EXPLORER.EXE

Windows Explorer

Microsoft Corporation

The file is configured to start automatically when a user logs into Windows, via the current-user Run registry key, under the display name ‘AKiku’. It is also the uninstaller utility registered in the Windows Control Panel for the program gorillaprice. The file has been seen being downloaded from downloads.ziddu.com and multiple other hosts.
Publisher:
Microsoft Corporation

Product:
Microsoft® Windows® Operating System

Description:
Windows Explorer

Version:
6.00.2900.5512 (xpsp.080413-2105)

MD5:
12896823fb95bfb3dc9b46bcaedc9923

SHA-1:
9d2bf84874abc5b6e9a2744b7865c193c08d362f

SHA-256:
1e675cb7df214172f7eb0497f7275556038a0d09c6e5a3e6862c5e26885ef455

Scanner detections:
0 / 68

Status:
Clean (as of last analysis)

Analysis date:
4/26/2024 9:51:37 AM UTC

File size:
1009.5 KB (1,033,728 bytes)

Product version:
6.00.2900.5512

Copyright:
© Microsoft Corporation. All rights reserved.

Original file name:
EXPLORER.EXE

File type:
Executable application (Win32 EXE)

Common path:
C:\windows\explorer.exe

File PE Metadata
Compilation timestamp:
4/13/2008 10:17:04 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
7.10

CTPH (ssdeep):
12288:HHmcoCUyZtwAvAs4wTCyrPTloHWYUrkf8w0Vnzac1/g/J/vMS:nmfty/wAvN7lrvbkf8w0VnH1/g/J/k

Entry address:
0x1A55F

Entry point:
8B, FF, 55, 8B, EC, 83, EC, 44, 56, 57, 6A, 10, 68, D8, A5, 01, 01, E8, 1E, 55, FF, FF, E8, E2, FB, FF, FF, 6A, 01, FF, 15, 1C, 11, 00, 01, FF, 15, 18, 11, 00, 01, 50, E8, 69, FB, FF, FF, 6A, 10, 8B, F0, 59, 33, C0, 8D, 7D, C0, F3, AB, 8D, 45, BC, 50, C7, 45, BC, 44, 00, 00, 00, FF, 15, 14, 11, 00, 01, F6, 45, E8, 01, 74, 22, 0F, B7, 45, EC, 50, 56, 33, F6, 56, 56, FF, 15, 58, 12, 00, 01, 50, E8, 26, 00, 00, 00, 8B, F8, E8, E0, 09, 02, 00, E9, 2D, 8E, 00, 00, 6A, 0A, 58, EB, DD, 45, 78, 70, 6C, 6F, 72, 65...

Entropy:
6.7440

Code size:
275.5 KB (282,112 bytes)

3 Autoplay Handlers
Display name:
MSCDBurningOnArrival

CLSID name:
Notes Link

Display name:
MSOpenFolder

CLSID name:
Notes Link

Display name:
TweakUIAutoplay_6328590


Ini File Mappings System INI
Name:
Shell


3 Program Uninstaller
Program name:
gorillaprice

Uninstall string:
explorer.exe http://uninstaller.gorillaprice.com/uninstaller.php

Program name:
FindingDiscount

Uninstall string:
explorer.exe http://uninstall.finding.discount

Program name:
grillaprice

Uninstall string:
explorer.exe http://uninstaller.gorillaprice.com/uninstaller.php


Shell Open Command
Open type:
SHCmdFile

Command:
explorer.exe


2 Startup Files (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
AKiku

Command:
\windows\explorer.exe

Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
ISO Checker

Command:
\windows\explorer.exe


3 Startup Files (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
AKiku

Command:
\windows\explorer.exe

Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
ISO Checker

Command:
\windows\explorer.exe

Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Windows Explorer

Command:
"C:\windows\explorer.exe" \idlist,:2100:724,\s


User Start Menu Item
Name:
explorer.exe


5 Windows Firewall Allowed Programs
Name:
C:\WINDOWS\Explorer.EXE

Name:
C:\SYSTEM\explorer.exe

Name:
F:\WINDOWS\Explorer.EXE

Name:
D:\WINDOWS\explorer.exe

Name:
%windir%\explorer.exe


The file EXPLORER.EXE has been seen being distributed by the following 3 URLs.

temp:explorer.exe

Scan EXPLORER.EXE - Powered by Reason Core Security