home

smu.exe

W

Search Module Ltd.

The application smu.exe, “Search Module Update Service” has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. It runs as a separate (within the context of its own process) windows Service named “Search Module Update”. While running, it connects to the Internet address server-54-192-130-32.ams50.r.cloudfront.net on port 80 using the HTTP protocol.
Publisher:
Search Module Ltd.

Product:
W

Description:
Search Module Update Service

Version:
2, 6, 8, 5747

MD5:
fe937528dd99bfe3c1e5bc226747bf28

SHA-1:
f3388f4aea1426f989909d69e94cf573f40aaaeb

SHA-256:
c0cf0dbea473177bc27e592e0f10263d6076b7dde01e1741da4f7c4e877adddb

Scanner detections:
1 / 68

Status:
Potentially unwanted

Analysis date:
4/25/2024 1:58:06 PM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.Search.Toolbar (M)
17.2.11.15

File size:
3 MB (3,109,888 bytes)

Product version:
2, 6, 8, 5747

Copyright:
Copyright (C) 2014

Original file name:
smu.exe

File type:
Executable application (Win64 EXE)

Language:
English (United States)

Common path:
C:\Program Files\common files\noobzo\gnupdate\smu.exe

File PE Metadata
Compilation timestamp:
2/11/2017 9:46:12 PM

OS version:
5.2

OS bitness:
Win64

Subsystem:
Windows Console

Linker version:
14.0

Entry address:
0x12AC90

Entry point:
48, 83, EC, 28, E8, 57, 09, 00, 00, 48, 83, C4, 28, E9, 66, FE, FF, FF, CC, CC, 48, 8B, C4, 48, 89, 58, 18, 48, 89, 70, 20, 48, 89, 50, 10, 48, 89, 48, 08, 57, 41, 56, 41, 57, 48, 83, EC, 30, 49, 8B, F1, 4D, 8B, F8, 4C, 8B, F2, 48, 8B, F9, 33, DB, 48, 89, 58, E0, 88, 58, D8, 49, 3B, DF, 74, 1F, 48, 8B, CE, E8, AA, 04, 00, 00, 48, 8B, CF, FF, D6, 49, 03, FE, 48, 89, 7C, 24, 50, 48, FF, C3, 48, 89, 5C, 24, 28, EB, DC, C6, 44, 24, 20, 01, 48, 8B, 5C, 24, 60, 48, 8B, 74, 24, 68, 48, 83, C4, 30, 41, 5F, 41, 5E...
 
[+]

Entropy:
6.2439

Code size:
2.1 MB (2,196,480 bytes)

Service
Display name:
Search Module Update

Service name:
SMUpd

Type:
Win32OwnProcess


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to server-52-85-151-246.hkg51.r.cloudfront.net  (52.85.151.246:80)

TCP (HTTP):
Connects to server-54-230-11-40.lhr3.r.cloudfront.net  (54.230.11.40:80)

TCP (HTTP):
Connects to server-54-230-11-224.lhr3.r.cloudfront.net  (54.230.11.224:80)

TCP (HTTP):
Connects to server-54-192-19-123.iad12.r.cloudfront.net  (54.192.19.123:80)

TCP (HTTP):
Connects to server-54-192-130-32.ams50.r.cloudfront.net  (54.192.130.32:80)

TCP (HTTP):
Connects to server-52-85-63-11.lhr50.r.cloudfront.net  (52.85.63.11:80)

TCP (HTTP):
Connects to server-52-85-151-34.hkg51.r.cloudfront.net  (52.85.151.34:80)

TCP (HTTP):
Connects to server-54-230-191-138.maa3.r.cloudfront.net  (54.230.191.138:80)

TCP (HTTP):
Connects to server-54-192-55-134.jfk6.r.cloudfront.net  (54.192.55.134:80)

Remove smu.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.