handover-44.exe

Kaspersky Lab

The executable handover-44.exe has been detected as malware by 4 anti-virus scanners. It is configured to start automatically when a user logs into Windows, through the current user's Run registry key, under the display name ‘handover-57’.
Publisher:
Kaspersky Lab  (signed and verified)

MD5:
ea2aa2aeac82796c6750cd52dd5bdbc5

SHA-1:
d09eafc8b2195f4cbf6828d6c5b7b6fd73c33eaf

SHA-256:
eb0e72b894e89e4a6ef3efb95ed7c8180dece26875020a856f7cad06a2e92d72

Scanner detections:
4 / 68

Status:
Malware

Analysis date:
11/27/2024 2:46:57 PM UTC  (today)

Scan engine | Detection | Engine version
avast! | Win32:Trojan-gen | 160917-0
Dr.Web | Trojan.Nymaim.36 | 9.0.1.05190
ESET NOD32 | Win32/TrojanDownloader.Nymaim.BA trojan | 6.3.12010.0
Microsoft Security Essentials | Trojan:Win32/Pennelas.I!cl | 1.237.629.0

File size:
383.8 KB (392,968 bytes)

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\ProgramData\handover-80\handover-44.exe

Digital Signature
Signed by:

Authority:
VeriSign, Inc.

Valid from:
2/21/2008 1:00:00 AM

Valid to:
3/14/2009 12:59:59 AM

Subject:
CN=Kaspersky Lab, OU=Technical dept, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Kaspersky Lab, L=Moscow, S=Moscow, C=RU

Issuer:
CN=VeriSign Class 3 Code Signing 2004 CA, OU=Terms of use at https://www.verisign.com/rpa (c)04, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
778BD7E8BB927CA96511908AD941D028

File PE Metadata
Compilation timestamp:
12/4/2013 7:06:20 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

Entry address:
0x1000

Entry point:
6A, 01, 6A, 02, EB, 04, FF, D0, 50, C3, E8, 02, 00, 00, 00, 50, C3, 68, 08, 02, 00, 00, 68, 6D, A4, 45, 00, FF, 15, BD, 9C, 45, 00, 8B, F8, 68, 6D, A4, 45, 00, FF, 15, C1, 9C, 45, 00, 0A, C0, 0F, 85, 34, 11, 01, 00, 8B, EC, 81, EC, 84, 0C, 00, 00, FF, 35, E7, BE, 45, 00, FF, 15, 9D, 9C, 45, 00, 89, 85, 24, FA, FF, FF, E9, AC, 27, 00, 00, 00, 57, 00, 69, 00, 6E, 00, 64, 00, 6F, 00, 77, 00, 73, B8, 01, 00, 00, 00, A3, DA, A3, 45, 00, A1, BF, A1, 45, 00, 89, 85, 48, FC, FF, FF, 89, 85, 98, FD, FF, FF, 8D, 1D...
 

Code size:
22 KB (22,528 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
handover-57

Command:
C:\ProgramData\handover-80\handover-44.exe -1

