criticalsupdates.exe

WindowsApplication1

The executable criticalsupdates.exe has been detected as malware by 13 anti-virus scanners. It is a setup program used to install the application. The file has been seen being downloaded from feidowns.com and multiple other hosts. While running, it connects to the Internet address 209-99-40-221.fwd.datafoundry.com on port 80 using the HTTP protocol.
Product:
WindowsApplication1

Version:
1.0.0.0

MD5:
5fe8ae2b2597e0a6ff2516b711dd9b75

SHA-1:
b1288c67b607887b665d822e18558036978c4f10

SHA-256:
30bb9bdee82e3d3d1e4ea64a5c95d92c9f164d396aae43ad5f6b52c6befaf03f

Scanner detections:
13 / 68

Status:
Malware

Analysis date:
1/13/2025 2:40:10 AM UTC

Scan engine                 Detection                       Engine version
Lavasoft Ad-Aware           Gen:Variant.Kazy.607553         626
Agnitum Outpost             Trojan.DownLoader               7.1.1
avast!                      Win32:Malware-gen               2014.9-150520
Bitdefender                 Gen:Variant.Kazy.607553         1.0.20.700
Dr.Web                      Trojan.DownLoader13.2023        9.0.1.0140
Emsisoft Anti-Malware       Gen:Variant.Kazy.607553         8.15.05.20.02
F-Secure                    Gen:Variant.Kazy.607553         11.2015-20-05_4
G Data                      Gen:Variant.Kazy.607553         15.5.25
McAfee                      Artemis!5FE8AE2B2597            5600.6760
MicroWorld eScan            Gen:Variant.Kazy.607553         16.0.0.420
Panda Antivirus             Trj/CI.A                        15.05.20.02
Qihoo 360 Security          HEUR/QVM03.0.Malware.Gen        1.0.0.1015
Trend Micro House Call      TROJ_GEN.R02KH05E715            7.2.140

File size:
28 KB (28,672 bytes)

Product version:
1.0.0.0

Copyright:
Copyright © 2015

Original file name:
WindowsApplication2.exe

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\roaming\criticalsupdates.exe

File PE Metadata
Compilation timestamp:
4/20/2015 7:14:40 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
384:3yQB/TYSwGFnBCgBJYYUrdWayJLk245+uom/N5T5qVkVJls7fBM:3yCY/enBZnMrkNR0ns7fB

Entry address:
0x57AE

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 34, 35, 55, 00, 00, 00, 00, 02, 00, 00, 00, 1C, 01, 00, 00, 1C, 60, 00, 00, 1C, 3C, 00, 00, 52, 53, 44, 53, 33, 1A, 82, A9, 0E, A1, 78, 4A, 91, 91, AD, 7D, 76, 7D...
Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
14 KB (14,336 bytes)

Startup File (User Run Once)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Name:
winsnr

Command:
C:\users\{user}\appdata\roaming\criticalsupdates.exe
The file criticalsupdates.exe has been seen being distributed by the following 3 URLs.

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to 209-99-40-221.fwd.datafoundry.com  (209.99.40.221:80)

Remove criticalsupdates.exe - Powered by Reason Core Security