File name: Velocity.exe

Full analysis: https://app.any.run/tasks/74b910b8-4dc8-44be-8932-ff18dd650b05
Verdict: Malicious activity
Threats:

Stealers are a class of malicious software intended to gain unauthorized access to users’ information and transfer it to the attacker. The category includes various types of programs that each focus on a particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: April 06, 2026, 18:07:11
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: salatstealer, stealer, ms-smartcard, susp-powershell
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5: AF72DAB66D68AAADF72C1A7BD0463F2C
SHA1: 6BE37CD136BEFA1A6B26613A104F6B4F972020A4
SHA256: 269FF13DA1AA1A02D4CBA7A817053DB0FE6C1C224FEDB1AF40250155363C8DBC
SSDEEP: 98304:LUCk/mD6u3SRaOTGSGNSGqYrIAnOdY9I/vVRZs4vOaeefz6XwpB18RinXHW0hK20:4+Pb4t5gCpS66gpxtwc0QGFCl8Cqu

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • VeIocity.exe (PID: 6628)
      • VeIocity.exe (PID: 4712)
      • UserOOBEBroker.exe (PID: 1724)
      • UserOOBEBroker.exe (PID: 3120)
      • UserOOBEBroker.exe (PID: 3420)
    • SALATSTEALER mutex has been found

      • VeIocity.exe (PID: 4712)
      • UserOOBEBroker.exe (PID: 1724)
    • SALATSTEALER has been detected (SURICATA)

      • UserOOBEBroker.exe (PID: 1724)
      • VeIocity.exe (PID: 4712)
    • Steals credentials from Web Browsers

      • UserOOBEBroker.exe (PID: 1724)
  • SUSPICIOUS

    • Reads the date of Windows installation

      • Velocity.exe (PID: 6884)
    • Application launched itself

      • VeIocity.exe (PID: 6628)
    • Starts itself from another location

      • VeIocity.exe (PID: 4712)
      • UserOOBEBroker.exe (PID: 1724)
    • The process creates files with name similar to system file names

      • VeIocity.exe (PID: 4712)
      • UserOOBEBroker.exe (PID: 1724)
    • The process executes files with name similar to system file names

      • VeIocity.exe (PID: 4712)
    • Starts POWERSHELL.EXE for commands execution

      • UserOOBEBroker.exe (PID: 1724)
    • Possible stealing of messenger data

      • UserOOBEBroker.exe (PID: 1724)
    • Possible stealing from crypto wallets

      • UserOOBEBroker.exe (PID: 1724)
    • Gets path to any of the special folders (POWERSHELL)

      • powershell.exe (PID: 4704)
    • Multiple wallet extension IDs have been found

      • UserOOBEBroker.exe (PID: 1724)
  • INFO

    • Creates files or folders in the user directory

      • Velocity.exe (PID: 6884)
      • VeIocity.exe (PID: 4712)
    • Reads the computer name

      • Velocity.exe (PID: 6884)
      • Velocity.exe (PID: 2136)
      • VeIocity.exe (PID: 6628)
      • VeIocity.exe (PID: 4712)
      • UserOOBEBroker.exe (PID: 1724)
      • UserOOBEBroker.exe (PID: 3420)
      • UserOOBEBroker.exe (PID: 3120)
    • Reads the machine GUID from the registry

      • Velocity.exe (PID: 6884)
      • VeIocity.exe (PID: 4712)
      • UserOOBEBroker.exe (PID: 1724)
      • UserOOBEBroker.exe (PID: 3420)
      • UserOOBEBroker.exe (PID: 3120)
    • Checks supported languages

      • Velocity.exe (PID: 6884)
      • Velocity.exe (PID: 2136)
      • VeIocity.exe (PID: 6628)
      • VeIocity.exe (PID: 4712)
      • UserOOBEBroker.exe (PID: 1724)
      • UserOOBEBroker.exe (PID: 3420)
      • UserOOBEBroker.exe (PID: 3120)
    • Process checks computer location settings

      • Velocity.exe (PID: 6884)
      • VeIocity.exe (PID: 6628)
    • Reads security settings of Internet Explorer

      • VeIocity.exe (PID: 6628)
      • Velocity.exe (PID: 6884)
    • Create files in a temporary directory

      • VeIocity.exe (PID: 4712)
      • UserOOBEBroker.exe (PID: 1724)
    • Drops encrypted JS script (Microsoft Script Encoder)

      • UserOOBEBroker.exe (PID: 1724)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 4704)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 4704)
    • Found Base64 encoded access to Windows Defender via PowerShell (YARA)

      • UserOOBEBroker.exe (PID: 1724)
    • Found Base64 encoded access to environment variables via PowerShell (YARA)

      • UserOOBEBroker.exe (PID: 1724)
    • Checks current location (POWERSHELL)

      • powershell.exe (PID: 4704)
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (63.1)
.exe | Win64 Executable (generic) (23.8)
.dll | Win32 Dynamic Link Library (generic) (5.6)
.exe | Win32 Executable (generic) (3.8)
.exe | Generic Win/DOS Executable (1.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2026:03:03 16:42:08+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 11
CodeSize: 16183808
InitializedDataSize: 75264
UninitializedDataSize: -
EntryPoint: 0xf7115e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
CompanyName: VelocityLite
FileDescription: VelocityLite
FileVersion: 1.0.0.0
InternalName: Velocity.exe
LegalCopyright:
OriginalFileName: Velocity.exe
ProductName: VelocityLite
ProductVersion: 1.0.0.0
AssemblyVersion: 1.0.0.0
Total processes: 151
Monitored processes: 10
Malicious processes: 4
Suspicious processes: 2

Behavior graph

Graph nodes (in the order listed): start; velocity.exe (no specs); velocity.exe (no specs); velocity.exe; veiocity.exe (no specs); veiocity.exe (#SALATSTEALER); useroobebroker.exe (#SALATSTEALER); powershell.exe (no specs); conhost.exe (no specs); useroobebroker.exe (no specs); useroobebroker.exe (no specs)

Process information

PID | CMD | Path | Indicators | Parent process
PID: 1724
CMD: C:\Users\admin\AppData\Local\Google\UserOOBEBroker.exe
Path: C:\Users\admin\AppData\Local\Google\UserOOBEBroker.exe
Parent process: VeIocity.exe
User: admin
Integrity Level: HIGH
Modules
Images
c:\users\admin\appdata\local\google\useroobebroker.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 2136
CMD: "C:\Users\admin\AppData\Roaming\Velocity.exe"
Path: C:\Users\admin\AppData\Roaming\Velocity.exe
Parent process: Velocity.exe
User: admin
Company: VelocityLite
Integrity Level: HIGH
Description: VelocityLite
Version: 1.0.0.0
Modules
Images
c:\users\admin\appdata\roaming\velocity.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shell32.dll
PID: 3120
CMD: "C:\Program Files\Google\Chrome\Application\UserOOBEBroker.exe" -
Path: C:\Program Files\Google\Chrome\Application\UserOOBEBroker.exe
Parent process: UserOOBEBroker.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules
Images
c:\program files\google\chrome\application\useroobebroker.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 3420
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\UserOOBEBroker.exe" -
Path: C:\Program Files (x86)\Microsoft\Edge\Application\UserOOBEBroker.exe
Parent process: UserOOBEBroker.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules
Images
c:\program files (x86)\microsoft\edge\application\useroobebroker.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 4704
CMD: powershell.exe
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Parent process: UserOOBEBroker.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows PowerShell
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 4712
CMD: "C:\Users\admin\VeIocity.exe"
Path: C:\Users\admin\VeIocity.exe
Parent process: VeIocity.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules
Images
c:\users\admin\veiocity.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 6108
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 6628
CMD: "C:\Users\admin\VeIocity.exe"
Path: C:\Users\admin\VeIocity.exe
Parent process: Velocity.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules
Images
c:\users\admin\veiocity.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 6884
CMD: "C:\Users\admin\Desktop\Velocity.exe"
Path: C:\Users\admin\Desktop\Velocity.exe
Parent process: explorer.exe
User: admin
Company: VelocityLite
Integrity Level: MEDIUM
Description: VelocityLite
Exit code: 0
Version: 1.0.0.0
Modules
Images
c:\users\admin\desktop\velocity.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 8116
CMD: "C:\Users\admin\AppData\Roaming\Velocity.exe"
Path: C:\Users\admin\AppData\Roaming\Velocity.exe
Parent process: Velocity.exe
User: admin
Company: VelocityLite
Integrity Level: MEDIUM
Description: VelocityLite
Exit code: 3221226540
Version: 1.0.0.0
Modules
Images
c:\users\admin\appdata\roaming\velocity.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
Total events: 8 349
Read events: 8 349
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 0
Suspicious files: 0
Text files: 4
Unknown types: 7

Dropped files

PID | Process | Filename | Type
6884 | Velocity.exe | C:\Users\admin\AppData\Roaming\Velocity.exe | -
MD5:
SHA256:
4712 | VeIocity.exe | C:\Users\admin\AppData\Local\Google\UserOOBEBroker.exe | binary
MD5:9D2805E236077C04E19F8A43C850CF62
SHA256:D446216E859C3FFF2B4E6481FD8FA05C539449B9556B6F435719ECF0BC616796
6884 | Velocity.exe | C:\Users\admin\VeIocity.exe | binary
MD5:9D2805E236077C04E19F8A43C850CF62
SHA256:D446216E859C3FFF2B4E6481FD8FA05C539449B9556B6F435719ECF0BC616796
4712 | VeIocity.exe | C:\Users\admin\AppData\Local\Temp\payload_debug.log | binary
MD5:AA346778D4BFB8D769EE48F233013B27
SHA256:3C340ED96EB7266ACA4E57C99791C0B8C6699E8C78ED33DDC0EFB0485CC914B8
4712 | VeIocity.exe | C:\Program Files (x86)\Microsoft\winlogon.exe | binary
MD5:9D2805E236077C04E19F8A43C850CF62
SHA256:D446216E859C3FFF2B4E6481FD8FA05C539449B9556B6F435719ECF0BC616796
1724 | UserOOBEBroker.exe | C:\Program Files (x86)\Microsoft\Edge\Application\UserOOBEBroker.exe | binary
MD5:9D2805E236077C04E19F8A43C850CF62
SHA256:D446216E859C3FFF2B4E6481FD8FA05C539449B9556B6F435719ECF0BC616796
4704 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_aat1bbbe.be2.psm1 | text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
4704 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_hnzrzrf4.qkw.ps1 | text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
4704 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_3fscii3o.1hx.ps1 | text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
1724 | UserOOBEBroker.exe | C:\Program Files\Google\Chrome\Application\UserOOBEBroker.exe | binary
MD5:9D2805E236077C04E19F8A43C850CF62
SHA256:D446216E859C3FFF2B4E6481FD8FA05C539449B9556B6F435719ECF0BC616796
HTTP(S) requests: 10
TCP/UDP connections: 28
DNS requests: 10
Threats: 11

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3044 | svchost.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | US | binary | 814 b | whitelisted
572 | slui.exe | POST | 500 | 128.24.231.64:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | US | binary | 512 b | whitelisted
3280 | svchost.exe | GET | 200 | 23.59.18.102:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Time-Stamp%20PCA%202010(1).crl | US | binary | 814 b | whitelisted
572 | slui.exe | POST | 500 | 128.24.231.64:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | US | binary | 512 b | whitelisted
3280 | svchost.exe | GET | 200 | 23.59.18.102:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.3.crl | US | binary | 400 b | whitelisted
3280 | svchost.exe | GET | 200 | 23.59.18.102:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl | US | binary | 400 b | whitelisted
3280 | svchost.exe | GET | 200 | 23.59.18.102:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl | US | binary | 813 b | whitelisted
3044 | svchost.exe | GET | 200 | 23.55.110.211:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 825 b | whitelisted
3280 | svchost.exe | GET | 200 | 2.16.164.49:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | NL | binary | 824 b | whitelisted
3280 | svchost.exe | GET | 200 | 23.59.18.102:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.3.crl | US | binary | 813 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | Not routed | - | whitelisted
5276 | MoUsoCoreWorker.exe | 51.124.78.146:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
- | - | 128.24.231.64:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
- | - | 2.16.241.218:443 | www.bing.com | AKAMAI-ASN1 | NL | whitelisted
- | - | 51.124.78.146:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4 | System | 192.168.100.255:138 | - | Not routed | - | whitelisted
3044 | svchost.exe | 23.55.110.211:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted
3044 | svchost.exe | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | US | whitelisted
572 | slui.exe | 128.24.231.64:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
5208 | svchost.exe | 51.124.78.146:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain | IP | Reputation
activation-v2.sls.microsoft.com | 128.24.231.64 | whitelisted
www.bing.com | 2.16.241.218, 2.16.241.222, 2.16.241.207, 2.16.241.206, 2.16.241.204, 2.16.241.211 | whitelisted
google.com | 172.217.20.142 | whitelisted
crl.microsoft.com | 23.55.110.211, 23.55.110.193, 2.16.164.49, 2.16.164.120 | whitelisted
www.microsoft.com | 88.221.169.152, 23.59.18.102 | whitelisted
settings-win.data.microsoft.com | 51.104.136.2 | whitelisted
dns.google | 8.8.4.4, 8.8.8.8 | whitelisted
self.events.data.microsoft.com | 20.42.65.85 | whitelisted

Threats

PID | Process | Class | Message
2232 | svchost.exe | Misc activity | INFO [ANY.RUN] Google DNS-over-HTTPS service requested (dns. google)
4712 | VeIocity.exe | A Network Trojan was detected | MALWARE [ANY.RUN] Win32/Salatstealer JA3 hash observed
4712 | VeIocity.exe | A Network Trojan was detected | MALWARE [ANY.RUN] Win32/Salatstealer JA3 hash observed
4712 | VeIocity.exe | A Network Trojan was detected | MALWARE [ANY.RUN] Win32/Salatstealer JA3 hash observed
4712 | VeIocity.exe | A Network Trojan was detected | MALWARE [ANY.RUN] Salatstealer related domain (salator .es)
4712 | VeIocity.exe | A Network Trojan was detected | MALWARE [ANY.RUN] Win32/Salatstealer JA3 hash observed
1724 | UserOOBEBroker.exe | A Network Trojan was detected | MALWARE [ANY.RUN] Win32/Salatstealer JA3 hash observed
1724 | UserOOBEBroker.exe | A Network Trojan was detected | MALWARE [ANY.RUN] Win32/Salatstealer JA3 hash observed
1724 | UserOOBEBroker.exe | A Network Trojan was detected | MALWARE [ANY.RUN] Win32/Salatstealer JA3 hash observed
1724 | UserOOBEBroker.exe | A Network Trojan was detected | MALWARE [ANY.RUN] Salatstealer related domain (salator .es)
Process
Message
Velocity.exe
You must install .NET to run this application. App: C:\Users\admin\AppData\Roaming\Velocity.exe Architecture: x86 App host version: 10.0.0 .NET location: Not found The following locations were searched: Application directory: C:\Users\admin\AppData\Roaming\ Environment variable: DOTNET_ROOT_X86 = <not set> DOTNET_ROOT = <not set> Registered location: HKLM\SOFTWARE\dotnet\Setup\InstalledVersions\x86\InstallLocation = <not set> Default location: C:\Program Files (x86)\dotnet Learn more: https://aka.ms/dotnet/app-launch-failed Download the .NET runtime: https://aka.ms/dotnet-core-applaunch?missing_runtime=true&arch=x86&rid=win-x86&os=win10&apphost_version=10.0.0