iexplore.exe

  • File Path: C:\Program Files\Internet Explorer\iexplore.exe
  • Description: Internet Explorer

Hashes

Type Hash
MD5 6BFE7CA23C89FD5809A48355EC5625EE
SHA1 9ED866E14BB54406C075929183524039AB851A25
SHA256 F76F00939F1BE76152809C37591EF75D3C150745232E35697D99CAE09E31C2BC
SHA384 240E65EEB92B1AF5A641C9D7622EC2A624ECCE762B528B95A0360BBD5E5DA1EBE8E7833C9D29255D43B3A6F6BC838617
SHA512 505159C8C6C1341043215D0C91E663A2366ED14C68DE61DE639736E549ABC764D7589F53D972A8B2CC1DE40B23CF5AAD6565EEE9D988522CF8BD6A9B2CF0BF05
SSDEEP 24576:h/4lGLbMMHMMMvMMZMMMKzb6XmMMMiMMMz8JMMHMMM6MMZMMMeXNMMzMMMUMMVMH:hlMMHMMMvMMZMMMlmMMMiMMMYJMMHMMY
IMP 8C797F2A2A97DA90C7A8F1CF249ADBEB
PESHA1 1555A9CACD92190FA33292F1DE8F0153257EBDE3
PE256 49AF5EF7E46F9C7CBD9969222611AF8E088331268C74734149B72BB62C2E5AB7

Runtime Data

Child Processes:

iexplore.exe

Window Title:

Cant reach this page - Internet Explorer

Open Handles:

Path Type
(—) C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{F538A955-0656-11EB-882E-00155DD100FD}.dat File
(—) C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{F3BFF526-0656-11EB-882E-00155DD100FD}.dat File
(—) C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{F538A953-0656-11EB-882E-00155DD100FD}.dat File
(R-D) C:\Program Files\Internet Explorer\en-US\iexplore.exe.mui File
(R-D) C:\Windows\Fonts\StaticCache.dat File
(R-D) C:\Windows\System32\en-US\ieframe.dll.mui File
(R-D) C:\Windows\SystemResources\ieframe.dll.mun File
(RW-) C:\Users\user\Desktop File
(RW-) C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.19041.488_none_4238de57f6b64d28 File
(RW-) C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.488_none_ca04af081b815d21 File
(RWD) C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db File
(RWD) C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db File
(RWD) C:\Users\user\AppData\Local\Temp\~DF075DFF15BF8C0FDD.TMP File
(RWD) C:\Users\user\AppData\Local\Temp\~DFD59A797D5ED3FDA7.TMP File
(RWD) C:\Users\user\AppData\Local\Temp\~DFE2F6E6743AB4CC71.TMP File
\BaseNamedObjects\__ComCatalogCache__ Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000006.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2 Section
\BaseNamedObjects\F932B6C7-3A20-46A0-B8A0-8894AA421973 Section
\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 Section
\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 Section
\BaseNamedObjects\windows_shell_global_counters Section
\Sessions\1\BaseNamedObjects\57cHWNDInterface:1d030a Section
\Sessions\1\BaseNamedObjects\57cHWNDInterface:360414 Section
\Sessions\1\BaseNamedObjects\57cHWNDInterface:b0196 Section
\Sessions\1\BaseNamedObjects\57cHWNDInterface:b025c Section
\Sessions\1\BaseNamedObjects\57cHWNDInterface:b0332 Section
\Sessions\1\BaseNamedObjects\57cHWNDInterface:b034e Section
\Sessions\1\BaseNamedObjects\ie_ias_0000057C-0000-0000-0000-000000000000 Section
\Sessions\1\BaseNamedObjects\IsoScope_57c_IEFrame!GetAsyncKeyStateSharedMem Section
\Sessions\1\BaseNamedObjects\IsoScope_57c_IsoSpaceV2_ScopeTrusted Section
\Sessions\1\BaseNamedObjects\IsoScope_57c_IsoSpaceV2_ScopeTrusted_0:3_3 Section
\Sessions\1\BaseNamedObjects\IsoScope_57c_IsoSpaceV2_ScopeTrusted_0:3_4 Section
\Sessions\1\BaseNamedObjects\IsoScope_57c_IsoSpaceV2_ScopeTrusted_0:3_5 Section
\Sessions\1\BaseNamedObjects\IsoScope_57c_IsoSpaceV2_ScopeTrusted_0:6_2 Section
\Sessions\1\BaseNamedObjects\IsoScope_57c_IsoSpaceV2_ScopeTrusted_0:7_1 Section
\Sessions\1\BaseNamedObjects\IsoSpaceV2_LogonHighx64 Section
\Sessions\1\BaseNamedObjects\IsoSpaceV2_LogonMediumx64 Section
\Sessions\1\BaseNamedObjects\UrlZonesSM_user Section
\Sessions\1\BaseNamedObjects\VERMGMTSharedMemory Section
\Sessions\1\BaseNamedObjects\windows_ie_global_counters Section
\Sessions\1\BaseNamedObjects\windows_shell_global_counters Section
\Sessions\1\BaseNamedObjects\windows_webcache_counters_{9B6AB5B3-91BC-4097-835C-EA2DEC95E9CC}_S-1-5-21-2047949552-857980807-821054962-504 Section
\Sessions\1\Windows\Theme64749523 Section
\Windows\Theme1120315852 Section

Loaded Modules:

Path
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\SYSTEM32\apphelp.dll
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\SYSTEM32\ntdll.dll

Signature

  • Status: Signature verified.
  • Serial: 330000023241FB59996DCC4DFF000000000232
  • Thumbprint: FF82BC38E1DA5E596DF374C53E3617F7EDA36B06
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: IEXPLORE.EXE.MUI
  • Product Name: Internet Explorer
  • Company Name: Microsoft Corporation
  • File Version: 11.00.19041.1 (WinBuild.160101.0800)
  • Product Version: 11.00.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/71
  • VirusTotal Link: https://www.virustotal.com/gui/file/f76f00939f1be76152809c37591ef75d3c150745232e35697d99cae09e31c2bc/detection/

File Similarity (ssdeep match)

File Score
C:\Program Files (x86)\Internet Explorer\iexplore.exe 94
C:\Program Files (x86)\Internet Explorer\iexplore.exe 93
C:\Program Files (x86)\Internet Explorer\iexplore.exe 93
C:\Program Files\Internet Explorer\iexplore.exe 94
C:\Program Files\internet explorer\iexplore.exe 96

Possible Misuse

The following table contains possible examples of iexplore.exe being misused. While iexplore.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma sysmon_suspicious_remote_thread.yml - '\iexplore.exe' DRL 1.0
sigma dns_query_win_susp_ipify.yml - \iexplore.exe DRL 1.0
sigma image_load_abusing_azure_browser_sso.yml - '\iexplore.exe' DRL 1.0
sigma proc_creation_win_exploit_cve_2019_1388.yml Image|endswith: '\iexplore.exe' DRL 1.0
sigma proc_creation_win_run_executable_invalid_extension.yml ParentImage|endswith: ':\Program Files\Internet Explorer\iexplore.exe' DRL 1.0
sigma proc_creation_win_susp_powershell_parent_process.yml - '\iexplore.exe' DRL 1.0
sigma sysmon_dcom_iertutil_dll_hijack.yml Image|endswith: '\Internet Explorer\iexplore.exe' DRL 1.0
malware-ioc rtm IExplore © ESET 2014-2018
malware-ioc rtm iexplore.exe © ESET 2014-2018
atomic-red-team T1134.004.md Upon execution, “Process C:\Program Files\Internet Explorer\iexplore.exe is spawned with pid ####” will be displayed and MIT License. © 2018 Red Canary
atomic-red-team T1134.004.md | spawnto_process_path | Path of the process to spawn | Path | C:\Program Files\Internet Explorer\iexplore.exe| MIT License. © 2018 Red Canary
atomic-red-team T1134.004.md | spawnto_process_name | Name of the process to spawn | String | iexplore| MIT License. © 2018 Red Canary
signature-base apt_apt30_backspace.yar $s10 = “iexplore.” ascii CC BY-NC 4.0
signature-base apt_apt30_backspace.yar $s8 = “iexplore.” fullword ascii CC BY-NC 4.0
signature-base apt_apt30_backspace.yar $s1 = “iexplore.exe” fullword ascii CC BY-NC 4.0
signature-base apt_bronze_butler.yar $s4 = “iexplore.exe” ascii fullword CC BY-NC 4.0
signature-base apt_eternalblue_non_wannacry.yar $s1 = “\Program Files\Internet Explorer\iexplore.exe” fullword ascii CC BY-NC 4.0
signature-base apt_unit78020_malware.yar $s1 = “%ProgramFiles%\Internet Explorer\iexplore.exe” fullword ascii CC BY-NC 4.0
signature-base crime_dexter_trojan.yar $s3 = “\Internet Explorer\iexplore.exe” fullword wide CC BY-NC 4.0
signature-base generic_anomalies.yar description = “Detects uncommon file size of iexplore.exe” CC BY-NC 4.0
signature-base generic_anomalies.yar and filename == “iexplore.exe” CC BY-NC 4.0
signature-base gen_malware_set_qa.yar $s5 = “\Internet Explorer\iexplore.exe” fullword ascii CC BY-NC 4.0
signature-base thor-hacktools.yar $s5 = “!&start iexplore http://www.crsky.com/soft/4818.html)” fullword ascii CC BY-NC 4.0
signature-base thor_inverse_matches.yar description = “Abnormal iexplore.exe - typical strings not found in file” CC BY-NC 4.0
signature-base thor_inverse_matches.yar $win2003_win7_u1 = “IEXPLORE.EXE” wide nocase CC BY-NC 4.0
signature-base thor_inverse_matches.yar filename == “iexplore.exe” CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.