File name: sm-online.exe

Full analysis: https://app.any.run/tasks/63e055f5-4da1-4fd6-9354-846c099c41f6
Verdict: Malicious activity
Analysis date: May 15, 2024, 09:53:07
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 547033D2FD726AA9195DAB524AAD2B33
SHA1: 434D3ED3616F4BCAA9A3F63BFEB369068A077BBF
SHA256: 1EDFC686CC3621E8ACFB7C97585E597CD2D6518991F0E18684115D0F7AE247CD
SSDEEP: 98304:Ak5uFN7i57aVKmgpOwBiX7WiKsqRnnrCvJlNaz6Z6RLnIyJRS8jNMECXlEi/lWV1:e3mTrH

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • sm-online.exe (PID: 3968)
      • sm-online.exe (PID: 1036)
      • sm_x86.exe (PID: 1704)
      • sm_x86.tmp (PID: 2064)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • sm-online.exe (PID: 3968)
      • sm-online.exe (PID: 1036)
      • OnlineInstall.exe (PID: 112)
    • Reads the Internet Settings

      • sm-online.exe (PID: 3968)
      • sm-online.exe (PID: 1036)
      • OnlineInstall.exe (PID: 112)
    • Application launched itself

      • sm-online.exe (PID: 3968)
    • Executable content was dropped or overwritten

      • sm_x86.exe (PID: 1704)
      • sm-online.exe (PID: 1036)
      • sm_x86.tmp (PID: 2064)
    • Process drops legitimate windows executable

      • sm_x86.tmp (PID: 2064)
    • Drops 7-zip archiver for unpacking

      • sm_x86.tmp (PID: 2064)
    • Reads the Windows owner or organization settings

      • sm_x86.tmp (PID: 2064)
    • The process drops C-runtime libraries

      • sm_x86.tmp (PID: 2064)
    • Drops a system driver (possible attempt to evade defenses)

      • sm_x86.tmp (PID: 2064)
    • Uses TASKKILL.EXE to kill process

      • sm_x86.tmp (PID: 2064)
  • INFO

    • Checks supported languages

      • sm-online.exe (PID: 3968)
      • sm-online.exe (PID: 1036)
      • OnlineInstall.exe (PID: 112)
      • sm_x86.exe (PID: 1704)
      • sm_x86.tmp (PID: 2064)
    • Reads the computer name

      • sm-online.exe (PID: 3968)
      • sm-online.exe (PID: 1036)
      • OnlineInstall.exe (PID: 112)
      • sm_x86.tmp (PID: 2064)
    • Create files in a temporary directory

      • sm_x86.exe (PID: 1704)
      • sm-online.exe (PID: 1036)
      • OnlineInstall.exe (PID: 112)
      • sm_x86.tmp (PID: 2064)
    • Creates files in the program directory

      • OnlineInstall.exe (PID: 112)
      • sm_x86.tmp (PID: 2064)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2012:12:31 00:38:38+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 89600
InitializedDataSize: 172032
UninitializedDataSize: -
EntryPoint: 0x1638f
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 4.4.0.0
ProductVersionNumber: 4.4.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Unknown (0009)
CharacterSet: Unicode
CompanyName: MiniTool Software Limited
FileDescription: MiniTool ShadowMaker Online Setup
FileVersion: 4.4.0.0
InternalName: MiniTool ShadowMaker Online Setup
LegalCopyright: (C) 2024, MiniTool Software Limited. All rights reserved.
OriginalFileName: sm-trial-online.exe
PrivateBuild: January 25, 2024
ProductName: MiniTool ShadowMaker
ProductVersion: 4.4.0.0
No data.
All screenshots are available in the full report
Total processes
47
Monitored processes
7
Malicious processes
5
Suspicious processes
0

Behavior graph

Graph nodes: start, sm-online.exe (no specs), sm-online.exe, onlineinstall.exe, sm_x86.exe, sm_x86.tmp, taskkill.exe (no specs), taskkill.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID:
112
CMD:
"C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\OnlineInstall.exe"
Path:
C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\OnlineInstall.exe
Parent process:
sm-online.exe
User:
admin
Company:
MiniTool
Integrity Level:
HIGH
Description:
MiniTool ShadowMaker Setup
Version:
4.2.0.0
Modules
Images
c:\users\admin\appdata\local\temp\7zipsfx.000\onlineinstall.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
PID:
1036
CMD:
"C:\Users\admin\Desktop\sm-online.exe" -sfxelevation
Path:
C:\Users\admin\Desktop\sm-online.exe
Parent process:
sm-online.exe
User:
admin
Company:
MiniTool Software Limited
Integrity Level:
HIGH
Description:
MiniTool ShadowMaker Online Setup
Version:
4.4.0.0
Modules
Images
c:\users\admin\desktop\sm-online.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID:
1132
CMD:
"taskkill.exe" /f /im "SchedulerService.exe"
Path:
C:\Windows\System32\taskkill.exe
Parent process:
sm_x86.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Terminates Processes
Exit code:
128
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll
PID:
1704
CMD:
"C:\Users\admin\Downloads\sm_x86.exe" /progress="C:\Users\admin\AppData\Local\Temp\progress.txt" /VERYSILENT /LOG="C:\Program Files (x86)\MiniTool ShadowMaker\Innosetuplog.txt" /NORESTART /DIR="C:\Program Files (x86)\MiniTool ShadowMaker" /LANG=en agreeImprove=1 /online
Path:
C:\Users\admin\Downloads\sm_x86.exe
Parent process:
OnlineInstall.exe
User:
admin
Company:
MiniTool Software Limited
Integrity Level:
HIGH
Description:
MiniTool ShadowMaker Setup
Version:
4.4.0.3333
Modules
Images
c:\users\admin\downloads\sm_x86.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID:
2064
CMD:
"C:\Users\admin\AppData\Local\Temp\is-NGA6L.tmp\sm_x86.tmp" /SL5="$30136,184804547,268800,C:\Users\admin\Downloads\sm_x86.exe" /progress="C:\Users\admin\AppData\Local\Temp\progress.txt" /VERYSILENT /LOG="C:\Program Files (x86)\MiniTool ShadowMaker\Innosetuplog.txt" /NORESTART /DIR="C:\Program Files (x86)\MiniTool ShadowMaker" /LANG=en agreeImprove=1 /online
Path:
C:\Users\admin\AppData\Local\Temp\is-NGA6L.tmp\sm_x86.tmp
Parent process:
sm_x86.exe
User:
admin
Integrity Level:
HIGH
Description:
Setup/Uninstall
Version:
51.1052.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-nga6l.tmp\sm_x86.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID:
2236
CMD:
"taskkill.exe" /f /im "AgentService.exe"
Path:
C:\Windows\System32\taskkill.exe
Parent process:
sm_x86.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Terminates Processes
Exit code:
128
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll
PID:
3968
CMD:
"C:\Users\admin\Desktop\sm-online.exe"
Path:
C:\Users\admin\Desktop\sm-online.exe
Parent process:
explorer.exe
User:
admin
Company:
MiniTool Software Limited
Integrity Level:
MEDIUM
Description:
MiniTool ShadowMaker Online Setup
Version:
4.4.0.0
Modules
Images
c:\users\admin\desktop\sm-online.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
Total events
9 407
Read events
9 376
Write events
31
Delete events
0

Modification events

PID: 3968 | Process: sm-online.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: ProxyBypass | Value: 1
PID: 3968 | Process: sm-online.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: IntranetName | Value: 1
PID: 3968 | Process: sm-online.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: UNCAsIntranet | Value: 1
PID: 3968 | Process: sm-online.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: AutoDetect | Value: 0
PID: 1036 | Process: sm-online.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: ProxyBypass | Value: 1
PID: 1036 | Process: sm-online.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: IntranetName | Value: 1
PID: 1036 | Process: sm-online.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: UNCAsIntranet | Value: 1
PID: 1036 | Process: sm-online.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: AutoDetect | Value: 0
PID: 112 | Process: OnlineInstall.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted | Operation: write | Name: C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\OnlineInstall.exe | Value: 1
PID: 112 | Process: OnlineInstall.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: ProxyBypass | Value: 1
Executable files
367
Suspicious files
429
Text files
1 199
Unknown types
24

Dropped files

PID | Process | Filename | Type
1036 | sm-online.exe | C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\skin_anima\Check_Nomal.png | image
MD5: A544F7599747B3B04CDD4BEB2C27C603
SHA256: DCE573C01333549B06149934C4B5E81FC75BE62DBBBE7E4F4806B029C6E9567A
1036 | sm-online.exe | C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\skin_anima\Combo_Filepath_over.png | image
MD5: 562A972E707EC634AD4CD043F0C75F2E
SHA256: 47C3D3D6C0A66BD4C2DB2838EB8AC3D637FF378601C3E2FDCEC5626EBCCE4D71
1036 | sm-online.exe | C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\skin_anima\Download_Pic4.png | image
MD5: BFC3C508FCE989C7E7DBA31CED81643D
SHA256: 43EE936EB96F297344363179B43D84A78C3A3518428A53E271709CDBD7E98E49
1036 | sm-online.exe | C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\skin_anima\Close_Pre.png | image
MD5: D68A848882BBFF4430F4BEE8435AA113
SHA256: 1821FDFF02AB26FD09A3E04FD21C740994AFD5AC80F1D5775B79D7F10290EB0D
1036 | sm-online.exe | C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\skin_anima\Close_Nomal.png | image
MD5: 99FCFF2ACA703823E083CB90A3192146
SHA256: CBE96210DC6C28E21625C01DB80E510152EECBF4DDBC75A30FEEEFB9FFA318EF
1036 | sm-online.exe | C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\skin_anima\Combo_Language_over.png | image
MD5: 99A401D81C0DA59154CA9C3472DCD593
SHA256: 2C33349BBCC93417480D9B4E0A5B2D47E54E49CAB3D209E38BCFB222EE566EE5
1036 | sm-online.exe | C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\skin_anima\Close_Selected.png | image
MD5: A92D5384258CB858E13377E09AD3B40A
SHA256: 9FCF6087956D95E1122D42AA8FCD2CB413501D123DCA7E48377DB942640AC27E
1036 | sm-online.exe | C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\skin_anima\Combo_Language_nor.png | image
MD5: 6F7C7C68F52238EB76C3AB5A59ABFCDE
SHA256: 05CF0EE11D237F8EB6BD1766B149793DDAF7A917BBE4330D5D2F47B2A3BD9FA5
1036 | sm-online.exe | C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\skin_anima\Download_Pic3.png | image
MD5: 2E69D0A6A8C3097FC43EC3BBFEBFDB6F
SHA256: 30672B629B0909F68C1E463BA36440C0A13AB40E0CC8AAA761B324EA9D8BC73B
1036 | sm-online.exe | C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\skin_anima\Config.ini | text
MD5: EBC1E705794CB3B3B4DA6A202615DFF4
SHA256: F679FB8DF3A97D0980856470DC5B46E473D2FDFF1D5CAF76728C0A150E77DA71
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
13
DNS requests
2
Threats
0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 224.0.0.252:5355 | - | - | - | unknown
112 | OnlineInstall.exe | 104.18.21.178:443 | www.minitool.com | CLOUDFLARENET | - | unknown
112 | OnlineInstall.exe | 104.18.20.178:443 | www.minitool.com | CLOUDFLARENET | - | unknown

DNS requests

Domain | IP | Reputation
www.minitool.com | 104.18.21.178, 104.18.20.178 | unknown
cdn2.minitool.com | 104.18.20.178, 104.18.21.178 | unknown

Threats

No threats detected
No debug info