iexplore.exe

  • File Path: C:\Program Files\internet explorer\iexplore.exe
  • Description: Internet Explorer

Screenshot

[image: iexplore.exe]

Hashes

Type Hash
MD5 F640445694FD65DEC07CA3A84F560534
SHA1 5D5586E4273110D48F2CD8B19A91E8853DE5E02C
SHA256 28FD5F83C7A2ED53C284BA791F0668C309E287576744530B6E9FC4C228D4B33B
SHA384 CABCDE4FD38229744066BD781BECACCA7727B250E6966AEFFD961147A9B77495B40D4ACC42D40F9E7090F910E68432B9
SHA512 9746AE0953377DBB6541D0DCC9CCB0DA1845C98CB167103C0B9F484D496BD659C7B9E5E5D244E527B30F9F04A736C5BD4043B8DC5E9BEFFA0C7AD879C2C1CE17
SSDEEP 24576:J4lGLbMMHMMMvMMZMMMKzb6XmMMMiMMMz8JMMHMMM6MMZMMMeXNMMzMMMUMMVMMr:3MMHMMMvMMZMMMlmMMMiMMMYJMMHMMMP
IMP BF1B4238FCDBB117EDF39418CA0D205C
PESHA1 45B4E014D8BA963572F9BA85450D35B6C4B1717A
PE256 E5D6E53256D536EBD6EE4568093D4B5E3965AFD6060C696E0D7DD1FC74B81AFA

Runtime Data

Child Processes:

iexplore.exe

Window Title:

http://--help/ - Internet Explorer

Open Handles:

Path Type
(—) C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{CB5585C6-1260-11EB-829E-0A8C8577B1EA}.dat File
(—) C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{CB5585C4-1260-11EB-829E-0A8C8577B1EA}.dat File
(R-D) C:\Program Files\internet explorer\en-US\iexplore.exe.mui File
(R-D) C:\Windows\Fonts\StaticCache.dat File
(R-D) C:\Windows\System32\en-US\ieframe.dll.mui File
(RW-) C:\Users\user\Desktop File
(RW-) C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.17763.1518_none_6d08fefc59f73326 File
(RW-) C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.1518_none_de6e2bd0534e2567 File
(RWD) C:\Users\ADMINI~1\AppData\Local\Temp\2~DF0DC33E760EC90AF6.TMP File
(RWD) C:\Users\ADMINI~1\AppData\Local\Temp\2~DFA726461E236BAC58.TMP File
...!PrivacIE!SharedMem!Settings Section
\BaseNamedObjects\__ComCatalogCache__ Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000004.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000004.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2.ro Section
\BaseNamedObjects\F932B6C7-3A20-46A0-B8A0-8894AA421973 Section
\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 Section
\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 Section
\BaseNamedObjects\windows_shell_global_counters Section
\RPC Control\DSEC558 Section
\Sessions\2\BaseNamedObjects\558HWNDInterface:2074a Section
\Sessions\2\BaseNamedObjects\558HWNDInterface:20750 Section
\Sessions\2\BaseNamedObjects\558HWNDInterface:2076a Section
\Sessions\2\BaseNamedObjects\558HWNDInterface:6079c Section
\Sessions\2\BaseNamedObjects\558HWNDInterface:607be Section
\Sessions\2\BaseNamedObjects\558HWNDInterface:70780 Section
\Sessions\2\BaseNamedObjects\ie_ias_00000558-0000-0000-0000-000000000000 Section
\Sessions\2\BaseNamedObjects\IsoScope_558_IEFrame!GetAsyncKeyStateSharedMem Section
\Sessions\2\BaseNamedObjects\IsoScope_558_IsoSpaceV2_ScopeTrusted Section
\Sessions\2\BaseNamedObjects\IsoScope_558_IsoSpaceV2_ScopeTrusted_0:3_3 Section
\Sessions\2\BaseNamedObjects\IsoScope_558_IsoSpaceV2_ScopeTrusted_0:3_4 Section
\Sessions\2\BaseNamedObjects\IsoScope_558_IsoSpaceV2_ScopeTrusted_0:6_2 Section
\Sessions\2\BaseNamedObjects\IsoScope_558_IsoSpaceV2_ScopeTrusted_0:7_1 Section
\Sessions\2\BaseNamedObjects\IsoSpaceV2_LogonMediumx64 Section
\Sessions\2\BaseNamedObjects\UrlZonesSM_Administrator Section
\Sessions\2\BaseNamedObjects\VERMGMTSharedMemory Section
\Sessions\2\BaseNamedObjects\windows_ie_global_counters Section
\Sessions\2\BaseNamedObjects\windows_shell_global_counters Section
\Sessions\2\BaseNamedObjects\windows_webcache_counters_{9B6AB5B3-91BC-4097-835C-EA2DEC95E9CC}_S-1-5-21-4075667164-670084373-454571106-500 Section
\Sessions\2\Windows\Theme2131664586 Section
\Windows\Theme966197582 Section

Loaded Modules:

Path
C:\Program Files\internet explorer\IEShims.dll
C:\Program Files\internet explorer\iexplore.exe
C:\Windows\System32\ADVAPI32.dll
C:\Windows\SYSTEM32\apphelp.dll
C:\Windows\System32\bcrypt.dll
C:\Windows\System32\bcryptPrimitives.dll
C:\Windows\System32\cfgmgr32.dll
C:\Windows\System32\clbcatq.dll
C:\Windows\System32\combase.dll
C:\Windows\System32\comdlg32.dll
C:\Windows\System32\coml2.dll
C:\Windows\System32\CRYPT32.dll
C:\Windows\SYSTEM32\CRYPTBASE.DLL
C:\Windows\System32\cryptsp.dll
C:\Windows\system32\d3d11.dll
C:\Windows\system32\dataexchange.dll
C:\Windows\system32\dcomp.dll
C:\Windows\SYSTEM32\dhcpcsvc.DLL
C:\Windows\SYSTEM32\dhcpcsvc6.DLL
C:\Windows\System32\DPAPI.dll
C:\Windows\system32\dwmapi.dll
C:\Windows\system32\dxgi.dll
C:\Windows\system32\explorerframe.dll
C:\Windows\System32\GDI32.dll
C:\Windows\System32\gdi32full.dll
C:\Windows\SYSTEM32\ieapfltr.dll
C:\Windows\SYSTEM32\IEFRAME.dll
C:\Windows\System32\ieproxy.dll
C:\Windows\SYSTEM32\iertutil.dll
C:\Windows\SYSTEM32\IEUI.dll
C:\Windows\System32\IMM32.DLL
C:\Windows\SYSTEM32\IPHLPAPI.DLL
C:\Windows\System32\kernel.appcore.dll
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\System32\MSASN1.dll
C:\Windows\System32\MSCTF.dll
C:\Windows\SYSTEM32\MSIMG32.dll
C:\Windows\SYSTEM32\msIso.dll
C:\Windows\System32\msvcp_win.dll
C:\Windows\System32\msvcrt.dll
C:\Windows\system32\mswsock.dll
C:\Windows\SYSTEM32\NETAPI32.dll
C:\Windows\SYSTEM32\NETUTILS.DLL
C:\Windows\System32\NSI.dll
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\ole32.dll
C:\Windows\System32\oleacc.dll
C:\Windows\System32\OLEAUT32.dll
C:\Windows\SYSTEM32\ondemandconnroutehelper.dll
C:\Windows\System32\powrprof.dll
C:\Windows\System32\profapi.dll
C:\Windows\system32\RMCLIENT.dll
C:\Windows\System32\RPCRT4.dll
C:\Windows\system32\rsaenh.dll
C:\Windows\System32\sechost.dll
C:\Windows\System32\shcore.dll
C:\Windows\System32\SHELL32.dll
C:\Windows\System32\SHLWAPI.dll
C:\Windows\SYSTEM32\SspiCli.dll
C:\Windows\SYSTEM32\TOKENBINDING.dll
C:\Windows\system32\twinapi.appcore.dll
C:\Windows\System32\ucrtbase.dll
C:\Windows\SYSTEM32\urlmon.dll
C:\Windows\System32\USER32.dll
C:\Windows\SYSTEM32\USERENV.dll
C:\Windows\system32\uxtheme.dll
C:\Windows\SYSTEM32\VERSION.dll
C:\Windows\System32\win32u.dll
C:\Windows\System32\windows.storage.dll
C:\Windows\system32\windowscodecs.dll
C:\Windows\SYSTEM32\WINHTTP.dll
C:\Windows\SYSTEM32\WININET.dll
C:\Windows\SYSTEM32\WINNSI.DLL
C:\Windows\SYSTEM32\WKSCLI.DLL
C:\Windows\System32\WS2_32.dll
C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.1518_none_de6e2bd0534e2567\comctl32.dll

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: IEXPLORE.EXE.MUI
  • Product Name: Internet Explorer
  • Company Name: Microsoft Corporation
  • File Version: 11.00.17763.1 (WinBuild.160101.0800)
  • Product Version: 11.00.17763.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/70
  • VirusTotal Link: https://www.virustotal.com/gui/file/28fd5f83c7a2ed53c284ba791f0668c309e287576744530b6e9fc4c228d4b33b/detection/

File Similarity (ssdeep match)

File Score
C:\Program Files (x86)\Internet Explorer\iexplore.exe 97
C:\Program Files (x86)\Internet Explorer\iexplore.exe 93
C:\Program Files (x86)\Internet Explorer\iexplore.exe 93
C:\Program Files\Internet Explorer\iexplore.exe 96
C:\Program Files\Internet Explorer\iexplore.exe 94

Possible Misuse

The following entries are possible examples of iexplore.exe being misused, collected from public detection rules, IOC sets and test frameworks that mention the file name. iexplore.exe is not inherently malicious, but its trusted name, install path and Microsoft signature make it a frequent target: malware masquerades as it, injects into it or spawns beneath it (including by parent-PID spoofing), launches script hosts from it, and hijacks DLLs it loads such as iertutil.dll. Each entry is a match on the file name in that source, not a confirmed compromise involving this binary.

Source (license), then source file: example

  • sigma (DRL 1.0)
      sysmon_suspicious_remote_thread.yml: - '\iexplore.exe'
      dns_query_win_susp_ipify.yml: - \iexplore.exe
      image_load_abusing_azure_browser_sso.yml: - '\iexplore.exe'
      proc_creation_win_exploit_cve_2019_1388.yml: Image|endswith: '\iexplore.exe'
      proc_creation_win_run_executable_invalid_extension.yml: ParentImage|endswith: ':\Program Files\Internet Explorer\iexplore.exe'
      proc_creation_win_susp_powershell_parent_process.yml: - '\iexplore.exe'
      sysmon_dcom_iertutil_dll_hijack.yml: Image|endswith: '\Internet Explorer\iexplore.exe'
  • malware-ioc (© ESET 2014-2018)
      rtm: IExplore
      rtm: iexplore.exe
  • atomic-red-team (MIT License. © 2018 Red Canary)
      T1134.004.md: Upon execution, "Process C:\Program Files\Internet Explorer\iexplore.exe is spawned with pid ####" will be displayed and
      T1134.004.md: | spawnto_process_path | Path of the process to spawn | Path | C:\Program Files\Internet Explorer\iexplore.exe|
      T1134.004.md: | spawnto_process_name | Name of the process to spawn | String | iexplore|
  • signature-base (CC BY-NC 4.0)
      apt_apt30_backspace.yar: $s10 = "iexplore." ascii
      apt_apt30_backspace.yar: $s8 = "iexplore." fullword ascii
      apt_apt30_backspace.yar: $s1 = "iexplore.exe" fullword ascii
      apt_bronze_butler.yar: $s4 = "iexplore.exe" ascii fullword
      apt_eternalblue_non_wannacry.yar: $s1 = "\Program Files\Internet Explorer\iexplore.exe" fullword ascii
      apt_unit78020_malware.yar: $s1 = "%ProgramFiles%\Internet Explorer\iexplore.exe" fullword ascii
      crime_dexter_trojan.yar: $s3 = "\Internet Explorer\iexplore.exe" fullword wide
      generic_anomalies.yar: description = "Detects uncommon file size of iexplore.exe"
      generic_anomalies.yar: and filename == "iexplore.exe"
      gen_malware_set_qa.yar: $s5 = "\Internet Explorer\iexplore.exe" fullword ascii
      thor-hacktools.yar: $s5 = "!&start iexplore http://www.crsky.com/soft/4818.html)" fullword ascii
      thor_inverse_matches.yar: description = "Abnormal iexplore.exe - typical strings not found in file"
      thor_inverse_matches.yar: $win2003_win7_u1 = "IEXPLORE.EXE" wide nocase
      thor_inverse_matches.yar: filename == "iexplore.exe"
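The following script is an added example, not Strontic's code and not a copy of any of the rule sets cited above. It turns three of the ideas behind those entries into checks that run over Sysmon-style process-creation events: iexplore.exe executing from somewhere other than the two install paths on this page, iexplore.exe whose SHA256 is not the known-good value from the Hashes section, and a PowerShell host spawned with iexplore.exe as its parent (the idea behind proc_creation_win_susp_powershell_parent_process.yml; the set of child names is an assumption, not that rule's list). The event field names follow Sysmon Event ID 1; the sample events are constructed, and only this page's one hash is in the known-good set, so a real deployment would add every build it trusts.

```python
"""Added triage example for iexplore.exe telemetry (not part of the original page).

Assumptions: Sysmon Event ID 1 field names (Image, ParentImage, Hashes); the
SCRIPT_HOST_CHILDREN list is illustrative; SAMPLE_EVENTS are constructed.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass

# Known-good values copied from this page (Windows build 17763, 64-bit).
KNOWN_GOOD_SHA256 = {
    "28FD5F83C7A2ED53C284BA791F0668C309E287576744530B6E9FC4C228D4B33B",
}
# The two install locations for iexplore.exe shown in the similarity table.
EXPECTED_PATHS = {
    r"c:\program files\internet explorer\iexplore.exe",
    r"c:\program files (x86)\internet explorer\iexplore.exe",
}
# Assumed set of script hosts worth alerting on when IE is the parent.
SCRIPT_HOST_CHILDREN = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}


@dataclass
class ProcessEvent:
    """Subset of Sysmon Event ID 1 fields, named as Sysmon logs them."""
    Image: str
    ParentImage: str
    Hashes: str = ""  # Sysmon format, e.g. "MD5=...,SHA256=..."


def basename(path: str) -> str:
    """Lower-cased final path component; accepts / or \\ as separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def sha256_from_hashes_field(hashes: str) -> str | None:
    """Extract the SHA256 value from a Sysmon 'Hashes' field, upper-cased."""
    for part in hashes.split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip().upper()
    return None


def check_event(ev: ProcessEvent) -> list[str]:
    """Return finding tags for one event; an empty list means nothing matched."""
    findings: list[str] = []
    image = ev.Image.lower()
    if basename(image) == "iexplore.exe":
        if image not in EXPECTED_PATHS:  # masquerading / wrong install path
            findings.append("iexplore_unexpected_path")
        digest = sha256_from_hashes_field(ev.Hashes)
        if digest is not None and digest not in KNOWN_GOOD_SHA256:
            findings.append("iexplore_unknown_hash")  # content differs from known build
    if basename(ev.ParentImage) == "iexplore.exe" and basename(image) in SCRIPT_HOST_CHILDREN:
        findings.append("script_host_child_of_iexplore")
    return findings


def scan(events: list[ProcessEvent]) -> list[list[str]]:
    """Apply check_event to every event, preserving order."""
    return [check_event(e) for e in events]


def file_sha256(path: str) -> str:
    """Upper-case hex SHA256 of a file on disk, comparable to KNOWN_GOOD_SHA256."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest().upper()


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcessEvent(  # the legitimate binary described on this page
        Image=r"C:\Program Files\internet explorer\iexplore.exe",
        ParentImage=r"C:\Windows\explorer.exe",
        Hashes="SHA256=28FD5F83C7A2ED53C284BA791F0668C309E287576744530B6E9FC4C228D4B33B",
    ),
    ProcessEvent(  # same file name, wrong location, unknown content
        Image=r"C:\Users\user\AppData\Local\Temp\iexplore.exe",
        ParentImage=r"C:\Windows\explorer.exe",
        Hashes="SHA256=" + "00" * 32,
    ),
    ProcessEvent(  # IE launching a script host
        Image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        ParentImage=r"C:\Program Files\Internet Explorer\iexplore.exe",
    ),
]

if __name__ == "__main__":
    for ev, findings in zip(SAMPLE_EVENTS, scan(SAMPLE_EVENTS)):
        print(f"{ev.Image}: {findings or 'ok'}")
```

Running the script prints one line per sample event; the first is reported as ok, the second carries both the path and hash findings, and the third the script-host finding. To baseline a live host, compare file_sha256 of the on-disk binary against KNOWN_GOOD_SHA256 and pair that with an Authenticode check against the thumbprint in the Signature section, since a hash match alone says nothing about later builds.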

MIT License. Copyright (c) 2020-2021 Strontic.