URL: http://dl.i-funbox.com/ifunbox_v4106_setup.exe

Full analysis: https://app.any.run/tasks/8c918e88-3612-440d-b3b0-3648543c3c82
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: June 11, 2018, 01:25:14
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: loader
Indicators:
MD5: A97BD116B149D60FB88E5E65D8F8A46B
SHA1: 2FAE6A6FCE58C91170750698CFB2EBF30D264292
SHA256: 38343C0E2D741E25ADB7A778198627992B5C03D01BA5778B34C0EFBAF3F86387
SSDEEP: 3:N1KaJ5dybKmlVx0u4A:CaJ5d+KmlVB4A

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report may be distorted by user actions and is provided as is, for the user's information only. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Downloads executable files from the Internet

      • iexplore.exe (PID: 3220)
      • ifunbox_v4106_setup[1].tmp (PID: 128)
    • Application was dropped or rewritten from another process

      • OperaSetup.exe (PID: 4008)
      • OperaSetup.exe (PID: 568)
      • OperaSetup.exe (PID: 1668)
      • OperaSetup.exe (PID: 900)
      • gafuna.exe (PID: 3372)
      • ifunbox.exe (PID: 3152)
      • installer.exe (PID: 3032)
      • opera.exe (PID: 2960)
      • opera.exe (PID: 1352)
      • launcher.exe (PID: 2000)
      • opera.exe (PID: 4076)
      • opera.exe (PID: 948)
      • opera.exe (PID: 2728)
      • opera.exe (PID: 2476)
      • opera.exe (PID: 3460)
      • opera_crashreporter.exe (PID: 2304)
      • opera.exe (PID: 2524)
      • opera_crashreporter.exe (PID: 3004)
      • opera.exe (PID: 3424)
      • opera.exe (PID: 2544)
      • opera.exe (PID: 3280)
      • opera.exe (PID: 3888)
      • gafuna.exe (PID: 3932)
      • gafuna.exe (PID: 2948)
      • opera.exe (PID: 2392)
      • opera.exe (PID: 3060)
      • opera.exe (PID: 2364)
      • opera_autoupdate.exe (PID: 2320)
      • opera.exe (PID: 4036)
      • installer.exe (PID: 1816)
      • opera_autoupdate.exe (PID: 3252)
      • launcher.exe (PID: 1896)
      • opera.exe (PID: 3972)
    • Changes settings of System certificates

      • OperaSetup.exe (PID: 4008)
    • Loads dropped or rewritten executable

      • OperaSetup.exe (PID: 1668)
      • OperaSetup.exe (PID: 4008)
      • OperaSetup.exe (PID: 900)
      • OperaSetup.exe (PID: 568)
      • installer.exe (PID: 3032)
      • opera.exe (PID: 2728)
      • ifunbox.exe (PID: 3152)
      • installer.exe (PID: 1816)
    • Changes the autorun value in the registry

      • ifunbox.exe (PID: 3152)
    • Loads the Task Scheduler COM API

      • installer.exe (PID: 3032)
      • opera.exe (PID: 948)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • ifunbox_v4106_setup[1].exe (PID: 3036)
      • ifunbox_v4106_setup[1].tmp (PID: 128)
      • ifunbox_v4106_setup[1].exe (PID: 3232)
      • OperaSetup.exe (PID: 4008)
      • OperaSetup.exe (PID: 900)
      • OperaSetup.exe (PID: 568)
      • cmd.exe (PID: 3468)
      • installer.exe (PID: 3032)
      • launcher.exe (PID: 1896)
    • Reads Windows owner settings

      • ifunbox_v4106_setup[1].tmp (PID: 128)
    • Reads the Windows organization settings

      • ifunbox_v4106_setup[1].tmp (PID: 128)
    • Reads the machine GUID from the registry

      • ifunbox_v4106_setup[1].tmp (PID: 128)
    • Reads CPU info

      • ifunbox_v4106_setup[1].tmp (PID: 128)
    • Reads productID from registry

      • ifunbox_v4106_setup[1].tmp (PID: 128)
    • Reads internet explorer settings

      • ifunbox_v4106_setup[1].tmp (PID: 128)
      • ifunbox.exe (PID: 3152)
    • Reads the date of Windows installation

      • ifunbox_v4106_setup[1].tmp (PID: 128)
    • Starts itself from another location

      • OperaSetup.exe (PID: 4008)
    • Application launched itself

      • OperaSetup.exe (PID: 4008)
      • cmd.exe (PID: 1272)
      • opera.exe (PID: 948)
      • gafuna.exe (PID: 3372)
      • cmd.exe (PID: 2896)
    • Adds / modifies Windows certificates

      • OperaSetup.exe (PID: 4008)
    • Starts CMD.EXE for commands execution

      • ifunbox_v4106_setup[1].tmp (PID: 128)
      • cmd.exe (PID: 1272)
      • gafuna.exe (PID: 3372)
      • cmd.exe (PID: 2896)
    • Searches for installed software

      • ifunbox.exe (PID: 3152)
    • Creates files in the program directory

      • installer.exe (PID: 3032)
      • OperaSetup.exe (PID: 900)
      • opera_autoupdate.exe (PID: 3252)
    • Reads Internet Cache Settings

      • ifunbox.exe (PID: 3152)
    • Modifies the open verb of a shell class

      • installer.exe (PID: 3032)
    • Creates a software uninstall entry

      • installer.exe (PID: 3032)
      • gafuna.exe (PID: 3372)
    • Creates files in the user directory

      • installer.exe (PID: 3032)
      • opera.exe (PID: 2960)
      • gafuna.exe (PID: 3372)
      • opera.exe (PID: 948)
      • ifunbox.exe (PID: 3152)
      • opera_autoupdate.exe (PID: 2320)
    • Connects to unusual port

      • opera.exe (PID: 948)
  • INFO

    • Changes internet zones settings

      • iexplore.exe (PID: 3196)
    • Dropped object may contain URL's

      • iexplore.exe (PID: 3196)
      • iexplore.exe (PID: 3220)
      • ifunbox_v4106_setup[1].tmp (PID: 128)
      • ifunbox.exe (PID: 3152)
      • installer.exe (PID: 3032)
      • OperaSetup.exe (PID: 4008)
      • gafuna.exe (PID: 3372)
      • OperaSetup.exe (PID: 900)
      • opera.exe (PID: 948)
      • opera_autoupdate.exe (PID: 3252)
    • Application was dropped or rewritten from another process

      • ifunbox_v4106_setup[1].tmp (PID: 2060)
      • ifunbox_v4106_setup[1].tmp (PID: 128)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3220)
    • Loads dropped or rewritten executable

      • ifunbox_v4106_setup[1].tmp (PID: 128)
    • Creates files in the program directory

      • ifunbox_v4106_setup[1].tmp (PID: 128)
    • Reads settings of System Certificates

      • OperaSetup.exe (PID: 4008)
      • ifunbox.exe (PID: 3152)
    • Creates a software uninstall entry

      • ifunbox_v4106_setup[1].tmp (PID: 128)
    • Dropped object may contain Bitcoin addresses

      • OperaSetup.exe (PID: 900)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 89
Monitored processes: 47
Malicious processes: 12
Suspicious processes: 8

Behavior graph (interactive; available in the full report)

Process information (PID, CMD, Path, Indicators, Parent process)
PID: 128
CMD: "C:\Users\admin\AppData\Local\Temp\is-AM0PL.tmp\ifunbox_v4106_setup[1].tmp" /SL5="$D0206,35712690,121344,C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LM4BD81N\ifunbox_v4106_setup[1].exe" /SPAWNWND=$90236 /NOTIFYWND=$80196
Path: C:\Users\admin\AppData\Local\Temp\is-AM0PL.tmp\ifunbox_v4106_setup[1].tmp
Parent process: ifunbox_v4106_setup[1].exe
User: admin
Integrity Level: HIGH
Description: Setup/Uninstall
Exit code: 0
Version: 51.1052.0.0
Modules (images):
  • c:\users\admin\appdata\local\temp\is-am0pl.tmp\ifunbox_v4106_setup[1].tmp
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\oleaut32.dll
  • c:\windows\system32\ole32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\lpk.dll
PID: 568
CMD: "C:\Users\admin\AppData\Local\Temp\ns58125F0A\OperaSetup.exe" --silent --allusers=0 --crash-reporter-parent-id=4008
Path: C:\Users\admin\AppData\Local\Temp\ns58125F0A\OperaSetup.exe
Parent process: OperaSetup.exe
User: admin
Company: Opera Software
Integrity Level: HIGH
Description: Opera Installer
Exit code: 0
Version: 53.0.2907.68
Modules (images):
  • c:\users\admin\appdata\local\temp\ns58125f0a\operasetup.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\usp10.dll
PID: 900
CMD: "C:\Users\admin\AppData\Local\Temp\ns58125F0A\OperaSetup.exe" --backend --install --import-browser-data=1 --enable-stats=1 --enable-installer-stats=1 --launchopera=1 --installfolder="C:\Program Files\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --startmenushortcut=1 --desktopshortcut=1 --quicklaunchshortcut=1 --pintotaskbar=1 --server-tracking-data=server_tracking_data --initial-pid=4008 --crash-reporter-pid=568 --package-dir-prefix="C:\Users\admin\AppData\Local\Temp\Opera Installer\opera_package_20180611022736" --session-guid=06e8d54d-1aec-4c94-a0b0-b6c1f0d7739c --server-tracking-blob="<blob removed>" --silent --wait-for-package --initial-proc-handle=F802000000000000
Path: C:\Users\admin\AppData\Local\Temp\ns58125F0A\OperaSetup.exe
Parent process: OperaSetup.exe
User: admin
Company: Opera Software
Integrity Level: HIGH
Description: Opera Installer
Exit code: 0
Version: 53.0.2907.68
Modules (images):
  • c:\users\admin\appdata\local\temp\ns58125f0a\operasetup.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\usp10.dll
PID: 948
CMD: "C:\Program Files\Opera\53.0.2907.68\opera.exe" --start-maximized --ran-launcher --flag-switches-begin --flag-switches-end --use-turbo2 --enable-quic --lowered-browser
Path: C:\Program Files\Opera\53.0.2907.68\opera.exe
Parent process: explorer.exe
User: admin
Company: Opera Software
Integrity Level: MEDIUM
Description: Opera Internet Browser
Exit code: 0
Version: 53.0.2907.68
Modules (images):
  • c:\program files\opera\53.0.2907.68\opera.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\user32.dll
PID: 1272
CMD: /d /c TIMEOUT 1 & cmd /d /c copy /B /Y "C:\Users\admin\AppData\Local\Temp\D68717045226211.dat"+"C:\Users\admin\AppData\Local\Temp\D68717045226212.dat" "C:\Users\admin\AppData\Local\Temp\TMP752~1\gafuna.exe" & cmd /d /c del "C:\Users\admin\AppData\Local\Temp\D68717045226211.dat" & cmd /d /c del "C:\Users\admin\AppData\Local\Temp\D68717045226212.dat"
Path: C:\Windows\system32\cmd.exe
Parent process: ifunbox_v4106_setup[1].tmp
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (images):
  • c:\windows\system32\cmd.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\winbrand.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\usp10.dll
PID: 1352
CMD: "C:\Program Files\Opera\53.0.2907.68\opera.exe" --type=gpu-process --field-trial-handle=1064,11133406355130955749,4594008703783955788,131072 --with-feature:installer-experiment-test=off --with-feature:installer-use-minimal-package=off --crash-reporter-pid=2304 --gpu-preferences=KAAAAAAAAACAAwCAAQAAAAAAAAAAAGAAEAAAAAAAAAAAAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --with-feature:installer-experiment-test=off --with-feature:installer-use-minimal-package=off --crash-reporter-pid=2304 --service-request-channel-token=6323E1E1E35219D414B5B6138377A54D --mojo-platform-channel-handle=1084 --ignored=" --type=renderer " /prefetch:2
Path: C:\Program Files\Opera\53.0.2907.68\opera.exe
Parent process: opera.exe
User: admin
Company: Opera Software
Integrity Level: LOW
Description: Opera Internet Browser
Exit code: 0
Version: 53.0.2907.68
Modules (images):
  • c:\program files\opera\53.0.2907.68\opera.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\ole32.dll
  • c:\windows\system32\gdi32.dll
PID: 1668
CMD: "C:\Users\admin\AppData\Local\Temp\Opera Installer\OperaSetup.exe" --version
Path: C:\Users\admin\AppData\Local\Temp\Opera Installer\OperaSetup.exe
Parent process: OperaSetup.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
  • c:\users\admin\appdata\local\temp\opera installer\operasetup.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\usp10.dll
PID: 1816
CMD: "C:\Users\admin\AppData\Local\Temp\opera autoupdate\installer.exe" --version
Path: C:\Users\admin\AppData\Local\Temp\opera autoupdate\installer.exe
Parent process: launcher.exe
User: admin
Company: Opera Software
Integrity Level: HIGH
Description: Opera Installer
Exit code: 0
Version: 53.0.2907.68
Modules (images):
  • c:\users\admin\appdata\local\temp\opera autoupdate\installer.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\usp10.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
PID: 1844
CMD: cmd /d /c del "C:\Users\admin\AppData\Local\Temp\D68717045226212.dat"
Path: C:\Windows\system32\cmd.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (images):
  • c:\windows\system32\cmd.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\winbrand.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\usp10.dll
PID: 1896
CMD: "C:\Program Files\Opera\launcher.exe" --scheduledautoupdate --autoupdaterequesttype=start --autoupdateoperaversion=53.0.2907.68
Path: C:\Program Files\Opera\launcher.exe
Parent process: taskeng.exe
User: admin
Company: Opera Software
Integrity Level: HIGH
Description: Opera Internet Browser
Exit code: 0
Version: 53.0.2907.68
Modules (images):
  • c:\program files\opera\launcher.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\ole32.dll
  • c:\windows\system32\gdi32.dll
Total events: 3 438
Read events: 2 965
Write events: 456
Delete events: 17

Modification events

(PID) Process: (3196) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation: write
Name: CompatibilityFlags
Value: 0

(PID) Process: (3196) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 0

(PID) Process: (3196) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 1

(PID) Process: (3196) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
Operation: write
Name: SecuritySafe
Value: 1

(PID) Process: (3196) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: write
Name: ProxyEnable
Value: 0

(PID) Process: (3196) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation: write
Name: SavedLegacySettings
Value: 460000006B000000010000000000000000000000000000000000000000000000400C35B347C7D301000000000000000000000000020000001700000000000000FE80000000000000D45917EAB3ED3D860B000000000000001700000000000000FE80000000000000D45917EAB3ED3D860B000000000000001C00000000000000000000000000000000000000000000000000000000000000170000000000000000000000000000000000FFFFC0A8640B000000000000000002000000C0A801640000000000000000000000000000000000000000000000000C00000C37D0000010A73800D8703600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000081F800009000230090002300380023000000000000702C000A00000000000000F8412C00

(PID) Process: (3196) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active
Operation: write
Name: {53446C05-6D16-11E8-B27F-5254004AAD21}
Value: 0

(PID) Process: (3196) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation: write
Name: Type
Value: 4

(PID) Process: (3196) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation: write
Name: Count
Value: 5

(PID) Process: (3196) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation: write
Name: Time
Value: E207060001000B00010019001E006400
Executable files: 59
Suspicious files: 213
Text files: 429
Unknown types: 106

Dropped files

PID | Process | Filename | Type
3196 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2LKO8ICX\favicon[1].ico |
3196 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico |
3196 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DFCCB375FF0C4E662B.TMP |
3220 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\WF2FXMJU\ifunbox_v4106_setup[1].exe |
3196 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LM4BD81N\ifunbox_v4106_setup[1].exe |
3196 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF9750F7F8CA65C574.TMP |
3196 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{53446C05-6D16-11E8-B27F-5254004AAD21}.dat |
128 | ifunbox_v4106_setup[1].tmp | C:\Users\admin\AppData\Local\Temp\00154DDB.log |
3220 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012018061120180612\index.dat | dat
3220 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat | dat
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 142
TCP/UDP connections: 173
DNS requests: 88
Threats: 7

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
128 | ifunbox_v4106_setup[1].tmp | POST | 200 | 52.213.10.43:80 | http://rp.cleartowerguard.com/ | IE | | | malicious
3220 | iexplore.exe | GET | 200 | 209.160.42.34:80 | http://dl.i-funbox.com/ifunbox_v4106_setup.exe | US | executable | 34.4 Mb | suspicious
128 | ifunbox_v4106_setup[1].tmp | POST | 200 | 52.213.10.43:80 | http://rp.cleartowerguard.com/ | IE | | | malicious
128 | ifunbox_v4106_setup[1].tmp | POST | 200 | 52.213.10.43:80 | http://rp.cleartowerguard.com/ | IE | | | malicious
128 | ifunbox_v4106_setup[1].tmp | POST | 200 | 52.213.10.43:80 | http://rp.cleartowerguard.com/ | IE | | | malicious
128 | ifunbox_v4106_setup[1].tmp | POST | 200 | 52.213.10.43:80 | http://rp.cleartowerguard.com/ | IE | | | malicious
128 | ifunbox_v4106_setup[1].tmp | POST | 200 | 52.213.10.43:80 | http://rp.cleartowerguard.com/ | IE | | | malicious
128 | ifunbox_v4106_setup[1].tmp | POST | 200 | 52.213.172.218:80 | http://os.cleartowerguard.com/FusionVshareFunbox/ | IE | binary | 593 Kb | malicious
128 | ifunbox_v4106_setup[1].tmp | POST | 200 | 52.213.10.43:80 | http://rp.cleartowerguard.com/ | IE | | | malicious
128 | ifunbox_v4106_setup[1].tmp | GET | 200 | 192.96.201.161:80 | http://img.cleartowerguard.com/img/Jimomoromoj/Jimomoromoj_logo.png | US | image | 2.10 Kb | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3152 | ifunbox.exe | 104.18.62.187:80 | ifbstore.appholly.com | Cloudflare Inc | US | shared
3152 | ifunbox.exe | 216.58.214.98:80 | pagead2.googlesyndication.com | Google Inc. | US | whitelisted
3196 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted
3220 | iexplore.exe | 209.160.42.34:80 | dl.i-funbox.com | HopOne Internet Corporation | US | suspicious
128 | ifunbox_v4106_setup[1].tmp | 52.213.10.43:80 | rp.cleartowerguard.com | Amazon.com, Inc. | IE | unknown
128 | ifunbox_v4106_setup[1].tmp | 52.213.172.218:80 | os.cleartowerguard.com | Amazon.com, Inc. | IE | whitelisted
128 | ifunbox_v4106_setup[1].tmp | 192.96.201.161:80 | img.cleartowerguard.com | Leaseweb USA, Inc. | US | malicious
128 | ifunbox_v4106_setup[1].tmp | 185.59.222.146:80 | cdneu.cleartowerguard.com | Datacamp Limited | NL | malicious
128 | ifunbox_v4106_setup[1].tmp | 185.26.182.112:80 | net.geo.opera.com | Opera Software AS | | malicious
128 | ifunbox_v4106_setup[1].tmp | 199.201.110.78:80 | cdnus.cleartowerguard.com | Namecheap, Inc. | US | malicious

DNS requests

Domain | IP | Reputation
www.bing.com | 204.79.197.200, 13.107.21.200 | whitelisted
dl.i-funbox.com | 209.160.42.34 | suspicious
rp.cleartowerguard.com | 52.213.10.43, 52.31.255.117, 54.72.212.121, 54.76.13.179 | malicious
os.cleartowerguard.com | 52.213.172.218, 52.211.15.5, 52.48.96.210 | malicious
img.cleartowerguard.com | 192.96.201.161 | malicious
cdneu.cleartowerguard.com | 185.59.222.146 | malicious
net.geo.opera.com | 185.26.182.112, 185.26.182.111 | whitelisted
cdnus.cleartowerguard.com | 199.201.110.78 | malicious
autoupdate.geo.opera.com | 185.26.182.117 | whitelisted
desktop-netinstaller-sub.osp.opera.software | 82.145.217.121 | whitelisted

Threats

PID | Process | Class | Message
3220 | iexplore.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
128 | ifunbox_v4106_setup[1].tmp | Misc activity | [PT ADWARE] PUP.Optional.InstallCore Artifact M2
128 | ifunbox_v4106_setup[1].tmp | Misc activity | [PT ADWARE] PUP.Optional.InstallCore Artifact M1
128 | ifunbox_v4106_setup[1].tmp | Misc activity | [PT ADWARE] PUP.Optional.InstallCore Artifact M3
128 | ifunbox_v4106_setup[1].tmp | Misc activity | [PT ADWARE] PUP.Optional.InstallCore Artifact M4
128 | ifunbox_v4106_setup[1].tmp | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
128 | ifunbox_v4106_setup[1].tmp | Misc activity | ET INFO EXE - Served Attached HTTP
No debug info