explorer.exe

TOLGA KAPLAN

The executable explorer.exe has been detected as malware by 19 anti-virus scanners. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘explorer’. Although this file uses the name explorer.exe, this is NOT the File Explorer program distributed with the Windows OS that is found in C:\Windows.
Publisher: TOLGA KAPLAN (signed and verified)
Version: 1.0.0.0
MD5: e02579de514389f6495aba0f060e8516
SHA-1: 8d730527241adfbbcf239af651b1882440ad890c
SHA-256: 141fc85474b2f328b82cc74d2e5d0c99c46c1d70990d03972f9789904930b9d8
Scanner detections: 19 / 68
Status: Malware
Analysis date: 11/27/2024 11:58:18 AM UTC

Scan engine | Detection | Engine version
Lavasoft Ad-Aware | Trojan.GenericKD.1773946 | 404
Avira AntiVirus | TR/Dropper.MSIL.69420 | 7.11.164.150
AVG | Generic | 2016.0.2882
Bitdefender | Trojan.GenericKD.1773946 | 1.0.20.1805
Comodo Security | UnclassifiedMalware | 19026
Emsisoft Anti-Malware | Trojan.GenericKD.1773946 | 8.15.12.27.09
ESET NOD32 | MSIL/StartPage.AN (variant) | 9.10177
F-Secure | Trojan.GenericKD.1773946 | 11.2015-27-12_1
G Data | Trojan.GenericKD.1773946 | 15.12.24
IKARUS anti.virus | Trojan.MSIL.StartPage | t3scan.1.6.1.0
K7 AntiVirus | Trojan | 13.181.12898
McAfee | Artemis!E02579DE5143 | 5600.6538
MicroWorld eScan | Trojan.GenericKD.1773946 | 16.0.0.1083
nProtect | Trojan.GenericKD.1773946 | 14.07.30.01
Qihoo 360 Security | Win32/Trojan.Dropper.2d1 | 1.0.0.1015
Sophos | Mal/Generic-S | 4.98
SUPERAntiSpyware | Trojan.Agent/Gen-Malagent | 9421
Trend Micro House Call | Suspicious_GEN.F47V0723 | 7.2.361
VIPRE Antivirus | Trojan.Win32.Generic | 31752

File size: 91.7 KB (93,936 bytes)
Product version: 1.0.0.0
Original file name: csrss.exe
File type: Executable application (Win32 EXE)
Language: Turkish (Turkey)
Common path: C:\ProgramData\explorer.exe

Digital Signature
Signed by:
Authority: COMODO CA Limited
Valid from: 6/27/2014 3:00:00 AM
Valid to: 6/28/2015 2:59:59 AM
Subject: CN=TOLGA KAPLAN, O=TOLGA KAPLAN, STREET=mecidiye mah. dereboyu cad. lozan sok., STREET=akgun apart. no:15/3, L=istanbul, S=besiktas, PostalCode=34347, C=TR
Issuer: CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
Serial number: 0166B65038D61E5435B48204CAE4795A

File PE Metadata
Compilation timestamp: 7/11/2014 12:54:35 AM
OS version: 4.0
OS bitness: Win32
Subsystem: Windows GUI
Linker version: 6.0
.NET CLR dependent: Yes
CTPH (ssdeep): 1536:o3ubODLSNFzjHpY5DIaJ53LdBw+xonnALW1b9gLdlRNTPqpF3Ovopc:o3kOiNFzzp+J5H0nALWfgL3nTDopc
Entry address: 0x16C8E
Entry point: FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...

Developed / compiled with: Microsoft Visual C# / Basic .NET
Code size: 83.5 KB (85,504 bytes)

Startup File (User Run)
Registry location: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Name: explorer
Command: C:\ProgramData\explorer.exe
