iexplore.exe
- File Path:
C:\Program Files\Internet Explorer\iexplore.exe - Description: Internet Explorer
Screenshot
Hashes
| Type | Hash |
|---|---|
| MD5 | 6BFE7CA23C89FD5809A48355EC5625EE |
| SHA1 | 9ED866E14BB54406C075929183524039AB851A25 |
| SHA256 | F76F00939F1BE76152809C37591EF75D3C150745232E35697D99CAE09E31C2BC |
| SHA384 | 240E65EEB92B1AF5A641C9D7622EC2A624ECCE762B528B95A0360BBD5E5DA1EBE8E7833C9D29255D43B3A6F6BC838617 |
| SHA512 | 505159C8C6C1341043215D0C91E663A2366ED14C68DE61DE639736E549ABC764D7589F53D972A8B2CC1DE40B23CF5AAD6565EEE9D988522CF8BD6A9B2CF0BF05 |
| SSDEEP | 24576:h/4lGLbMMHMMMvMMZMMMKzb6XmMMMiMMMz8JMMHMMM6MMZMMMeXNMMzMMMUMMVMH:hlMMHMMMvMMZMMMlmMMMiMMMYJMMHMMY |
| IMP | 8C797F2A2A97DA90C7A8F1CF249ADBEB |
| PESHA1 | 1555A9CACD92190FA33292F1DE8F0153257EBDE3 |
| PE256 | 49AF5EF7E46F9C7CBD9969222611AF8E088331268C74734149B72BB62C2E5AB7 |
Runtime Data
Child Processes:
iexplore.exe
Window Title:
Cant reach this page - Internet Explorer
Open Handles:
| Path | Type |
|---|---|
| (—) C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active{F538A955-0656-11EB-882E-00155DD100FD}.dat | File |
| (—) C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{F3BFF526-0656-11EB-882E-00155DD100FD}.dat | File |
| (—) C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{F538A953-0656-11EB-882E-00155DD100FD}.dat | File |
| (R-D) C:\Program Files\Internet Explorer\en-US\iexplore.exe.mui | File |
| (R-D) C:\Windows\Fonts\StaticCache.dat | File |
| (R-D) C:\Windows\System32\en-US\ieframe.dll.mui | File |
| (R-D) C:\Windows\SystemResources\ieframe.dll.mun | File |
| (RW-) C:\Users\user\Desktop | File |
| (RW-) C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.19041.488_none_4238de57f6b64d28 | File |
| (RW-) C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.488_none_ca04af081b815d21 | File |
| (RWD) C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db | File |
| (RWD) C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db | File |
| (RWD) C:\Users\user\AppData\Local\Temp~DF075DFF15BF8C0FDD.TMP | File |
| (RWD) C:\Users\user\AppData\Local\Temp~DFD59A797D5ED3FDA7.TMP | File |
| (RWD) C:\Users\user\AppData\Local\Temp~DFE2F6E6743AB4CC71.TMP | File |
| \BaseNamedObjects__ComCatalogCache__ | Section |
| \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000006.db | Section |
| \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db | Section |
| \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2 | Section |
| \BaseNamedObjects\F932B6C7-3A20-46A0-B8A0-8894AA421973 | Section |
| \BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 | Section |
| \BaseNamedObjects\NLS_CodePage_437_3_2_0_0 | Section |
| \BaseNamedObjects\windows_shell_global_counters | Section |
| \Sessions\1\BaseNamedObjects\57cHWNDInterface:1d030a | Section |
| \Sessions\1\BaseNamedObjects\57cHWNDInterface:360414 | Section |
| \Sessions\1\BaseNamedObjects\57cHWNDInterface:b0196 | Section |
| \Sessions\1\BaseNamedObjects\57cHWNDInterface:b025c | Section |
| \Sessions\1\BaseNamedObjects\57cHWNDInterface:b0332 | Section |
| \Sessions\1\BaseNamedObjects\57cHWNDInterface:b034e | Section |
| \Sessions\1\BaseNamedObjects\ie_ias_0000057C-0000-0000-0000-000000000000 | Section |
| \Sessions\1\BaseNamedObjects\IsoScope_57c_IEFrame!GetAsyncKeyStateSharedMem | Section |
| \Sessions\1\BaseNamedObjects\IsoScope_57c_IsoSpaceV2_ScopeTrusted | Section |
| \Sessions\1\BaseNamedObjects\IsoScope_57c_IsoSpaceV2_ScopeTrusted_0:3_3 | Section |
| \Sessions\1\BaseNamedObjects\IsoScope_57c_IsoSpaceV2_ScopeTrusted_0:3_4 | Section |
| \Sessions\1\BaseNamedObjects\IsoScope_57c_IsoSpaceV2_ScopeTrusted_0:3_5 | Section |
| \Sessions\1\BaseNamedObjects\IsoScope_57c_IsoSpaceV2_ScopeTrusted_0:6_2 | Section |
| \Sessions\1\BaseNamedObjects\IsoScope_57c_IsoSpaceV2_ScopeTrusted_0:7_1 | Section |
| \Sessions\1\BaseNamedObjects\IsoSpaceV2_LogonHighx64 | Section |
| \Sessions\1\BaseNamedObjects\IsoSpaceV2_LogonMediumx64 | Section |
| \Sessions\1\BaseNamedObjects\UrlZonesSM_user | Section |
| \Sessions\1\BaseNamedObjects\VERMGMTSharedMemory | Section |
| \Sessions\1\BaseNamedObjects\windows_ie_global_counters | Section |
| \Sessions\1\BaseNamedObjects\windows_shell_global_counters | Section |
| \Sessions\1\BaseNamedObjects\windows_webcache_counters_{9B6AB5B3-91BC-4097-835C-EA2DEC95E9CC}_S-1-5-21-2047949552-857980807-821054962-504 | Section |
| \Sessions\1\Windows\Theme64749523 | Section |
| \Windows\Theme1120315852 | Section |
Loaded Modules:
| Path |
|---|
| C:\Program Files\Internet Explorer\iexplore.exe |
| C:\Windows\SYSTEM32\apphelp.dll |
| C:\Windows\System32\KERNEL32.DLL |
| C:\Windows\System32\KERNELBASE.dll |
| C:\Windows\SYSTEM32\ntdll.dll |
Signature
- Status: Signature verified.
- Serial:
330000023241FB59996DCC4DFF000000000232 - Thumbprint:
FF82BC38E1DA5E596DF374C53E3617F7EDA36B06 - Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: IEXPLORE.EXE.MUI
- Product Name: Internet Explorer
- Company Name: Microsoft Corporation
- File Version: 11.00.19041.1 (WinBuild.160101.0800)
- Product Version: 11.00.19041.1
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
- Machine Type: 64-bit
File Scan
- VirusTotal Detections: 0/71
- VirusTotal Link: https://www.virustotal.com/gui/file/f76f00939f1be76152809c37591ef75d3c150745232e35697d99cae09e31c2bc/detection/
File Similarity (ssdeep match)
Possible Misuse
The following table contains possible examples of iexplore.exe being misused. While iexplore.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
| Source | Source File | Example | License |
|---|---|---|---|
| sigma | sysmon_suspicious_remote_thread.yml | - '\iexplore.exe' |
DRL 1.0 |
| sigma | dns_query_win_susp_ipify.yml | - \iexplore.exe |
DRL 1.0 |
| sigma | image_load_abusing_azure_browser_sso.yml | - '\iexplore.exe' |
DRL 1.0 |
| sigma | proc_creation_win_exploit_cve_2019_1388.yml | Image\|endswith: '\iexplore.exe' |
DRL 1.0 |
| sigma | proc_creation_win_run_executable_invalid_extension.yml | ParentImage\|endswith: ':\Program Files\Internet Explorer\iexplore.exe' |
DRL 1.0 |
| sigma | proc_creation_win_susp_powershell_parent_process.yml | - '\iexplore.exe' |
DRL 1.0 |
| sigma | sysmon_dcom_iertutil_dll_hijack.yml | Image\|endswith: '\Internet Explorer\iexplore.exe' |
DRL 1.0 |
| malware-ioc | rtm | IExplore |
© ESET 2014-2018 |
| malware-ioc | rtm | iexplore.exe |
© ESET 2014-2018 |
| atomic-red-team | T1134.004.md | Upon execution, “Process C:\Program Files\Internet Explorer\iexplore.exe is spawned with pid ####” will be displayed and | MIT License. © 2018 Red Canary |
| atomic-red-team | T1134.004.md | | spawnto_process_path | Path of the process to spawn | Path | C:\Program Files\Internet Explorer\iexplore.exe| | MIT License. © 2018 Red Canary |
| atomic-red-team | T1134.004.md | | spawnto_process_name | Name of the process to spawn | String | iexplore| | MIT License. © 2018 Red Canary |
| signature-base | apt_apt30_backspace.yar | $s10 = “iexplore.” ascii | CC BY-NC 4.0 |
| signature-base | apt_apt30_backspace.yar | $s8 = “iexplore.” fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_apt30_backspace.yar | $s1 = “iexplore.exe” fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_bronze_butler.yar | $s4 = “iexplore.exe” ascii fullword | CC BY-NC 4.0 |
| signature-base | apt_eternalblue_non_wannacry.yar | $s1 = “\Program Files\Internet Explorer\iexplore.exe” fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_unit78020_malware.yar | $s1 = “%ProgramFiles%\Internet Explorer\iexplore.exe” fullword ascii | CC BY-NC 4.0 |
| signature-base | crime_dexter_trojan.yar | $s3 = “\Internet Explorer\iexplore.exe” fullword wide | CC BY-NC 4.0 |
| signature-base | generic_anomalies.yar | description = “Detects uncommon file size of iexplore.exe” | CC BY-NC 4.0 |
| signature-base | generic_anomalies.yar | and filename == “iexplore.exe” | CC BY-NC 4.0 |
| signature-base | gen_malware_set_qa.yar | $s5 = “\Internet Explorer\iexplore.exe” fullword ascii | CC BY-NC 4.0 |
| signature-base | thor-hacktools.yar | $s5 = “!&start iexplore http://www.crsky.com/soft/4818.html)” fullword ascii | CC BY-NC 4.0 |
| signature-base | thor_inverse_matches.yar | description = “Abnormal iexplore.exe - typical strings not found in file” | CC BY-NC 4.0 |
| signature-base | thor_inverse_matches.yar | $win2003_win7_u1 = “IEXPLORE.EXE” wide nocase | CC BY-NC 4.0 |
| signature-base | thor_inverse_matches.yar | filename == “iexplore.exe” | CC BY-NC 4.0 |
MIT License. Copyright (c) 2020-2021 Strontic.