File name:

ReflectDLHF.exe

Full analysis: https://app.any.run/tasks/46270044-7a15-4f66-abf7-b7e616d50cda
Verdict: Malicious activity
Analysis date: February 01, 2024, 06:34:04
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

0EE42FD3581F8F47545EFBD463139D8D

SHA1:

B75679DF9BF4E2EE56BA193FE75E5DA990BF9FA5

SHA256:

73A33442DBBFE5129121E3B3333B33B0E0F21DC46A7FEDA403C61B605710DE87

SSDEEP:

98304:xGIR1cw6+alvPJPazuWASHmWTEjgMHHFlI30LqWstsx9ii8zJy/e2Agf05T7ShVD:vo

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • ReflectDLHF.exe (PID: 752)
  • SUSPICIOUS

    • Reads the Internet Settings

      • ReflectDLHF.exe (PID: 752)
      • v8.0.7783_reflect_setup_free_x86.exe (PID: 1876)
      • msiexec.exe (PID: 4000)
    • Reads security settings of Internet Explorer

      • ReflectDLHF.exe (PID: 752)
      • v8.0.7783_reflect_setup_free_x86.exe (PID: 1876)
    • Reads settings of System Certificates

      • ReflectDLHF.exe (PID: 752)
      • v8.0.7783_reflect_setup_free_x86.exe (PID: 1876)
    • Checks Windows Trust Settings

      • ReflectDLHF.exe (PID: 752)
      • v8.0.7783_reflect_setup_free_x86.exe (PID: 1876)
    • Adds/modifies Windows certificates

      • v8.0.7783_reflect_setup_free_x86.exe (PID: 1876)
      • msiexec.exe (PID: 4000)
  • INFO

    • Checks proxy server information

      • ReflectDLHF.exe (PID: 752)
      • v8.0.7783_reflect_setup_free_x86.exe (PID: 1876)
    • Creates files in the program directory

      • ReflectDLHF.exe (PID: 752)
      • v8.0.7783_reflect_setup_free_x86.exe (PID: 1876)
    • Reads the computer name

      • ReflectDLHF.exe (PID: 752)
      • v8.0.7783_reflect_setup_free_x86.exe (PID: 1876)
    • Checks supported languages

      • ReflectDLHF.exe (PID: 752)
      • v8.0.7783_reflect_setup_free_x86.exe (PID: 1876)
    • Reads the machine GUID from the registry

      • ReflectDLHF.exe (PID: 752)
      • v8.0.7783_reflect_setup_free_x86.exe (PID: 1876)
    • Creates files or folders in the user directory

      • ReflectDLHF.exe (PID: 752)
      • v8.0.7783_reflect_setup_free_x86.exe (PID: 1876)
      • msiexec.exe (PID: 4000)
    • Manual execution by a user

      • explorer.exe (PID: 3836)
      • v8.0.7783_reflect_setup_free_x86.exe (PID: 1876)
      • v8.0.7783_reflect_setup_free_x86.exe (PID: 1432)
    • Reads security settings of Internet Explorer

      • msiexec.exe (PID: 4000)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 4000)
    • Drops the executable file immediately after the start

      • msiexec.exe (PID: 4000)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.dll | Win32 Dynamic Link Library (generic) (4.9)
.exe | Win32 Executable (generic) (3.4)
.exe | Generic Win/DOS Executable (1.5)
.exe | DOS Executable Generic (1.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2021:09:07 17:57:11+02:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.16
CodeSize: 2637824
InitializedDataSize: 2939904
UninitializedDataSize: -
EntryPoint: 0xf0d21
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 8.0.6161.0
ProductVersionNumber: 8.0.6161.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Unknown (8090)
CharacterSet: Windows, Latin1
CompanyName: Paramount Software UK Ltd
FileDescription: Macrium Reflect Package Download
FileVersion: 8, 0, 6161, 0
InternalName: Macrium Reflect Package Download
LegalCopyright: (c) Paramount Software. All rights reserved.
OriginalFileName: ReflectDL.exe
ProductName: Macrium Reflect Package Download
ProductVersion: 8, 0, 6161, 0
No data.
All screenshots are available in the full report
Total processes
51
Monitored processes
5
Malicious processes
2
Suspicious processes
0

Behavior graph

Processes in graph: reflectdlhf.exe, explorer.exe (no specs), v8.0.7783_reflect_setup_free_x86.exe (no specs), v8.0.7783_reflect_setup_free_x86.exe, msiexec.exe

Process information

PID | CMD | Path | Indicators | Parent process
752 | "C:\Users\admin\ReflectDLHF.exe" | C:\Users\admin\ReflectDLHF.exe | - | explorer.exe
User:
admin
Company:
Paramount Software UK Ltd
Integrity Level:
MEDIUM
Description:
Macrium Reflect Package Download
Exit code:
0
Version:
8, 0, 6161, 0
Modules
Images
c:\users\admin\reflectdlhf.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\mpr.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
1432 | "C:\Users\admin\Downloads\Macrium\v8.0.7783_reflect_setup_free_x86.exe" | C:\Users\admin\Downloads\Macrium\v8.0.7783_reflect_setup_free_x86.exe | - | explorer.exe
User:
admin
Company:
Paramount Software UK Ltd
Integrity Level:
MEDIUM
Description:
Macrium Reflect Installer
Exit code:
3221226540
Version:
8, 0, 7783, 0
Modules
Images
c:\users\admin\downloads\macrium\v8.0.7783_reflect_setup_free_x86.exe
c:\windows\system32\ntdll.dll
1876 | "C:\Users\admin\Downloads\Macrium\v8.0.7783_reflect_setup_free_x86.exe" | C:\Users\admin\Downloads\Macrium\v8.0.7783_reflect_setup_free_x86.exe | - | explorer.exe
User:
admin
Company:
Paramount Software UK Ltd
Integrity Level:
HIGH
Description:
Macrium Reflect Installer
Exit code:
0
Version:
8, 0, 7783, 0
Modules
Images
c:\users\admin\downloads\macrium\v8.0.7783_reflect_setup_free_x86.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
3836 | "C:\Windows\explorer.exe" | C:\Windows\explorer.exe | - | explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
4000 | msiexec /i "C:\Windows\Installer\reflect_setupv8.0.7783-x86-00.msi" ENV=PHYSICAL REFLECT_LANGUAGE=en-us /l* C:\Reflect_Install.log | C:\Windows\System32\msiexec.exe | - | v8.0.7783_reflect_setup_free_x86.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
Total events
14 450
Read events
14 361
Write events
89
Delete events
0

Modification events

(PID) Process: (752) ReflectDLHF.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value:
Cookie:
(PID) Process: (752) ReflectDLHF.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value:
Visited:
(PID) Process: (752) ReflectDLHF.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: write
Name: ProxyEnable
Value:
0
(PID) Process: (752) ReflectDLHF.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation: write
Name: SavedLegacySettings
Value:
460000005B010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A8016B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (752) ReflectDLHF.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value:
1
(PID) Process: (752) ReflectDLHF.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value:
1
(PID) Process: (752) ReflectDLHF.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value:
1
(PID) Process: (752) ReflectDLHF.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value:
0
(PID) Process: (752) ReflectDLHF.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value:
en-US
(PID) Process: (752) ReflectDLHF.exe
Key: HKEY_CURRENT_USER\Software\Macrium\ReflectDL
Operation: write
Name: DownloadFolder
Value:
C:\Users\admin\Downloads\Macrium\
Executable files
10
Suspicious files
5
Text files
5
Unknown types
0

Dropped files

PID | Process | Filename | Type
752 | ReflectDLHF.exe | C:\ProgramData\Macrium\ReflectDL\resume\BCE151A2306C2EC6E2192B6B5B01C3ED | -
MD5:
SHA256:
752 | ReflectDLHF.exe | C:\Users\admin\Downloads\Macrium\v8.0.7783_reflect_setup_free_x86.exe | -
MD5:
SHA256:
1876 | v8.0.7783_reflect_setup_free_x86.exe | C:\Windows\Installer\reflect_setupv8.0.7783-x86-00.msi | -
MD5:
SHA256:
752 | ReflectDLHF.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\P1LXZ1P8.txt | text
MD5:F3C07A23AEBBB95AB999755E84A878B1
SHA256:2BD7D96374F8308D2F828184DAD7CF6F57A906DF332E1421A42045ED1ADB361A
752 | ReflectDLHF.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D | binary
MD5:FA235C096A07706BAA7F773913934423
SHA256:9FCE2DC47DED4F120248D70E9CA29D83F6E0B793D0C22AB563D7A5E27A1A5983
4000 | msiexec.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C5C8CC0A7FE31816B4641D0465402560 | binary
MD5:E94FB54871208C00DF70F708AC47085B
SHA256:7B9D553E1C92CB6E8803E137F4F287D4363757F5D44B37D52F9FCA22FB97DF86
752 | ReflectDLHF.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\getfeaturelist[1].htm | xml
MD5:9E41CF06160C3C08EB806F27DFB89038
SHA256:610D41198AC9964902EF876891A92C652C105991EB0C4E12C5A561629E3D6BFB
4000 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\MSI9CFF.tmp | executable
MD5:62BEF9AAFE81662AF136600A7D759299
SHA256:58789628D579CF8BF89FBD4D77A19FE3C5D750917C36C2254E9722D5C1322C3F
752 | ReflectDLHF.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\getmsi[1].htm | text
MD5:9E386340C4A046AD44E5174AB4D373AD
SHA256:9D64566C7FD612B93686962F96AFBAF8594BEF016B0105D823A5345EE8267E2F
1876 | v8.0.7783_reflect_setup_free_x86.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\get[1].htm | text
MD5:063ACE49CADB2D200490633F56BFE7D5
SHA256:D6445D7BD68EE0B191C8AA16180F2708961A532F5AFD6A84594EA02967C9C7CB
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
17
DNS requests
6
Threats
0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
752 | ReflectDLHF.exe | GET | 304 | 23.32.238.217:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?ef11f46972a5ba2c | unknown | - | - | unknown
752 | ReflectDLHF.exe | GET | 200 | 172.64.149.23:80 | http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEH1bUSa0droR23QWC7xTDac%3D | unknown | binary | 2.18 Kb | unknown
1080 | svchost.exe | GET | 304 | 23.32.238.208:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?1b8fee253118cbef | unknown | compressed | 65.2 Kb | unknown
1080 | svchost.exe | GET | 200 | 23.32.238.208:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?89bca2e7018c82c0 | unknown | compressed | 65.2 Kb | unknown
4000 | msiexec.exe | GET | 200 | 104.18.21.226:80 | http://secure.globalsign.com/cacert/codesigningrootr45.crt | unknown | binary | 1.37 Kb | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
752 | ReflectDLHF.exe | 52.136.198.85:443 | updates.macrium.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | unknown
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
752 | ReflectDLHF.exe | 23.32.238.217:80 | ctldl.windowsupdate.com | Akamai International B.V. | DE | unknown
752 | ReflectDLHF.exe | 172.64.149.23:80 | ocsp.usertrust.com | CLOUDFLARENET | US | unknown
752 | ReflectDLHF.exe | 104.18.13.192:443 | download.macrium.com | CLOUDFLARENET | - | unknown
1080 | svchost.exe | 23.32.238.208:80 | ctldl.windowsupdate.com | Akamai International B.V. | DE | unknown
1876 | v8.0.7783_reflect_setup_free_x86.exe | 52.136.198.85:443 | updates.macrium.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | unknown
4000 | msiexec.exe | 104.18.21.226:80 | secure.globalsign.com | CLOUDFLARENET | - | shared

DNS requests

Domain
IP
Reputation
updates.macrium.com
  • 52.136.198.85
unknown
ctldl.windowsupdate.com
  • 23.32.238.217
  • 23.32.238.169
  • 23.32.238.232
  • 23.32.238.240
  • 23.32.238.179
  • 23.32.238.219
  • 23.32.238.208
  • 23.32.238.201
  • 23.32.238.171
  • 23.32.238.241
whitelisted
ocsp.usertrust.com
  • 172.64.149.23
  • 104.18.38.233
whitelisted
download.macrium.com
  • 104.18.13.192
  • 104.18.12.192
unknown
secure.globalsign.com
  • 104.18.21.226
  • 104.18.20.226
whitelisted

Threats

No threats detected
No debug info