vmhost.exe

vm file module

The application vmhost.exe has been detected as a potentially unwanted program by 21 anti-malware scanners. This setup program bundles potentially unwanted software onto the user's PC alongside the software the user actually expected to install, without adequate consent. The program is typically distributed through malvertising.
Product:
vm file module

Version:
1, 0, 0, 1

MD5:
7f57c0a27b922789a10023d04b3f668b

SHA-1:
aa836149c2697ae9afa3c7892f203ce3f1b42297

SHA-256:
d2a4322d3ae66fde08bf81a0162ae5465ee5a53772a0b6c8af38e19f9c8eef25

Scanner detections:
21 / 68

Status:
Potentially unwanted

Analysis date:
4/20/2024 1:28:40 AM UTC

Scan engine                     Detection                           Engine version
Lavasoft Ad-Aware               Adware.Agent.OGH                    704
Agnitum Outpost                 PUA.Downware                        7.1.1
AhnLab V3 Security              PUP/Win32.Generic                   2014.09.06
Avira AntiVirus                 APPL/Tool.SquareNet.43              7.11.170.240
Bitdefender                     Adware.Agent.OGH                    1.0.20.310
Dr.Web                          Adware.Downware.6245                9.0.1.062
Emsisoft Anti-Malware           Adware.Agent.OGH                    8.15.03.03.09
ESET NOD32                      Win32/SquareNet (variant)           9.10372
F-Secure                        Adware.Agent.OGH                    11.2015-03-03_3
G Data                          Adware.Agent.OGH                    15.3.24
IKARUS anti.virus               PUA.Win32.SquareNet                 t3scan.1.7.5.0
K7 AntiVirus                    Riskware                            13.183.13286
McAfee                          Artemis!7F57C0A27B92                5600.6838
Microsoft Security Essentials   SoftwareBundler:Win32/SquareNet     1.10904
MicroWorld eScan                Adware.Agent.OGH                    16.0.0.186
NANO AntiVirus                  Riskware.Win32.Downware.ddjzgr      0.28.2.61942
nProtect                        Adware.Agent.OGH                    14.09.05.01
Panda Antivirus                 Trj/Chgt.D                          15.03.03.09
Sophos                          Square Network Installer            4.98
Trend Micro House Call          ADW_SQUAREN                         7.2.62
Trend Micro                     ADW_SQUAREN                         10.465.03

File size:
345.5 KB (353,792 bytes)

Product version:
1, 0, 0, 1

Copyright:
Copyright 2003

Original file name:
vmfile.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\ProgramData\updatetask\vmhost.exe
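To make the identifiers above usable in triage, here is an added script (my example, not part of the report or of Reason Core Security's tooling) that hashes a file, compares it with the hashes and byte size listed above, derives McAfee's "Artemis!" name from the MD5 (that generic detection name carries the first 12 hex digits of the file's MD5, upper-cased, which is why the McAfee entry above reads Artemis!7F57C0A27B92) and checks whether the file sits in the common path. The verdict labels and the function names are my own; the directory comparison is case-insensitive, as on NTFS.

```python
import hashlib
import ntpath

# Indicators copied from the report above: the three hashes and the byte size of vmhost.exe.
REPORT_IOCS = {
    "md5": "7f57c0a27b922789a10023d04b3f668b",
    "sha1": "aa836149c2697ae9afa3c7892f203ce3f1b42297",
    "sha256": "d2a4322d3ae66fde08bf81a0162ae5465ee5a53772a0b6c8af38e19f9c8eef25",
    "size": 353792,
}
# Directory the report lists as the common drop location.
DROP_DIR = r"C:\ProgramData\updatetask"


def hash_bytes(data: bytes) -> dict:
    """MD5, SHA-1 and SHA-256 hex digests plus length of an in-memory byte string."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": len(data),
    }


def hash_file(path: str, chunk: int = 1 << 20) -> dict:
    """Same digests for a file on disk, streamed in 1 MiB chunks so large binaries are not read whole."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    size = 0
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            md5.update(block)
            sha1.update(block)
            sha256.update(block)
            size += len(block)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(),
            "sha256": sha256.hexdigest(), "size": size}


def artemis_name(md5_hex: str) -> str:
    """McAfee's generic 'Artemis!' detection name carries the first 12 hex digits of the
    file's MD5, upper-cased. For the MD5 above that yields the report's 'Artemis!7F57C0A27B92',
    so the name can be derived from (and checked against) the hash without a McAfee engine."""
    return "Artemis!" + md5_hex[:12].upper()


def match_report(observed: dict, iocs: dict = REPORT_IOCS) -> dict:
    """Which of the report's indicators the observed file matches. A SHA-256 match is
    conclusive; a size match on its own is only a weak hint that deserves a closer look."""
    hits = {k: observed.get(k) == v for k, v in iocs.items()}
    hits["verdict"] = "match" if hits["sha256"] else ("size-only" if hits["size"] else "no match")
    return hits


def in_drop_dir(path: str) -> bool:
    """True if the file sits in the report's drop directory. ntpath.normcase lower-cases and
    normalises separators, so the NTFS-style case-insensitive comparison works on any OS."""
    return ntpath.normcase(ntpath.dirname(path)) == ntpath.normcase(DROP_DIR)


def triage_file(path: str) -> dict:
    """Hash a file and compare it to the report; the path check is independent of the hash check."""
    observed = hash_file(path)
    result = match_report(observed)
    result["artemis"] = artemis_name(observed["md5"])
    result["in_drop_dir"] = in_drop_dir(path)
    return result
```

Call triage_file(r"C:\ProgramData\updatetask\vmhost.exe") on a suspect host; a "match" verdict with in_drop_dir True is the report's sample, while "size-only" with the same path is worth pulling for a second look since repacked variants keep the drop location more often than the hash.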

File PE Metadata
Compilation timestamp:
7/11/2014 1:01:46 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
6144:t7xLbpIcGp5zddKY8VgH6C6rcBr5+7MDtOokRaLhoG7XG3Snj4I:1xLbpW5zeY8VgH6C5BdDtOokRaWG7XGs

Entry address:
0x2EDF1

Entry point:
E8, CF, B2, 00, 00, E9, 79, FE, FF, FF, 8B, FF, 55, 8B, EC, 83, EC, 10, 53, 56, FF, 75, 10, 8D, 4D, F0, E8, AC, D3, FF, FF, 8B, 5D, 08, 33, F6, 3B, DE, 75, 2F, E8, 90, 22, 00, 00, 56, 56, 56, 56, 56, C7, 00, 16, 00, 00, 00, E8, EB, D7, FF, FF, 83, C4, 14, 80, 7D, FC, 00, 74, 07, 8B, 45, F8, 83, 60, 70, FD, B8, FF, FF, FF, 7F, E9, C0, 00, 00, 00, 57, 8B, 7D, 0C, 3B, FE, 75, 2F, E8, 59, 22, 00, 00, 56, 56, 56, 56, 56, C7, 00, 16, 00, 00, 00, E8, B4, D7, FF, FF, 83, C4, 14, 80, 7D, FC, 00, 74, 07, 8B, 45, F8...

Entropy:
6.4744

Code size:
273 KB (279,552 bytes)
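The PE metadata above is read straight from the file's headers. As an added example (mine, not from the report), the following pure-Python parser extracts the same fields from a PE32 image with plain struct unpacking and no third-party module: the COFF TimeDateStamp, OS and linker versions, subsystem, entry point RVA, SizeOfCode, the first bytes at the entry point (mapped to a file offset through the section table) and byte-level Shannon entropy. build_sample_pe() constructs a synthetic image carrying the header values listed above so the parser can be exercised offline; it is not the real vmhost.exe, its entropy will not be 6.4744, and the compile timestamp is assumed to be 13:01:46 UTC because the page gives no time zone.

```python
import math
import struct
from collections import Counter
from datetime import datetime, timezone

SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows CUI"}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0). Packed or encrypted payloads sit near 8;
    a value around 6.5, as in the report, is typical of ordinary unpacked compiled code."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def rva_to_offset(data: bytes, section_table: int, nsections: int, rva: int):
    """Map a relative virtual address to a file offset via the 40-byte section headers."""
    for i in range(nsections):
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, section_table + i * 40 + 8)
        if vaddr <= rva < vaddr + max(vsize, rawsize):
            return rawptr + (rva - vaddr)
    return None


def parse_pe_header(data: bytes) -> dict:
    """Pull the fields the report shows out of a PE32 image: compile timestamp, OS version,
    linker version, subsystem, entry RVA, code size, first entry-point bytes and entropy."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    _machine, nsections, timestamp, _sym, _nsym, opt_size, _flags = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic != 0x10B:  # 0x20B is PE32+ (64-bit); its field layout differs from offset 0x18 on
        raise ValueError("not a PE32 optional header")
    linker_major, linker_minor, size_of_code = struct.unpack_from("<BBI", data, opt + 2)
    (entry_rva,) = struct.unpack_from("<I", data, opt + 16)
    os_major, os_minor = struct.unpack_from("<HH", data, opt + 40)
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)
    entry_off = rva_to_offset(data, opt + opt_size, nsections, entry_rva)
    return {
        "compiled": datetime.fromtimestamp(timestamp, tz=timezone.utc),
        "os_version": f"{os_major}.{os_minor}",
        "bitness": "Win32",
        "subsystem": SUBSYSTEMS.get(subsystem, f"unknown({subsystem})"),
        "linker_version": f"{linker_major}.{linker_minor}",
        "entry_address": entry_rva,
        "entry_bytes": data[entry_off:entry_off + 16] if entry_off is not None else b"",
        "code_size": size_of_code,
        "entropy": round(shannon_entropy(data), 4),
    }


def build_sample_pe() -> bytes:
    """Constructed in-memory PE32 image carrying the header values the report lists. This is NOT
    the real file; the timestamp is assumed to be 13:01:46 UTC (the page gives no time zone)."""
    ts = int(datetime(2014, 7, 11, 13, 1, 46, tzinfo=timezone.utc).timestamp())
    e_lfanew, opt_size, raw_ptr, raw_size = 0x80, 224, 0x200, 0x2E000
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, 1, ts, 0, 0, opt_size, 0x102)  # i386, 1 section
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    struct.pack_into("<BBI", opt, 2, 9, 0, 279552)   # linker 9.0, SizeOfCode from the report
    struct.pack_into("<I", opt, 16, 0x2EDF1)         # AddressOfEntryPoint from the report
    struct.pack_into("<HH", opt, 40, 5, 0)           # OS version 5.0
    struct.pack_into("<H", opt, 68, 2)               # IMAGE_SUBSYSTEM_WINDOWS_GUI
    text = struct.pack("<8sIIIIIIHHI", b".text", raw_size, 0x1000, raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    body = bytearray(raw_size)
    entry = 0x2EDF1 - 0x1000  # entry RVA relative to the .text section start
    body[entry:entry + 16] = bytes.fromhex("E8CFB20000E979FEFFFF8BFF558BEC83")  # report's entry bytes
    return bytes((dos + b"PE\0\0" + coff + bytes(opt) + text).ljust(raw_ptr, b"\0") + body)
```

For a real sample, pass open(path, "rb").read() to parse_pe_header and compare "compiled" against the file's creation time on disk: a compile stamp that is years older than the installer's build, as the "Copyright 2003" string here suggests, or that lies in the future, is a common sign of a forged or reused header.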

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):
Connects to t.mookie1.com  (208.71.122.1:443)

TCP (HTTP):
Connects to sta-204-144-141-26.rockynet.com  (204.144.141.26:80)

TCP (HTTP):
Connects to network.realmedia.com  (208.71.121.192:80)

TCP (HTTP):
Connects to li45-152.members.linode.com  (72.14.182.152:80)

TCP (HTTP SSL):
Connects to lhr14s24-in-f20.1e100.net  (74.125.230.116:443)

TCP (HTTP SSL):
Connects to lax17s02-in-f27.1e100.net  (74.125.224.91:443)

TCP (HTTP):
Connects to lax17s01-in-f26.1e100.net  (74.125.224.58:80)

TCP (HTTP SSL):
Connects to lax02s19-in-f27.1e100.net  (74.125.224.123:443)

TCP (HTTP):
Connects to lax02s19-in-f25.1e100.net  (74.125.224.121:80)

TCP (HTTP):
Connects to lax02s02-in-f13.1e100.net  (74.125.224.205:80)

TCP (HTTP):
Connects to float.2005.bm-impbus.prod.ams1.adnexus.net  (37.252.162.15:80)

TCP (HTTP):
Connects to float.1808.bm-impbus.prod.fra1.adnexus.net  (37.252.170.119:80)

TCP (HTTP):
Connects to falcon503.startdedicated.de  (199.217.115.186:80)

TCP (HTTP):
Connects to ec2-54-85-82-173.compute-1.amazonaws.com  (54.85.82.173:80)

TCP (HTTP):
Connects to ec2-54-84-100-246.compute-1.amazonaws.com  (54.84.100.246:80)

TCP (HTTP):
Connects to ec2-54-214-35-174.us-west-2.compute.amazonaws.com  (54.214.35.174:80)

TCP (HTTP):
Connects to ec2-54-200-85-111.us-west-2.compute.amazonaws.com  (54.200.85.111:80)

TCP (HTTP):
Connects to ec2-23-23-163-110.compute-1.amazonaws.com  (23.23.163.110:80)

TCP (HTTP):
Connects to ec2-23-21-123-254.compute-1.amazonaws.com  (23.21.123.254:80)

TCP (HTTP):
Connects to ec2-174-129-201-174.compute-1.amazonaws.com  (174.129.201.174:80)
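The hostnames above are reverse-DNS names, and most of them belong to shared infrastructure (Google's 1e100.net, Amazon EC2, Linode) that legitimate software on the same host also talks to, so blocking those by IP or name produces false positives. The ad-network endpoints (mookie1.com, realmedia.com, adnexus.net) are the more specific indicators. As an added example (mine, not part of the report), this script parses a few of the "Connects to" entries above into structured indicators, flags the shared-infrastructure ones with a suffix list that is my own assumption, and emits Suricata rules for the remainder; the SIDs are placeholders from the local-use range, not identifiers from any published rule set.

```python
import re

# A few 'Connects to' entries copied from the report's network section (a constructed sample
# for the parser; the full report lists 20 of them).
REPORT_LINES = """
TCP (HTTP SSL):
Connects to t.mookie1.com  (208.71.122.1:443)

TCP (HTTP):
Connects to network.realmedia.com  (208.71.121.192:80)

TCP (HTTP SSL):
Connects to lhr14s24-in-f20.1e100.net  (74.125.230.116:443)

TCP (HTTP):
Connects to ec2-54-85-82-173.compute-1.amazonaws.com  (54.85.82.173:80)

TCP (HTTP):
Connects to float.2005.bm-impbus.prod.ams1.adnexus.net  (37.252.162.15:80)
"""

CONNECT_RE = re.compile(r"Connects to (\S+)\s+\((\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\)")

# Reverse-DNS suffixes of shared cloud/CDN infrastructure. Assumption made for this example:
# destinations under these are too noisy to block by IP or hostname.
SHARED_INFRA = (".1e100.net", ".amazonaws.com", ".members.linode.com")


def parse_connections(text: str) -> list:
    """Turn 'TCP (...):' / 'Connects to host  (ip:port)' pairs into structured indicators."""
    proto, out = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("TCP") or line.startswith("UDP"):
            proto = line.rstrip(":")  # protocol label applies to the entry that follows it
            continue
        m = CONNECT_RE.search(line)
        if m:
            host, ip, port = m.groups()
            out.append({"proto": proto, "host": host, "ip": ip, "port": int(port),
                        "shared_infra": host.lower().endswith(SHARED_INFRA)})
    return out


def specific_indicators(conns: list) -> list:
    """Destinations worth blocking or alerting on: everything not on shared infrastructure."""
    return [c for c in conns if not c["shared_infra"]]


def suricata_rules(conns: list, base_sid: int = 1000001) -> list:
    """One Suricata/Snort rule per specific destination. SIDs count up from the local-use
    range (1000000-1999999); they are placeholders, not identifiers from any rule set."""
    rules = []
    for sid, c in enumerate(specific_indicators(conns), start=base_sid):
        rules.append(
            f'alert tcp $HOME_NET any -> {c["ip"]} {c["port"]} '
            f'(msg:"PUP vmhost.exe callback to {c["host"]}"; sid:{sid}; rev:1;)'
        )
    return rules
```

Run parse_connections over the whole section to get all 20 entries, feed the result to suricata_rules for the rule set, and treat the shared-infrastructure hits as leads for URL- or certificate-level hunting in proxy logs rather than as blocklist entries.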

Remove vmhost.exe - Powered by Reason Core Security