File name:

Receipt.zip

Full analysis: https://app.any.run/tasks/a930bcbd-323d-4b1b-a480-677a195cef9a
Verdict: Malicious activity
Threats:

A keylogger is a type of spyware that infects a system and has the ability to record every keystroke made on the device. This lets attackers collect personal information of victims, which may include their online banking credentials, as well as personal conversations. The most widespread vector of attack leading to a keylogger infection begins with a phishing email or link. Keylogging is also often present in remote access trojans as part of an extended set of malicious tools.

Malware Trends Tracker     >>>
Analysis date: May 19, 2025, 11:54:37
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
arch-exec
evasion
snake
keylogger
netreactor
stealer
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:

76697E9CBDFF5E43416E254EADDD9856

SHA1:

01A34F692513ECD5C3971EFFF9169627FC7AF174

SHA256:

68A827BC763C5D9B6BE2E111421C62CD39135E24C33CC09A40C1CDAC8A429421

SSDEEP:

24576:EsIkDhtFMtoz1qL8j9RY0AEOw5iXSZR6jQbxHY0cOJxiHk3sXxTnvE3:EsIkDhtFMtoz1qLQ9RY0AEOw5iXSZEjo

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • SNAKEKEYLOGGER has been detected (SURICATA)

      • Receipt.exe (PID: 6040)

    • Steals credentials from Web Browsers

      • Receipt.exe (PID: 6040)

    • Actions looks like stealing of personal data

      • Receipt.exe (PID: 6040)

  • SUSPICIOUS

    • Application launched itself

      • Receipt.exe (PID: 7996)

    • Checks for external IP

      • svchost.exe (PID: 2196)
      • Receipt.exe (PID: 6040)

    • The process verifies whether the antivirus software is installed

      • Receipt.exe (PID: 6040)

  • INFO

    • Manual execution by a user

      • Receipt.exe (PID: 7996)

    • Reads the machine GUID from the registry

      • Receipt.exe (PID: 7996)
      • Receipt.exe (PID: 6040)

    • Checks supported languages

      • Receipt.exe (PID: 6040)
      • Receipt.exe (PID: 7996)

    • Reads the computer name

      • Receipt.exe (PID: 6040)
      • Receipt.exe (PID: 7996)

    • .NET Reactor protector has been detected

      • Receipt.exe (PID: 7996)

    • Disables trace logs

      • Receipt.exe (PID: 6040)

    • Checks proxy server information

      • Receipt.exe (PID: 6040)
      • slui.exe (PID: 7564)

    • Reads the software policy settings

      • Receipt.exe (PID: 6040)
      • slui.exe (PID: 7564)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2025:05:12 05:23:44
ZipCRC: 0x4fe96206
ZipCompressedSize: 486236
ZipUncompressedSize: 545792
ZipFileName: Receipt.exe
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
126
Monitored processes
5
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe no specs receipt.exe no specs #SNAKEKEYLOGGER receipt.exe svchost.exe slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
2196C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
6040"C:\Users\admin\Desktop\Receipt.exe"C:\Users\admin\Desktop\Receipt.exe
Receipt.exe
User:
admin
Company:
云梦数智
Integrity Level:
MEDIUM
Description:
灵智·星辰
Version:
0.0.0.0
Modules
Images
c:\users\admin\desktop\receipt.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
7564C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
7860"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\Receipt.zipC:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
7996"C:\Users\admin\Desktop\Receipt.exe" C:\Users\admin\Desktop\Receipt.exeexplorer.exe
User:
admin
Company:
云梦数智
Integrity Level:
MEDIUM
Description:
灵智·星辰
Exit code:
0
Version:
0.0.0.0
Modules
Images
c:\users\admin\desktop\receipt.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
Total events
8 830
Read events
8 800
Write events
30
Delete events
0

Modification events

(PID) Process:(7860) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:3
Value:
C:\Users\admin\Desktop\preferences.zip
(PID) Process:(7860) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:(7860) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:(7860) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\Desktop\Receipt.zip
(PID) Process:(7860) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(7860) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(7860) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(7860) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(6040) Receipt.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Receipt_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(6040) Receipt.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Receipt_RASAPI32
Operation:writeName:EnableAutoFileTracing
Value:
0
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
10
TCP/UDP connections
47
DNS requests
15
Threats
7

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
8148
SIHClient.exe
GET
200
23.216.77.19:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
8148
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
8148
SIHClient.exe
GET
200
23.216.77.19:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
8148
SIHClient.exe
GET
200
23.216.77.19:80
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
unknown
whitelisted
8148
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
8148
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
8148
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
8148
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
6040
Receipt.exe
GET
504
193.122.130.0:80
http://checkip.dyndns.org/
unknown
whitelisted
6040
Receipt.exe
GET
504
193.122.130.0:80
http://checkip.dyndns.org/
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6544
svchost.exe
20.190.159.23:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2104
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
8148
SIHClient.exe
172.202.163.200:443
slscr.update.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
GB
whitelisted
8148
SIHClient.exe
23.216.77.19:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
8148
SIHClient.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
8148
SIHClient.exe
13.85.23.206:443
fe3cr.delivery.mp.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 20.73.194.208
  • 51.124.78.146
whitelisted
google.com
  • 172.217.18.14
whitelisted
login.live.com
  • 20.190.159.23
  • 20.190.159.130
  • 20.190.159.2
  • 20.190.159.131
  • 40.126.31.67
  • 20.190.159.129
  • 20.190.159.64
  • 40.126.31.69
whitelisted
slscr.update.microsoft.com
  • 172.202.163.200
whitelisted
crl.microsoft.com
  • 23.216.77.19
  • 23.216.77.18
  • 23.216.77.10
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.85.23.206
whitelisted
checkip.dyndns.org
  • 193.122.130.0
  • 132.226.8.169
  • 158.101.44.242
  • 193.122.6.168
  • 132.226.247.73
whitelisted
reallyfreegeoip.org
  • 104.21.64.1
  • 104.21.80.1
  • 104.21.32.1
  • 104.21.16.1
  • 104.21.96.1
  • 104.21.112.1
  • 104.21.48.1
malicious
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

PID
Process
Class
Message
2196
svchost.exe
Device Retrieving External IP Address Detected
ET DYN_DNS External IP Lookup Domain in DNS Query (checkip .dyndns .org)
6040
Receipt.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup - checkip.dyndns.org
6040
Receipt.exe
Device Retrieving External IP Address Detected
ET INFO 404/Snake/Matiex Keylogger Style External IP Check
2196
svchost.exe
Device Retrieving External IP Address Detected
INFO [ANY.RUN] External IP Address Lookup Domain (reallyfreegeoip .org)
2196
svchost.exe
Misc activity
ET INFO External IP Address Lookup Domain in DNS Lookup (reallyfreegeoip .org)
6040
Receipt.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup - checkip.dyndns.org
6040
Receipt.exe
Misc activity
ET INFO External IP Lookup Service Domain (reallyfreegeoip .org) in TLS SNI
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Receipt.zip