produpd.exe

The executable produpd.exe (file description “Product updater system service”, publisher “VDI”) is detected as malware by 1 of 68 anti-virus scanners; the single hit is a heuristic detection (Trojan.Glupteba). It is set to start automatically when the user logs into Windows, through a value named ‘produpd’ under the current-user Run registry key, and it runs from a user-writable location under %AppData% rather than from Program Files. While running it connects over TCP port 443 to 195.244.208.167; the name 167.208.244.195.unassigned.gibconnect.com shown for that address has the octets reversed and reads as the ISP's generic reverse-DNS (PTR) record rather than a domain the sample resolves, so pivot on the IP address when hunting or blocking. A lone heuristic detection is weak evidence by itself; the corroborating signals in the metadata below are ASPack packing, a compilation timestamp of 1999 on a binary whose linker version (14.0) did not exist until Visual Studio 2015, and persistence via the user-profile Run key.
Publisher:
VDI

Product:
VDI Shared Product Update Tools

Description:
Product updater system service

Version:
2, 0, 0, 163

MD5:
e349bcce7aa8510d057f80529755e349

SHA-1:
d6b73c41c0e8a0f89bebd9190e2b87a3ca518067

SHA-256:
9509ef0655005e8ffe6d6a5065b9d47513bf41199ea3ca2702440cd3b113bcd0

Scanner detections:
1 / 68

Status:
Malware

Analysis date:
4/25/2024 3:36:06 AM UTC

Scan engine          Detection              Engine version
Reason Heuristics    Trojan.Glupteba (M)    17.3.1.1

File size:
910 KB (931,802 bytes)

Product version:
2.0.0.1

Copyright:
Copyright (C) 2016

Original file name:
produpd.exe

File type:
Executable application (Win32 EXE)

Language:
Russian (Russia)

Common path:
C:\users\{user}\appdata\roaming\vdi\shared\product updater\produpd.exe

File PE Metadata
Compilation timestamp:
1/7/1999 11:31:16 AM

OS version:
6.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
14.0

Entry address:
0x92000

Entry point:
60, E8, 00, 00, 00, 00, 5D, 8B, C5, 81, ED, A8, A6, 01, 20, 2B, 85, 0F, AE, 01, 20, 89, 85, 0B, AE, 01, 20, B0, 00, 86, 85, 40, B0, 01, 20, 3C, 01, 0F, 85, BC, 01, 00, 00, 83, BD, 3B, AF, 01, 20, 00, 74, 33, 83, BD, 3F, AF, 01, 20, 00, 74, 2A, 8B, 85, 0B, AE, 01, 20, 2B, 85, 3B, AF, 01, 20, 8B, 00, 89, 85, 78, AF, 01, 20, 8B, 85, 0B, AE, 01, 20, 2B, 85, 3F, AF, 01, 20, 8B, 00, 89, 85, 7C, AF, 01, 20, EB, 61, 83, BD, 43, AF, 01, 20, 00, 74, 58, 8B, 85, 0B, AE, 01, 20, 2B, 85, 43, AF, 01, 20, FF, 30, 8D, 85...
 

Packer / compiler:
ASPack v1.08.04

Code size:
333.5 KB (341,504 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
produpd

Command:
C:\users\{user}\appdata\roaming\vdi\shared\product updater\produpd.exe


The executing file has been seen to make the following network communications in live environments.

TCP (TLS on port 443):
Connects to 195.244.208.167:443 (reverse-DNS name 167.208.244.195.unassigned.gibconnect.com; block and hunt on the IP, not the name)

TCP (TLS on port 443):
Connects to signin.ea.com (159.153.228.140:443), a legitimate Electronic Arts sign-in host; the report does not show what the sample does with it, so do not treat it as an indicator on its own
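The persistence entry, the remote endpoint and the PE metadata above are the artifacts a responder would check on a suspect host. The following script, added here as an example and not part of the original scanner report, turns those values into offline checks: it matches file digests against the report's hashes, recognises the ASPack-style prologue in the listed entry-point bytes and extracts the stub's expected address, flags the 1999 compilation timestamp as inconsistent with linker 14.0, and scans `reg query` and `netstat -ano` style output for the Run value and the 195.244.208.167:443 connection. The registry dump and connection table in the block are constructed sample input, not captured from a real host; the linker-year table and all function names are the example's own.

```python
"""Offline triage checks built from the produpd.exe indicators in this report.

Added example, not part of the original scanner page. Indicator values are
copied from the report; the registry dump and connection table below are
constructed sample input so the script runs without the malware sample.
"""
import hashlib
import re
from datetime import datetime, timezone

# ---- indicators copied from the report -----------------------------------
KNOWN_HASHES = {
    "md5": "e349bcce7aa8510d057f80529755e349",
    "sha1": "d6b73c41c0e8a0f89bebd9190e2b87a3ca518067",
    "sha256": "9509ef0655005e8ffe6d6a5065b9d47513bf41199ea3ca2702440cd3b113bcd0",
}
RUN_VALUE_NAME = "produpd"
PATH_SUFFIX = r"\appdata\roaming\vdi\shared\product updater\produpd.exe"
C2_ENDPOINT = ("195.244.208.167", 443)
ENTRY_DUMP = "60, E8, 00, 00, 00, 00, 5D, 8B, C5, 81, ED, A8, A6, 01, 20, 2B, 85"
REPORT_COMPILE_TS = datetime(1999, 1, 7, 11, 31, 16, tzinfo=timezone.utc)
REPORT_LINKER_MAJOR = 14

# PUSHAD; CALL $+5; POP EBP; MOV EAX,EBP; SUB EBP,imm32: the ASPack-style
# prologue; imm32 is the address the stub expects the POP EBP to sit at, and
# EBP ends up holding the difference from where it actually loaded.
ASPACK_PROLOGUE = bytes.fromhex("60E8000000005D8BC581ED")

# First shipping year of each MSVC linker major version (14.0 = VS 2015).
LINKER_FIRST_YEAR = {6: 1998, 7: 2002, 8: 2005, 9: 2008, 10: 2010,
                     11: 2012, 12: 2013, 14: 2015}

def digests(data: bytes) -> dict:
    """MD5, SHA-1 and SHA-256 of a byte string as lowercase hex."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}

def matches_known_hash(data: bytes):
    """Name of the first algorithm whose digest matches the report, else None."""
    d = digests(data)
    return next((n for n, h in KNOWN_HASHES.items() if d[n] == h), None)

def parse_entry_dump(dump: str) -> bytes:
    """Turn the report's 'XX, XX, ...' entry-point listing into bytes."""
    return bytes(int(tok, 16) for tok in re.findall(r"[0-9A-Fa-f]{2}", dump))

def aspack_delta(entry: bytes):
    """imm32 from the SUB EBP if the entry point starts with the ASPack
    prologue, otherwise None (e.g. a plain PUSH EBP; MOV EBP,ESP prologue)."""
    if not entry.startswith(ASPACK_PROLOGUE):
        return None
    imm = entry[len(ASPACK_PROLOGUE):len(ASPACK_PROLOGUE) + 4]
    return int.from_bytes(imm, "little") if len(imm) == 4 else None

def timestamp_plausible(compile_ts: datetime, linker_major: int) -> bool:
    """A PE cannot honestly predate the linker that produced it. A stamp
    earlier than the linker's first release was forged or rewritten (packers
    and some build tooling do this), so this is a heuristic, not proof."""
    first_year = LINKER_FIRST_YEAR.get(linker_major)
    return first_year is None or compile_ts.year >= first_year

def find_run_persistence(reg_lines):
    """Scan 'reg query HKCU\\...\\Run' output for the report's value, matching
    on the value name or on the AppData path it launches."""
    hits = []
    for line in reg_lines:
        m = re.match(r"^\s*(\S+)\s+REG_\w+\s+(.+?)\s*$", line)
        if m and (m.group(1).lower() == RUN_VALUE_NAME
                  or m.group(2).lower().endswith(PATH_SUFFIX)):
            hits.append((m.group(1), m.group(2)))
    return hits

def find_c2_connections(netstat_lines):
    """Scan 'netstat -ano' rows for the report's endpoint; return (remote, PID)."""
    hits = []
    for line in netstat_lines:
        parts = line.split()
        if len(parts) < 5 or parts[0] != "TCP":
            continue
        host, _, port = parts[2].rpartition(":")
        if port.isdigit() and (host, int(port)) == C2_ENDPOINT:
            hits.append((parts[2], parts[-1]))
    return hits

# ---- constructed sample input (not captured from a real host) ------------
SAMPLE_REG = [
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"    OneDrive    REG_SZ    C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    r"    produpd    REG_SZ    C:\users\alice\appdata\roaming\vdi\shared\product updater\produpd.exe",
]
SAMPLE_NETSTAT = [
    "  TCP    10.0.0.5:51234    159.153.228.140:443    ESTABLISHED    4120",
    "  TCP    10.0.0.5:51240    195.244.208.167:443    ESTABLISHED    4120",
    "  TCP    10.0.0.5:51301    203.0.113.10:443       ESTABLISHED    2216",
]
```

Run it as `python3 triage.py` and call the functions interactively, or feed real output in with `reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` and `netstat -ano` piped into files and read line by line. On the report's own values, `aspack_delta(parse_entry_dump(ENTRY_DUMP))` returns 0x2001A6A8 and `timestamp_plausible(REPORT_COMPILE_TS, REPORT_LINKER_MAJOR)` returns False, which is the timestamp/linker contradiction the summary calls out; the PID returned by `find_c2_connections` is the process to pull memory from before killing it, since the unpacked ASPack payload only exists there.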

Report source: Reason Core Security.