smu.exe

W

Search Module Ltd.

The application smu.exe, “Search Module Update Service” has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. It runs as a separate (within the context of its own process) windows Service named “Search Module Update”. While running, it connects to the Internet address server-54-192-130-17.ams50.r.cloudfront.net on port 80 using the HTTP protocol.
Publisher:
Search Module Ltd.

Product:
W

Description:
Search Module Update Service

Version:
2, 6, 8, 5595

MD5:
3fd7283f34a9ff2f91c9704e443fa075

SHA-1:
c13a34df7d51205d506a5c0a2872060745f73d4b

SHA-256:
6a8f98c1be91059f9b250922b52378086885353cd94e89924d9c9e3b53224cec

Scanner detections:
1 / 68

Status:
Potentially unwanted

Analysis date:
11/30/2024 10:24:56 AM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.Search.Toolbar (M)
17.2.2.12

File size:
3 MB (3,109,888 bytes)

Product version:
2, 6, 8, 5595

Copyright:
Copyright (C) 2014

Original file name:
smu.exe

File type:
Executable application (Win64 EXE)

Language:
English (United States)

Common path:
C:\Program Files\common files\noobzo\gnupdate\smu.exe

File PE Metadata
Compilation timestamp:
2/2/2017 6:46:44 PM

OS version:
5.2

OS bitness:
Win64

Subsystem:
Windows Console

Linker version:
14.0

Entry address:
0x12AC90

Entry point:
48, 83, EC, 28, E8, 57, 09, 00, 00, 48, 83, C4, 28, E9, 66, FE, FF, FF, CC, CC, 48, 8B, C4, 48, 89, 58, 18, 48, 89, 70, 20, 48, 89, 50, 10, 48, 89, 48, 08, 57, 41, 56, 41, 57, 48, 83, EC, 30, 49, 8B, F1, 4D, 8B, F8, 4C, 8B, F2, 48, 8B, F9, 33, DB, 48, 89, 58, E0, 88, 58, D8, 49, 3B, DF, 74, 1F, 48, 8B, CE, E8, AA, 04, 00, 00, 48, 8B, CF, FF, D6, 49, 03, FE, 48, 89, 7C, 24, 50, 48, FF, C3, 48, 89, 5C, 24, 28, EB, DC, C6, 44, 24, 20, 01, 48, 8B, 5C, 24, 60, 48, 8B, 74, 24, 68, 48, 83, C4, 30, 41, 5F, 41, 5E...
 
[+]

Entropy:
6.2439

Code size:
2.1 MB (2,196,480 bytes)

Service
Display name:
Search Module Update

Service name:
SMUpd

Type:
Win32OwnProcess


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to server-205-251-219-14.arn1.r.cloudfront.net  (205.251.219.14:80)

TCP (HTTP):
Connects to server-54-230-191-238.maa3.r.cloudfront.net  (54.230.191.238:80)

TCP (HTTP):
Connects to server-54-192-230-197.waw50.r.cloudfront.net  (54.192.230.197:80)

TCP (HTTP):
Connects to server-52-84-174-74.gru50.r.cloudfront.net  (52.84.174.74:80)

TCP (HTTP):
Connects to server-52-84-102-71.del51.r.cloudfront.net  (52.84.102.71:80)

TCP (HTTP):
Connects to server-54-192-230-122.waw50.r.cloudfront.net  (54.192.230.122:80)

TCP (HTTP):
Connects to server-54-192-130-17.ams50.r.cloudfront.net  (54.192.130.17:80)

TCP (HTTP):
Connects to server-52-85-151-50.hkg51.r.cloudfront.net  (52.85.151.50:80)

TCP (HTTP):
Connects to server-52-85-151-248.hkg51.r.cloudfront.net  (52.85.151.248:80)

TCP (HTTP):
Connects to server-205-251-219-80.arn1.r.cloudfront.net  (205.251.219.80:80)

TCP (HTTP):
Connects to server-205-251-219-214.arn1.r.cloudfront.net  (205.251.219.214:80)

Remove smu.exe - Powered by Reason Core Security