File name:

Velostrap.exe

Full analysis: https://app.any.run/tasks/1c6c4f38-a015-4a4d-b6fc-5a7b46dcc4c4
Verdict: Malicious activity
Analysis date: February 16, 2026, 19:24:16
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
nuitka
github
python
pyinstaller
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows, 12 sections
MD5:

9B6E5AA60223394E5F8B952A22615D20

SHA1:

FBB6E0B87B79010142B76FFD583334B409516F5A

SHA256:

F73882011B0A3C42A4B1616C1E17D66BF3FA0A804BC904A862ACA8D5BEBD1829

SSDEEP:

196608:xMWhmFgwGDLrMGirF5M04gKoW4CPu1HT60m6QG:GWUmwWMFF5MsB8PyW0pQG

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Process drops python dynamic module

      • Velostrap.exe (PID: 6336)
    • Process drops legitimate windows executable

      • Velostrap.exe (PID: 6336)
    • Application launched itself

      • Velostrap.exe (PID: 6336)
    • Starts CMD.EXE for commands execution

      • Velostrap.exe (PID: 8852)
    • Reads Microsoft Outlook installation path

      • Velostrap.exe (PID: 8852)
    • Reads Internet Explorer settings

      • Velostrap.exe (PID: 8852)
    • Executable content was dropped or overwritten

      • Velostrap.exe (PID: 6336)
    • NUITKA compiler has been detected

      • Velostrap.exe (PID: 6336)
    • The process drops C-runtime libraries

      • Velostrap.exe (PID: 6336)
    • Loads Python modules

      • Velostrap.exe (PID: 8852)
  • INFO

    • The sample compiled with english language support

      • Velostrap.exe (PID: 6336)
    • Checks supported languages

      • Velostrap.exe (PID: 6336)
      • Velostrap.exe (PID: 8852)
    • Drops script file

      • Velostrap.exe (PID: 6336)
      • Velostrap.exe (PID: 8852)
    • Reads the computer name

      • Velostrap.exe (PID: 8852)
    • Checks operating system version

      • Velostrap.exe (PID: 8852)
    • Reads the machine GUID from the registry

      • Velostrap.exe (PID: 8852)
    • Reads security settings of Internet Explorer

      • Velostrap.exe (PID: 8852)
    • Creates files or folders in the user directory

      • Velostrap.exe (PID: 8852)
    • There is functionality for taking screenshot (YARA)

      • Velostrap.exe (PID: 8852)
    • PyInstaller has been detected (YARA)

      • Velostrap.exe (PID: 8852)
    • Checks proxy server information

      • slui.exe (PID: 2220)
      • Velostrap.exe (PID: 8852)
    • Create files in a temporary directory

      • Velostrap.exe (PID: 6336)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2026:02:16 11:42:56+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Large address aware, No debug
PEType: PE32+
LinkerVersion: 2.43
CodeSize: 128000
InitializedDataSize: 19215360
UninitializedDataSize: 163328
EntryPoint: 0x1125
OSVersion: 4
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows command line
No data.
Total processes
143
Monitored processes
5
Malicious processes
1
Suspicious processes
1

Behavior graph

start velostrap.exe conhost.exe no specs velostrap.exe cmd.exe no specs slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 2220
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 6336
CMD: "C:\Users\admin\Desktop\Velostrap.exe"
Path: C:\Users\admin\Desktop\Velostrap.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\velostrap.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
PID: 6852
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: Velostrap.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 8708
CMD: C:\WINDOWS\system32\cmd.exe /c "ver"
Path: C:\Windows\System32\cmd.exe
Parent process: Velostrap.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
PID: 8852
CMD: C:\Users\admin\Desktop\Velostrap.exe
Path: C:\Users\admin\Desktop\Velostrap.exe
Parent process: Velostrap.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\velostrap.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
Total events
7 626
Read events
7 622
Write events
4
Delete events
0

Modification events

Process: Velostrap.exe (PID: 8852)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_96DPI_PIXEL
Operation: write
Name: python.exe
Value: 1

Process: Velostrap.exe (PID: 8852)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

Process: Velostrap.exe (PID: 8852)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

Process: Velostrap.exe (PID: 8852)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

Executable files
47
Suspicious files
57
Text files
950
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 6336
Process: Velostrap.exe
Filename: C:\Users\admin\AppData\Local\Temp\onefile_6336_134157434698613205\Velostrap.dll
MD5:
SHA256:
PID: 6336
Process: Velostrap.exe
Filename: C:\Users\admin\AppData\Local\Temp\onefile_6336_134157434698613205\_asyncio.pyd
Type: executable
MD5:2859C39887921DAD2FF41FEDA44FE174
SHA256:AEBC378DB08617EA81A0A3A3BC044BCC7E6303E314630392DD51BAB12F879BD9
PID: 6336
Process: Velostrap.exe
Filename: C:\Users\admin\AppData\Local\Temp\onefile_6336_134157434698613205\_queue.pyd
Type: executable
MD5:FF8300999335C939FCCE94F2E7F039C0
SHA256:2F71046891BA279B00B70EB031FE90B379DBE84559CF49CE5D1297EA6BF47A78
PID: 6336
Process: Velostrap.exe
Filename: C:\Users\admin\AppData\Local\Temp\onefile_6336_134157434698613205\_ctypes.pyd
Type: executable
MD5:6A9CA97C039D9BBB7ABF40B53C851198
SHA256:E662D2B35BB48C5F3432BDE79C0D20313238AF800968BA0FAA6EA7E7E5EF4535
PID: 6336
Process: Velostrap.exe
Filename: C:\Users\admin\AppData\Local\Temp\onefile_6336_134157434698613205\_bz2.pyd
Type: executable
MD5:4101128E19134A4733028CFAAFC2F3BB
SHA256:5843872D5E2B08F138A71FE9BA94813AFEE59C8B48166D4A8EB0F606107A7E80
PID: 6336
Process: Velostrap.exe
Filename: C:\Users\admin\AppData\Local\Temp\onefile_6336_134157434698613205\_multiprocessing.pyd
Type: executable
MD5:1386DBC6DCC5E0BE6FEF05722AE572EC
SHA256:0AE3BF383FF998886F97576C55D6BF0A076C24395CF6FCD2265316E9A6E8C007
PID: 6336
Process: Velostrap.exe
Filename: C:\Users\admin\AppData\Local\Temp\onefile_6336_134157434698613205\_decimal.pyd
Type: executable
MD5:D47E6ACF09EAD5774D5B471AB3AB96FF
SHA256:D0DF57988A74ACD50B2D261E8B5F2C25DA7B940EC2AAFBEE444C277552421E6E
PID: 6336
Process: Velostrap.exe
Filename: C:\Users\admin\AppData\Local\Temp\onefile_6336_134157434698613205\_elementtree.pyd
Type: executable
MD5:63629A705BFFCA85CE6A4539BFBDD760
SHA256:DF71D64818CFECD61AD0122BEA23B685D01BD241F1B06879A2999917818B0787
PID: 6336
Process: Velostrap.exe
Filename: C:\Users\admin\AppData\Local\Temp\onefile_6336_134157434698613205\_overlapped.pyd
Type: executable
MD5:01AD7CA8BC27F92355FD2895FC474157
SHA256:A083E83F609ED7A2FC18A95D44D8F91C9DC74842F33E19E91988E84DB94C3B5B
PID: 6336
Process: Velostrap.exe
Filename: C:\Users\admin\AppData\Local\Temp\onefile_6336_134157434698613205\_lzma.pyd
Type: executable
MD5:337B0E65A856568778E25660F77BC80A
SHA256:613DE58E4A9A80EFF8F8BC45C350A6EAEBF89F85FFD2D7E3B0B266BF0888A60A
HTTP(S) requests
165
TCP/UDP connections
28
DNS requests
15
Threats
3

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
8852
Velostrap.exe
GET
302
104.26.2.143:443
https://cdn.tailwindcss.com/
unknown
unknown
2328
svchost.exe
GET
200
23.48.23.11:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
23.48.23.11:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
302
104.26.2.143:443
https://cdn.tailwindcss.com/
unknown
6768
MoUsoCoreWorker.exe
GET
200
23.48.23.11:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
104.26.3.143:443
https://cdn.tailwindcss.com/3.4.17
unknown
text
397 Kb
unknown
8852
Velostrap.exe
GET
200
104.26.2.143:443
https://cdn.tailwindcss.com/3.4.17
unknown
text
397 Kb
unknown
8852
Velostrap.exe
GET
200
142.250.180.234:443
https://fonts.googleapis.com/css2?family=Inter:wght@300;400;500;600&display=swap
unknown
text
233 b
whitelisted
GET
200
142.250.180.234:443
https://fonts.googleapis.com/css2?family=Inter:wght@300;400;500;600&display=swap
unknown
text
233 b
unknown
GET
200
142.250.180.234:443
https://fonts.googleapis.com/css2?family=Material+Symbols+Rounded:opsz,wght,FILL,GRAD@20..48,100..700,0..1,-50..200
unknown
text
20.1 Kb
unknown

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
Not routed
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
92.123.104.29:443
www.bing.com
AKAMAI-ASN1
NL
whitelisted
4
System
192.168.100.255:138
Not routed
whitelisted
2328
svchost.exe
23.48.23.11:80
crl.microsoft.com
AKAMAI-ASN1
NL
whitelisted
23.48.23.11:80
crl.microsoft.com
AKAMAI-ASN1
NL
whitelisted
6768
MoUsoCoreWorker.exe
23.48.23.11:80
crl.microsoft.com
AKAMAI-ASN1
NL
whitelisted
2328
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
8852
Velostrap.exe
185.199.111.133:443
raw.githubusercontent.com
FASTLY
US
whitelisted
8852
Velostrap.exe
104.26.2.143:443
cdn.tailwindcss.com
CLOUDFLARENET
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
self.events.data.microsoft.com
  • 20.44.10.122
  • 51.105.71.136
whitelisted
www.bing.com
  • 92.123.104.29
  • 92.123.104.24
  • 92.123.104.30
  • 92.123.104.31
  • 92.123.104.21
  • 92.123.104.23
  • 92.123.104.32
  • 92.123.104.37
  • 92.123.104.34
whitelisted
google.com
  • 142.250.203.142
whitelisted
crl.microsoft.com
  • 23.48.23.11
  • 23.48.23.9
  • 23.48.23.29
  • 23.48.23.60
  • 23.48.23.13
  • 23.48.23.57
  • 23.48.23.50
  • 23.48.23.51
  • 23.48.23.58
  • 23.48.23.38
whitelisted
raw.githubusercontent.com
  • 185.199.111.133
  • 185.199.110.133
  • 185.199.109.133
  • 185.199.108.133
whitelisted
cdn.tailwindcss.com
  • 104.26.2.143
  • 172.67.68.11
  • 104.26.3.143
whitelisted
fonts.googleapis.com
  • 142.250.180.234
whitelisted
fonts.gstatic.com
  • 142.250.180.195
whitelisted
activation-v2.sls.microsoft.com
  • 48.192.1.64
whitelisted

Threats

PID
Process
Class
Message
2292
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] Attempting to access raw user content on GitHub
Misc activity
ET INFO Observed UA-CPU Header
8852
Velostrap.exe
Misc activity
ET INFO Observed UA-CPU Header
No debug info