iexplore.exe

  • File Path: C:\Program Files\Internet Explorer\iexplore.exe
  • Description: Internet Explorer

Runtime Data

Open Handles:

Path Type
(---) C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{228019E2-3F5E-11EC-9EB1-00155D9611FE}.dat File
(---) C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{228019E0-3F5E-11EC-9EB1-00155D9611FE}.dat File
(R-D) C:\Program Files\Internet Explorer\en-US\iexplore.exe.mui File
(R-D) C:\Windows\Fonts\StaticCache.dat File
(R-D) C:\Windows\System32\en-US\ieframe.dll.mui File
(R-D) C:\Windows\SystemResources\ieframe.dll.mun File
(RW-) C:\Users\user\Desktop File
(RW-) C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.19041.1110_none_792d1c772443f647 File
(RW-) C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_60b5254171f9507e File
(RWD) C:\Users\user\AppData\Local\Temp\~DFA69C84736EF0AF08.TMP File
(RWD) C:\Users\user\AppData\Local\Temp\~DFE5AF7A8FD446548E.TMP File
\BaseNamedObjects\__ComCatalogCache__ Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2 Section
\BaseNamedObjects\F932B6C7-3A20-46A0-B8A0-8894AA421973 Section
\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 Section
\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 Section
\Sessions\1\BaseNamedObjects\ie_ias_00001D84-0000-0000-0000-000000000000 Section
\Sessions\1\BaseNamedObjects\IsoScope_1d84_IEFrame!GetAsyncKeyStateSharedMem Section
\Sessions\1\BaseNamedObjects\IsoScope_1d84_IsoSpaceV2_ScopeTrusted Section
\Sessions\1\BaseNamedObjects\IsoScope_1d84_IsoSpaceV2_ScopeTrusted_0:6_2 Section
\Sessions\1\BaseNamedObjects\IsoScope_1d84_IsoSpaceV2_ScopeTrusted_0:7_1 Section
\Sessions\1\BaseNamedObjects\IsoSpaceV2_LogonMediumx64 Section
\Sessions\1\BaseNamedObjects\UrlZonesSM_user Section
\Sessions\1\BaseNamedObjects\VERMGMTSharedMemory Section
\Sessions\1\BaseNamedObjects\windows_ie_global_counters Section
\Sessions\1\BaseNamedObjects\windows_shell_global_counters Section
\Sessions\1\BaseNamedObjects\windows_webcache_counters_{9B6AB5B3-91BC-4097-835C-EA2DEC95E9CC}_S-1-5-21-2047949552-857980807-821054962-504 Section
\Sessions\1\Windows\Theme449731986 Section
\Windows\Theme1396518710 Section

Loaded Modules:

Path
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\SYSTEM32\apphelp.dll
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\SYSTEM32\ntdll.dll

Signature

  • Status: Signature verified.
  • Serial: 33000002EC6579AD1E670890130000000002EC
  • Thumbprint: F7C2F2C96A328C13CDA8CDB57B715BDEA2CBD1D9
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: IEXPLORE.EXE.MUI
  • Product Name: Internet Explorer
  • Company Name: Microsoft Corporation
  • File Version: 11.00.19041.1 (WinBuild.160101.0800)
  • Product Version: 11.00.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/73
  • VirusTotal Link: https://www.virustotal.com/gui/file/9c530f1306aa1312fda938169e208a033341bc49ff956695c7616ad6c5d4bc94/detection

File Similarity (ssdeep match)

File Score
C:\Program Files (x86)\Internet Explorer\iexplore.exe 94
C:\Program Files (x86)\Internet Explorer\iexplore.exe 93
C:\Program Files (x86)\Internet Explorer\iexplore.exe 96
C:\Program Files\Internet Explorer\iexplore.exe 94
C:\Program Files\internet explorer\iexplore.exe 94

Possible Misuse

The following table contains possible examples of iexplore.exe being misused. While iexplore.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma sysmon_suspicious_remote_thread.yml - '\iexplore.exe' DRL 1.0
sigma dns_query_win_susp_ipify.yml - \iexplore.exe DRL 1.0
sigma image_load_abusing_azure_browser_sso.yml - '\iexplore.exe' DRL 1.0
sigma proc_creation_win_exploit_cve_2019_1388.yml Image|endswith: '\iexplore.exe' DRL 1.0
sigma proc_creation_win_run_executable_invalid_extension.yml ParentImage|endswith: ':\Program Files\Internet Explorer\iexplore.exe' DRL 1.0
sigma proc_creation_win_susp_powershell_parent_process.yml - '\iexplore.exe' DRL 1.0
sigma sysmon_dcom_iertutil_dll_hijack.yml Image|endswith: '\Internet Explorer\iexplore.exe' DRL 1.0
malware-ioc rtm IExplore © ESET 2014-2018
malware-ioc rtm iexplore.exe © ESET 2014-2018
atomic-red-team T1134.004.md Upon execution, “Process C:\Program Files\Internet Explorer\iexplore.exe is spawned with pid ####” will be displayed and MIT License. © 2018 Red Canary
atomic-red-team T1134.004.md | spawnto_process_path | Path of the process to spawn | Path | C:\Program Files\Internet Explorer\iexplore.exe| MIT License. © 2018 Red Canary
atomic-red-team T1134.004.md | spawnto_process_name | Name of the process to spawn | String | iexplore| MIT License. © 2018 Red Canary
signature-base apt_apt30_backspace.yar $s10 = "iexplore." ascii CC BY-NC 4.0
signature-base apt_apt30_backspace.yar $s8 = "iexplore." fullword ascii CC BY-NC 4.0
signature-base apt_apt30_backspace.yar $s1 = "iexplore.exe" fullword ascii CC BY-NC 4.0
signature-base apt_bronze_butler.yar $s4 = "iexplore.exe" ascii fullword CC BY-NC 4.0
signature-base apt_eternalblue_non_wannacry.yar $s1 = "\Program Files\Internet Explorer\iexplore.exe" fullword ascii CC BY-NC 4.0
signature-base apt_unit78020_malware.yar $s1 = "%ProgramFiles%\Internet Explorer\iexplore.exe" fullword ascii CC BY-NC 4.0
signature-base crime_dexter_trojan.yar $s3 = "\Internet Explorer\iexplore.exe" fullword wide CC BY-NC 4.0
signature-base generic_anomalies.yar description = "Detects uncommon file size of iexplore.exe" CC BY-NC 4.0
signature-base generic_anomalies.yar and filename == "iexplore.exe" CC BY-NC 4.0
signature-base gen_malware_set_qa.yar $s5 = "\Internet Explorer\iexplore.exe" fullword ascii CC BY-NC 4.0
signature-base thor-hacktools.yar $s5 = "!&start iexplore http://www.crsky.com/soft/4818.html)" fullword ascii CC BY-NC 4.0
signature-base thor_inverse_matches.yar description = "Abnormal iexplore.exe - typical strings not found in file" CC BY-NC 4.0
signature-base thor_inverse_matches.yar $win2003_win7_u1 = "IEXPLORE.EXE" wide nocase CC BY-NC 4.0
signature-base thor_inverse_matches.yar filename == "iexplore.exe" CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.