File name:

DOCUMENTOS_680065571836633470065186_098320934.zip

Full analysis: https://app.any.run/tasks/4a79c5b6-d2fb-426b-95b9-23e50d64e30e
Verdict: Malicious activity
Analysis date: March 26, 2026, 17:42:16
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
arch-scr
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:

AA0A5C4BDD674DC51BC88712DD3B3E89

SHA1:

3F856F9B8A6A245302A3BF3047A1413394B7CD21

SHA256:

7E89F4C16E1FC3A09B83967EC1FDEE22DDE55FCD529AE954B0D5B6297C2D4C2C

SSDEEP:

192:EOFHejia5s1OM794beYurKgeMm/Kivy5MUKDSRYMC8arlJz4N2oi0VHPrKoIRyqh:EOUWa5U3BceygeMmlUo2Az8PLMyg

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Gets script object from HTTP/HTTPS (SCRIPT)

      • wscript.exe (PID: 8104)

  • SUSPICIOUS

    • The process executes VB scripts

      • wscript.exe (PID: 8104)

  • INFO

    • Manual execution by a user

      • vlc.exe (PID: 2680)
      • wscript.exe (PID: 8104)

    • Generic archive extractor

      • WinRAR.exe (PID: 2676)

    • Reads the computer name

      • vlc.exe (PID: 2680)

    • Checks supported languages

      • vlc.exe (PID: 2680)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2026:03:26 14:10:48
ZipCRC: 0x1f930790
ZipCompressedSize: 298
ZipUncompressedSize: 772
ZipFileName: 0065186_098320934.vbs
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
131
Monitored processes
3
Malicious processes
0
Suspicious processes
1

Behavior graph

Click at the process to see the details
start winrar.exe no specs vlc.exe wscript.exe

Process information

PID
CMD
Path
Indicators
Parent process
2676"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\DOCUMENTOS_680065571836633470065186_098320934.zipC:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
2680"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\admin\Desktop\0065186_098320934.mp3"C:\Program Files\VideoLAN\VLC\vlc.exe
explorer.exe
User:
admin
Company:
VideoLAN
Integrity Level:
MEDIUM
Description:
VLC media player
Exit code:
0
Version:
3.0.11
Modules
Images
c:\program files\videolan\vlc\vlc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
8104"C:\WINDOWS\System32\WScript.exe" "C:\Users\admin\Desktop\0065186_098320934.vbs" C:\Windows\System32\wscript.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.812.10240.16384
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
7 080
Read events
7 066
Write events
14
Delete events
0

Modification events

(PID) Process:(2676) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(2676) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(2676) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:3
Value:
C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:(2676) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:(2676) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Downloads\chromium_build 1.zip
(PID) Process:(2676) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\DOCUMENTOS_680065571836633470065186_098320934.zip
(PID) Process:(2676) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(2676) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(2676) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(2676) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
Executable files
4
Suspicious files
9
Text files
5
Unknown types
0

Dropped files

PID
Process
Filename
Type
2680vlc.exe
MD5:
SHA256:
2676WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2676.8620\0065186_098320934.mp3binary
MD5:42D71A498067877EF66D322991ECD3FF
SHA256:501161CB1E62848B3DDB0BB177E222F40AFF2778B82F4D732E6CBE398EE5A5C2
2680vlc.exeC:\Users\admin\AppData\Roaming\vlc\vlc-qt-interface.initext
MD5:9E18434FD257827DA8F56D441093DDA0
SHA256:C22FC70382947A1F08A2446F05D9597E16A91D165E72528C7D55D3C0EEC5AC55
2680vlc.exeC:\Users\admin\AppData\Roaming\vlc\vlc-qt-interface.ini.MO2680text
MD5:9E18434FD257827DA8F56D441093DDA0
SHA256:C22FC70382947A1F08A2446F05D9597E16A91D165E72528C7D55D3C0EEC5AC55
2680vlc.exeC:\Users\admin\AppData\Roaming\vlc\vlc-qt-interface.ini.locktext
MD5:DD4F51ADEEA840C1457AB2BE4F1589FB
SHA256:A6981285E09DB5770A1C7F49E80B7F890C9C693E7909C9885598F79EA51B9399
2680vlc.exeC:\Users\admin\AppData\Roaming\vlc\vlc-qt-interface.ini.qx2680text
MD5:56950980AC44F317338FF3D7D102A635
SHA256:06E32DC6D8EC8FA44D39B18F3DD1F1C43937336E8D7880F4172376A946C7AF0C
8104wscript.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12binary
MD5:4F53605EE73BF1920F9E0FBA0D5AD6E1
SHA256:70361FC5BD4A7FBFA22050CCD859760C6116CF7D33BDE25CB161D909D05030DC
2680vlc.exeC:\Users\admin\AppData\Roaming\vlc\ml.xspfxml
MD5:781602441469750C3219C8C38B515ED4
SHA256:81970DBE581373D14FBD451AC4B3F96E5F69B79645F1EE1CA715CFF3AF0BF20D
2676WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2676.8620\0065186_098320934.vbstext
MD5:165AB64D3A885C3EB7C812E4CFB08686
SHA256:DEDB29D7203E1C45432D6CA5A720117FBEFEC97627CCF5FB757AA0B4AFED9215
2680vlc.exeC:\Users\admin\AppData\Roaming\vlc\ml.xspf.tmp2680xml
MD5:781602441469750C3219C8C38B515ED4
SHA256:81970DBE581373D14FBD451AC4B3F96E5F69B79645F1EE1CA715CFF3AF0BF20D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
31
TCP/UDP connections
30
DNS requests
24
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
680
svchost.exe
GET
304
40.127.240.158:443
https://settings-win.data.microsoft.com/settings/v3.0/WSD/UpdateHealthTools?os=Windows&osVer=10.0.19041.1.amd64fre.vb_release.191206-&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=s:BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&sampleId=s:95271487&appVer=10.0.19041.3626&FlightRing=Retail&TelemetryLevel=1&HidOverGattReg=C%3A%5CWINDOWS%5CSystem32%5CDriverStore%5CFileRepository%5Chidbthle.inf_amd64_9610b4821fdf82a5%5CMicrosoft.Bluetooth.Profiles.HidOverGatt.dll&AppVer=&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&OEMModel=DELL&UpdateOfferedDays=4294967295&ProcessorManufacturer=AuthenticAMD&InstallDate=1661339444&OEMModelBaseBoard=&BranchReadinessLevel=CB&OEMSubModel=J5CR&IsCloudDomainJoined=0&DeferFeatureUpdatePeriodInDays=30&IsDeviceRetailDemo=0&FlightingBranchName=&OSUILocale=en-US&DeviceFamily=Windows.Desktop&WuClientVer=10.0.19041.3996&UninstallActive=1&IsFlightingEnabled=0&OSSkuId=48&ProcessorClockSpeed=3094&TotalPhysicalRAM=6144&SecureBootCapable=0&App=SedimentPack&ProcessorCores=6&CurrentBranch=vb_release&InstallLanguage=en-US&DeferQualityUpdatePeriodInDays=0&OEMName_Uncleaned=DELL&TPMVersion=0&PrimaryDiskTotalCapacity=262144&InstallationType=Client&AttrDataVer=186&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&IsEdgeWithChromiumInstalled=1&OSVersion=10.0.19045.4046&IsMDMEnrolled=0&ActivationChannel=Retail&FirmwareVersion=A.40&TrendInstalledKey=1&OSArchitecture=AMD64&DefaultUserRegion=244&UpdateManagementGroup=2
US
whitelisted
8104
wscript.exe
GET
302
188.114.96.3:443
https://stramancil.rotinaevolutiva.sbs/?1/
US
unknown
8104
wscript.exe
GET
301
142.251.208.174:443
https://www.youtube.com.br/
US
unknown
8104
wscript.exe
GET
302
142.251.110.93:443
https://www.youtube.com/?gl=BR
US
whitelisted
4236
SIHClient.exe
GET
304
74.178.240.61:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
US
whitelisted
4236
SIHClient.exe
GET
200
74.178.76.54:443
https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping
US
whitelisted
4236
SIHClient.exe
GET
200
74.178.240.61:443
https://slscr.update.microsoft.com/sls/ping
US
whitelisted
4236
SIHClient.exe
GET
304
74.178.240.61:443
https://slscr.update.microsoft.com/SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
US
whitelisted
5276
MoUsoCoreWorker.exe
GET
200
23.55.110.193:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
NL
binary
825 b
whitelisted
5276
MoUsoCoreWorker.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
US
binary
814 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
Not routed
whitelisted
680
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
5276
MoUsoCoreWorker.exe
23.55.110.193:80
crl.microsoft.com
AKAMAI-ASN1
NL
whitelisted
48.192.1.65:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
5276
MoUsoCoreWorker.exe
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
US
whitelisted
5532
SearchApp.exe
2.16.241.222:443
www.bing.com
AKAMAI-ASN1
NL
whitelisted
23.11.41.157:80
ocsp.digicert.com
AKAMAI-AMS
NL
whitelisted
204.79.197.203:80
oneocsp.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4
System
192.168.100.255:138
Not routed
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 40.127.240.158
whitelisted
crl.microsoft.com
  • 23.55.110.193
  • 23.55.110.211
whitelisted
activation-v2.sls.microsoft.com
  • 48.192.1.65
whitelisted
www.microsoft.com
  • 88.221.169.152
  • 72.246.29.11
whitelisted
google.com
  • 142.251.110.113
  • 142.251.110.100
  • 142.251.110.102
  • 142.251.110.139
  • 142.251.110.138
  • 142.251.110.101
whitelisted
www.bing.com
  • 2.16.241.222
  • 2.16.241.207
  • 2.16.241.201
  • 2.16.241.218
  • 2.16.241.205
whitelisted
ocsp.digicert.com
  • 23.11.41.157
whitelisted
oneocsp.microsoft.com
  • 204.79.197.203
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
login.live.com
  • 40.126.31.1
  • 40.126.31.3
  • 20.190.159.131
  • 40.126.31.69
  • 40.126.31.67
  • 20.190.159.0
  • 20.190.159.64
  • 20.190.159.4
whitelisted

Threats

PID
Process
Class
Message
680
svchost.exe
Unknown Traffic
ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
8104
wscript.exe
Misc activity
ET INFO Observed UA-CPU Header
Process
Message
vlc.exe
main libvlc debug: VLC media player - 3.0.11 Vetinari
vlc.exe
main libvlc debug: Copyright © 1996-2020 the VideoLAN team
vlc.exe
main libvlc debug: revision 3.0.11-0-gdc0c5ced72
vlc.exe
main libvlc debug: configured with ../extras/package/win32/../../../configure '--enable-update-check' '--enable-lua' '--enable-faad' '--enable-flac' '--enable-theora' '--enable-avcodec' '--enable-merge-ffmpeg' '--enable-dca' '--enable-mpc' '--enable-libass' '--enable-schroedinger' '--enable-realrtsp' '--enable-live555' '--enable-dvdread' '--enable-shout' '--enable-goom' '--enable-caca' '--enable-qt' '--enable-skins2' '--enable-sse' '--enable-mmx' '--enable-libcddb' '--enable-zvbi' '--disable-telx' '--enable-nls' '--host=x86_64-w64-mingw32' '--with-breakpad=https://win.crashes.videolan.org' 'host_alias=x86_64-w64-mingw32' 'PKG_CONFIG_LIBDIR=/home/jenkins/workspace/vlc-release/windows/vlc-release-win32-x64/contrib/x86_64-w64-mingw32/lib/pkgconfig'
vlc.exe
main libvlc debug: using multimedia timers as clock source
vlc.exe
main libvlc debug: min period: 1 ms, max period: 1000000 ms
vlc.exe
main libvlc debug: searching plug-in modules
vlc.exe
main libvlc debug: loading plugins cache file C:\Program Files\VideoLAN\VLC\plugins\plugins.dat
vlc.exe
main libvlc debug: recursively browsing `C:\Program Files\VideoLAN\VLC\plugins'
vlc.exe
main libvlc debug: plug-ins loaded: 494 modules
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
DOCUMENTOS_680065571836633470065186_098320934.zip