File name: jingling-Soft By elF.exe

Full analysis: https://app.any.run/tasks/32138088-bc22-4c16-ad11-0726f138a9c6
Verdict: Malicious activity
Threats:

Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.

Analysis date: February 24, 2021, 16:32:25
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: adware, opendir, trojan, banker, gootkit, phishing
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 645D60825B362448151387D060593635
SHA1: C670FD72229250249D736C924A10893D8D970F2F
SHA256: 0E6AB2A37F8C6486AAD5CAAB63B4AEDD6BE859BE47F85FC7B0951F517FE6D973
SSDEEP: 12288:Aywuzfu4RNcQ+JHspCU60o0EWRowQfplbR/aTrVccunF5SV60R10n7:AyhvcQIHspCU69nA7yztyTracunF5SV6

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • jingling-Soft By elF.exe (PID: 3632)
    • Changes settings of System certificates

      • jingling-Soft By elF.exe (PID: 2968)
      • jingling-Soft By elF.exe (PID: 184)
      • jingling-Soft By elF.exe (PID: 3668)
      • jingling-Soft By elF.exe (PID: 536)
      • jingling-Soft By elF.exe (PID: 2416)
      • jingling-Soft By elF.exe (PID: 920)
      • jingling-Soft By elF.exe (PID: 5300)
      • jingling-Soft By elF.exe (PID: 4312)
    • Connects to CnC server

      • jingling-Soft By elF.exe (PID: 3632)
      • jingling-Soft By elF.exe (PID: 184)
    • GOOTKIT was detected

      • jingling-Soft By elF.exe (PID: 184)
  • SUSPICIOUS

    • Creates files in the user directory

      • jingling-Soft By elF.exe (PID: 3632)
    • Reads internet explorer settings

      • jingling-Soft By elF.exe (PID: 3632)
      • jingling-Soft By elF.exe (PID: 184)
      • jingling-Soft By elF.exe (PID: 2968)
      • jingling-Soft By elF.exe (PID: 3668)
      • jingling-Soft By elF.exe (PID: 536)
      • jingling-Soft By elF.exe (PID: 2416)
      • jingling-Soft By elF.exe (PID: 920)
      • jingling-Soft By elF.exe (PID: 5300)
      • jingling-Soft By elF.exe (PID: 2540)
      • jingling-Soft By elF.exe (PID: 1220)
      • jingling-Soft By elF.exe (PID: 4312)
    • Adds / modifies Windows certificates

      • jingling-Soft By elF.exe (PID: 2968)
      • jingling-Soft By elF.exe (PID: 184)
      • jingling-Soft By elF.exe (PID: 3668)
      • jingling-Soft By elF.exe (PID: 536)
      • jingling-Soft By elF.exe (PID: 920)
      • jingling-Soft By elF.exe (PID: 2416)
      • jingling-Soft By elF.exe (PID: 5300)
      • jingling-Soft By elF.exe (PID: 4312)
    • Application launched itself

      • jingling-Soft By elF.exe (PID: 3632)
    • Executed via COM

      • iexplore.exe (PID: 3124)
  • INFO

    • Reads settings of System Certificates

      • jingling-Soft By elF.exe (PID: 3632)
      • jingling-Soft By elF.exe (PID: 920)
      • iexplore.exe (PID: 3124)
      • jingling-Soft By elF.exe (PID: 184)
      • jingling-Soft By elF.exe (PID: 3668)
      • jingling-Soft By elF.exe (PID: 2968)
      • jingling-Soft By elF.exe (PID: 1220)
      • jingling-Soft By elF.exe (PID: 5300)
      • jingling-Soft By elF.exe (PID: 536)
      • jingling-Soft By elF.exe (PID: 2540)
    • Dropped object may contain Bitcoin addresses

      • jingling-Soft By elF.exe (PID: 2968)
      • jingling-Soft By elF.exe (PID: 184)
      • jingling-Soft By elF.exe (PID: 536)
      • jingling-Soft By elF.exe (PID: 2416)
      • jingling-Soft By elF.exe (PID: 1220)
      • jingling-Soft By elF.exe (PID: 2540)
    • Application launched itself

      • iexplore.exe (PID: 3124)
    • Changes internet zones settings

      • iexplore.exe (PID: 3124)
    • Creates files in the user directory

      • iexplore.exe (PID: 3124)
    • Changes settings of System certificates

      • iexplore.exe (PID: 3124)
      • iexplore.exe (PID: 2744)
      • iexplore.exe (PID: 3364)
    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 2744)
      • iexplore.exe (PID: 3124)
      • iexplore.exe (PID: 3364)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report.
No malware configuration was extracted. Two caveats for triage: the family labels disagree (the task is tagged gootkit/banker, the IDS alerts below are labelled Qakbot, and the only signatures that name the sample itself are Win32/FlowSpirit, the detection name for this 流量精灵 "Traffic Spirit" web-traffic booster), so treat the banking-trojan attribution as low-confidence. The certificate-store signatures also fire for iexplore.exe, alongside OCSP requests to comodoca/digicert and CryptnetUrlCache writes, which is what ordinary certificate chain building looks like; confirm in the full report that a root certificate was actually installed before treating them as tampering.
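The autorun entry listed under MALICIOUS above (written, per the modification events later in this report, to HKCU\Software\Microsoft\Windows\CurrentVersion\Run as urlspace = C:\Users\admin\AppData\Local\Temp\jingling-Soft By elF.exe -h) is the kind of value a triage script should pull apart: the path is unquoted, contains spaces, and points into %LOCALAPPDATA%\Temp. The Python below is an added example written for this page, not ANY.RUN's or Spiritsoft's code. It runs over a constructed dictionary of Run values (the urlspace value is copied from this report; the OneDrive and Updater entries are invented for contrast), separates executable path from arguments the way CreateProcess resolves unquoted command lines, and flags entries that live under user-writable directories or could be hijacked through a prefix path.

```python
from __future__ import annotations

# Constructed sample of HKCU\Software\Microsoft\Windows\CurrentVersion\Run values.
# "urlspace" is the value this sample wrote (see the modification events in the
# report); the other two entries are invented for contrast.
SAMPLE_RUN_VALUES = {
    "urlspace": "C:\\Users\\admin\\AppData\\Local\\Temp\\jingling-Soft By elF.exe -h",
    "OneDrive": '"C:\\Users\\admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background',
    "Updater": "C:\\Program Files\\Vendor\\updater.exe --quiet",
}

# Parent directories that any user (or any medium-integrity process) can write to.
# An autorun pointing here deserves a second look regardless of the file name.
USER_WRITABLE_ROOTS = (
    "\\appdata\\local\\temp\\",
    "\\appdata\\roaming\\",
    "\\users\\public\\",
    "\\programdata\\",
    "\\windows\\temp\\",
)

EXE_EXTENSIONS = (".exe", ".com", ".scr", ".bat", ".cmd", ".pif")


def probe_order(cmd: str) -> list[str]:
    """Paths CreateProcess would try, in order, for a command line.

    A quoted command names a single image. For an unquoted command line the
    loader tries every whitespace-delimited prefix (appending .exe when the
    prefix has no extension), so "C:\\Program Files\\x.exe" is probed as
    "C:\\Program" first; that is the classic unquoted-path hijack.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end == -1:
            raise ValueError("unterminated quote in command line")
        return [cmd[1:end]]
    tokens = cmd.split(" ")
    return [" ".join(tokens[:i]) for i in range(1, len(tokens) + 1)]


def split_run_command(cmd: str) -> tuple[str, str]:
    """Return (executable path, arguments) as the value's author intended:
    the shortest prefix ending in an executable extension wins."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        exe = probe_order(cmd)[0]
        return exe, cmd[len(exe) + 2:].strip()
    for candidate in probe_order(cmd):
        if candidate.lower().endswith(EXE_EXTENSIONS):
            return candidate, cmd[len(candidate):].strip()
    first = cmd.split(" ", 1)
    return first[0], (first[1] if len(first) > 1 else "")


def triage_run_values(values: dict[str, str]) -> list[dict]:
    """Classify each Run value. 'suspicious' is True when the image lives under a
    user-writable root or an unquoted path with spaces leaves a prefix to hijack."""
    rows = []
    for name, cmd in values.items():
        exe, args = split_run_command(cmd)
        lowered = exe.lower()
        reasons = [root for root in USER_WRITABLE_ROOTS if root in lowered]
        if not cmd.strip().startswith('"') and " " in exe:
            reasons.append("unquoted path containing spaces")
        rows.append({
            "name": name,
            "exe": exe,
            "args": args,
            "probe_order": probe_order(cmd),
            "suspicious": bool(reasons),
            "reasons": reasons,
        })
    return rows


if __name__ == "__main__":
    for row in triage_run_values(SAMPLE_RUN_VALUES):
        flag = "SUSPICIOUS" if row["suspicious"] else "ok"
        print(f"{flag:10} {row['name']}: {row['exe']} [{row['args']}] {row['reasons']}")
```

The urlspace entry is flagged twice (Temp directory and unquoted path); the invented Updater entry shows why probe_order matters even for a vendor path, since C:\Program is the first thing the loader would try.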

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (35.8)
.exe | Win64 Executable (generic) (31.7)
.scr | Windows screen saver (15)
.dll | Win32 Dynamic Link Library (generic) (7.5)
.exe | Win32 Executable (generic) (5.1)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2013:10:10 04:21:13+02:00
PEType: PE32
LinkerVersion: 8
CodeSize: 453632
InitializedDataSize: 195072
UninitializedDataSize: -
EntryPoint: 0x4d228
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 2013.10.10.100
ProductVersionNumber: 4.0.3.1
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Dynamic link library
FileSubtype: -
LanguageCode: Chinese (Simplified)
CharacterSet: Unicode
Comments: 流量精灵(1094)  (流量精灵: "Traffic Spirit")
CompanyName: 精灵软件  (精灵软件: "Spirit Software", the Spiritsoft of the copyright string)
FileDescription: 流量精灵  (Traffic Spirit)
FileVersion: 2013.10.10.100
InternalName: jingling.exe
LegalCopyright: Copyright 2012 Spiritsoft All Rights Reserved.
OriginalFileName: jingling.exe
ProductName: 流量精灵
ProductVersion: 4.0.3.1

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 10-Oct-2013 02:21:13
Detected languages:
  • Chinese - PRC
  • English - United States
Debug artifacts:
  • d:\Code\urlsoft\trunk\product\win32\urlcore4.pdb
Comments: 流量精灵(1094)
CompanyName: 精灵软件
FileDescription: 流量精灵
FileVersion: 2013.10.10.100
InternalName: jingling.exe
LegalCopyright: Copyright 2012 Spiritsoft All Rights Reserved.
OriginalFilename: jingling.exe
ProductName: 流量精灵
ProductVersion: 4.0.3.1

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000100

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 4
Time date stamp: 10-Oct-2013 02:21:13
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name   | Virtual Address | Virtual Size | Raw Size   | Characteristics                                                          | Entropy
.text  | 0x00001000      | 0x0006EB99   | 0x0006EC00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ            | 6.65919
.rdata | 0x00070000      | 0x0001C904   | 0x0001CA00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ                       | 5.3212
.data  | 0x0008D000      | 0x00007E44   | 0x00003600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE  | 4.5635
.rsrc  | 0x00095000      | 0x0000F808   | 0x0000FA00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ                       | 5.43341

Resources

Title | Entropy | Size  | Codepage                   | Language                | Type
1     | 5.01314 | 453   | Latin 1 / Western European | English - United States | RT_MANIFEST
2     | 3.97532 | 2440  | Latin 1 / Western European | Chinese - PRC           | RT_ICON
3     | 3.77779 | 4264  | Latin 1 / Western European | Chinese - PRC           | RT_ICON
4     | 3.71653 | 9640  | Latin 1 / Western European | Chinese - PRC           | RT_ICON
9     | 6.25642 | 502   | Latin 1 / Western European | Chinese - PRC           | RT_STRING
10    | 6.15346 | 866   | Latin 1 / Western European | Chinese - PRC           | RT_STRING
128   | 2.62308 | 62    | Latin 1 / Western European | Chinese - PRC           | RT_GROUP_ICON
129   | 3.51253 | 530   | Latin 1 / Western European | Chinese - PRC           | RT_DIALOG
149   | 4.87878 | 28118 | Latin 1 / Western European | Chinese - PRC           | RT_BITMAP
202   | 4.51029 | 580   | Latin 1 / Western European | Chinese - PRC           | RT_DIALOG

Imports

ADVAPI32.dll
COMCTL32.dll
GDI32.dll
KERNEL32.dll
OLEAUT32.dll
PSAPI.DLL
RASAPI32.dll
SHELL32.dll
SHLWAPI.dll
USER32.dll
No data.
All screenshots are available in the full report
Total processes: 58
Monitored processes: 16
Malicious processes: 9
Suspicious processes: 0

Behavior graph

Process tree (the interactive graph is only in the full report): 11 instances of jingling-soft by elf.exe, one of them flagged #GOOTKIT, and 5 instances of iexplore.exe, two of them with no specs.

Process information

PID: 184
CMD: "C:\Users\admin\AppData\Local\Temp\jingling-Soft By elF.exe" /idx=10
Path: C:\Users\admin\AppData\Local\Temp\jingling-Soft By elF.exe
Process: jingling-Soft By elF.exe
User:
admin
Company:
精灵软件
Integrity Level:
MEDIUM
Description:
流量精灵
Exit code:
4294967295 (0xFFFFFFFF)
Version:
2013.10.10.100
Modules
Images
c:\users\admin\appdata\local\temp\jingling-soft by elf.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wininet.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
PID: 536
CMD: "C:\Users\admin\AppData\Local\Temp\jingling-Soft By elF.exe" /idx=30
Path: C:\Users\admin\AppData\Local\Temp\jingling-Soft By elF.exe
Process: jingling-Soft By elF.exe
User:
admin
Company:
精灵软件
Integrity Level:
MEDIUM
Description:
流量精灵
Exit code:
0
Version:
2013.10.10.100
Modules
Images
c:\users\admin\appdata\local\temp\jingling-soft by elf.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wininet.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
PID: 920
CMD: "C:\Users\admin\AppData\Local\Temp\jingling-Soft By elF.exe" /idx=50
Path: C:\Users\admin\AppData\Local\Temp\jingling-Soft By elF.exe
Process: jingling-Soft By elF.exe
User:
admin
Company:
精灵软件
Integrity Level:
MEDIUM
Description:
流量精灵
Exit code:
88
Version:
2013.10.10.100
Modules
Images
c:\users\admin\appdata\local\temp\jingling-soft by elf.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wininet.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
PID: 952
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3124 CREDAT:333058 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Process: iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
3221225794 (0xC0000142, STATUS_DLL_INIT_FAILED)
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
PID: 952
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3124 CREDAT:464130 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Process: iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
3221225794 (0xC0000142, STATUS_DLL_INIT_FAILED)
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\windows\system32\imm32.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\lpk.dll
c:\windows\system32\user32.dll
c:\windows\system32\version.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\sechost.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\kernelbase.dll
PID: 1220
CMD: "C:\Users\admin\AppData\Local\Temp\jingling-Soft By elF.exe" /idx=20
Path: C:\Users\admin\AppData\Local\Temp\jingling-Soft By elF.exe
Process: jingling-Soft By elF.exe
User:
admin
Company:
精灵软件
Integrity Level:
MEDIUM
Description:
流量精灵
Exit code:
0
Version:
2013.10.10.100
Modules
Images
c:\users\admin\appdata\local\temp\jingling-soft by elf.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\wininet.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
PID: 2416
CMD: "C:\Users\admin\AppData\Local\Temp\jingling-Soft By elF.exe" /idx=40
Path: C:\Users\admin\AppData\Local\Temp\jingling-Soft By elF.exe
Process: jingling-Soft By elF.exe
User:
admin
Company:
精灵软件
Integrity Level:
MEDIUM
Description:
流量精灵
Exit code:
4294967295 (0xFFFFFFFF)
Version:
2013.10.10.100
Modules
Images
c:\users\admin\appdata\local\temp\jingling-soft by elf.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wininet.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
PID: 2540
CMD: "C:\Users\admin\AppData\Local\Temp\jingling-Soft By elF.exe" /idx=50
Path: C:\Users\admin\AppData\Local\Temp\jingling-Soft By elF.exe
Process: jingling-Soft By elF.exe
User:
admin
Company:
精灵软件
Integrity Level:
MEDIUM
Description:
流量精灵
Exit code:
0
Version:
2013.10.10.100
Modules
Images
c:\users\admin\appdata\local\temp\jingling-soft by elf.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wininet.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
PID: 2744
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3124 CREDAT:144385 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Process: iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
PID: 2968
CMD: "C:\Users\admin\AppData\Local\Temp\jingling-Soft By elF.exe" /idx=0
Path: C:\Users\admin\AppData\Local\Temp\jingling-Soft By elF.exe
Process: jingling-Soft By elF.exe
User:
admin
Company:
精灵软件
Integrity Level:
MEDIUM
Description:
流量精灵
Exit code:
88
Version:
2013.10.10.100
Modules
Images
c:\users\admin\appdata\local\temp\jingling-soft by elf.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wininet.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
Total events: 11 881
Read events: 9 374
Write events: 2 402
Delete events: 105

Modification events

PID 3632 (jingling-Soft By elF.exe)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation: write    Name: urlspace
Value: C:\Users\admin\AppData\Local\Temp\jingling-Soft By elF.exe -h

PID 3632 (jingling-Soft By elF.exe)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write    Name: UNCAsIntranet
Value: 0

PID 3632 (jingling-Soft By elF.exe)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write    Name: AutoDetect
Value: 1

PID 3632 (jingling-Soft By elF.exe)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write    Name: CachePrefix
Value: (empty string)

PID 3632 (jingling-Soft By elF.exe)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write    Name: CachePrefix
Value: Cookie:

PID 3632 (jingling-Soft By elF.exe)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write    Name: CachePrefix
Value: Visited:

PID 3632 (jingling-Soft By elF.exe)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: write    Name: ProxyEnable
Value: 0

PID 3632 (jingling-Soft By elF.exe)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation: write    Name: SavedLegacySettings
Value: 46000000A5000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000

PID 3632 (jingling-Soft By elF.exe)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\jingling-Soft By elF_RASAPI32
Operation: write    Name: EnableFileTracing
Value: 0

PID 3632 (jingling-Soft By elF.exe)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\jingling-Soft By elF_RASAPI32
Operation: write    Name: EnableConsoleTracing
Value: 0
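The SavedLegacySettings value above is the binary form of the Internet Settings connection configuration (the same layout as DefaultConnectionSettings): a version DWORD, a change counter, a flags DWORD (0x1 direct connection, 0x2 manual proxy, 0x4 auto-config script, 0x8 auto-detect), then length-prefixed proxy, bypass-list and auto-config URL strings, and a 32-byte reserved block. The triage question is whether the sample pointed the machine at a proxy. The Python below is an added example for this page, not ANY.RUN's tooling; it parses the value copied from the report, reports the configured modes, and scans whatever follows the defined structure for UTF-16 strings, because a value this long (the structure for a no-proxy configuration ends after 56 bytes) means the writer dumped more of its buffer than the settings themselves. The function and field names are this example's own.

```python
from __future__ import annotations

import re
import struct

# SavedLegacySettings value written by PID 3632, copied verbatim from the report above.
SAVED_LEGACY_SETTINGS_HEX = "46000000A5000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000"

# Bits of the flags DWORD in DefaultConnectionSettings / SavedLegacySettings.
FLAG_BITS = {
    0x1: "direct",
    0x2: "manual proxy",
    0x4: "auto-config script",
    0x8: "auto-detect (WPAD)",
}


def parse_connection_settings(blob: bytes) -> dict:
    """Decode the fixed header, the three length-prefixed strings and the
    32-byte reserved block; everything after that is returned as 'trailing'."""
    if len(blob) < 24:
        raise ValueError("value shorter than the fixed header")
    version, counter, flags = struct.unpack_from("<III", blob, 0)
    offset = 12
    strings = {}
    for field in ("proxy", "bypass_list", "autoconfig_url"):
        (length,) = struct.unpack_from("<I", blob, offset)
        offset += 4
        if length > len(blob) - offset:
            raise ValueError(f"{field} length {length} runs past the end of the value")
        strings[field] = blob[offset:offset + length].decode("latin-1")
        offset += length
    offset += 32  # reserved block that WinINet writes after the strings
    return {
        "version": version,
        "counter": counter,
        "flags": flags,
        "modes": [name for bit, name in FLAG_BITS.items() if flags & bit],
        **strings,
        "structure_size": min(offset, len(blob)),
        "trailing": blob[offset:],
    }


def utf16_strings(data: bytes, min_chars: int = 6) -> list[str]:
    """Runs of printable ASCII encoded as UTF-16LE, like `strings -el`."""
    pattern = rb"(?:[\x20-\x7e]\x00){%d,}" % min_chars
    return [m.group().decode("utf-16-le") for m in re.finditer(pattern, data)]


def summarize(hex_value: str) -> dict:
    """Parse a hex-encoded value and attach any strings leaked past the structure."""
    parsed = parse_connection_settings(bytes.fromhex(hex_value))
    parsed["leaked_strings"] = utf16_strings(parsed["trailing"])
    return parsed


if __name__ == "__main__":
    result = summarize(SAVED_LEGACY_SETTINGS_HEX)
    print(f"version={result['version']} counter={result['counter']} "
          f"flags=0x{result['flags']:x} modes={result['modes']}")
    print(f"proxy={result['proxy']!r} bypass={result['bypass_list']!r} "
          f"pac={result['autoconfig_url']!r}")
    print(f"{len(result['trailing'])} bytes past the {result['structure_size']}-byte "
          f"structure; UTF-16 strings in them: {result['leaked_strings']}")
```

On this value the parser reports flags 0x1 (direct connection) with empty proxy, bypass and PAC fields, so the sample did not route traffic through a proxy via this value; the same conclusion the ProxyEnable = 0 write above suggests. The bytes past the 56-byte structure contain the UTF-16 fragment m32\MSIMG32.dl, which reads like uninitialized buffer contents rather than configuration and is a reminder that sandbox registry dumps can carry process-memory residue worth a strings pass.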
Executable files: 0
Suspicious files: 564
Text files: 3 992
Unknown types: 371

Dropped files

PID  | Process                  | Filename                                                                                                                                  | Type   | MD5 | SHA256
2968 | jingling-Soft By elF.exe | C:\Users\admin\AppData\Local\Temp\CabD411.tmp                                                                                             | -      | -   | -
2968 | jingling-Soft By elF.exe | C:\Users\admin\AppData\Local\Temp\TarD412.tmp                                                                                             | -      | -   | -
3632 | jingling-Soft By elF.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\url[1].htm                                  | html   | -   | -
3632 | jingling-Soft By elF.exe | C:\Users\admin\AppData\Roaming\Spiritsoft\urlspirit\product.dat                                                                           | text   | -   | -
3632 | jingling-Soft By elF.exe | C:\Users\admin\AppData\Roaming\Spiritsoft\urlspirit\bd.dat                                                                                | ini    | -   | -
2968 | jingling-Soft By elF.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5887976EDAA817EEF5159B09F6FCD000_35673150FB44DAA99337A19E2291E035      | der    | -   | -
2968 | jingling-Soft By elF.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619     | binary | -   | -
2968 | jingling-Soft By elF.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\3aocDjR[1].htm                              | html   | -   | -
2968 | jingling-Soft By elF.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5887976EDAA817EEF5159B09F6FCD000_35673150FB44DAA99337A19E2291E035     | binary | -   | -
2968 | jingling-Soft By elF.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\redirect[1].htm                             | html   | -   | -
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 1 156
TCP/UDP connections: 2 983
DNS requests: 746
Threats: 125

HTTP requests

PID  | Process                  | Method | HTTP Code | IP                | URL | CN | Type | Size    | Reputation
3632 | jingling-Soft By elF.exe | GET    | -         | 111.177.18.28:80  | http://info.spiritsoft.cn/v4/js/main.js | CN | -    | -       | suspicious
2968 | jingling-Soft By elF.exe | GET    | 302       | 151.139.128.11:80 | http://xapi.juicyads.com/service_advanced.php?code=3474y2c4u2845674y2y23414s2&u=http%3A%2F%2Fwww.juicyads.rocks | US | -    | -       | whitelisted
2968 | jingling-Soft By elF.exe | GET    | 302       | 54.236.132.5:80   | http://redir.jads.co/pu_uu.php?cb=1614184388&uu=A64193B0-0986-321F-9342-7098A6CD2AA0 | US | -    | -       | suspicious
2968 | jingling-Soft By elF.exe | GET    | 200       | 172.64.142.28:80  | http://adp13a.com/redirect?sid=83504 | US | html | 21.3 Kb | malicious
3632 | jingling-Soft By elF.exe | GET    | 200       | 111.177.18.28:80  | http://info.spiritsoft.cn/v4/url.html?v=4.0.3.1-1110 | CN | html | 2.47 Kb | suspicious
2968 | jingling-Soft By elF.exe | GET    | 302       | 172.64.142.28:80  | http://adp13a.com/redirect?cid=SkZXcKGDcG&http_referer=&sid=83504&subid=&s3=&7441846fa87b18047fc05209cfc1c72e=1&rr=1&id=&t=1614184374&hrf=pdz3uXsw3Y%2BIPBFU2F%2F0ES0w0A3eua9YY1QXnBhR5a6jIEofLok%3D&iwx=1264&iwy=673&owx=%3F&owy=%3F&isph=1&pbc=0&fp=null&hf=1&op=3&pd=%3F&tp=%3F&xd=96&yd=96&pl=0&mt=0&sw=1280&sh=692&fw=1280&fh=720&pw=0&ph=19&ow=%3Fx%3F&iw=1264x673&sd=32&ifr=0&coo=1&m=1&hr=0&ab=0&ua=undefined&npl=Win32&ncpu=x86&nhc=%3F&gtz=0&nba=0&nbt=0&nve=%3F&vapp=Microsoft+Internet+Explorer&napv=4.0+%28compatible%3B+MSIE+8.0%3B+Windows+NT+5.1%3B+Trident%2F4.0%3B+SLCC2%3B+.NET+CLR+2.0.50727%3B+.NET+CLR+3.5.30729%3B+.NET+CLR+3.0.30729%3B+Media+Center+PC+6.0%3B+.NET4.0C%3B+.NET4.0E%29&ss=1&ls=1&bl=&sl=undefined&dr=%3F&is=0&wc=undefined&msy=undefined&ddm=number&ps=%3F&st=0&sp=&mob=0&ifp1=0&ifp2=0&wn=&nap=%3F&ind=0&opd=0&dab=1&nsb=0&chk1=%3F&chk2=%3F&chk3=%3F&chk4=0 | US | html | 21.3 Kb | malicious
3632 | jingling-Soft By elF.exe | POST   | 200       | 120.55.28.122:80  | http://urlspirit.spiritsoft.cn/urlcore/svcreqe3012caab.xml | CN | text | 1.29 Kb | suspicious
2968 | jingling-Soft By elF.exe | GET    | 200       | 151.139.128.14:80 | http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEDlyRDr5IrdR19NsEN0xNZU%3D | US | der  | 471 b   | whitelisted
3632 | jingling-Soft By elF.exe | GET    | 200       | 222.188.8.250:80  | http://s11.cnzz.com/stat.php?id=1189654&web_id=1189654 | CN | text | 3.99 Kb | whitelisted
2968 | jingling-Soft By elF.exe | GET    | 200       | 93.184.220.29:80  | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAx5qUSwjBGVIJJhX%2BJrHYM%3D | US | der  | 471 b   | whitelisted

Connections

PID  | Process                  | IP                 | Domain                  | ASN                                                       | CN | Reputation
3632 | jingling-Soft By elF.exe | 120.55.28.122:80   | urlspirit.spiritsoft.cn | Hangzhou Alibaba Advertising Co.,Ltd.                     | CN | malicious
3632 | jingling-Soft By elF.exe | 111.177.18.28:80   | info.spiritsoft.cn      | No.31,Jin-rong Street                                     | CN | malicious
2968 | jingling-Soft By elF.exe | 172.64.142.28:80   | adp13a.com              | Cloudflare Inc                                            | US | unknown
2968 | jingling-Soft By elF.exe | 93.184.220.29:80   | ocsp.digicert.com       | MCI Communications Services, Inc. d/b/a Verizon Business  | US | whitelisted
2968 | jingling-Soft By elF.exe | 43.128.7.189:80    | dwz-1.ink               | -                                                         | JP | unknown
2968 | jingling-Soft By elF.exe | 104.27.206.92:80   | popcash.net             | Cloudflare Inc                                            | US | suspicious
2968 | jingling-Soft By elF.exe | 151.139.128.11:80  | xapi.juicyads.com       | Highwinds Network Group, Inc.                             | US | malicious
2968 | jingling-Soft By elF.exe | 52.201.162.15:80   | ps.popcash.net          | Amazon.com, Inc.                                          | US | suspicious
2968 | jingling-Soft By elF.exe | 54.236.132.5:80    | redir.jads.co           | Amazon.com, Inc.                                          | US | unknown
2968 | jingling-Soft By elF.exe | 67.199.248.10:443  | bit.ly                  | Bitly Inc                                                 | US | shared

DNS requests

Domain                  | IP                                          | Reputation
urlspirit.spiritsoft.cn | 120.55.28.122                               | suspicious
s1.spiritsoft.cn        | -                                           | malicious
info.spiritsoft.cn      | 111.177.18.28                               | suspicious
s11.cnzz.com            | 222.188.8.250                               | whitelisted
bit.ly                  | 67.199.248.10, 67.199.248.11                | shared
ocsp.digicert.com       | 93.184.220.29                               | whitelisted
adp13a.com              | 172.64.142.28, 172.64.143.28                | malicious
popcash.net             | 104.27.206.92, 104.27.207.92                | whitelisted
dwz-1.ink               | 43.128.7.189                                | unknown
ps.popcash.net          | 52.201.162.15, 52.203.234.71, 18.205.91.216 | shared

Threats

PID  | Process                  | Class                         | Message                                                                             | Alerts
3632 | jingling-Soft By elF.exe | A Network Trojan was detected | SPYWARE [PTsecurity] Qakbot                                                         | 6
3632 | jingling-Soft By elF.exe | Misc activity                 | ADWARE [PTsecurity] Win32.FlowSpirit.a (v)                                          | 2
3632 | jingling-Soft By elF.exe | Misc activity                 | ADWARE [PTsecurity] Win32/FlowSpirit.A potentially unsafe for improve web traffic   | 2
16 ETPRO signatures available at the full report
No debug info