explorer.exe

TOLGA KAPLAN

The executable explorer.exe has been detected as malware by 20 anti-virus scanners. It is set to execute automatically when any user logs into Windows (through the local user Run registry setting) under the name ‘explorer’. Although this file uses the name explorer.exe, it is NOT the File Explorer program distributed with the Windows OS, which is found in C:\Windows.
Publisher:
TOLGA KAPLAN  (signed and verified)

Version:
1.0.0.0

MD5:
c5ff17752c9c8431e547269a4a9f871b

SHA-1:
847f64f9b420093d9b11474ce0f11a48bc731917

Scanner detections:
20 / 68

Status:
Malware

Analysis date:
6/27/2025 4:10:41 PM UTC

Scan engine                Detection                        Engine version
Lavasoft Ad-Aware          Trojan.GenericKD.1765052         62
Avira AntiVirus            TR/Dropper.MSIL.68152            7.11.163.230
avast!                     Win32:Malware-gen                2014.9-161203
AVG                        Generic                          2017.0.2540
Bitdefender                Trojan.GenericKD.1765052         1.0.20.1690
Comodo Security            UnclassifiedMalware              18961
Dr.Web                     Trojan.DownLoader11.7633         9.0.1.0338
Emsisoft Anti-Malware      Trojan.GenericKD.1765052         8.16.12.03.02
ESET NOD32                 MSIL/StartPage.AN (variant)      10.10149
F-Secure                   Trojan.GenericKD.1765052         11.2016-03-12_7
G Data                     Trojan.GenericKD.1765052         16.12.24
IKARUS anti.virus          Trojan.MSIL.StartPage            t3scan.1.6.1.0
K7 AntiVirus               Trojan                           13.181.12834
McAfee                     Artemis!C5FF17752C9C             5600.6196
MicroWorld eScan           Trojan.GenericKD.1765052         17.0.0.1014
Qihoo 360 Security         Win32/Trojan.Dropper.b03         1.0.0.1015
Sophos                     Mal/Generic-S                    4.98
SUPERAntiSpyware           Trojan.Agent/Gen-Malagent        8738
Trend Micro House Call     Suspicious_GEN.F47V0718          7.2.338
VIPRE Antivirus            Trojan.Win32.Generic             31570

File size:
129.7 KB (132,848 bytes)

Product version:
1.0.0.0

Original file name:
csrss.exe

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\Documents and Settings\{user}\Application data\explorer.exe

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
6/27/2014 3:00:00 AM

Valid to:
6/28/2015 2:59:59 AM

Subject:
CN=TOLGA KAPLAN, O=TOLGA KAPLAN, STREET=mecidiye mah. dereboyu cad. lozan sok., STREET=akgun apart. no:15/3, L=istanbul, S=besiktas, PostalCode=34347, C=TR

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
0166B65038D61E5435B48204CAE4795A

File PE Metadata
Compilation timestamp:
7/11/2014 12:54:35 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
3072:YBTze5b2Z4VZXYCVpP7JWWc5EWwaaaRHddl3CXKQbgOUp5e:S+NP7k2QZQbp

Entry address:
0x205CE

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 78, A4, 6A, D7, 56, B7, C7, E8, DB, 70, 20, 24, EE, CE, BD, C1, AF, 0F, 7C, F5, 2A, C6, 87, 47, 13, 46, 30, A8, 01, 95, 46, FD, D8, 98, 80, 69, AF, F7, 44, 8B, B1, 5B, FF, FF, BE, D7, 5C, 89, 22, 11, 90, 6B, 93, 71, 98, FD, 8E, 43, 79, A6, 21, 08, B4, 49, 62, 25, 1E, F6, 40, B3, 40, C0, 51, 5A, 5E, 26, AA, C7...

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
121.5 KB (124,416 bytes)

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
explorer

Command:
C:\Documents and Settings\{user}\Application data\explorer.exe

Remove explorer.exe - Powered by Reason Core Security