produpd.exe

The executable produpd.exe has been detected as malware by 2 anti-virus scanners. It is configured to start automatically when a user logs into Windows via the current-user Run registry key, under the display name ‘produpd’. While running, it connects to the Internet address www.poludnie.eu on port 80 using the HTTP protocol.
Publisher:
Vested Development, Inc

Product:
produpd.exe

Version:
2.2.1.23

MD5:
59adabcbc527bfb4525306b7af6c5370

SHA-1:
97e871d36b3d40f0022b15a325ba70aa45b503dd

SHA-256:
2508da6ba1ef4e260dd0960ef63fa70fa25510e9bbf8ab5e69256746251c0f90

Scanner detections:
2 / 68

Status:
Malware

Analysis date:
4/18/2024 9:54:52 AM UTC

Scanner detections (scan engine, detection name, engine version):

ESET NOD32:
Win32/Glupteba.AT trojan (engine version 6.3.12010.0)

F-Secure:
Variant.Razy.84351 (engine version 5.15.154)

File size:
502 KB (514,048 bytes)

Product version:
2.2.0.2

Copyright:
Copyright © 2016

Original file name:
produpd.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\roaming\vdi\shared\product updater\produpd.exe

File PE Metadata
Compilation timestamp:
12/17/2016 7:05:22 AM

OS version:
6.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
14.0

Entry address:
0x1C39E

Entry point:
E8, D8, 09, 00, 00, E9, 8E, FE, FF, FF, FF, 25, B0, 52, 45, 00, 8B, 4D, F4, 64, 89, 0D, 00, 00, 00, 00, 59, 5F, 5F, 5E, 5B, 8B, E5, 5D, 51, F2, C3, 8B, 4D, F0, 33, CD, F2, E8, 71, F8, FF, FF, F2, E9, DA, FF, FF, FF, 8B, 4D, EC, 33, CD, F2, E8, 60, F8, FF, FF, F2, E9, C9, FF, FF, FF, 50, 64, FF, 35, 00, 00, 00, 00, 8D, 44, 24, 0C, 2B, 64, 24, 0C, 53, 56, 57, 89, 28, 8B, E8, A1, 78, F0, 46, 00, 33, C5, 50, FF, 75, FC, C7, 45, FC, FF, FF, FF, FF, 8D, 45, F4, 64, A3, 00, 00, 00, 00, F2, C3, 50, 64, FF, 35, 00...

Code size:
333.5 KB (341,504 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
produpd

Command:
"C:\users\{user}\appdata\roaming\vdi\shared\product updater\produpd.exe" \8175
The executing file has been seen to make the following network communications in live environments.


Remove produpd.exe - Powered by Reason Core Security