Windows Analysis Report
prevhost.exe

Overview

General Information

Sample name: prevhost.exe
Analysis ID: 1592539
MD5: ef917f8e0dab8500f8bf201c3dcc9ea7
SHA1: a6949bd943e11c032f3e0f420badb75519eb169a
SHA256: 531942d43420fe260b4dd4279920fc31c6c6bd0a9c64b61be3fad36cb7507482

Detection

Score: 1
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

Binary contains a suspicious time stamp
Program does not show much activity (idle)
Uses 32bit PE files

Classification

Source: prevhost.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: prevhost.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: prevhost.pdb source: prevhost.exe
Source: Binary string: prevhost.pdbGCTL source: prevhost.exe
Source: classification engine Classification label: clean1.winEXE@1/0@0/0
Source: prevhost.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\prevhost.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\prevhost.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\prevhost.exe Section loaded: uxtheme.dll
Source: prevhost.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: prevhost.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: prevhost.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: prevhost.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: prevhost.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: prevhost.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: prevhost.exe Static PE information: 0xC0C8E170 [Wed Jun 29 01:46:24 2072 UTC]
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
No contacted IP infos