» produpd.exe
Overview
Analysis
File Details
Behaviors (1)
Network (8)

produpd.exe

Vested Development, Inc

The executable produpd.exe has been detected as malware by 2 anti-virus scanners. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘produpd’. While running, it connects to the Internet address interviewder.net on port 8000.

File name:

produpd.exe

Publisher:

Vested Development, Inc

Product:

produpd.exe

Version:

2.2.1.23

MD5:

299c1a7062b3dbba42731f971ca7635a

SHA-1:

529a35554292695eaa155a7ed8ca637750de2777

SHA-256:

51731f558c6d48a0a35f7d47f7304941782696dc7be6bc68fee5689029568a45

Scanner detections:

2 / 68

Status:

Malware

Analysis date:

4/27/2024 12:47:33 PM UTC (today)

Scan engine

Detection

Engine version

ESET NOD32

Win32/Glupteba.AU trojan

6.3.12010.0

F-Secure

Variant.Zusy.214304

5.15.154

File size:

511.5 KB (523,776 bytes)

Product version:

2.2.0.2

Original file name:

produpd.exe

File type:

Executable application (Win32 EXE)

Language:

English (United States)

Common path:

C:\users\{user}\appdata\roaming\vdi\shared\product updater\produpd.exe

File PE Metadata

Compilation timestamp:

2/18/2017 1:01:09 AM

OS version:

6.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

14.0

Entry address:

0x1DC21

Entry point:

E8, F5, 09, 00, 00, E9, 8E, FE, FF, FF, FF, 25, 84, 72, 45, 00, 8B, 4D, F4, 64, 89, 0D, 00, 00, 00, 00, 59, 5F, 5F, 5E, 5B, 8B, E5, 5D, 51, F2, C3, 8B, 4D, F0, 33, CD, F2, E8, 6E, F8, FF, FF, F2, E9, DA, FF, FF, FF, 8B, 4D, EC, 33, CD, F2, E8, 5D, F8, FF, FF, F2, E9, C9, FF, FF, FF, 50, 64, FF, 35, 00, 00, 00, 00, 8D, 44, 24, 0C, 2B, 64, 24, 0C, 53, 56, 57, 89, 28, 8B, E8, A1, 78, 20, 47, 00, 33, C5, 50, FF, 75, FC, C7, 45, FC, FF, FF, FF, FF, 8D, 45, F4, 64, A3, 00, 00, 00, 00, F2, C3, 50, 64, FF, 35, 00... 
[+]

Code size:

340.5 KB (348,672 bytes)

Startup File (User Run)

Registry location:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:

produpd

Command:

"C:\users\{user}\appdata\roaming\vdi\shared\product updater\produpd.exe" \20506

The executing file has been seen to make the following network communications in live environments.

TCP (WHOIS):

Connects to whois-casa.localnet (213.248.242.105:43)

TCP (HTTP):

Connects to server-54-230-15-250.ams1.r.cloudfront.net (54.230.15.250:80)

TCP (WHOIS):

Connects to mailrelay.48.website.ws (64.70.19.48:43)

TCP (HTTP SSL):

Connects to server-54-192-98-169.arn1.r.cloudfront.net (54.192.98.169:443)

TCP (HTTP SSL):

Connects to server-54-192-98-163.arn1.r.cloudfront.net (54.192.98.163:443)

TCP:

Connects to interviewder.net (91.203.5.26:8000)

TCP (WHOIS):

Connects to whois.sjl.rightside.co (198.147.209.137:43)

TCP (WHOIS):

Connects to whois.sea1.verisign.com (199.7.74.74:43)

Remove produpd.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.