| File name: | Velostrap.exe |
| Full analysis: | https://app.any.run/tasks/0c5b9ad8-d79a-40da-80e3-52af74359ae5 |
| Verdict: | Malicious activity |
| Analysis date: | January 16, 2026, 12:53:30 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows, 12 sections |
| MD5: | BB4955947ADB2A3149BEC064FB5D95E2 |
| SHA1: | 2F41482A8C9CBEB5C6D267F4185ACC9AB904C326 |
| SHA256: | 8C494DBD107A295C0EDEDD573E93DBEFB19DDDCEEDF8189908A22DADF1848435 |
| SSDEEP: | 98304:Ybw/g6GeUIGmUHof18EK5NmlvgciR2U0CyHoPQMEy+Al71J3GIWqSqmS/EwJay8r:79SRmWXppJYLjYssPnFq/VH9R6p0F |
MALICIOUS
No malicious indicators.SUSPICIOUS
The process drops C-runtime libraries
- Velostrap.exe (PID: 7556)
Process drops python dynamic module
- Velostrap.exe (PID: 7556)
NUITKA compiler has been detected
- Velostrap.exe (PID: 7556)
Reads security settings of Internet Explorer
- Velostrap.exe (PID: 7556)
Application launched itself
- Velostrap.exe (PID: 7556)
Loads Python modules
- Velostrap.exe (PID: 3220)
Executable content was dropped or overwritten
- Velostrap.exe (PID: 7556)
Process drops legitimate windows executable
- Velostrap.exe (PID: 7556)
INFO
Checks supported languages
- Velostrap.exe (PID: 7556)
- Velostrap.exe (PID: 3220)
Create files in a temporary directory
- Velostrap.exe (PID: 7556)
Reads the computer name
- Velostrap.exe (PID: 7556)
Drops script file
- Velostrap.exe (PID: 7556)
The sample compiled with english language support
- Velostrap.exe (PID: 7556)
Checks proxy server information
- slui.exe (PID: 5284)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win64 Executable (generic) (87.3) |
|---|---|---|
| .exe | | | Generic Win/DOS Executable (6.3) |
| .exe | | | DOS Executable Generic (6.3) |
EXIF
EXE
| MachineType: | AMD AMD64 |
|---|---|
| TimeStamp: | 2026:01:16 07:46:07+00:00 |
| ImageFileCharacteristics: | Executable, No line numbers, No symbols, Large address aware, No debug |
| PEType: | PE32+ |
| LinkerVersion: | 2.43 |
| CodeSize: | 128000 |
| InitializedDataSize: | 19173376 |
| UninitializedDataSize: | 163328 |
| EntryPoint: | 0x1125 |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 5.2 |
| Subsystem: | Windows command line |
Total processes
144
Monitored processes
4
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 3220 | C:\Users\admin\Desktop\Velostrap.exe | C:\Users\admin\Desktop\Velostrap.exe | — | Velostrap.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 5284 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7556 | "C:\Users\admin\Desktop\Velostrap.exe" | C:\Users\admin\Desktop\Velostrap.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 7564 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | Velostrap.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
3 989
Read events
3 989
Write events
0
Delete events
0
Modification events
Executable files
46
Suspicious files
3
Text files
928
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 7556 | Velostrap.exe | C:\Users\admin\AppData\Local\Temp\onefile_7556_134130416225861816\Velostrap-obf.dll | — | |
MD5:— | SHA256:— | |||
| 7556 | Velostrap.exe | C:\Users\admin\AppData\Local\Temp\onefile_7556_134130416225861816\libssl-1_1.dll | executable | |
MD5:8769ADAFCA3A6FC6EF26F01FD31AFA84 | SHA256:2AEBB73530D21A2273692A5A3D57235B770DAF1C35F60C74E01754A5DAC05071 | |||
| 7556 | Velostrap.exe | C:\Users\admin\AppData\Local\Temp\onefile_7556_134130416225861816\_multiprocessing.pyd | executable | |
MD5:1386DBC6DCC5E0BE6FEF05722AE572EC | SHA256:0AE3BF383FF998886F97576C55D6BF0A076C24395CF6FCD2265316E9A6E8C007 | |||
| 7556 | Velostrap.exe | C:\Users\admin\AppData\Local\Temp\onefile_7556_134130416225861816\_socket.pyd | executable | |
MD5:8140BDC5803A4893509F0E39B67158CE | SHA256:39715EF8D043354F0AB15F62878530A38518FB6192BC48DA6A098498E8D35769 | |||
| 7556 | Velostrap.exe | C:\Users\admin\AppData\Local\Temp\onefile_7556_134130416225861816\_overlapped.pyd | executable | |
MD5:01AD7CA8BC27F92355FD2895FC474157 | SHA256:A083E83F609ED7A2FC18A95D44D8F91C9DC74842F33E19E91988E84DB94C3B5B | |||
| 7556 | Velostrap.exe | C:\Users\admin\AppData\Local\Temp\onefile_7556_134130416225861816\_elementtree.pyd | executable | |
MD5:63629A705BFFCA85CE6A4539BFBDD760 | SHA256:DF71D64818CFECD61AD0122BEA23B685D01BD241F1B06879A2999917818B0787 | |||
| 7556 | Velostrap.exe | C:\Users\admin\AppData\Local\Temp\onefile_7556_134130416225861816\_hashlib.pyd | executable | |
MD5:DE4D104EA13B70C093B07219D2EFF6CB | SHA256:39BC615842A176DB72D4E0558F3CDCAE23AB0623AD132F815D21DCFBFD4B110E | |||
| 7556 | Velostrap.exe | C:\Users\admin\AppData\Local\Temp\onefile_7556_134130416225861816\_cffi_backend.pyd | executable | |
MD5:D73E60E5DDD70625FD0092677CFF5628 | SHA256:8100F667A3F64EEB37B9326D0C53A931E0EA3CEA4ADE5DBDC638C368355C0948 | |||
| 7556 | Velostrap.exe | C:\Users\admin\AppData\Local\Temp\onefile_7556_134130416225861816\_lzma.pyd | executable | |
MD5:337B0E65A856568778E25660F77BC80A | SHA256:613DE58E4A9A80EFF8F8BC45C350A6EAEBF89F85FFD2D7E3B0B266BF0888A60A | |||
| 7556 | Velostrap.exe | C:\Users\admin\AppData\Local\Temp\onefile_7556_134130416225861816\_asyncio.pyd | executable | |
MD5:2859C39887921DAD2FF41FEDA44FE174 | SHA256:AEBC378DB08617EA81A0A3A3BC044BCC7E6303E314630392DD51BAB12F879BD9 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
41
TCP/UDP connections
40
DNS requests
17
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
6768 | MoUsoCoreWorker.exe | GET | 200 | 23.216.77.42:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
1188 | svchost.exe | GET | 200 | 23.216.77.42:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
356 | RUXIMICS.exe | GET | 200 | 23.216.77.42:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
1188 | svchost.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
6768 | MoUsoCoreWorker.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
356 | RUXIMICS.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
— | — | POST | 200 | 20.190.160.65:443 | https://login.live.com/RST2.srf | unknown | xml | 11.1 Kb | unknown |
8056 | SIHClient.exe | GET | 200 | 52.165.164.15:443 | https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping | unknown | — | — | whitelisted |
— | — | POST | 200 | 40.126.32.140:443 | https://login.live.com/RST2.srf | unknown | xml | 10.3 Kb | unknown |
8056 | SIHClient.exe | GET | 200 | 74.179.77.204:443 | https://slscr.update.microsoft.com/sls/ping | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | Not routed | — | whitelisted |
1188 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
356 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
6768 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
4 | System | 192.168.100.255:138 | — | Not routed | — | whitelisted |
— | — | 172.211.123.249:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
1188 | svchost.exe | 23.216.77.42:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted |
6768 | MoUsoCoreWorker.exe | 23.216.77.42:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted |
356 | RUXIMICS.exe | 23.216.77.42:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted |
1188 | svchost.exe | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
client.wns.windows.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
login.live.com |
| whitelisted |
slscr.update.microsoft.com |
| whitelisted |
fe3cr.delivery.mp.microsoft.com |
| whitelisted |
self.events.data.microsoft.com |
| whitelisted |
activation-v2.sls.microsoft.com |
| whitelisted |