smsetup.exe

Architecture Software

The application smsetup.exe by Architecture Software has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘SMSetup’. While running, it connects to the Internet address e1.ycpi.vip.bra.yahoo.com on port 80 using the HTTP protocol.
Publisher:
Architecture Software  (signed and verified)

MD5:
d03c6a7230c02a6d9ebf27882470ff7a

SHA-1:
05be2a63bb53e47d25a30dcc858e588720877883

SHA-256:
cb9884cd06a4f58091c6a13a05f7a628db86311bd059a8b2b4ce771e42bc7e43

Scanner detections:
1 / 68

Status:
Potentially unwanted

Analysis date:
1/10/2025 5:16:07 PM UTC  (today)

Scan engine:
Reason Heuristics

Detection:
PUP.Spigot (M)

Engine version:
17.1.30.16

File size:
867.8 KB (888,600 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\smsetup.exe

Digital Signature
Authority:
GlobalSign nv-sa

Valid from:
6/15/2016 2:34:24 AM

Valid to:
6/16/2017 2:34:24 AM

Subject:
CN=Architecture Software, O=Architecture Software, S=Nevada, C=US

Issuer:
CN=GlobalSign CodeSigning CA - SHA256 - G2, O=GlobalSign nv-sa, C=BE

Serial number:
028094FCE9B35E88B20F0C27

File PE Metadata
Compilation timestamp:
2/25/2012 2:19:59 AM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

Entry address:
0x39E3

Entry point:
81, EC, D4, 02, 00, 00, 53, 55, 56, 57, 6A, 20, 33, ED, 5E, 89, 6C, 24, 18, C7, 44, 24, 10, D8, 91, 40, 00, 89, 6C, 24, 14, FF, 15, 30, 80, 40, 00, 68, 01, 80, 00, 00, FF, 15, B8, 80, 40, 00, 55, FF, 15, C0, 82, 40, 00, 6A, 08, A3, B8, 2E, 47, 00, E8, 37, 2A, 00, 00, 55, 68, B4, 02, 00, 00, A3, D0, 2D, 47, 00, 8D, 44, 24, 38, 50, 55, 68, 1C, 93, 40, 00, FF, 15, 84, 81, 40, 00, 68, 04, 93, 40, 00, 68, C0, AD, 46, 00, E8, 19, 27, 00, 00, FF, 15, B4, 80, 40, 00, 50, BF, A0, 30, 4C, 00, 57, E8, 07, 27, 00, 00...

Entropy:
7.9785

Packer / compiler:
Nullsoft install system v2.x

Code size:
28 KB (28,672 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
SMSetup

Command:
"C:\users\{user}\appdata\local\temp\{random}.tmp\smsetup.exe" \s \cnid 715483 \dsie \dsff \dsgc \hp \wait \ntp_ie \ms \restart


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):
Connects to ir2.fp.vip.ir2.yahoo.com  (46.228.47.114:443)

TCP (HTTP):
Connects to 7b.f5.25ae.ip4.static.sl-reverse.com  (174.37.245.123:80)

TCP (HTTP SSL):
Connects to ir1.fp.vip.ir2.yahoo.com  (46.228.47.115:443)

TCP (HTTP):
Connects to e1.ycpi.vip.bra.yahoo.com  (200.152.162.135:80)

TCP (HTTP SSL):
Connects to ir1.fp.vip.sg3.yahoo.com  (106.10.139.246:443)

TCP (HTTP):
Connects to e2.ycpi.vip.bra.yahoo.com  (200.152.162.161:80)

TCP (HTTP SSL):
Connects to ir2.fp.vip.bf1.yahoo.com  (98.139.183.24:443)

TCP (HTTP SSL):
Connects to ir1.fp.vip.ne1.yahoo.com  (98.138.253.109:443)

TCP (HTTP SSL):
Connects to ir2.fp.vip.sg3.yahoo.com  (106.10.138.240:443)

TCP (HTTP SSL):
Connects to ir2.fp.vip.gq1.yahoo.com  (206.190.36.105:443)

TCP (HTTP SSL):
Connects to ir1.fp.vip.tp2.yahoo.com  (116.214.12.74:443)

TCP (HTTP SSL):
Connects to ir1.fp.vip.bf1.yahoo.com  (98.139.180.149:443)

Remove smsetup.exe - Powered by Reason Core Security