explorer.exe

Win

The executable explorer.exe has been detected as malware by 1 of 68 anti-virus scanners. It is set to run automatically whenever any user logs into Windows, through the machine-wide Run key (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, see below), under the value name 'Explorer'. Although this file uses the name explorer.exe, it is NOT the File Explorer program distributed with the Windows OS, which lives in C:\Windows; this copy runs from C:\Windows\System32 and its original file name is Win.exe. The genuine File Explorer is started as the user's shell by Winlogon, not through a Run key, so a Run value that launches any explorer.exe is worth inspecting on its own. While running, it connects to the Internet address mpdedicated.com on port 80 using the HTTP protocol.
Publisher:
Microsoft*  (Invalid match: the publisher name is not backed by a valid Microsoft digital signature)

Product:
Win

Version:
1.00

MD5:
ce1fb86c6b5921c73117e6f85bce9e64

SHA-1:
2d67c0487dac8f72e4958de1166a03a1d63bb898

SHA-256:
d7ed0a0986d5a254d8fababa624ab25f9b05527803b100236d74d02698454834

Scanner detections:
1 / 68

Status:
Malware

Analysis date:
11/23/2024 12:44:59 PM UTC

Scan engine:
Reason Heuristics

Detection:
Trojan.Agent,VB (M)

Engine version:
17.2.27.18

File size:
207 KB (211,993 bytes)

Product version:
1.00

Original file name:
Win.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\Windows\System32\explorer.exe

File PE Metadata
Compilation timestamp:
10/5/2012 3:38:39 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

Entry address:
0x36A0

Entry point:
68, 04, 3F, 40, 00, E8, F0, FF, FF, FF, 00, 00, 40, 00, 00, 00, 30, 00, 00, 00, 38, 00, 00, 00, 00, 00, 00, 00, 01, CB, C1, C7, 66, 39, 96, 46, 9F, FC, 3A, A3, E4, 2A, 39, E1, 00, 00, 00, 00, 00, 00, 01, 00, 00, 00, 00, 00, F0, 81, FC, 00, 57, 69, 6E, 00, 88, 28, FB, 00, 00, C1, 40, 00, 08, C1, 40, 00, 00, 00, 00, 00, 88, 00, 00, 00, 00, 00, 00, 00, 02, 00, 00, 00, 07, 00, 00, 00, 24, 09, 2B, 7B, 9A, 46, 32, 43, 88, 43, 50, 96, 47, EE, BB, 24, 01, 00, 00, 00, 98, 00, 00, 00, A8, 00, 00, 00, 01, 00, 00, 00...

Entropy:
6.1176

Developed / compiled with:
Microsoft Visual Basic v5.0/v6.0

Code size:
172 KB (176,128 bytes)

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Explorer

Command:
C:\Windows\System32\explorer.exe ru
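The two things a responder wants to do with the data above are to check hosts for the Run-key entry and to compare a suspect file's hashes with the ones listed on this page. The following is an added example written for this page, not code from the original report or from Reason Core Security. It assumes the text layout of `reg query` output (a constructed sample is embedded so it runs offline on any OS), assumes the usual expansions for %windir% and %systemroot%, and treats the 32-bit copy of explorer.exe in SysWOW64 on 64-bit Windows as genuine alongside the C:\Windows copy the report names.

```python
"""Host-side triage for the explorer.exe sample documented on this page.

Added example, not code from the original report or from Reason Core Security.
It checks (a) whether any Run-key value starts an explorer.exe from somewhere
other than the genuine File Explorer location and (b) whether a file's hashes
match the ones listed above. The registry text below is a constructed sample of
`reg query` output so the code runs offline on any OS; on a live host feed it
the real output of `reg query HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run`.
"""
import hashlib
import ntpath
import re

# Hashes of the malicious sample, as listed on this page.
IOC_HASHES = {
    "md5": "ce1fb86c6b5921c73117e6f85bce9e64",
    "sha1": "2d67c0487dac8f72e4958de1166a03a1d63bb898",
    "sha256": "d7ed0a0986d5a254d8fababa624ab25f9b05527803b100236d74d02698454834",
}

# Where the genuine File Explorer lives: C:\Windows, per the report, plus the
# 32-bit copy that 64-bit Windows keeps in SysWOW64 (assumed; not on the page).
GENUINE_EXPLORER = {r"c:\windows\explorer.exe", r"c:\windows\syswow64\explorer.exe"}

# Assumed default expansions for REG_EXPAND_SZ data.
ENV = {"%windir%": r"C:\Windows", "%systemroot%": r"C:\Windows"}

# Constructed sample of `reg query` output; the 'Explorer' line reproduces the
# persistence entry documented above, the other two are typical benign values.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    Explorer          REG_SZ           C:\Windows\System32\explorer.exe ru
    OneDrive          REG_SZ           "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
"""

_VALUE_RE = re.compile(r"^\s*(?P<name>\S+)\s+(?P<type>REG_[A-Z_]+)\s+(?P<data>.*?)\s*$")


def parse_run_values(reg_query_output: str) -> list:
    """Return one {'name', 'type', 'command'} dict per value line of `reg query` output."""
    values = []
    for line in reg_query_output.splitlines():
        m = _VALUE_RE.match(line)
        if m:
            values.append({"name": m["name"], "type": m["type"], "command": m["data"]})
    return values


def executable_path(command: str) -> str:
    """Normalised, lower-cased program path of a Run command line.

    A quoted path is taken verbatim; otherwise the first whitespace-delimited token
    is the program, which is how `C:\\Windows\\System32\\explorer.exe ru` is read.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        exe = command[1:end] if end > 0 else command[1:]
    else:
        exe = command.split()[0] if command else ""
    for var, value in ENV.items():
        exe = re.sub(re.escape(var), lambda _m, v=value: v, exe, flags=re.IGNORECASE)
    return ntpath.normpath(exe).lower()


def suspicious_run_values(reg_query_output: str) -> list:
    """Flag Run values that start an explorer.exe from outside its genuine location.

    The genuine File Explorer is launched as the shell by Winlogon, not through a
    Run key, so every Run value whose program is named explorer.exe deserves a look;
    one pointing outside GENUINE_EXPLORER is the pattern this report describes.
    """
    findings = []
    for v in parse_run_values(reg_query_output):
        exe = executable_path(v["command"])
        if ntpath.basename(exe) == "explorer.exe" and exe not in GENUINE_EXPLORER:
            findings.append({**v, "executable": exe,
                             "reason": "explorer.exe started from a non-genuine path"})
    return findings


def hashes_of_bytes(data: bytes) -> dict:
    """MD5, SHA-1 and SHA-256 of a blob, keyed like IOC_HASHES."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in IOC_HASHES}


def hashes_of_file(path: str) -> dict:
    """Hashes of a file on disk (read whole; the sample is only 207 KB)."""
    with open(path, "rb") as fh:
        return hashes_of_bytes(fh.read())


def is_known_sample(hashes: dict) -> bool:
    """True when any hash equals the report's; SHA-256 is the one to trust,
    MD5 and SHA-1 only corroborate."""
    return any(hashes.get(algo) == digest for algo, digest in IOC_HASHES.items())


if __name__ == "__main__":
    for finding in suspicious_run_values(SAMPLE_REG_QUERY):
        print(f"[!] Run value {finding['name']!r}: {finding['command']} ({finding['reason']})")
```

On a live Windows host, run the same check against the HKCU Run key as well as HKLM, since the value name alone tells you nothing about which hive it was written to; the path comparison is what distinguishes this sample from the real shell.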


The executing file has been observed making the following network connections in live environments. Not every destination is specific to this sample: the Microsoft, Akamai and Amazon hostnames are shared infrastructure that many legitimate programs also contact.

TCP (HTTP):
Connects to a-0001.a-msedge.net  (204.79.197.200:80)

TCP (HTTP):
Connects to mpdedicated.com  (173.192.48.97:80)

TCP (HTTP):
Connects to host.1unlimited.com  (207.244.72.197:80)

TCP (HTTP SSL):
Connects to a104-93-210-154.deploy.static.akamaitechnologies.com  (104.93.210.154:443)

TCP (HTTP):
Connects to forums.winamp.com  (176.31.226.182:80)

TCP (HTTP SSL):
Connects to ec2-52-2-10-61.compute-1.amazonaws.com  (52.2.10.61:443)

TCP (HTTP SSL):
Connects to 203.130.48.149-BJ-CNC  (203.130.48.149:443)
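To hunt for the connections listed above in proxy or DNS logs, here is an added example written for this page, not code from the original report or from Reason Core Security. The log lines are constructed, and their layout (timestamp, client, destination ip:port, hostname or '-' when none was logged, method, path) is an assumed generic proxy format; adapt `parse_line()` to your own logs. The confidence tier on each indicator is this editor's judgement rather than the page's: mpdedicated.com and host.1unlimited.com are not shared infrastructure and are worth alerting on by themselves, the bare reverse-DNS label on 203.130.48.149 can only be matched by IP, and the Microsoft, Akamai, AWS and winamp.com names are shared hosts that corroborate a hit rather than constitute one.

```python
"""Match proxy log lines against the network destinations listed on this page.

Added example, not code from the original report or from Reason Core Security.
Log lines and their field layout are constructed/assumed; tiers are the editor's
judgement of how specific each destination is to this sample.
"""
import ipaddress
import re

INDICATORS = {  # hostname: (ip, port, tier) as listed on the page, tier added here
    "mpdedicated.com": ("173.192.48.97", 80, "high"),
    "host.1unlimited.com": ("207.244.72.197", 80, "high"),
    "203.130.48.149-bj-cnc": ("203.130.48.149", 443, "medium"),
    "a-0001.a-msedge.net": ("204.79.197.200", 80, "low"),
    "a104-93-210-154.deploy.static.akamaitechnologies.com": ("104.93.210.154", 443, "low"),
    "forums.winamp.com": ("176.31.226.182", 80, "low"),
    "ec2-52-2-10-61.compute-1.amazonaws.com": ("52.2.10.61", 443, "low"),
}
BY_IP = {ip: (host, port, tier) for host, (ip, port, tier) in INDICATORS.items()}

# Constructed log lines: client 10.0.0.5 reproduces the report's connections both
# with and without a logged hostname; the example.com line is benign filler.
SAMPLE_LOG = """\
2024-11-23T12:44:59Z 10.0.0.5 204.79.197.200:80 a-0001.a-msedge.net GET /
2024-11-23T12:45:03Z 10.0.0.5 173.192.48.97:80 MPDEDICATED.COM GET /
2024-11-23T12:45:10Z 10.0.0.7 203.0.113.10:443 www.example.com CONNECT -
2024-11-23T12:45:12Z 10.0.0.5 207.244.72.197:80 - GET /
2024-11-23T12:45:20Z 10.0.0.9 203.130.48.149:443 - CONNECT -
"""

_LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>[^\s:]+):(?P<port>\d+)\s+(?P<host>\S+)\s+(?P<rest>.*)$"
)


def parse_line(line: str):
    """Split one log line into fields, or return None if it does not fit the layout."""
    m = _LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    rec["host"] = rec["host"].rstrip(".").lower()  # case-insensitive, no trailing dot
    return rec


def match_line(line: str):
    """Return a hit dict if the line's hostname or destination IP is an indicator.

    Hostname is tried first (survives a changed IP); the IP is tried second so that
    lines logged without a name, like the reverse-DNS-only destination, still match.
    Port is recorded but not required: a control server can move ports.
    """
    rec = parse_line(line)
    if rec is None:
        return None
    if rec["host"] in INDICATORS:
        ip, port, tier = INDICATORS[rec["host"]]
        return {"ts": rec["ts"], "src": rec["src"], "indicator": rec["host"],
                "tier": tier, "matched_on": "host", "port_as_listed": rec["port"] == port}
    try:
        dst = str(ipaddress.ip_address(rec["dst"]))
    except ValueError:
        return None
    if dst in BY_IP:
        host, port, tier = BY_IP[dst]
        return {"ts": rec["ts"], "src": rec["src"], "indicator": host,
                "tier": tier, "matched_on": "ip", "port_as_listed": rec["port"] == port}
    return None


def scan_log(text: str) -> list:
    """All hits in a block of log text, in line order."""
    return [hit for hit in map(match_line, text.splitlines()) if hit]


def clients_to_triage(text: str) -> set:
    """Clients with at least one high-tier hit; low-tier hits alone are ignored."""
    return {h["src"] for h in scan_log(text) if h["tier"] == "high"}


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src']} -> {hit['indicator']} [{hit['tier']}, via {hit['matched_on']}]")
    print("triage:", sorted(clients_to_triage(SAMPLE_LOG)))
```

The low-tier hosts are kept in the table so that a client already flagged on mpdedicated.com can be shown to match the rest of the report's pattern, but `clients_to_triage()` deliberately never escalates on them alone.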

Powered by Reason Core Security