home

vdu_uninstall_13cdd59.exe

Proxy Video Downloader

Link64 GmbH

The application vdu_uninstall_13cdd59.exe, “Updater [ProxyVideoDownloader]” by Link64 GmbH has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from gsf-cf.softonic.com and multiple other hosts. While running, it connects to the Internet address pc164.nero.com on port 443.
Publisher:
Link64 GmbH  (signed and verified)

Product:
Proxy Video Downloader

Description:
Updater [ProxyVideoDownloader]

Version:
1.0.1.18

MD5:
d1ac727df6c3e5d2c0a05be490456278

SHA-1:
5c3ab7583d90ffb39171f4785a63dac0228177f9

SHA-256:
fad142934b8b164faf09feef0f3f09387ab843f58bf7db780c6ff95a506fa0f2

Scanner detections:
1 / 68

Status:
Potentially unwanted

Note:
Our current pool of anti-malware engines have not currently detected this file, however based on our own detection heuristics we feel that this file is unwanted.

Analysis date:
4/26/2024 10:00:45 AM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.Link64GmbH
15.2.11.8

File size:
1.1 MB (1,164,920 bytes)

Product version:
1.0.1.18

Copyright:
(c) 2014 Link64 GmbH. All rights reserved.

Original file name:
ProxyVideoDownloader_Install.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\vdu_uninstall_13cdd59.exe

Digital Signature
Signed by:
Link64 GmbH

Authority:
Thawte, Inc.

Valid from:
2/20/2013 5:00:00 AM

Valid to:
3/23/2015 4:59:59 AM

Subject:
CN=Link64 GmbH, OU=Secure Application Development, O=Link64 GmbH, L=Karlsruhe, S=Baden-Wuerttemberg, C=DE

Issuer:
CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:
70B8C92A22236AF8064642CFE2790458

File PE Metadata
Compilation timestamp:
8/12/2014 8:59:18 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

CTPH (ssdeep):
24576:582PT83ZjK31RbntixPQ4T+DTwAUkZ4RC:K2PT83VK3TgxPiTlUkGk

Entry address:
0x667C

Entry point:
E8, C4, 6A, 00, 00, E9, 17, FE, FF, FF, 55, 8B, EC, 83, EC, 18, 53, 56, FF, 75, 0C, 8D, 4D, E8, E8, 56, E6, FF, FF, 8B, 5D, 08, BE, 00, 01, 00, 00, 3B, DE, 73, 54, 8B, 4D, E8, 83, B9, AC, 00, 00, 00, 01, 7E, 14, 8D, 45, E8, 50, 6A, 01, 53, E8, 3C, 41, 00, 00, 8B, 4D, E8, 83, C4, 0C, EB, 0D, 8B, 81, C8, 00, 00, 00, 0F, B6, 04, 58, 83, E0, 01, 85, C0, 74, 0F, 8B, 81, CC, 00, 00, 00, 0F, B6, 04, 18, E9, A7, 00, 00, 00, 80, 7D, F4, 00, 74, 07, 8B, 45, F0, 83, 60, 70, FD, 8B, C3, E9, A0, 00, 00, 00, 8B, 45, E8...
 
[+]

Entropy:
6.4811

Code size:
208 KB (212,992 bytes)

The file vdu_uninstall_13cdd59.exe has been seen being distributed by the following 2 URLs.

http://gsf-cf.softonic.com/5c3/ab7/.../vdu18.exe

blob:http://sd-web.softonic.com/436fcf99-ae5b-4dc9-b9fc-b8a95c95ea8b

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP SSL):
Connects to pc164.nero.com  (82.98.209.164:443)

Remove vdu_uninstall_13cdd59.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.