File name: Velostrap.exe
Full analysis: https://app.any.run/tasks/f39bde30-b918-48ff-9657-ed25febc399e
Verdict: Malicious activity
Analysis date: February 02, 2026, 21:28:26
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: nuitka, python, pyinstaller
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows, 12 sections
MD5: 3457467BB5E5BA58A09549E16FD6062D
SHA1: C385DA6EC61889EAD01DAEE7A484BF75E1CEA505
SHA256: 061DB0A99EB8F6E9E62638DB767D33EBE11C92A2A58A08263432E192F2EAA1A2
SSDEEP: 196608:6fJAdN4P/wMAlD3hpPtEiyxrVxxk/R/3rcUBShR:eJAdN4HkpEiyD+R/3YVR

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • Velostrap.exe (PID: 4304)
    • The process drops C-runtime libraries

      • Velostrap.exe (PID: 4304)
    • Process drops python dynamic module

      • Velostrap.exe (PID: 4304)
    • NUITKA compiler has been detected

      • Velostrap.exe (PID: 4304)
    • Process drops legitimate windows executable

      • Velostrap.exe (PID: 4304)
    • Application launched itself

      • Velostrap.exe (PID: 4304)
    • Loads Python modules

      • Velostrap.exe (PID: 2432)
    • Starts CMD.EXE for commands execution

      • Velostrap.exe (PID: 2432)
    • Reads Microsoft Outlook installation path

      • Velostrap.exe (PID: 2432)
    • Reads Internet Explorer settings

      • Velostrap.exe (PID: 2432)
  • INFO

    • Checks supported languages

      • Velostrap.exe (PID: 4304)
      • Velostrap.exe (PID: 2432)
    • The sample compiled with english language support

      • Velostrap.exe (PID: 4304)
    • Create files in a temporary directory

      • Velostrap.exe (PID: 4304)
    • Drops script file

      • Velostrap.exe (PID: 4304)
      • Velostrap.exe (PID: 2432)
    • Checks operating system version

      • Velostrap.exe (PID: 2432)
    • Checks proxy server information

      • Velostrap.exe (PID: 2432)
      • slui.exe (PID: 6756)
    • Reads the computer name

      • Velostrap.exe (PID: 2432)
    • Reads security settings of Internet Explorer

      • Velostrap.exe (PID: 2432)
    • Reads the machine GUID from the registry

      • Velostrap.exe (PID: 2432)
    • Creates files or folders in the user directory

      • Velostrap.exe (PID: 2432)
    • PyInstaller has been detected (YARA)

      • Velostrap.exe (PID: 2432)
    • There is functionality for taking screenshot (YARA)

      • Velostrap.exe (PID: 2432)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2026:02:02 17:12:21+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Large address aware, No debug
PEType: PE32+
LinkerVersion: 2.43
CodeSize: 128000
InitializedDataSize: 18450432
UninitializedDataSize: 163328
EntryPoint: 0x1125
OSVersion: 4
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows command line
No data.
All screenshots are available in the full report
Total processes: 148
Monitored processes: 5
Malicious processes: 1
Suspicious processes: 1

Behavior graph (processes shown): velostrap.exe, conhost.exe (no specs), velostrap.exe, cmd.exe (no specs), slui.exe

Process information

PID: 824
Command line: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: Velostrap.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2432
Command line: C:\Users\admin\Desktop\Velostrap.exe
Path: C:\Users\admin\Desktop\Velostrap.exe
Parent process: Velostrap.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\velostrap.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
PID: 2912
Command line: C:\WINDOWS\system32\cmd.exe /c "ver"
Path: C:\Windows\System32\cmd.exe
Parent process: Velostrap.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
PID: 4304
Command line: "C:\Users\admin\Desktop\Velostrap.exe"
Path: C:\Users\admin\Desktop\Velostrap.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\velostrap.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
PID: 6756
Command line: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events: 7 623
Read events: 7 619
Write events: 4
Delete events: 0

Modification events

PID 2432 (Velostrap.exe), operation: write
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_96DPI_PIXEL
Name: python.exe
Value: 1

PID 2432 (Velostrap.exe), operation: write
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Name: CachePrefix
Value:

PID 2432 (Velostrap.exe), operation: write
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Name: CachePrefix
Value: Cookie:

PID 2432 (Velostrap.exe), operation: write
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Name: CachePrefix
Value: Visited:
Executable files: 44
Suspicious files: 69
Text files: 933
Unknown types: 0

Dropped files

All entries below were dropped by PID 4304 (Velostrap.exe) into C:\Users\admin\AppData\Local\Temp\onefile_4304_134145413189565578\

Velostrap.dll
Type:
MD5:
SHA256:

pyexpat.pyd
Type: executable
MD5: 1C0A578249B658F5DCD4B539EEA9A329
SHA256: D97F3E27130C267E7D3287D1B159F65559E84EAD9090D02A01B4C7DC663CD509

_tkinter.pyd
Type: executable
MD5: 442304CE4AD2D40E0D85A89B52B6D272
SHA256: 6FF6CC788F1AB19DE383810DDBD15ECD5FC8216FAF5E1E406BBF9A608FBB9991

libcrypto-1_1.dll
Type: executable
MD5: 6F4B8EB45A965372156086201207C81F
SHA256: 976CE72EFD0A8AEEB6E21AD441AA9138434314EA07F777432205947CDB149541

_asyncio.pyd
Type: executable
MD5: 2859C39887921DAD2FF41FEDA44FE174
SHA256: AEBC378DB08617EA81A0A3A3BC044BCC7E6303E314630392DD51BAB12F879BD9

python3.dll
Type: executable
MD5: 34E49BB1DFDDF6037F0001D9AEFE7D61
SHA256: 4055D1B9E553B78C244143AB6B48151604003B39A9BF54879DEE9175455C1281

libssl-1_1.dll
Type: executable
MD5: 8769ADAFCA3A6FC6EF26F01FD31AFA84
SHA256: 2AEBB73530D21A2273692A5A3D57235B770DAF1C35F60C74E01754A5DAC05071

libffi-8.dll
Type: executable
MD5: 32D36D2B0719DB2B739AF803C5E1C2F5
SHA256: 128A583E821E52B595EB4B3DDA17697D3CA456EE72945F7ECCE48EDEDAD0E93C

_ssl.pyd
Type: executable
MD5: 069BCCC9F31F57616E88C92650589BDD
SHA256: CB42E8598E3FA53EEEBF63F2AF1730B9EC64614BDA276AB2CD1F1C196B3D7E32

_uuid.pyd
Type: executable
MD5: 9A4957BDC2A783ED4BA681CBA2C99C5C
SHA256: F7F57807C15C21C5AA9818EDF3993D0B94AEF8AF5808E1AD86A98637FC499D44
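The process table and the dropped-file table above together show the Nuitka onefile pattern end to end: the bootstrap process (PID 4304) unpacks the embedded Python runtime into %TEMP%\onefile_<PID>_<...>\, re-executes its own image as PID 2432 ("Application launched itself"), and that payload process then spawns cmd.exe /c "ver". The script below is an added triage example, not code from ANY.RUN or from the analysed sample, that flags this chain in a list of process and file-drop events. The event records are constructed from the report's tables; the parent PIDs (1000 standing in for explorer.exe, 1001 for svchost.exe, and 4304 as parent of 2432) are assumed, because the report lists only parent image names.

```python
"""Flag the Nuitka onefile bootstrap chain in process and file-drop events.

Added example, not code from ANY.RUN or from the analysed sample. The event
records at the bottom are constructed from the report's process table and
dropped-file table; ppid values are assumed (the report shows parent names only).
"""
import re
from dataclasses import dataclass, field

# Nuitka's default onefile temp directory is {TEMP}\onefile_{PID}_{TIME}\, where
# {PID} is the bootstrap process doing the unpacking. The report's drop path
# onefile_4304_... written by PID 4304 matches that layout.
ONEFILE_DIR = re.compile(r"\\AppData\\Local\\Temp\\onefile_(\d+)_\d+\\", re.IGNORECASE)


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class Drop:
    pid: int
    path: str


@dataclass
class Finding:
    bootstrap_pid: int
    payload_pid: int
    onefile_dir: str
    dropped_modules: list = field(default_factory=list)
    shell_commands: list = field(default_factory=list)


def shell_command(cmdline):
    """Return the command handed to cmd.exe /c or /k, or None if not a cmd.exe launch."""
    m = re.search(r'\bcmd\.exe"?\s+/[ck]\s+(.+)$', cmdline, re.IGNORECASE)
    return m.group(1).strip().strip('"') if m else None


def find_onefile_chains(procs, drops):
    """Return one Finding per (bootstrap, re-executed payload) pair.

    A bootstrap is a process that wrote into an onefile_<pid>_ directory whose
    <pid> equals its own PID. The payload is a child of the bootstrap with the
    same image name. Shell commands spawned by the payload are collected so an
    analyst sees what the unpacked Python code ran first.
    """
    findings = []
    for boot in procs:
        dirs = {}
        for d in drops:
            if d.pid != boot.pid:
                continue
            m = ONEFILE_DIR.search(d.path)
            if m and int(m.group(1)) == boot.pid:
                dirs.setdefault(d.path[: m.end()], []).append(d.path)
        if not dirs:
            continue
        payloads = [p for p in procs
                    if p.ppid == boot.pid and p.image.lower() == boot.image.lower()]
        for payload in payloads:
            for onefile_dir, paths in dirs.items():
                f = Finding(boot.pid, payload.pid, onefile_dir)
                f.dropped_modules = sorted(
                    path.rsplit("\\", 1)[-1] for path in paths
                    if path.lower().endswith((".pyd", ".dll", ".exe")))
                f.shell_commands = [c for c in (shell_command(g.cmdline)
                                                for g in procs if g.ppid == payload.pid)
                                    if c is not None]
                findings.append(f)
    return findings


# Constructed from the report's process table; ppid 1000/1001 are placeholders
# for explorer.exe and svchost.exe, whose PIDs the report does not give.
PROCS = [
    Proc(4304, 1000, "Velostrap.exe", '"C:\\Users\\admin\\Desktop\\Velostrap.exe" '),
    Proc(824, 4304, "conhost.exe", "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1"),
    Proc(2432, 4304, "Velostrap.exe", "C:\\Users\\admin\\Desktop\\Velostrap.exe"),
    Proc(2912, 2432, "cmd.exe", 'C:\\WINDOWS\\system32\\cmd.exe /c "ver"'),
    Proc(6756, 1001, "slui.exe", "C:\\WINDOWS\\System32\\slui.exe -Embedding"),
]
# Constructed from the report's dropped-file table.
ONEFILE_TEMP = "C:\\Users\\admin\\AppData\\Local\\Temp\\onefile_4304_134145413189565578\\"
DROPS = [Drop(4304, ONEFILE_TEMP + name) for name in (
    "Velostrap.dll", "pyexpat.pyd", "_tkinter.pyd", "libcrypto-1_1.dll", "_asyncio.pyd",
    "python3.dll", "libssl-1_1.dll", "libffi-8.dll", "_ssl.pyd", "_uuid.pyd")]


def main():
    for f in find_onefile_chains(PROCS, DROPS):
        print(f"bootstrap {f.bootstrap_pid} -> payload {f.payload_pid} from {f.onefile_dir}")
        print(f"  dropped: {', '.join(f.dropped_modules)}")
        print(f"  shell commands from payload: {f.shell_commands}")


if __name__ == "__main__":
    main()
```

The PID-in-directory-name check is what separates a Nuitka onefile bootstrap from any program that happens to write DLLs to %TEMP%; a packer that unpacks somewhere else, or a process that writes into another process's onefile directory, does not match. The same-image-child requirement ties the drop to the re-execution, so a single-process unpacker produces no finding.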
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 186
TCP/UDP connections: 48
DNS requests: 22
Threats: 2

HTTP requests

PID | Process | Method | HTTP code | IP | URL | CN | Type | Size | Reputation
8360 | SIHClient.exe | GET | 304 | 135.233.95.144:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | US | | | whitelisted
 | | POST | 200 | 20.190.160.4:443 | https://login.live.com/RST2.srf | US | xml | 10.3 Kb | unknown
8360 | SIHClient.exe | GET | 200 | 20.165.94.54:443 | https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping | US | | | whitelisted
8124 | svchost.exe | GET | 200 | 23.216.77.25:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 825 b | whitelisted
8360 | SIHClient.exe | GET | 200 | 135.233.95.144:443 | https://slscr.update.microsoft.com/sls/ping | US | | | whitelisted
6768 | MoUsoCoreWorker.exe | GET | 200 | 23.216.77.25:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 825 b | whitelisted
8360 | SIHClient.exe | GET | 304 | 135.233.95.144:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | US | | | whitelisted
 | | POST | 200 | 20.190.160.64:443 | https://login.live.com/RST2.srf | US | xml | 10.3 Kb | unknown
356 | svchost.exe | POST | 200 | 20.190.160.5:443 | https://login.live.com/RST2.srf | US | xml | 10.3 Kb | whitelisted
 | | POST | 200 | 20.190.160.64:443 | https://login.live.com/RST2.srf | US | xml | 10.3 Kb | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | Not routed | | whitelisted
2328 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
8124 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
6768 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
 | | 172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4 | System | 192.168.100.255:138 | | Not routed | | whitelisted
2328 | RUXIMICS.exe | 23.216.77.25:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted
8124 | svchost.exe | 23.216.77.25:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted
6768 | MoUsoCoreWorker.exe | 23.216.77.25:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted
356 | svchost.exe | 20.190.160.5:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 4.231.128.59
whitelisted
self.events.data.microsoft.com
  • 20.189.173.11
  • 40.79.141.154
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
google.com
  • 172.217.16.206
whitelisted
crl.microsoft.com
  • 23.216.77.25
  • 23.216.77.29
  • 23.216.77.22
  • 23.216.77.21
  • 23.216.77.39
  • 23.216.77.32
  • 23.216.77.35
  • 23.216.77.26
  • 23.216.77.28
  • 2.16.164.49
  • 2.16.164.120
whitelisted
login.live.com
  • 20.190.160.5
  • 20.190.160.3
  • 20.190.160.67
  • 40.126.32.140
  • 20.190.160.130
  • 20.190.160.132
  • 20.190.160.66
  • 20.190.160.20
whitelisted
slscr.update.microsoft.com
  • 135.233.95.144
whitelisted
www.microsoft.com
  • 23.52.181.212
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.165.94.54
whitelisted
github.com
  • 140.82.121.4
whitelisted

Threats

PID | Process | Class | Message
 | | Misc activity | ET INFO Observed UA-CPU Header
2432 | Velostrap.exe | Misc activity | ET INFO Observed UA-CPU Header
No debug info