File name: Velostrap.exe

Full analysis: https://app.any.run/tasks/f5d0c8bb-f9f0-479c-8981-0de33a4cfce1
Verdict: Malicious activity
Analysis date: February 20, 2026, 17:03:53
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
nuitka
python
pyinstaller
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows, 12 sections
MD5: 5ED7A45AA936A7095E1D077EE30083EA
SHA1: 48C9F985DBD06A6C86B454A813F820F9C6F0F521
SHA256: 0B0755559D2B31FDA01598F79E361B7DF8E5F9161FAFEB3711F8D26EFF23D7D4
SSDEEP: 196608:YQ64K8pMhHdiWFCUtu1GJMmiXoDFq9EKjO:YaK8pMfiWFRA1GJdiwq

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • The process drops C-runtime libraries

      • Velostrap.exe (PID: 5184)
    • Executable content was dropped or overwritten

      • Velostrap.exe (PID: 5184)
    • NUITKA compiler has been detected

      • Velostrap.exe (PID: 5184)
    • Loads Python modules

      • Velostrap.exe (PID: 1868)
    • Application launched itself

      • Velostrap.exe (PID: 5184)
    • Process drops python dynamic module

      • Velostrap.exe (PID: 5184)
    • Reads Internet Explorer settings

      • Velostrap.exe (PID: 1868)
    • Reads Microsoft Outlook installation path

      • Velostrap.exe (PID: 1868)
  • INFO

    • Create files in a temporary directory

      • Velostrap.exe (PID: 5184)
    • The sample compiled with english language support

      • Velostrap.exe (PID: 5184)
    • Checks supported languages

      • Velostrap.exe (PID: 5184)
      • Velostrap.exe (PID: 1868)
    • Reads the computer name

      • Velostrap.exe (PID: 1868)
    • Drops script file

      • Velostrap.exe (PID: 5184)
      • Velostrap.exe (PID: 1868)
    • Checks operating system version

      • Velostrap.exe (PID: 1868)
    • Checks proxy server information

      • Velostrap.exe (PID: 1868)
      • slui.exe (PID: 8284)
    • Reads security settings of Internet Explorer

      • Velostrap.exe (PID: 1868)
    • Creates files or folders in the user directory

      • Velostrap.exe (PID: 1868)
    • Reads the machine GUID from the registry

      • Velostrap.exe (PID: 1868)
    • There is functionality for taking screenshot (YARA)

      • Velostrap.exe (PID: 1868)
    • PyInstaller has been detected (YARA)

      • Velostrap.exe (PID: 1868)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2026:02:20 05:43:44+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Large address aware, No debug
PEType: PE32+
LinkerVersion: 2.43
CodeSize: 128000
InitializedDataSize: 19198464
UninitializedDataSize: 163328
EntryPoint: 0x1125
OSVersion: 4
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows command line
No data.
All screenshots are available in the full report
Total processes
147
Monitored processes
7
Malicious processes
1
Suspicious processes
1

Behavior graph

start: velostrap.exe, conhost.exe (no specs), velostrap.exe, cmd.exe (no specs), slui.exe, updater.exe (no specs), updater.exe (no specs)

Process information

PID | CMD | Path | Indicators | Parent process
1868 | C:\Users\admin\Desktop\Velostrap.exe | C:\Users\admin\Desktop\Velostrap.exe | - | Velostrap.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\velostrap.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
4144 | C:\WINDOWS\system32\cmd.exe /c "ver" | C:\Windows\System32\cmd.exe | - | Velostrap.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
5184 | "C:\Users\admin\Desktop\Velostrap.exe" | C:\Users\admin\Desktop\Velostrap.exe | - | explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\velostrap.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
5788 | "C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=134.0.6985.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2a4,0x139c460,0x139c46c,0x139c478 | C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe | - | updater.exe
User:
SYSTEM
Company:
Google LLC
Integrity Level:
SYSTEM
Description:
Google Updater
Exit code:
0
Version:
134.0.6985.0
Modules
Images
c:\program files (x86)\google\googleupdater\134.0.6985.0\updater.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
7956 | "C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe" --wake --system | C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe | - | svchost.exe
User:
SYSTEM
Company:
Google LLC
Integrity Level:
SYSTEM
Description:
Google Updater
Exit code:
0
Version:
134.0.6985.0
Modules
Images
c:\program files (x86)\google\googleupdater\134.0.6985.0\updater.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
8284 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | - | svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
8352 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | - | Velostrap.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
7 675
Read events
7 671
Write events
4
Delete events
0

Modification events

(PID) Process: (1868) Velostrap.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_96DPI_PIXEL | Operation: write | Name: python.exe | Value: 1
(PID) Process: (1868) Velostrap.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | Operation: write | Name: CachePrefix | Value: (empty)
(PID) Process: (1868) Velostrap.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | Operation: write | Name: CachePrefix | Value: Cookie:
(PID) Process: (1868) Velostrap.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | Operation: write | Name: CachePrefix | Value: Visited:
Executable files
47
Suspicious files
67
Text files
941
Unknown types
0

Dropped files

PID | Process | Filename | Type
5184 | Velostrap.exe | C:\Users\admin\AppData\Local\Temp\onefile_5184_134160806455196379\Velostrap.dll | -
MD5: - | SHA256: -
5184 | Velostrap.exe | C:\Users\admin\AppData\Local\Temp\onefile_5184_134160806455196379\_hashlib.pyd | executable
MD5: DE4D104EA13B70C093B07219D2EFF6CB | SHA256: 39BC615842A176DB72D4E0558F3CDCAE23AB0623AD132F815D21DCFBFD4B110E
5184 | Velostrap.exe | C:\Users\admin\AppData\Local\Temp\onefile_5184_134160806455196379\_brotli.pyd | executable
MD5: D9FC15CAF72E5D7F9A09B675E309F71D | SHA256: 1FCD75B03673904D9471EC03C0EF26978D25135A2026020E679174BDEF976DCF
5184 | Velostrap.exe | C:\Users\admin\AppData\Local\Temp\onefile_5184_134160806455196379\_decimal.pyd | executable
MD5: D47E6ACF09EAD5774D5B471AB3AB96FF | SHA256: D0DF57988A74ACD50B2D261E8B5F2C25DA7B940EC2AAFBEE444C277552421E6E
5184 | Velostrap.exe | C:\Users\admin\AppData\Local\Temp\onefile_5184_134160806455196379\_cffi_backend.pyd | executable
MD5: D73E60E5DDD70625FD0092677CFF5628 | SHA256: 8100F667A3F64EEB37B9326D0C53A931E0EA3CEA4ADE5DBDC638C368355C0948
5184 | Velostrap.exe | C:\Users\admin\AppData\Local\Temp\onefile_5184_134160806455196379\_asyncio.pyd | executable
MD5: 2859C39887921DAD2FF41FEDA44FE174 | SHA256: AEBC378DB08617EA81A0A3A3BC044BCC7E6303E314630392DD51BAB12F879BD9
5184 | Velostrap.exe | C:\Users\admin\AppData\Local\Temp\onefile_5184_134160806455196379\_ctypes.pyd | executable
MD5: 6A9CA97C039D9BBB7ABF40B53C851198 | SHA256: E662D2B35BB48C5F3432BDE79C0D20313238AF800968BA0FAA6EA7E7E5EF4535
5184 | Velostrap.exe | C:\Users\admin\AppData\Local\Temp\onefile_5184_134160806455196379\_queue.pyd | executable
MD5: FF8300999335C939FCCE94F2E7F039C0 | SHA256: 2F71046891BA279B00B70EB031FE90B379DBE84559CF49CE5D1297EA6BF47A78
5184 | Velostrap.exe | C:\Users\admin\AppData\Local\Temp\onefile_5184_134160806455196379\_bz2.pyd | executable
MD5: 4101128E19134A4733028CFAAFC2F3BB | SHA256: 5843872D5E2B08F138A71FE9BA94813AFEE59C8B48166D4A8EB0F606107A7E80
5184 | Velostrap.exe | C:\Users\admin\AppData\Local\Temp\onefile_5184_134160806455196379\_elementtree.pyd | executable
MD5: 63629A705BFFCA85CE6A4539BFBDD760 | SHA256: DF71D64818CFECD61AD0122BEA23B685D01BD241F1B06879A2999917818B0787
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
198
TCP/UDP connections
53
DNS requests
24
Threats
1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
7644 | SIHClient.exe | GET | 304 | 135.233.95.144:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | - | - | whitelisted
7644 | SIHClient.exe | GET | 200 | 20.165.94.54:443 | https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping | unknown | - | - | whitelisted
- | - | POST | 200 | 20.190.159.4:443 | https://login.live.com/RST2.srf | unknown | text | 11.1 Kb | whitelisted
9088 | svchost.exe | GET | 200 | 184.24.77.11:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
6768 | MoUsoCoreWorker.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | POST | 200 | 20.190.159.2:443 | https://login.live.com/RST2.srf | unknown | text | 10.3 Kb | whitelisted
7644 | SIHClient.exe | GET | 200 | 135.233.95.144:443 | https://slscr.update.microsoft.com/sls/ping | unknown | - | - | whitelisted
- | - | POST | 200 | 20.190.159.23:443 | https://login.live.com/RST2.srf | unknown | text | 10.3 Kb | whitelisted
7644 | SIHClient.exe | GET | 304 | 74.178.76.128:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | - | - | whitelisted
356 | svchost.exe | POST | 200 | 40.126.32.74:443 | https://login.live.com/RST2.srf | unknown | text | 10.3 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4 | System | 192.168.100.255:137 | - | Not routed | - | whitelisted
- | - | 172.211.123.250:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4 | System | 192.168.100.255:138 | - | Not routed | - | whitelisted
9088 | svchost.exe | 184.24.77.11:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted
- | - | 184.24.77.11:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted
6768 | MoUsoCoreWorker.exe | 184.24.77.11:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted
9088 | svchost.exe | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | US | whitelisted
- | - | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | US | whitelisted
6768 | MoUsoCoreWorker.exe | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | US | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.104.136.2
whitelisted
self.events.data.microsoft.com
  • 40.79.141.152
  • 13.69.116.105
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
google.com
  • 142.251.141.142
whitelisted
crl.microsoft.com
  • 184.24.77.11
  • 184.24.77.6
  • 184.24.77.35
  • 184.24.77.37
  • 184.24.77.42
  • 2.16.164.106
  • 2.16.164.88
  • 2.16.164.34
  • 2.16.164.66
  • 2.16.164.75
  • 2.16.164.83
  • 2.16.164.98
  • 2.16.164.73
  • 2.16.164.90
whitelisted
www.microsoft.com
  • 88.221.169.152
  • 23.52.181.212
whitelisted
login.live.com
  • 40.126.32.74
  • 40.126.32.138
  • 20.190.160.20
  • 20.190.160.65
  • 20.190.160.3
  • 20.190.160.66
  • 20.190.160.17
  • 20.190.160.4
  • 20.190.159.4
  • 40.126.31.131
  • 40.126.31.0
  • 40.126.31.1
  • 40.126.31.130
  • 40.126.31.2
  • 20.190.159.130
  • 20.190.159.23
whitelisted
slscr.update.microsoft.com
  • 135.233.95.144
  • 74.178.76.128
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.165.94.54
whitelisted
imtheo.lol
  • 188.114.96.3
  • 188.114.97.3
unknown

Threats

PID | Process | Class | Message
1868 | Velostrap.exe | Misc activity | ET INFO Observed UA-CPU Header
No debug info