432) Velostrap.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (2432) Velostrap.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:
Executable files: 44
Suspicious files: 69
Text files: 933
Unknown types: 0

Dropped files

PID 4304, Velostrap.exe: C:\Users\admin\AppData\Local\Temp\onefile_4304_134145413189565578\Velostrap.dll
MD5:
SHA256:

PID 4304, Velostrap.exe: C:\Users\admin\AppData\Local\Temp\onefile_4304_134145413189565578\_tkinter.pyd (executable)
MD5: 442304CE4AD2D40E0D85A89B52B6D272
SHA256: 6FF6CC788F1AB19DE383810DDBD15ECD5FC8216FAF5E1E406BBF9A608FBB9991

PID 4304, Velostrap.exe: C:\Users\admin\AppData\Local\Temp\onefile_4304_134145413189565578\_hashlib.pyd (executable)
MD5: DE4D104EA13B70C093B07219D2EFF6CB
SHA256: 39BC615842A176DB72D4E0558F3CDCAE23AB0623AD132F815D21DCFBFD4B110E

PID 4304, Velostrap.exe: C:\Users\admin\AppData\Local\Temp\onefile_4304_134145413189565578\_ctypes.pyd (executable)
MD5: 6A9CA97C039D9BBB7ABF40B53C851198
SHA256: E662D2B35BB48C5F3432BDE79C0D20313238AF800968BA0FAA6EA7E7E5EF4535

PID 4304, Velostrap.exe: C:\Users\admin\AppData\Local\Temp\onefile_4304_134145413189565578\_multiprocessing.pyd (executable)
MD5: 1386DBC6DCC5E0BE6FEF05722AE572EC
SHA256: 0AE3BF383FF998886F97576C55D6BF0A076C24395CF6FCD2265316E9A6E8C007

PID 4304, Velostrap.exe: C:\Users\admin\AppData\Local\Temp\onefile_4304_134145413189565578\_ssl.pyd (executable)
MD5: 069BCCC9F31F57616E88C92650589BDD
SHA256: CB42E8598E3FA53EEEBF63F2AF1730B9EC64614BDA276AB2CD1F1C196B3D7E32

PID 4304, Velostrap.exe: C:\Users\admin\AppData\Local\Temp\onefile_4304_134145413189565578\_asyncio.pyd (executable)
MD5: 2859C39887921DAD2FF41FEDA44FE174
SHA256: AEBC378DB08617EA81A0A3A3BC044BCC7E6303E314630392DD51BAB12F879BD9

PID 4304, Velostrap.exe: C:\Users\admin\AppData\Local\Temp\onefile_4304_134145413189565578\_bz2.pyd (executable)
MD5: 4101128E19134A4733028CFAAFC2F3BB
SHA256: 5843872D5E2B08F138A71FE9BA94813AFEE59C8B48166D4A8EB0F606107A7E80

PID 4304, Velostrap.exe: C:\Users\admin\AppData\Local\Temp\onefile_4304_134145413189565578\_overlapped.pyd (executable)
MD5: 01AD7CA8BC27F92355FD2895FC474157
SHA256: A083E83F609ED7A2FC18A95D44D8F91C9DC74842F33E19E91988E84DB94C3B5B

PID 4304, Velostrap.exe: C:\Users\admin\AppData\Local\Temp\onefile_4304_134145413189565578\pyexpat.pyd (executable)
MD5: 1C0A578249B658F5DCD4B539EEA9A329
SHA256: D97F3E27130C267E7D3287D1B159F65559E84EAD9090D02A01B4C7DC663CD509
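The drop directory name is itself evidence worth decoding. Nuitka's onefile bootstrap unpacks into {TEMP}\onefile_{PID}_{TIME}: the PID component (4304) is the extracting process from the table above, and the TIME component is a Windows FILETIME (100-ns ticks since 1601-01-01 UTC), so 134145413189565578 decodes to 2026-02-02 21:28:38 UTC, seconds after the report's analysis date. The rest of the chain is equally regular: the bootstrap drops Velostrap.dll and the CPython extension modules (.pyd), launches a second copy of itself (PID 2432) that loads them, and that copy runs cmd.exe /c "ver", which is the exact command line CPython's subprocess module produces for shell=True and which platform.win32_ver() issues (so anything calling platform.platform() or platform.uname() triggers it). The Python below is an added example, not ANY.RUN's detection logic and not code from the sample: it decodes the directory name and flags that chain over a handful of process and file events constructed from this report's process tree. The event schema is this example's own simplified one, and the parent PID given to explorer.exe is made up.

```python
"""Added example, not ANY.RUN's detection logic and not code from the sample:
decode the Nuitka onefile drop directory and flag the chain this report shows
(self-extraction to %TEMP%, relaunch of the same EXE, cmd.exe /c "ver" from
the child).  The events below are CONSTRUCTED from the report's process tree
and dropped-file paths; the schema is this example's own (Sysmon-like,
simplified) and the parent PID given to explorer.exe is made up."""
import re
from datetime import datetime, timedelta, timezone

# Nuitka's default onefile tempdir spec is {TEMP}/onefile_{PID}_{TIME}; on Windows
# TIME is a FILETIME: 100-ns ticks since 1601-01-01 00:00:00 UTC.
ONEFILE_DIR = re.compile(r"\\Temp\\onefile_(\d+)_(\d+)\\[^\\]+$", re.IGNORECASE)
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# subprocess.*(cmd, shell=True) on Windows runs exactly: <COMSPEC> /c "<cmd>".
# CPython's platform.win32_ver() does this with cmd == "ver".
VER_PROBE = re.compile(r'\\cmd\.exe\s+/c\s+"ver"\s*$', re.IGNORECASE)


def decode_onefile_dir(path: str):
    """(pid, launch time in UTC) encoded in a onefile_<pid>_<filetime> path, else None."""
    m = ONEFILE_DIR.search(path)
    if m is None:
        return None
    pid, ticks = int(m.group(1)), int(m.group(2))
    return pid, FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def detect_nuitka_onefile(events: list) -> list:
    """Return (pid, finding) tuples for the bootstrap -> payload -> ver chain."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = []
    drops = {}                                # pid -> [launch_time, [file names]]
    for e in events:
        if e["type"] != "file":
            continue
        decoded = decode_onefile_dir(e["target"])
        if decoded and decoded[0] == e["pid"]:   # writer is the PID baked into the dir name
            entry = drops.setdefault(e["pid"], [decoded[1], []])
            entry[1].append(e["target"].rsplit("\\", 1)[1])
    for pid, (when, names) in drops.items():
        native = [n for n in names if n.lower().endswith((".pyd", ".dll"))]
        findings.append((pid, f"onefile self-extraction at {when:%Y-%m-%d %H:%M:%S} UTC: "
                              f"{len(native)} native modules"))
    relaunched = set()                        # payload copies started by a bootstrap
    for e in events:
        parent = procs.get(e.get("ppid"))
        if (e["type"] == "process" and parent and parent["pid"] in drops
                and parent["image"].lower() == e["image"].lower()):
            relaunched.add(e["pid"])
            findings.append((e["pid"], "payload relaunched from onefile bootstrap"))
    for e in events:
        if e["type"] == "process" and e["ppid"] in relaunched and VER_PROBE.search(e["cmdline"]):
            findings.append((e["pid"], 'cmd.exe /c "ver" probe (CPython platform.win32_ver)'))
    return findings


TEMP = r"C:\Users\admin\AppData\Local\Temp\onefile_4304_134145413189565578"
EXE = r"C:\Users\admin\Desktop\Velostrap.exe"
EVENTS = [   # CONSTRUCTED; mirrors the report's tree, PPID 1000 for explorer.exe is invented
    {"type": "process", "pid": 4304, "ppid": 1000, "image": EXE, "cmdline": f'"{EXE}"'},
    {"type": "file", "pid": 4304, "target": TEMP + r"\Velostrap.dll"},
    {"type": "file", "pid": 4304, "target": TEMP + r"\_ctypes.pyd"},
    {"type": "file", "pid": 4304, "target": TEMP + r"\_ssl.pyd"},
    {"type": "file", "pid": 4304, "target": TEMP + r"\_hashlib.pyd"},
    {"type": "process", "pid": 2432, "ppid": 4304, "image": EXE, "cmdline": EXE},
    {"type": "process", "pid": 2912, "ppid": 2432, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'C:\WINDOWS\system32\cmd.exe /c "ver"'},
    {"type": "process", "pid": 6756, "ppid": 1000, "image": r"C:\Windows\System32\slui.exe",
     "cmdline": r"C:\WINDOWS\System32\slui.exe -Embedding"},          # unrelated noise
]

if __name__ == "__main__":
    for pid, finding in detect_nuitka_onefile(EVENTS):
        print(pid, finding)
```

The PID check in decode_onefile_dir matters: a process writing into someone else's onefile_<pid>_* directory is not a bootstrap extracting itself, and the FILETIME gives you the launch time even when the file-create events were not captured. The `ver` probe on its own is weak (any Python program that calls platform.platform() does it); it is only flagged here when its parent is a relaunched onefile payload.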
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
186
TCP/UDP connections
48
DNS requests
22
Threats
2

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
8360 | SIHClient.exe | GET | 304 | 135.233.95.144:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | US | | | whitelisted
8124 | svchost.exe | GET | 200 | 23.216.77.25:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 825 b | whitelisted
8360 | SIHClient.exe | GET | 200 | 20.165.94.54:443 | https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping | US | | | whitelisted
 | | POST | 200 | 20.190.160.64:443 | https://login.live.com/RST2.srf | US | xml | 10.3 Kb | unknown
8360 | SIHClient.exe | GET | 200 | 135.233.95.144:443 | https://slscr.update.microsoft.com/sls/ping | US | | | whitelisted
356 | svchost.exe | POST | 200 | 20.190.160.5:443 | https://login.live.com/RST2.srf | US | xml | 10.3 Kb | whitelisted
8360 | SIHClient.exe | GET | 304 | 135.233.95.144:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | US | | | whitelisted
 | | POST | 200 | 20.190.160.64:443 | https://login.live.com/RST2.srf | US | xml | 10.3 Kb | unknown
356 | svchost.exe | POST | 200 | 20.190.160.5:443 | https://login.live.com/RST2.srf | US | xml | 10.3 Kb | whitelisted
 | | POST | 200 | 20.190.160.4:443 | https://login.live.com/RST2.srf | US | xml | 10.3 Kb | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | Not routed | | whitelisted
2328 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
8124 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
6768 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
 | | 172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4 | System | 192.168.100.255:138 | | Not routed | | whitelisted
2328 | RUXIMICS.exe | 23.216.77.25:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted
8124 | svchost.exe | 23.216.77.25:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted
6768 | MoUsoCoreWorker.exe | 23.216.77.25:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted
356 | svchost.exe | 20.190.160.5:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 4.231.128.59
whitelisted
self.events.data.microsoft.com
  • 20.189.173.11
  • 40.79.141.154
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
google.com
  • 172.217.16.206
whitelisted
crl.microsoft.com
  • 23.216.77.25
  • 23.216.77.29
  • 23.216.77.22
  • 23.216.77.21
  • 23.216.77.39
  • 23.216.77.32
  • 23.216.77.35
  • 23.216.77.26
  • 23.216.77.28
  • 2.16.164.49
  • 2.16.164.120
whitelisted
login.live.com
  • 20.190.160.5
  • 20.190.160.3
  • 20.190.160.67
  • 40.126.32.140
  • 20.190.160.130
  • 20.190.160.132
  • 20.190.160.66
  • 20.190.160.20
whitelisted
slscr.update.microsoft.com
  • 135.233.95.144
whitelisted
www.microsoft.com
  • 23.52.181.212
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.165.94.54
whitelisted
github.com
  • 140.82.121.4
whitelisted

Threats

PID | Process | Class | Message
 | | Misc activity | ET INFO Observed UA-CPU Header
2432 | Velostrap.exe | Misc activity | ET INFO Observed UA-CPU Header
No debug info