SHA256: 16a2fc48dff04ea218f834cef7e09fe5b81e412f8a3db41a695c59a630befd40
File name: Nthandle
Detection ratio: 0 / 65
Analysis date: 2019-03-13 14:17:25 UTC ( 5 days, 3 hours ago )
Antivirus Result Update
Acronis 20190313
Ad-Aware 20190313
AegisLab 20190313
AhnLab-V3 20190313
Alibaba 20190306
ALYac 20190313
Antiy-AVL 20190313
Arcabit 20190313
Avast 20190313
Avast-Mobile 20190313
AVG 20190313
Avira (no cloud) 20190313
Babable 20180918
Baidu 20190306
BitDefender 20190313
Bkav 20190313
CAT-QuickHeal 20190313
ClamAV 20190313
CMC 20190313
Comodo 20190313
Cybereason 20190109
Cyren 20190313
DrWeb 20190313
eGambit 20190313
Emsisoft 20190313
Endgame 20190215
ESET-NOD32 20190313
F-Secure 20190313
Fortinet 20190313
GData 20190313
Ikarus 20190313
Sophos ML 20181128
Jiangmin 20190313
K7AntiVirus 20190313
K7GW 20190313
Kaspersky 20190313
Kingsoft 20190313
Malwarebytes 20190313
MAX 20190313
McAfee 20190313
McAfee-GW-Edition 20190313
Microsoft 20190313
eScan 20190313
NANO-Antivirus 20190313
Palo Alto Networks (Known Signatures) 20190313
Panda 20190313
Qihoo-360 20190313
Rising 20190313
SentinelOne (Static ML) 20190311
Sophos AV 20190313
SUPERAntiSpyware 20190307
Symantec Mobile Insight 20190220
TACHYON 20190313
Tencent 20190313
TheHacker 20190308
TotalDefense 20190313
Trapmine 20190301
TrendMicro-HouseCall 20190313
Trustlook 20190313
VBA32 20190313
VIPRE 20190313
ViRobot 20190313
Yandex 20190312
Zillya 20190313
ZoneAlarm by Check Point 20190313
Zoner 20190313
The file being studied is a Portable Executable file. More specifically, it is a Win32 EXE file for the Windows command line subsystem that targets 64-bit architectures.
Authenticode signature block and FileVersionInfo properties
Copyright
Copyright (C) 1997-2016 Mark Russinovich

Product Sysinternals Handle
Original name Nthandle.exe
Internal name Nthandle
File version 4.1
Description Handle viewer
Signature verification Signed file, verified signature
Signing date 6:03 PM 7/1/2016
Signers
[+] Microsoft Corporation
Status This certificate or one of the certificates in the certificate chain is not time valid.
Issuer Microsoft Code Signing PCA
Valid from 04:42 PM 06/04/2015
Valid to 04:42 PM 09/04/2016
Valid usage Code Signing
Algorithm sha1RSA
Thumbprint 3BDA323E552DB1FDE5F4FBEE75D6D5B2B187EEDC
Serial number 33 00 00 01 0A 2C 79 AE D7 79 7B A6 AC 00 01 00 00 01 0A
[+] Microsoft Code Signing PCA
Status Valid
Issuer Microsoft Root Certificate Authority
Valid from 09:19 PM 08/31/2010
Valid to 09:29 PM 08/31/2020
Valid usage All
Algorithm sha1RSA
Thumbprint 3CAF9BA2DB5570CAF76942FF99101B993888E257
Serial number 61 33 26 1A 00 00 00 00 00 31
[+] Microsoft Root Certificate Authority
Status Valid
Issuer Microsoft Root Certificate Authority
Valid from 10:19 PM 05/09/2001
Valid to 10:28 PM 05/09/2021
Valid usage All
Algorithm sha1RSA
Thumbprint CDD4EEAE6000AC7F40C3802C171E30148030C072
Serial number 79 AD 16 A1 4A A0 A5 AD 4C 73 58 F4 07 13 2E 65
Counter signers
[+] Microsoft Time-Stamp Service
Status This certificate or one of the certificates in the certificate chain is not time valid.
Issuer Microsoft Time-Stamp PCA
Valid from 06:21 PM 03/30/2016
Valid to 06:21 PM 06/30/2017
Valid usage Timestamp Signing
Algorithm sha1RSA
Thumbprint A1F3FE643CAC735D7976F27DE33004BE9A309A87
Serial number 33 00 00 00 99 AA C5 81 9F 8C A2 7D 8A 00 00 00 00 00 99
[+] Microsoft Time-Stamp PCA
Status Valid
Issuer Microsoft Root Certificate Authority
Valid from 11:53 AM 04/03/2007
Valid to 12:03 PM 04/03/2021
Valid usage Timestamp Signing
Algorithm sha1RSA
Thumbprint 375FCB825C3DC3752A02E34EB70993B4997191EF
Serial number 61 16 68 34 00 00 00 00 00 1C
[+] Microsoft Root Certificate Authority
Status Valid
Issuer Microsoft Root Certificate Authority
Valid from 10:19 PM 05/09/2001
Valid to 10:28 PM 05/09/2021
Valid usage All
Algorithm sha1RSA
Thumbprint CDD4EEAE6000AC7F40C3802C171E30148030C072
Serial number 79 AD 16 A1 4A A0 A5 AD 4C 73 58 F4 07 13 2E 65
PE header basic information
Target machine x64
Compilation timestamp 2016-07-01 17:03:28
Entry Point 0x0000830C
Number of sections 5
PE sections
Overlays
MD5 a6c5eaba41a0a80fed264c97b5b9c6a8
File type data
Offset 210432
Size 16032
Entropy 7.43
PE imports
GetTokenInformation
RegCloseKey
LookupAccountSidW
OpenProcessToken
RegSetValueExW
RegOpenKeyExW
RegCreateKeyW
AdjustTokenPrivileges
LookupPrivilegeValueW
RegOpenKeyW
RegDeleteKeyW
RegQueryValueExW
PrintDlgW
GetDeviceCaps
EndPage
EndDoc
StartPage
StartDocW
SetMapMode
GetStdHandle
GetDriveTypeW
WaitForSingleObject
EncodePointer
GetFileAttributesW
DeleteCriticalSection
GetCurrentProcess
GetConsoleMode
LocalAlloc
FreeEnvironmentStringsW
SetStdHandle
GetCPInfo
WriteFile
GetSystemTimeAsFileTime
HeapReAlloc
GetStringTypeW
GetOEMCP
LocalFree
FormatMessageW
OutputDebugStringW
TlsGetValue
SetLastError
DeviceIoControl
ReadConsoleInputA
LoadResource
GetModuleFileNameW
IsDebuggerPresent
HeapAlloc
SetThreadErrorMode
RtlVirtualUnwind
UnhandledExceptionFilter
LoadLibraryExW
MultiByteToWideChar
SetFilePointerEx
CreateThread
GetSystemDirectoryW
SetUnhandledExceptionFilter
IsProcessorFeaturePresent
ExitThread
DecodePointer
TerminateProcess
GetVersion
GetModuleHandleExW
ReadConsoleW
GetCurrentThreadId
WriteConsoleW
InitializeCriticalSectionAndSpinCount
HeapFree
EnterCriticalSection
TerminateThread
LoadLibraryW
SetEvent
QueryPerformanceCounter
TlsAlloc
FlushFileBuffers
OpenProcess
GetStartupInfoW
DeleteFileW
GetProcAddress
GetConsoleScreenBufferInfo
GetProcessHeap
ExpandEnvironmentStringsW
RtlLookupFunctionEntry
DuplicateHandle
RtlUnwindEx
CreateEventW
CreateFileW
GetFileType
TlsSetValue
ExitProcess
LeaveCriticalSection
GetLastError
LCMapStringW
GetConsoleCP
GetEnvironmentStringsW
SizeofResource
GetCurrentProcessId
LockResource
GetCommandLineW
WideCharToMultiByte
HeapSize
SetEndOfFile
TlsFree
ReadFile
RtlCaptureContext
CloseHandle
GetACP
GetModuleHandleW
IsValidCodePage
SetConsoleMode
FindResourceW
CreateProcessW
Sleep
SendMessageW
DialogBoxIndirectParamW
EndDialog
SetWindowTextW
GetSysColorBrush
InflateRect
LoadCursorW
GetDlgItem
SetCursor
VerQueryValueW
GetFileVersionInfoW
GetFileVersionInfoSizeW
Number of PE resources by type
BINRES 1
RT_VERSION 1
RT_MANIFEST 1
Number of PE resources by language
ENGLISH US 3
PE resources
ExifTool file metadata
UninitializedDataSize 0
LinkerVersion 12.0
ImageVersion 0.0
FileSubtype 0
FileVersionNumber 4.1.0.0
LanguageCode English (U.S.)
FileFlagsMask 0x003f
FileDescription Handle viewer
ImageFileCharacteristics No relocs, Executable, Large address aware
CharacterSet Unicode
InitializedDataSize 174592
EntryPoint 0x830c
OriginalFileName Nthandle.exe
MIMEType application/octet-stream
LegalCopyright Copyright (C) 1997-2016 Mark Russinovich
FileVersion 4.1
TimeStamp 2016:07:01 19:03:28+02:00
FileType Win64 EXE
PEType PE32+
InternalName Nthandle
ProductVersion 4.1
SubsystemVersion 5.2
OSVersion 5.2
FileOS Windows NT 32-bit
Subsystem Windows command line
MachineType AMD AMD64
CompanyName Sysinternals - www.sysinternals.com
CodeSize 95744
ProductName Sysinternals Handle
ProductVersionNumber 4.1.0.0
FileTypeExtension exe
ObjectFileType Executable application
File identification
MD5 6ecaa375a1fc2e1ab2884703ce295a32
SHA1 eb8ea3cdcda0570401b15069513f934743c93eb2
SHA256 16a2fc48dff04ea218f834cef7e09fe5b81e412f8a3db41a695c59a630befd40
ssdeep 3072:EVBGG/pk/stkuh02TpIkVC2XT8Dl0D5kf5UF97hVNG2YxRR1eeE1KhD6LF4exEkl:KB7ftk2pJpXT8DOSi9x/jK8l
authentihash 5cee2ed868cac328737fd97abd884b560b5d8cb56eb101958adba5d1004aa319
imphash c65ef661ea959d7dcb4db41c3d4e5284
File size 221.2 KB ( 226464 bytes )
File type Win32 EXE
Magic literal PE32+ executable for MS Windows (console) Mono/.Net assembly
TrID Win64 Executable (generic) (82.0%)
OS/2 Executable (generic) (6.0%)
Generic Win/DOS Executable (5.9%)
DOS Executable Generic (5.9%)
Tags
peexe assembly overlay signed via-tor 64bits

VirusTotal metadata
First submission 2016-07-02 16:03:53 UTC ( 2 years, 8 months ago )
Last submission 2018-05-28 17:19:24 UTC ( 9 months, 3 weeks ago )
File names Nthandle
36533a5b81d3d52f!155-36533a5b81d3d52f!9309-36533a5b81d3d52f!30867-eb8ea3cdcda0570401b15069513f9347.temp
handle64.exe
handle64.exe
16A2FC48DFF04EA218F834CEF7E09FE5B81E412F8A3DB41A695C59A630BEFD40
handle641.exe
handle64.exe
handle64.exe
handle64.exe
handle64.exe
handle64.exe
handle64.exe
merge.exe
handle64.exe
tmp81rzgy
handle64.exe
handle64.exe
handle64.exe
Nthandle.exe
7040.tmp
emb5b82.tmp
D__C1_SysinternalsSuite_handle64.exe