It seems VirusTotal spins up a virtual machine/container to run the program, and monitors what happens inside that environment. And it further seems that during that time syslog (or something else, probably the distribution) reloaded itself. And some other process tried to connect to the TOR IPs.
And since we're all amateurs here who don't understand what VirusTotal is doing, some of us think "ZOMG yt-dlp compromised?!?".
If you look at the process tree, the process that reloaded rsyslog wasn't spawned from the yt-dlp_linux process.
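The process-tree check described in the comment above, as an added example that is not part of the original comment: it walks parent PIDs to decide whether an observed process descends from the sample. The process listing, its PIDs and every command other than the `yt-dlp_linux` name are constructed for illustration and are not taken from any VirusTotal report.

```python
# Constructed sandbox process listing: (pid, ppid, command line).
SAMPLE_PROCS = [
    (1, 0, "/sbin/init"),
    (410, 1, "/usr/sbin/logrotate /etc/logrotate.conf"),
    (411, 410, "sh -c 'reload rsyslog'"),          # made-up reload helper
    (900, 1, "/bin/sh /tmp/run_sample.sh"),        # made-up sandbox launcher
    (901, 900, "/tmp/yt-dlp_linux --version"),
    (902, 901, "/tmp/yt-dlp_linux --version"),
]


def ancestry(procs, pid):
    """Return the chain of PIDs from pid up to the root, pid first."""
    parent = {p: pp for p, pp, _ in procs}
    chain, seen = [], set()
    # Stop on an unknown parent or on a loop (PID reuse in a bad listing).
    while pid in parent and pid not in seen:
        seen.add(pid)
        chain.append(pid)
        pid = parent[pid]
    return chain


def descendants_of(procs, match):
    """PIDs that are, or descend from, a process whose command contains match."""
    cmd = {p: c for p, _, c in procs}
    roots = {p for p, c in cmd.items() if match in c}
    return {p for p in cmd if roots & set(ancestry(procs, p))}


def attributable(procs, pid, sample_name):
    """True if pid is the sample itself or was spawned below it."""
    return pid in descendants_of(procs, sample_name)


if __name__ == "__main__":
    cmd = {p: c for p, _, c in SAMPLE_PROCS}
    for pid in (411, 902):
        chain = " <- ".join(cmd[p] for p in ancestry(SAMPLE_PROCS, pid))
        verdict = attributable(SAMPLE_PROCS, pid, "yt-dlp_linux")
        print(f"pid {pid}: from sample={verdict}: {chain}")
```

Ancestry is a heuristic: a process that double-forks is reparented to PID 1 and will not appear as a descendant, so a negative result narrows the question rather than closing it.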