explorer.exe

TOLGA KAPLAN

The application explorer.exe by TOLGA KAPLAN has been detected as a potentially unwanted program by 9 anti-malware scanners. It is set to automatically execute when any user logs into Windows (through the local user run registry setting) with the name ‘explorer’. Although this file uses the name explorer.exe, this is NOT the File Explorer program distributed with the Windows OS that is found in C:\Windows.
Publisher:
TOLGA KAPLAN (signed and verified)

Version:
1.0.0

MD5:
2d23306336de9a700d4356fab23934e8

SHA-1:
de2fec335a22e7911fbd042b5533e056640cfcad

SHA-256:
dfec0869effa17ed6cbdc159451789251185fd7349be490503c1ff911fbaee5f

Scanner detections:
9 / 68

Status:
Potentially unwanted

Analysis date:
4/23/2025 7:15:39 PM UTC

Scan engine               Detection                      Engine version
Avira AntiVirus           TR/Dropper.MSIL.64540          7.11.158.148
avast!                    Win32:Malware-gen              2014.9-140711
AVG                       Generic                        2015.0.3417
Comodo Security           UnclassifiedMalware            18771
Emsisoft Anti-Malware     Adware.Win32.StartPage         8.14.07.11.12
ESET NOD32                MSIL/StartPage.AN (variant)    8.10048
IKARUS anti.virus         Trojan.Win32.StartPage         t3scan.1.6.1.0
Malwarebytes              Trojan.MSIL.Injector           v2014.07.11.12
Trend Micro House Call    Suspicious_GEN.F47V0704        7.2.192

File size:
107.2 KB (109,808 bytes)

Product version:
1.0.0

Original file name:
csrss.exe

File type:
Executable application (Win32 EXE)

Language:
Turkish (Turkey)

Common path:
C:\ProgramData\explorer.exe

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
6/27/2014 3:00:00 AM

Valid to:
6/28/2015 2:59:59 AM

Subject:
CN=TOLGA KAPLAN, O=TOLGA KAPLAN, STREET=mecidiye mah. dereboyu cad. lozan sok., STREET=akgun apart. no:15/3, L=istanbul, S=besiktas, PostalCode=34347, C=TR

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
0166B65038D61E5435B48204CAE4795A

File PE Metadata
Compilation timestamp:
6/29/2014 2:51:00 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
3072:wgRMwiTmTPHF3ghOwFAvQg+h9lX8mWFgtggx4TwNpe:wcriTi/F33CAv/02mhtggxsJ

Entry address:
0x1AC8E

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
99.5 KB (101,888 bytes)

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
explorer

Command:
C:\ProgramData\explorer.exe


Remove explorer.exe - Powered by Reason Core Security