explorer.exe

Windows Explorer

Microsoft Corporation

explorer.exe is the Windows shell: the desktop, taskbar, Start menu and file-browsing interface through which a user traverses the file system and manages files and the desktop. It ships with Windows 7 and is normally launched at logon as the user's shell through the Winlogon Shell value (the System INI 'Shell' mapping listed below), not through a Run key. On the systems analysed here it was additionally registered under the current-user Run key with the display name 'Windows Explorer'; that is not a default Windows configuration and is worth checking on any host where it appears. Several third-party programs (gorillaprice, Jsip, FindingDiscount, MySafeSavings) have registered Control Panel uninstall entries whose uninstall string is just explorer.exe followed by a URL. explorer.exe is not their uninstaller: the command only opens the URL in the default browser, and entries of this shape are typical of adware or potentially unwanted programs. The file has been seen being downloaded from e.mail.ru and multiple other hosts; a genuine copy lives at C:\Windows\explorer.exe and matches the hashes and Microsoft signature recorded below, so a copy obtained from anywhere else should be treated as suspect until its hash has been verified.
Publisher:
Microsoft Corporation

Product:
Microsoft® Windows® Operating System

Description:
Windows Explorer

Part of the Windows 7 Operating System

Version:
6.1.7600.16385 (win7_rtm.090713-1255)

MD5:
332feab1435662fc6c672e25beb37be3

SHA-1:
5a49d7390ee87519b9d69d3e4aa66ca066cc8255

SHA-256:
6bed1a3a956a859ef4420feb2466c040800eaf01ef53214ef9dab53aeff1cff0

Scanner detections:
0 / 68

Status:
Clean (as of last analysis)
Whitelisted  (by digital signature)

Analysis date:
4/20/2024 1:50:22 AM UTC  (today)

File size:
2.7 MB (2,871,808 bytes)

Product version:
6.1.7600.16385

Copyright:
© Microsoft Corporation. All rights reserved.

Original file name:
EXPLORER.EXE.MUI

File type:
Executable application (Win64 EXE)

Language:
English (United States)

Common path:
C:\windows\explorer.exe
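The hashes, size and signature status above are enough to confirm whether the explorer.exe on a given host is this exact build. The following PowerShell script is an added example, not part of the original analysis record: it hashes the file at its canonical path, checks its Authenticode signer, compares the result with the values recorded on this page, and then looks for additional copies of explorer.exe outside %SystemRoot% (a copy elsewhere is a classic masquerading technique). It assumes PowerShell 4.0 or later (for Get-FileHash) and that it runs on the host being checked; the verdict labels are this example's own.

```powershell
# Added example: verify that a host's explorer.exe is the build described on
# this page before trusting any autostart entry that references it.
# Assumes PowerShell 4.0+ (Get-FileHash). Reference values are from this page.

$Reference = @{
    Path   = Join-Path $env:SystemRoot 'explorer.exe'
    MD5    = '332feab1435662fc6c672e25beb37be3'
    SHA1   = '5a49d7390ee87519b9d69d3e4aa66ca066cc8255'
    SHA256 = '6bed1a3a956a859ef4420feb2466c040800eaf01ef53214ef9dab53aeff1cff0'
    Size   = 2871808
}

function Test-ExplorerIdentity {
    param([string]$Path = $Reference.Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Verdict = 'missing' }
    }

    $file   = Get-Item -LiteralPath $Path
    $md5    = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash.ToLower()
    $sha1   = (Get-FileHash -LiteralPath $Path -Algorithm SHA1).Hash.ToLower()
    $sha256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLower()
    $sig    = Get-AuthenticodeSignature -LiteralPath $Path

    # explorer.exe is catalog-signed rather than carrying an embedded signature.
    # Current PowerShell reports 'Valid' for catalog-signed files; older versions
    # (e.g. 2.0 on Windows 7) cannot see catalogs and report 'NotSigned' even for
    # a genuine file, so on such hosts rely on the hash comparison instead.
    $signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    $isMicrosoft = ($sig.Status -eq 'Valid') -and ($signer -like '*Microsoft*')

    $hashMatch = ($md5 -eq $Reference.MD5) -and ($sha1 -eq $Reference.SHA1) -and
                 ($sha256 -eq $Reference.SHA256) -and ($file.Length -eq $Reference.Size)

    # Verdict labels are this example's own, not the page's.
    $verdict = if ($hashMatch)       { 'matches-record' }
               elseif ($isMicrosoft) { 'microsoft-signed-different-build' }  # e.g. a patched build
               else                  { 'unverified-investigate' }

    [pscustomobject]@{
        Path      = $Path
        Size      = $file.Length
        MD5       = $md5
        SHA1      = $sha1
        SHA256    = $sha256
        SigStatus = $sig.Status
        Signer    = $signer
        Verdict   = $verdict
    }
}

# Check the canonical copy first.
Test-ExplorerIdentity | Format-List

# Then any other explorer.exe on the system drive. WinSxS legitimately holds
# component-store copies, so it is excluded; anything else deserves a look,
# especially if a Run key or scheduled task points at it.
Get-ChildItem -Path "$env:SystemDrive\" -Filter 'explorer.exe' -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.FullName -ne $Reference.Path -and $_.FullName -notlike "$env:SystemRoot\WinSxS\*" } |
    ForEach-Object { Test-ExplorerIdentity -Path $_.FullName } |
    Format-Table Path, SigStatus, Verdict -AutoSize
```

A 'microsoft-signed-different-build' result is expected on a patched Windows 7 host, since the page records the RTM build; only 'unverified-investigate' warrants a closer look.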

File PE Metadata
Compilation timestamp:
2/24/2011 11:24:04 PM

OS version:
6.1

OS bitness:
Win64

Subsystem:
Windows GUI

Linker version:
9.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
49152:S/Co9niu04mHTaSk1EeC72ZbhvYYYYYYYYYYYRYYYYYYYYYYE3iA7/eFUJN9ojoI:uC0iscClvYYYYYYYYYYYRYYYYYYYYYY9

Entry address:
0x2B754

Entry point:
48, 83, EC, 28, E8, 47, F0, FF, FF, 48, 83, C4, 28, EB, 09, 90, 90, 90, 90, 90, 90, 90, 90, 90, 48, 8B, C4, 48, 89, 58, 08, 48, 89, 78, 10, 4C, 89, 60, 18, 41, 55, 48, 81, EC, B0, 00, 00, 00, 33, DB, 89, 5C, 24, 20, 48, 8D, 48, 88, FF, 15, DC, DA, 08, 00, 90, 65, 48, 8B, 04, 25, 30, 00, 00, 00, 48, 8B, 78, 08, 44, 8B, E3, 33, C0, F0, 48, 0F, B1, 3D, 60, C9, 0B, 00, 0F, 85, 75, 9D, 04, 00, 8B, 05, F0, C9, 0B, 00, 83, F8, 01, 0F, 84, 86, 9D, 04, 00, 8B, 05, E1, C9, 0B, 00, 3B, C3, 0F, 85, 8F, 9D, 04, 00, C7...

Entropy:
5.8748

Code size:
735 KB (752,640 bytes)

12 Autoplay Handlers
Display name:
MSOpenFolder

CLSID name:
{EBEB87A4-E151-4054-AB45-A6E094C5334B}

Display name:
AutoPlayCustomHandler_20130620082835

Display name:
AutoPlayCustomHandler_20130620083335

Display name:
AutoPlayCustomHandler_20130620084425

Display name:
AutoPlayCustomHandler_20130620084619

Display name:
AutoPlayCustomHandler_20130620085805


Ini File Mappings System INI
Name:
Shell


5 Program Uninstaller
Program name:
gorillaprice

Uninstall string:
explorer.exe http://uninstaller.gorillaprice.com/uninstaller.php

Program name:
grillaprice

Uninstall string:
explorer.exe http://uninstaller.gorillaprice.com/uninstaller.php

Program name:
Jsip

Uninstall string:
explorer.exe http://198.72.123.232/JsipUninstaller.html

Program name:
FindingDiscount

Uninstall string:
explorer.exe http://uninstall.finding.discount

Program name:
MySafeSavings

Display version:
1.0.3.2

Uninstall string:
explorer.exe http://uninstall.mysafesavings.com


4 Scheduled Tasks
Task name:
{285BCC42-6469-45B6-ABCA-50BFF3FDA4E8}

Trigger:
Registration (Runs on registration)

Task name:
OS (c

Trigger:
Daily (Runs daily at 20:42)

Task name:
Bomgar Task 294358

Trigger:
Registration (Runs on registration)

Action:
explorer.exe \n,::{21ec2020-3aea-1069-a2dd-08002b30309d}

Task name:
RunAsStdUser_Task

Trigger:
Registration (Runs on registration)


2 Shell Open Commands
Open type:
SHCmdFile

Command:
C:\windows\explorer.exe

Open type:
ftp

Command:
"C:\windows\explorer.exe" %1


Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Windows Explorer

Command:
C:\windows\explorer.exe


User Start Menu Item
Name:
explorer.exe


Windows Firewall Allowed Program
Name:
C:\Windows\explorer.exe

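The uninstall strings, scheduled task action and Run entry recorded above share one pattern: explorer.exe is not being run as the shell but used as a launcher, either for a URL (which opens in the default browser) or for a shell namespace CLSID (the Control Panel object in the task above). The following PowerShell script is an added example, not part of the original analysis record: it walks the Run and RunOnce keys, the Uninstall keys and the scheduled task actions on a host and reports entries that use explorer.exe this way, plus any Run value that launches explorer.exe at all, since Windows starts the shell from Winlogon, not from Run. It assumes PowerShell 3.0 or later and Get-ScheduledTask (Windows 8 / Server 2012 or later; on Windows 7 substitute `schtasks /query /v /fo csv`). The regexes and 'Reason' labels are this example's own.

```powershell
# Added example: audit autostart and uninstall locations for entries that use
# explorer.exe as a URL or shell-namespace launcher. Assumes PowerShell 3.0+;
# the scheduled-task check needs Get-ScheduledTask (Windows 8+).

# explorer.exe <URL> opens the URL in the default browser; explorer.exe ::{CLSID}
# opens a shell namespace object. Neither is how Windows itself starts the shell.
$UrlLauncher   = '(^|\\|")explorer(\.exe)?"?\s+\S*https?://'
$ShellNsLaunch = '(^|\\|")explorer(\.exe)?"?\s+.*::\{[0-9a-f-]{36}\}'
$BareExplorer  = '(^|\\|")explorer\.exe"?\s*$'

function Get-ExplorerAbuseReason {
    param([string]$Command)
    if ([string]::IsNullOrWhiteSpace($Command)) { return $null }
    if ($Command -match $UrlLauncher)   { return 'explorer.exe used to open a URL' }
    if ($Command -match $ShellNsLaunch) { return 'explorer.exe used to open a shell namespace CLSID' }
    return $null
}

$findings = New-Object System.Collections.Generic.List[object]
$psMeta   = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

# 1. Run / RunOnce keys. Windows starts explorer.exe via Winlogon\Shell, so any
#    Run value that launches explorer.exe is itself a finding (as on this page).
foreach ($hive in 'HKCU:', 'HKLM:') {
    foreach ($sub in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                     'SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce') {
        $key = Join-Path $hive $sub
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($psMeta -contains $p.Name) { continue }
            $cmd    = [string]$p.Value
            $reason = Get-ExplorerAbuseReason $cmd
            if (-not $reason -and $cmd -match $BareExplorer) {
                $reason = 'explorer.exe registered under Run (not a Windows default)'
            }
            if ($reason) {
                $findings.Add([pscustomobject]@{ Source = "$key\$($p.Name)"; Command = $cmd; Reason = $reason })
            }
        }
    }
}

# 2. Uninstall entries. Adware commonly registers 'explorer.exe http://...' so
#    that "uninstalling" from Control Panel merely opens a web page.
$uninstallRoots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
                  'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
                  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
foreach ($root in $uninstallRoots) {
    if (-not (Test-Path $root)) { continue }
    foreach ($child in Get-ChildItem -Path $root) {
        $entry  = Get-ItemProperty -Path $child.PSPath
        $reason = Get-ExplorerAbuseReason ([string]$entry.UninstallString)
        if ($reason) {
            $findings.Add([pscustomobject]@{
                Source  = "Uninstall: $($entry.DisplayName) [$($child.PSChildName)]"
                Command = $entry.UninstallString
                Reason  = $reason
            })
        }
    }
}

# 3. Scheduled tasks whose action is explorer.exe with a URL or CLSID argument.
if (Get-Command Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            $cmd    = "$($action.Execute) $($action.Arguments)".Trim()
            $reason = Get-ExplorerAbuseReason $cmd
            if ($reason) {
                $findings.Add([pscustomobject]@{ Source = "Task: $($task.TaskPath)$($task.TaskName)"; Command = $cmd; Reason = $reason })
            }
        }
    }
}

$findings | Format-Table Source, Reason, Command -AutoSize -Wrap
```

Against the entries recorded on this page the script would flag all five uninstall strings (URL launcher), the Bomgar task action (shell namespace CLSID) and the HKCU Run value named 'Windows Explorer'. Remove adware uninstall entries only after the program's files and other persistence have been dealt with, since the entry itself does nothing but open the vendor's page.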

The file explorer.exe has been seen being distributed by the following 2 URLs.