File name: sm-online.exe

Full analysis: https://app.any.run/tasks/63e055f5-4da1-4fd6-9354-846c099c41f6
Verdict: Malicious activity
Analysis date: May 15, 2024, 09:53:07
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 547033D2FD726AA9195DAB524AAD2B33
SHA1: 434D3ED3616F4BCAA9A3F63BFEB369068A077BBF
SHA256: 1EDFC686CC3621E8ACFB7C97585E597CD2D6518991F0E18684115D0F7AE247CD
SSDEEP: 98304:Ak5uFN7i57aVKmgpOwBiX7WiKsqRnnrCvJlNaz6Z6RLnIyJRS8jNMECXlEi/lWV1:e3mTrH

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • sm-online.exe (PID: 3968)
      • sm_x86.exe (PID: 1704)
      • sm-online.exe (PID: 1036)
      • sm_x86.tmp (PID: 2064)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • sm-online.exe (PID: 3968)
      • OnlineInstall.exe (PID: 112)
      • sm-online.exe (PID: 1036)
    • Application launched itself

      • sm-online.exe (PID: 3968)
    • Reads the Internet Settings

      • OnlineInstall.exe (PID: 112)
      • sm-online.exe (PID: 1036)
      • sm-online.exe (PID: 3968)
    • Reads the Windows owner or organization settings

      • sm_x86.tmp (PID: 2064)
    • Uses TASKKILL.EXE to kill process

      • sm_x86.tmp (PID: 2064)
    • Executable content was dropped or overwritten

      • sm_x86.exe (PID: 1704)
      • sm-online.exe (PID: 1036)
      • sm_x86.tmp (PID: 2064)
    • Process drops legitimate windows executable

      • sm_x86.tmp (PID: 2064)
    • Drops a system driver (possible attempt to evade defenses)

      • sm_x86.tmp (PID: 2064)
    • Drops 7-zip archiver for unpacking

      • sm_x86.tmp (PID: 2064)
    • The process drops C-runtime libraries

      • sm_x86.tmp (PID: 2064)
  • INFO

    • Reads the computer name

      • sm-online.exe (PID: 3968)
      • OnlineInstall.exe (PID: 112)
      • sm-online.exe (PID: 1036)
      • sm_x86.tmp (PID: 2064)
    • Checks supported languages

      • sm-online.exe (PID: 1036)
      • sm_x86.exe (PID: 1704)
      • sm-online.exe (PID: 3968)
      • OnlineInstall.exe (PID: 112)
      • sm_x86.tmp (PID: 2064)
    • Creates files in the program directory

      • OnlineInstall.exe (PID: 112)
      • sm_x86.tmp (PID: 2064)
    • Create files in a temporary directory

      • OnlineInstall.exe (PID: 112)
      • sm_x86.exe (PID: 1704)
      • sm-online.exe (PID: 1036)
      • sm_x86.tmp (PID: 2064)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2012:12:31 00:38:38+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 89600
InitializedDataSize: 172032
UninitializedDataSize: -
EntryPoint: 0x1638f
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 4.4.0.0
ProductVersionNumber: 4.4.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Unknown (0009)
CharacterSet: Unicode
CompanyName: MiniTool Software Limited
FileDescription: MiniTool ShadowMaker Online Setup
FileVersion: 4.4.0.0
InternalName: MiniTool ShadowMaker Online Setup
LegalCopyright: (C) 2024, MiniTool Software Limited. All rights reserved.
OriginalFileName: sm-trial-online.exe
PrivateBuild: January 25, 2024
ProductName: MiniTool ShadowMaker
ProductVersion: 4.4.0.0
No data.
All screenshots are available in the full report
Total processes: 47
Monitored processes: 7
Malicious processes: 5
Suspicious processes: 0

Behavior graph

Processes shown: sm-online.exe (no specs), sm-online.exe, onlineinstall.exe, sm_x86.exe, sm_x86.tmp, taskkill.exe (no specs), taskkill.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 112
CMD: "C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\OnlineInstall.exe"
Path: C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\OnlineInstall.exe
Parent process: sm-online.exe
User: admin
Company: MiniTool
Integrity Level: HIGH
Description: MiniTool ShadowMaker Setup
Version: 4.2.0.0
Modules (images):
c:\users\admin\appdata\local\temp\7zipsfx.000\onlineinstall.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
PID: 1036
CMD: "C:\Users\admin\Desktop\sm-online.exe" -sfxelevation
Path: C:\Users\admin\Desktop\sm-online.exe
Parent process: sm-online.exe
User: admin
Company: MiniTool Software Limited
Integrity Level: HIGH
Description: MiniTool ShadowMaker Online Setup
Version: 4.4.0.0
Modules (images):
c:\users\admin\desktop\sm-online.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 1132
CMD: "taskkill.exe" /f /im "SchedulerService.exe"
Path: C:\Windows\System32\taskkill.exe
Parent process: sm_x86.tmp
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Terminates Processes
Exit code: 128
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll
PID: 1704
CMD: "C:\Users\admin\Downloads\sm_x86.exe" /progress="C:\Users\admin\AppData\Local\Temp\progress.txt" /VERYSILENT /LOG="C:\Program Files (x86)\MiniTool ShadowMaker\Innosetuplog.txt" /NORESTART /DIR="C:\Program Files (x86)\MiniTool ShadowMaker" /LANG=en agreeImprove=1 /online
Path: C:\Users\admin\Downloads\sm_x86.exe
Parent process: OnlineInstall.exe
User: admin
Company: MiniTool Software Limited
Integrity Level: HIGH
Description: MiniTool ShadowMaker Setup
Version: 4.4.0.3333
Modules (images):
c:\users\admin\downloads\sm_x86.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID: 2064
CMD: "C:\Users\admin\AppData\Local\Temp\is-NGA6L.tmp\sm_x86.tmp" /SL5="$30136,184804547,268800,C:\Users\admin\Downloads\sm_x86.exe" /progress="C:\Users\admin\AppData\Local\Temp\progress.txt" /VERYSILENT /LOG="C:\Program Files (x86)\MiniTool ShadowMaker\Innosetuplog.txt" /NORESTART /DIR="C:\Program Files (x86)\MiniTool ShadowMaker" /LANG=en agreeImprove=1 /online
Path: C:\Users\admin\AppData\Local\Temp\is-NGA6L.tmp\sm_x86.tmp
Parent process: sm_x86.exe
User: admin
Integrity Level: HIGH
Description: Setup/Uninstall
Version: 51.1052.0.0
Modules (images):
c:\users\admin\appdata\local\temp\is-nga6l.tmp\sm_x86.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID: 2236
CMD: "taskkill.exe" /f /im "AgentService.exe"
Path: C:\Windows\System32\taskkill.exe
Parent process: sm_x86.tmp
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Terminates Processes
Exit code: 128
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll
PID: 3968
CMD: "C:\Users\admin\Desktop\sm-online.exe"
Path: C:\Users\admin\Desktop\sm-online.exe
Parent process: explorer.exe
User: admin
Company: MiniTool Software Limited
Integrity Level: MEDIUM
Description: MiniTool ShadowMaker Online Setup
Version: 4.4.0.0
Modules (images):
c:\users\admin\desktop\sm-online.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
Total events: 9 407
Read events: 9 376
Write events: 31
Delete events: 0

Modification events

Process: (3968) sm-online.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

Process: (3968) sm-online.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

Process: (3968) sm-online.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

Process: (3968) sm-online.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

Process: (1036) sm-online.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

Process: (1036) sm-online.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

Process: (1036) sm-online.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

Process: (1036) sm-online.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

Process: (112) OnlineInstall.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted
Operation: write
Name: C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\OnlineInstall.exe
Value: 1

Process: (112) OnlineInstall.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1
Executable files: 367
Suspicious files: 429
Text files: 1 199
Unknown types: 24

Dropped files

PID | Process | Filename | Type

1036 | sm-online.exe | C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\skin_anima\Close_Pre.png | image
MD5: D68A848882BBFF4430F4BEE8435AA113
SHA256: 1821FDFF02AB26FD09A3E04FD21C740994AFD5AC80F1D5775B79D7F10290EB0D

1036 | sm-online.exe | C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\skin_anima\Combo_Language_nor.png | image
MD5: 6F7C7C68F52238EB76C3AB5A59ABFCDE
SHA256: 05CF0EE11D237F8EB6BD1766B149793DDAF7A917BBE4330D5D2F47B2A3BD9FA5

1036 | sm-online.exe | C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\skin_anima\Download_Pic2.png | image
MD5: CB41870B5CE652F67448F01EF5750DA1
SHA256: 55A0F3452E9524F18E025747529D5540B901B75A5F1DB0F7CA298745ADDDD41A

1036 | sm-online.exe | C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\skin_anima\Combo_Filepath_over.png | image
MD5: 562A972E707EC634AD4CD043F0C75F2E
SHA256: 47C3D3D6C0A66BD4C2DB2838EB8AC3D637FF378601C3E2FDCEC5626EBCCE4D71

1036 | sm-online.exe | C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\skin_anima\Check_Selected.png | image
MD5: 6D116DCCAAC5056D7D1F4A593D5AC0DB
SHA256: 0946EFEE104652F084C6FB2F271B06FCDFB50DE893D64CD4287CC8E64DECED92

1036 | sm-online.exe | C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\skin_anima\Close_btn_Selected.png | image
MD5: 0E1DCA29392623FBA0595893C2CD61E3
SHA256: 661BF75AC6285788E5B3E5B12B72158978C4BE201F944CCC099F7D8CA795C201

1036 | sm-online.exe | C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\skin_anima\CloseUI.xml | xml
MD5: 27EAA1D85785C069EF143FEFA5DDB0E5
SHA256: 7E03D5B51424C8ED9E988B5A48655BCAC12C47101238FB33937E1DF0015BEC57

1036 | sm-online.exe | C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\skin_anima\Download_Pic4.png | image
MD5: BFC3C508FCE989C7E7DBA31CED81643D
SHA256: 43EE936EB96F297344363179B43D84A78C3A3518428A53E271709CDBD7E98E49

1036 | sm-online.exe | C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\skin_anima\Close_Nomal.png | image
MD5: 99FCFF2ACA703823E083CB90A3192146
SHA256: CBE96210DC6C28E21625C01DB80E510152EECBF4DDBC75A30FEEEFB9FFA318EF

1036 | sm-online.exe | C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\skin_anima\Config.ini | text
MD5: EBC1E705794CB3B3B4DA6A202615DFF4
SHA256: F679FB8DF3A97D0980856470DC5B46E473D2FDFF1D5CAF76728C0A150E77DA71
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 13
DNS requests: 2
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 224.0.0.252:5355 | - | - | - | unknown
112 | OnlineInstall.exe | 104.18.21.178:443 | www.minitool.com | CLOUDFLARENET | - | unknown
112 | OnlineInstall.exe | 104.18.20.178:443 | www.minitool.com | CLOUDFLARENET | - | unknown

DNS requests

Domain | IP | Reputation
www.minitool.com | 104.18.21.178, 104.18.20.178 | unknown
cdn2.minitool.com | 104.18.20.178, 104.18.21.178 | unknown

Threats

No threats detected
No debug info