vshosts.exe

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)

section	.gfids
section	*C (l)

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory June 28, 2021, 5:59 p.m.	process_identifier: 6200 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1	0	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section	{u'size_of_data': u'0x00687000', u'virtual_address': u'0x0076c000', u'entropy': 7.963587088816464, u'name': u'*C (l)', u'virtual_size': u'0x00686fb0'}				entropy	7.96358708882				description	A section with a high entropy has been found
entropy	0.970524175984				description	Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW June 28, 2021, 5:59 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW June 28, 2021, 5:59 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1	0

Communicates with host for which no DNS query was performed (2 events)

host	172.217.25.14
host	185.158.113.59

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation June 28, 2021, 5:59 p.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

A process attempted to delay the analysis task. (1 event)

description

vshosts.exe tried to sleep 19097650 seconds, actually delayed analysis time by 19097648 seconds

Installs an hook procedure to monitor for mouse events (1 event)

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExW June 28, 2021, 5:59 p.m.	thread_identifier: 0 callback_function: 0x0050fc98 hook_identifier: 14 (WH_MOUSE_LL) module_address: 0x00000000	1	223347321	0

Creates a windows hook that monitors keyboard input (keylogger) (1 event)

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExW June 28, 2021, 5:59 p.m.	thread_identifier: 0 callback_function: 0x004cb66b hook_identifier: 13 (WH_KEYBOARD_LL) module_address: 0x00000000	1	52101833	0

File has been identified by 15 AntiVirus engines on VirusTotal as malicious (15 events)

Elastic	malicious (high confidence)
FireEye	Generic.mg.fa0b6d3c4c059a04
Cylance	Unsafe
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Sophos	Generic ML PUA (PUA)
McAfee-GW-Edition	BehavesLike.Win32.Generic.vc
Gridinsoft	Trojan.Heur!.02214421
Microsoft	Trojan:Win32/Tnega!ml
AhnLab-V3	Malware/Win32.Generic.C4290342
BitDefenderTheta	Gen:NN.ZexaF.34758.@J0@a8BTE1cG
Malwarebytes	Malware.AI.3827194098
Rising	Malware.Heuristic!ET#92% (RDMK:cmRtazrV7gfZrgWZGJXWiKJcIz6B)
SentinelOne	Static AI - Suspicious PE
MaxSecure	Trojan.Malware.300983.susgen

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (10 events)

dead_host	185.158.113.59:45324
dead_host	192.168.56.102:49813
dead_host	192.168.56.102:49816
dead_host	192.168.56.102:49810
dead_host	192.168.56.102:49817
dead_host	192.168.56.102:49811
dead_host	192.168.56.102:49808
dead_host	192.168.56.102:49809
dead_host	192.168.56.102:49821
dead_host	192.168.56.102:49815