URL:

http://tplinkextender.net

Full analysis: https://app.any.run/tasks/a78fdf67-d934-4ed4-956d-60c0b429f9d0
Verdict: Malicious activity
Threats:

Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.

Malware Trends Tracker     >>>
Analysis date: April 22, 2020, 11:09:38
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
adware
Indicators:
MD5:

653E77C3BDE15BD9B4882A4F27E43769

SHA1:

1E674D700C5B5A5071CDC1D23A326ECCDDED210A

SHA256:

81806E3024FD7834DA54178902421FB29AB92D21B75E3FF0475867659DD95F65

SSDEEP:

3:N1KKVCro:CKVYo

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    No suspicious indicators.

  • INFO

    • Application launched itself

      • iexplore.exe (PID: 3684)

    • Changes internet zones settings

      • iexplore.exe (PID: 3684)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3684)
      • iexplore.exe (PID: 3028)

    • Creates files in the user directory

      • iexplore.exe (PID: 3028)

    • Reads internet explorer settings

      • iexplore.exe (PID: 3028)

    • Reads settings of System Certificates

      • iexplore.exe (PID: 3684)

    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 3684)

    • Changes settings of System certificates

      • iexplore.exe (PID: 3684)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
37
Monitored processes
2
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe

Process information

PID
CMD
Path
Indicators
Parent process
3028"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3684 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
3684"C:\Program Files\Internet Explorer\iexplore.exe" http://tplinkextender.netC:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
Total events
4 882
Read events
332
Write events
3 046
Delete events
1 504

Modification events

(PID) Process:(3684) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation:writeName:NextCheckForUpdateLowDateTime
Value:
2652184406
(PID) Process:(3684) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation:writeName:NextCheckForUpdateHighDateTime
Value:
30808214
(PID) Process:(3684) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(3684) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(3684) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(3684) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation:writeName:CompatibilityFlags
Value:
0
(PID) Process:(3684) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:ProxyEnable
Value:
0
(PID) Process:(3684) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:writeName:SavedLegacySettings
Value:
46000000A1000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
(PID) Process:(3684) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(3684) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
Executable files
0
Suspicious files
41
Text files
19
Unknown types
20

Dropped files

PID
Process
Filename
Type
3684iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
3028iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\Cab3CC.tmp
MD5:
SHA256:
3028iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\Tar3CD.tmp
MD5:
SHA256:
3028iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\PJ5UD15E.txttext
MD5:
SHA256:
3028iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894binary
MD5:
SHA256:
3028iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5IWPIAR9\click[1].htm
MD5:
SHA256:
3028iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62binary
MD5:
SHA256:
3028iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894der
MD5:
SHA256:
3028iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\U7W4A8I1.txt
MD5:
SHA256:
3028iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62der
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
22
TCP/UDP connections
45
DNS requests
23
Threats
4

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3028
iexplore.exe
GET
200
143.204.208.108:80
http://ocsp.rootg2.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBSIfaREXmfqfJR3TkMYnD7O5MhzEgQUnF8A36oB1zArOIiiuG1KnPIRkYMCEwZ%2FlEoqJ83z%2BsKuKwH5CO65xMY%3D
US
der
1.51 Kb
whitelisted
3028
iexplore.exe
GET
200
2.21.242.197:80
http://isrg.trustid.ocsp.identrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D
NL
der
1.37 Kb
whitelisted
3028
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAGC%2BAmOouYmuRo7J4Qfua8%3D
US
der
1.47 Kb
whitelisted
3028
iexplore.exe
GET
200
143.204.208.90:80
http://ocsp.rootca1.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwZ%2FlFeFh%2Bisd96yUzJbvJmLVg0%3D
US
der
1.39 Kb
shared
3028
iexplore.exe
GET
200
2.21.242.197:80
http://isrg.trustid.ocsp.identrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D
NL
der
1.37 Kb
whitelisted
3028
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA%2Fz5hY5qj0aEmX0H4s05bY%3D
US
der
1.47 Kb
whitelisted
3028
iexplore.exe
GET
200
23.37.43.27:80
http://s.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEGMYDTj7gJd4qdA1oxYY%2BEA%3D
NL
der
1.71 Kb
shared
3028
iexplore.exe
GET
200
3.226.8.132:80
http://usd.shyama-jay.com/zcredirect?visitid=cb277c61-8489-11ea-b319-127453964271&type=js&browserWidth=1280&browserHeight=644&iframeDetected=false
US
html
1.75 Kb
shared
3028
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAyO4MkNaokViAQGHuJB%2Ba8%3D
US
der
471 b
whitelisted
3028
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAyO4MkNaokViAQGHuJB%2Ba8%3D
US
der
471 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3028
iexplore.exe
5.79.68.108:80
tplinkextender.net
LeaseWeb Netherlands B.V.
NL
malicious
3028
iexplore.exe
18.210.89.69:443
sarah.ttnrd.com
US
unknown
5.79.68.108:80
tplinkextender.net
LeaseWeb Netherlands B.V.
NL
malicious
3028
iexplore.exe
143.204.208.79:80
o.ss2.us
US
whitelisted
3684
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
3028
iexplore.exe
143.204.208.108:80
ocsp.rootg2.amazontrust.com
US
whitelisted
3028
iexplore.exe
143.204.208.90:80
ocsp.rootg2.amazontrust.com
US
whitelisted
3028
iexplore.exe
52.218.41.155:443
s3-eu-west-1.amazonaws.com
Amazon.com, Inc.
IE
unknown
3028
iexplore.exe
69.164.214.32:443
clkn.browserg.com
Linode, LLC
US
unknown
3028
iexplore.exe
143.204.208.145:80
ocsp.sca1b.amazontrust.com
US
whitelisted

DNS requests

Domain
IP
Reputation
tplinkextender.net
  • 5.79.68.108
whitelisted
sarah.ttnrd.com
  • 18.210.89.69
  • 34.237.17.143
  • 54.210.19.159
unknown
o.ss2.us
  • 143.204.208.79
  • 143.204.208.160
  • 143.204.208.165
  • 143.204.208.127
whitelisted
api.bing.com
  • 13.107.5.80
whitelisted
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
ocsp.rootg2.amazontrust.com
  • 143.204.208.108
  • 143.204.208.192
  • 143.204.208.23
  • 143.204.208.90
whitelisted
ocsp.rootca1.amazontrust.com
  • 143.204.208.90
  • 143.204.208.23
  • 143.204.208.108
  • 143.204.208.192
shared
ocsp.sca1b.amazontrust.com
  • 143.204.208.145
  • 143.204.208.150
  • 143.204.208.79
  • 143.204.208.173
whitelisted
s3-eu-west-1.amazonaws.com
  • 52.218.41.155
shared
ocsp.digicert.com
  • 93.184.220.29
whitelisted

Threats

PID
Process
Class
Message
3028
iexplore.exe
Misc activity
ADWARE [PTsecurity] Redirecting.Zemot (RBN ZeroPark 0-Click)
1052
svchost.exe
Potentially Bad Traffic
ET INFO DNS Query for Suspicious .icu Domain
3028
iexplore.exe
Potentially Bad Traffic
ET INFO Suspicious Domain (*.icu) in TLS SNI
3028
iexplore.exe
Potentially Bad Traffic
ET INFO Observed Let's Encrypt Certificate for Suspicious TLD (.icu)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
http://tplinkextender.net