SMSetup.exe

Architecture Software

The application SMSetup.exe by Architecture Software has been detected as a potentially unwanted program (PUP) by 1 of 68 anti-malware scanners, Reason Heuristics, which classifies it as PUP.Spigot. The program is a setup application built with the NSIS (Nullsoft Scriptable Install System) installer and runs from a randomly named .tmp directory under the user's local Temp folder. It is set to start automatically whenever the user logs into Windows, through the current-user Run registry key (HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run) under the display name 'SMSetup'; because that key lives in HKCU, writing it requires no elevation. While running, it connects over unencrypted HTTP (TCP port 80) to several Yahoo-operated hosts, among them ir1.fp.vip.sg3.yahoo.com, and to one address in the SoftLayer reverse-DNS space (7b.f5.25ae.ip4.static.sl-reverse.com). The file carries a GlobalSign code-signing signature whose certificate was valid only from 6/15/2016 to 6/16/2017; a signature verifies after that window only if it has a trusted timestamp countersignature, which this record does not report, so 'signed and verified' should be re-checked on the file itself rather than taken as a trust decision.
Publisher:
Architecture Software  (signed and verified)

MD5:
a9de0cc810754468545139dcfb9a4dc6

SHA-1:
0e38579ccc31257524e0382c46b025f28d7a152d

SHA-256:
dc3c9817035b09f0f5d0ef21a33b3c296f30e09822612fc355f2110a8b06b093

Scanner detections:
1 / 68

Status:
Potentially unwanted

Analysis date:
1/11/2025 12:02:55 AM UTC

Scan engine          Detection          Engine version
Reason Heuristics    PUP.Spigot (M)     17.3.3.14

File size:
868.9 KB (889,784 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\smsetup.exe

Digital Signature
Authority:
GlobalSign nv-sa

Valid from:
6/15/2016 2:34:24 AM

Valid to:
6/16/2017 2:34:24 AM

Subject:
CN=Architecture Software, O=Architecture Software, S=Nevada, C=US

Issuer:
CN=GlobalSign CodeSigning CA - SHA256 - G2, O=GlobalSign nv-sa, C=BE

Serial number:
028094FCE9B35E88B20F0C27

File PE Metadata
Compilation timestamp:
2/25/2012 2:19:59 AM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

Entry address:
0x39E3

Entry point:
81, EC, D4, 02, 00, 00, 53, 55, 56, 57, 6A, 20, 33, ED, 5E, 89, 6C, 24, 18, C7, 44, 24, 10, D8, 91, 40, 00, 89, 6C, 24, 14, FF, 15, 30, 80, 40, 00, 68, 01, 80, 00, 00, FF, 15, B8, 80, 40, 00, 55, FF, 15, C0, 82, 40, 00, 6A, 08, A3, B8, 2E, 47, 00, E8, 37, 2A, 00, 00, 55, 68, B4, 02, 00, 00, A3, D0, 2D, 47, 00, 8D, 44, 24, 38, 50, 55, 68, 1C, 93, 40, 00, FF, 15, 84, 81, 40, 00, 68, 04, 93, 40, 00, 68, C0, AD, 46, 00, E8, 19, 27, 00, 00, FF, 15, B4, 80, 40, 00, 50, BF, A0, 30, 4C, 00, 57, E8, 07, 27, 00, 00...

Entropy:
7.9785

Packer / compiler:
Nullsoft install system v2.x

Code size:
28 KB (28,672 bytes)
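The three digests and the entropy figure above are the numbers a responder reuses most: the digests to match a sample against this record, the entropy to recognise that almost the whole file is compressed payload (NSIS keeps the files it installs in a zlib-, bzip2- or LZMA-compressed data block, so 28 KB of stub code inside an 869 KB file reads as near-random bytes, hence 7.9785 bits per byte). The following Python is an example added to this page, not a Reason Core Security tool: it computes MD5, SHA-1 and SHA-256 for a buffer or file, measures Shannon entropy, and reports which of the indicators above matched. The sample buffers and the 7.0 bits-per-byte "likely packed" threshold are constructed for the demonstration.

```python
import hashlib
import math
from collections import Counter

# Indicators copied from the record above for SMSetup.exe (lowercase hex).
SMSETUP_INDICATORS = {
    "md5": "a9de0cc810754468545139dcfb9a4dc6",
    "sha1": "0e38579ccc31257524e0382c46b025f28d7a152d",
    "sha256": "dc3c9817035b09f0f5d0ef21a33b3c296f30e09822612fc355f2110a8b06b093",
}


def digests(data: bytes) -> dict:
    """Return MD5, SHA-1 and SHA-256 hex digests of a byte string."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for a
    uniform byte distribution (what compressed or encrypted data approaches)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return 0.0 - sum((c / n) * math.log2(c / n) for c in counts.values())


def matching_indicators(data: bytes, indicators: dict = SMSETUP_INDICATORS) -> list:
    """Names of the digest algorithms whose value equals the indicator.
    Only a SHA-256 match should drive a decision; MD5 and SHA-1 are kept
    because older feeds and AV logs still quote them."""
    d = digests(data)
    return [alg for alg, value in indicators.items() if d.get(alg) == value.lower()]


def triage(data: bytes, packed_threshold: float = 7.0) -> dict:
    """Summarise a buffer the way the record above does: size, digests,
    entropy, and whether the entropy suggests compressed or encrypted payload.
    The 7.0 threshold is a common rule of thumb chosen for this example."""
    ent = shannon_entropy(data)
    return {
        "size": len(data),
        **digests(data),
        "entropy": round(ent, 4),
        "likely_packed": ent >= packed_threshold,
        "matches": matching_indicators(data),
    }


def triage_file(path: str) -> dict:
    """Run triage() over a file on disk (the sample, if you have it)."""
    with open(path, "rb") as fh:
        return triage(fh.read())


if __name__ == "__main__":
    # Constructed inputs: a run of zeros (entropy 0.0) and a uniform byte
    # spread (entropy 8.0, the ceiling an LZMA-compressed NSIS block nears).
    print(triage(b"\x00" * 1024))
    print(triage(bytes(range(256)) * 4))
```

The NSIS stub itself is small and low-entropy; the 7.98 figure comes from the compressed data block that follows it, so an entropy check alone only tells you the file is an installer or packed, not which one. Match on the SHA-256 first and use the entropy to decide whether to unpack (7-Zip opens NSIS archives) before looking at what the installer drops.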

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
SMSetup

Command:
"C:\users\{user}\appdata\local\temp\{random}.tmp\smsetup.exe" \s \cnid 715483 \dsie \dsff \dsgc \hp \wait \ntp_ie \ms \restart
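The Run-key entry above has the properties that make an autorun suspicious regardless of what the binary does: the executable is launched from a randomly named .tmp directory under the user's Temp folder, it is an installer registered to run at every logon, and the value sits in HKCU where no elevation is needed to write it. The Python below is an example added to this page, not a Reason Core Security tool: it splits a Run-key command into its executable path and switches and flags entries whose executable lives under a Temp or other staging directory. The registry values are constructed samples (the first is the SMSetup entry from this record, placeholders included; the other two are invented for contrast), and the list of staging-path markers is a judgement call for the example. On a live Windows host you would feed it the values enumerated from HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, for instance with the standard winreg module.

```python
import re

# Constructed sample Run-key values: name -> command string as stored.
SAMPLE_RUN_VALUES = {
    "SMSetup": r'"C:\users\{user}\appdata\local\temp\{random}.tmp\smsetup.exe" \s \cnid 715483 \dsie \dsff \dsgc \hp \wait \ntp_ie \ms \restart',
    "OneDrive": r'"C:\Users\{user}\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "Updater": r"C:\Tools\updater.exe --quiet",
}

# Path fragments that indicate a staging area rather than an install location.
# Chosen for this example; extend for your environment.
STAGING_MARKERS = (
    "\\appdata\\local\\temp\\",
    "\\windows\\temp\\",
    "\\downloads\\",
    "\\users\\public\\",
)


def split_command(command: str):
    """Return (executable_path, [arguments]) for a Run-key command string.
    A leading double-quoted path is taken whole; otherwise the first
    whitespace-delimited token is the executable. Switches are returned as
    written, whatever prefix character the installer used."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        if end == -1:
            raise ValueError("unterminated quote in Run-key command")
        exe, rest = command[1:end], command[end + 1:]
    else:
        parts = command.split(None, 1)
        exe, rest = parts[0], (parts[1] if len(parts) > 1 else "")
    return exe, rest.split()


def assess_run_value(name: str, command: str) -> dict:
    """Apply three heuristics to one Run-key value and explain each hit."""
    exe, args = split_command(command)
    low = exe.lower()
    reasons = []
    for marker in STAGING_MARKERS:
        if marker in low:
            reasons.append("executable under staging path " + marker)
            break
    # NSIS-style extraction directories look like ...\{random}.tmp\ or ...\nsa1234.tmp\
    if re.search(r"\\[^\\]+\.tmp\\", low):
        reasons.append("executable inside a *.tmp directory")
    filename = low.rsplit("\\", 1)[-1]
    if filename.endswith("setup.exe") or "install" in filename:
        reasons.append("installer-style file name registered for autorun")
    return {"name": name, "exe": exe, "args": args,
            "suspicious": bool(reasons), "reasons": reasons}


def suspicious_autoruns(values: dict = SAMPLE_RUN_VALUES) -> list:
    """Names of Run-key values that trip at least one heuristic."""
    return [name for name, cmd in values.items()
            if assess_run_value(name, cmd)["suspicious"]]


if __name__ == "__main__":
    for name, cmd in SAMPLE_RUN_VALUES.items():
        print(assess_run_value(name, cmd))
    print(suspicious_autoruns())
```

The parser deliberately does not interpret the switches: the page records them verbatim and their meaning is the installer's, not Windows'. What matters for triage is the executable path, which is why the check lowercases it and looks only at where it lives and what it is called. An unquoted path containing spaces would be mis-split by this parser, as it is by Windows, which is its own finding.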


The executing file has been seen to make the following network communications in live environments.

Protocol      Host                                    Address
TCP (HTTP)    ir2.fp.vip.ir2.yahoo.com                46.228.47.114:80
TCP (HTTP)    ir2.fp.vip.sg3.yahoo.com                106.10.138.240:80
TCP (HTTP)    ir2.fp.vip.bf1.yahoo.com                98.139.183.24:80
TCP (HTTP)    ir1.fp.vip.ir2.yahoo.com                46.228.47.115:80
TCP (HTTP)    7b.f5.25ae.ip4.static.sl-reverse.com    174.37.245.123:80
TCP (HTTP)    ir1.fp.vip.sg3.yahoo.com                106.10.139.246:80
TCP (HTTP)    e2.ycpi.vip.bra.yahoo.com               200.152.162.161:80
TCP (HTTP)    ir1.fp.vip.gq1.yahoo.com                206.190.36.45:80
TCP (HTTP)    ir1.fp.vip.bf1.yahoo.com                98.139.180.149:80

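The destinations above are plain-HTTP hosts, so they appear in proxy and DNS logs as hostnames and in flow logs as bare address:port pairs. The Python below is an example added to this page, not taken from Reason Core Security: it loads the observations above as indicators, indexes them by both hostname and address so a line matches whichever the log recorded, scans a handful of constructed proxy log lines, and aggregates hits per client. The log format (timestamp, client, method, host:port, status) is invented for the example; adapt parse_line() to your own proxy's format.

```python
import re
from collections import defaultdict

# Network observations from the record above: hostname -> "ip:port".
SMSETUP_NET_IOCS = {
    "ir2.fp.vip.ir2.yahoo.com": "46.228.47.114:80",
    "ir2.fp.vip.sg3.yahoo.com": "106.10.138.240:80",
    "ir2.fp.vip.bf1.yahoo.com": "98.139.183.24:80",
    "ir1.fp.vip.ir2.yahoo.com": "46.228.47.115:80",
    "7b.f5.25ae.ip4.static.sl-reverse.com": "174.37.245.123:80",
    "ir1.fp.vip.sg3.yahoo.com": "106.10.139.246:80",
    "e2.ycpi.vip.bra.yahoo.com": "200.152.162.161:80",
    "ir1.fp.vip.gq1.yahoo.com": "206.190.36.45:80",
    "ir1.fp.vip.bf1.yahoo.com": "98.139.180.149:80",
}

# Constructed proxy log lines in an invented format:
#   timestamp client method host:port status
SAMPLE_PROXY_LOG = """\
2025-01-11T00:02:10Z 10.0.0.15 GET www.example.com:443 200
2025-01-11T00:02:31Z 10.0.0.15 GET ir1.fp.vip.sg3.yahoo.com:80 200
2025-01-11T00:02:32Z 10.0.0.15 GET 174.37.245.123:80 302
2025-01-11T00:02:40Z 10.0.0.22 CONNECT login.example.net:443 200
2025-01-11T00:03:05Z 10.0.0.15 GET 98.139.180.149:80 200
2025-01-11T00:03:07Z 10.0.0.15 GET cdn.example.org:80 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+"
    r"(?P<dest>\S+):(?P<port>\d+)\s+(?P<status>\d+)$"
)


def build_index(iocs: dict = SMSETUP_NET_IOCS) -> dict:
    """Map every hostname and every ip:port back to the indicator it came
    from, so a line matches whether the proxy logged the name or the address."""
    index = {}
    for host, addr in iocs.items():
        index[host.lower()] = host
        index[addr] = host
    return index


def parse_line(line: str):
    """Return the fields of one log line, or None for an unexpected format
    (a malformed line should be skipped, not abort the whole scan)."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def scan_proxy_log(text: str, iocs: dict = SMSETUP_NET_IOCS) -> list:
    """Return one dict per log line that touched an indicator."""
    index = build_index(iocs)
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        dest = rec["dest"].lower()
        # Hostname indicators match on the name alone; address indicators
        # include the port, since the record gives ip:port pairs.
        key = dest if dest in index else f"{dest}:{rec['port']}"
        if key in index:
            hits.append({"ts": rec["ts"], "client": rec["client"],
                         "observed": f"{rec['dest']}:{rec['port']}",
                         "indicator": index[key]})
    return hits


def clients_by_hit_count(text: str, iocs: dict = SMSETUP_NET_IOCS) -> dict:
    """Hits per client: several distinct indicators from one host within a
    minute is a far stronger signal than any single line."""
    counts = defaultdict(int)
    for hit in scan_proxy_log(text, iocs):
        counts[hit["client"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(hit)
    print(clients_by_hit_count(SAMPLE_PROXY_LOG))
```

The Yahoo front-end hosts are shared infrastructure that ordinary browsing also reaches, so a single hostname hit is weak evidence on its own; the clustering of several of these destinations from one client in a short window, together with the Run-key entry and the file hashes recorded on this page, is what makes the finding actionable.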
Remove SMSetup.exe - Powered by Reason Core Security