File name: ReflectDLHF.exe
Full analysis: https://app.any.run/tasks/46270044-7a15-4f66-abf7-b7e616d50cda
Verdict: Malicious activity
Analysis date: February 01, 2024, 06:34:04
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 0EE42FD3581F8F47545EFBD463139D8D
SHA1: B75679DF9BF4E2EE56BA193FE75E5DA990BF9FA5
SHA256: 73A33442DBBFE5129121E3B3333B33B0E0F21DC46A7FEDA403C61B605710DE87
SSDEEP: 98304:xGIR1cw6+alvPJPazuWASHmWTEjgMHHFlI30LqWstsx9ii8zJy/e2Agf05T7ShVD:vo

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • ReflectDLHF.exe (PID: 752)
  • SUSPICIOUS

    • Reads settings of System Certificates

      • ReflectDLHF.exe (PID: 752)
      • v8.0.7783_reflect_setup_free_x86.exe (PID: 1876)
    • Reads the Internet Settings

      • ReflectDLHF.exe (PID: 752)
      • v8.0.7783_reflect_setup_free_x86.exe (PID: 1876)
      • msiexec.exe (PID: 4000)
    • Reads security settings of Internet Explorer

      • ReflectDLHF.exe (PID: 752)
      • v8.0.7783_reflect_setup_free_x86.exe (PID: 1876)
    • Checks Windows Trust Settings

      • ReflectDLHF.exe (PID: 752)
      • v8.0.7783_reflect_setup_free_x86.exe (PID: 1876)
    • Adds/modifies Windows certificates

      • msiexec.exe (PID: 4000)
      • v8.0.7783_reflect_setup_free_x86.exe (PID: 1876)
  • INFO

    • Creates files in the program directory

      • ReflectDLHF.exe (PID: 752)
      • v8.0.7783_reflect_setup_free_x86.exe (PID: 1876)
    • Reads the computer name

      • ReflectDLHF.exe (PID: 752)
      • v8.0.7783_reflect_setup_free_x86.exe (PID: 1876)
    • Creates files or folders in the user directory

      • ReflectDLHF.exe (PID: 752)
      • v8.0.7783_reflect_setup_free_x86.exe (PID: 1876)
      • msiexec.exe (PID: 4000)
    • Reads the machine GUID from the registry

      • ReflectDLHF.exe (PID: 752)
      • v8.0.7783_reflect_setup_free_x86.exe (PID: 1876)
    • Checks supported languages

      • ReflectDLHF.exe (PID: 752)
      • v8.0.7783_reflect_setup_free_x86.exe (PID: 1876)
    • Checks proxy server information

      • ReflectDLHF.exe (PID: 752)
      • v8.0.7783_reflect_setup_free_x86.exe (PID: 1876)
    • Manual execution by a user

      • explorer.exe (PID: 3836)
      • v8.0.7783_reflect_setup_free_x86.exe (PID: 1876)
      • v8.0.7783_reflect_setup_free_x86.exe (PID: 1432)
    • Reads security settings of Internet Explorer

      • msiexec.exe (PID: 4000)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 4000)
    • Drops the executable file immediately after the start

      • msiexec.exe (PID: 4000)
No Malware configuration.

TRiD

.dll | Win32 Dynamic Link Library (generic) (4.9)
.exe | Win32 Executable (generic) (3.4)
.exe | Generic Win/DOS Executable (1.5)
.exe | DOS Executable Generic (1.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2021:09:07 17:57:11+02:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.16
CodeSize: 2637824
InitializedDataSize: 2939904
UninitializedDataSize: -
EntryPoint: 0xf0d21
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 8.0.6161.0
ProductVersionNumber: 8.0.6161.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Unknown (8090)
CharacterSet: Windows, Latin1
CompanyName: Paramount Software UK Ltd
FileDescription: Macrium Reflect Package Download
FileVersion: 8, 0, 6161, 0
InternalName: Macrium Reflect Package Download
LegalCopyright: (c) Paramount Software. All rights reserved.
OriginalFileName: ReflectDL.exe
ProductName: Macrium Reflect Package Download
ProductVersion: 8, 0, 6161, 0
No data.
All screenshots are available in the full report
Total processes: 51
Monitored processes: 5
Malicious processes: 2
Suspicious processes: 0


Process information

PID 752
CMD: "C:\Users\admin\ReflectDLHF.exe"
Path: C:\Users\admin\ReflectDLHF.exe
Parent process: explorer.exe
User: admin
Company: Paramount Software UK Ltd
Integrity Level: MEDIUM
Description: Macrium Reflect Package Download
Exit code: 0
Version: 8, 0, 6161, 0
Modules (images):
c:\users\admin\reflectdlhf.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\mpr.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll

PID 1432
CMD: "C:\Users\admin\Downloads\Macrium\v8.0.7783_reflect_setup_free_x86.exe"
Path: C:\Users\admin\Downloads\Macrium\v8.0.7783_reflect_setup_free_x86.exe
Parent process: explorer.exe
User: admin
Company: Paramount Software UK Ltd
Integrity Level: MEDIUM
Description: Macrium Reflect Installer
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: the installer was started without elevation and was terminated during startup, which is why only the image and ntdll.dll were mapped; PID 1876 is the same image relaunched at HIGH integrity)
Version: 8, 0, 7783, 0
Modules (images):
c:\users\admin\downloads\macrium\v8.0.7783_reflect_setup_free_x86.exe
c:\windows\system32\ntdll.dll

PID 1876
CMD: "C:\Users\admin\Downloads\Macrium\v8.0.7783_reflect_setup_free_x86.exe"
Path: C:\Users\admin\Downloads\Macrium\v8.0.7783_reflect_setup_free_x86.exe
Parent process: explorer.exe
User: admin
Company: Paramount Software UK Ltd
Integrity Level: HIGH
Description: Macrium Reflect Installer
Exit code: 0
Version: 8, 0, 7783, 0
Modules (images):
c:\users\admin\downloads\macrium\v8.0.7783_reflect_setup_free_x86.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll

PID 3836
CMD: "C:\Windows\explorer.exe"
Path: C:\Windows\explorer.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll

PID 4000
CMD: msiexec /i "C:\Windows\Installer\reflect_setupv8.0.7783-x86-00.msi" ENV=PHYSICAL REFLECT_LANGUAGE=en-us /l* C:\Reflect_Install.log
Path: C:\Windows\System32\msiexec.exe
Parent process: v8.0.7783_reflect_setup_free_x86.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows® installer
Exit code: 0
Version: 5.0.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
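The sandbox prints exit codes as unsigned decimals, so the 3221226540 for PID 1432 is easy to skim past. The following Python is an added example for this report, not ANY.RUN code: it decodes such values as NTSTATUS and pairs a medium-integrity launch that died with STATUS_ELEVATION_REQUIRED with the high-integrity relaunch of the same image. The process list is constructed from the table above and the NTSTATUS name table is a hand-picked subset.

```python
"""Decode sandbox exit codes and spot the UAC elevation relaunch in a process list."""

# Process records constructed from the "Process information" section of this report
# (pid, parent image, own image, integrity level, decimal exit code as the sandbox prints it).
PROCESSES = [
    {"pid": 752, "parent": "explorer.exe", "image": r"C:\Users\admin\ReflectDLHF.exe",
     "integrity": "MEDIUM", "exit_code": 0},
    {"pid": 1432, "parent": "explorer.exe",
     "image": r"C:\Users\admin\Downloads\Macrium\v8.0.7783_reflect_setup_free_x86.exe",
     "integrity": "MEDIUM", "exit_code": 3221226540},
    {"pid": 1876, "parent": "explorer.exe",
     "image": r"C:\Users\admin\Downloads\Macrium\v8.0.7783_reflect_setup_free_x86.exe",
     "integrity": "HIGH", "exit_code": 0},
    {"pid": 3836, "parent": "explorer.exe", "image": r"C:\Windows\explorer.exe",
     "integrity": "MEDIUM", "exit_code": 1},
    {"pid": 4000, "parent": "v8.0.7783_reflect_setup_free_x86.exe",
     "image": r"C:\Windows\System32\msiexec.exe", "integrity": "HIGH", "exit_code": 0},
]

# Hand-picked subset of NTSTATUS values worth recognising in triage (assumption: extend as needed).
NTSTATUS_NAMES = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC0000135: "STATUS_DLL_NOT_FOUND",
    0xC000013A: "STATUS_CONTROL_C_EXIT",
    0xC0000409: "STATUS_STACK_BUFFER_OVERRUN",
    0xC000042C: "STATUS_ELEVATION_REQUIRED",
}
STATUS_ELEVATION_REQUIRED = 0xC000042C


def describe_exit_code(code: int) -> str:
    """Anything with the top bit set is an NTSTATUS; its two high bits give the
    severity (11 = error, 10 = warning). Plain exit codes are returned unchanged."""
    code &= 0xFFFFFFFF
    if code < 0x80000000:
        return str(code)
    severity = "error" if (code >> 30) == 3 else "warning"
    name = NTSTATUS_NAMES.get(code, "unrecognised NTSTATUS")
    return f"0x{code:08X} ({name}, {severity})"


def find_elevation_relaunches(procs):
    """Return (failed_pid, elevated_pid) pairs: a MEDIUM-integrity process that exited with
    STATUS_ELEVATION_REQUIRED followed by a HIGH-integrity process of the same image.
    This is how a manifest that requests elevation looks when the sample is started
    unelevated and then relaunched through the consent prompt."""
    pairs = []
    for failed in procs:
        if failed["integrity"] != "MEDIUM":
            continue
        if (failed["exit_code"] & 0xFFFFFFFF) != STATUS_ELEVATION_REQUIRED:
            continue
        for elevated in procs:
            if (elevated["pid"] != failed["pid"]
                    and elevated["integrity"] == "HIGH"
                    and elevated["image"].lower() == failed["image"].lower()):
                pairs.append((failed["pid"], elevated["pid"]))
    return pairs


if __name__ == "__main__":
    for p in PROCESSES:
        print(f'{p["pid"]:>5} {p["integrity"]:<6} exit={describe_exit_code(p["exit_code"])}  {p["image"]}')
    for failed, elevated in find_elevation_relaunches(PROCESSES):
        print(f"PID {failed} needed elevation and was relaunched as PID {elevated}")
```

The relaunch pair is worth recording in triage notes: it tells you the HIGH-integrity activity (msiexec, certificate store writes) happened only because the sandbox user accepted a UAC prompt, not because the sample bypassed UAC.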
Total events: 14 450
Read events: 14 361
Write events: 89
Delete events: 0

Modification events

(752) ReflectDLHF.exe  write  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
  CachePrefix = Cookie:
(752) ReflectDLHF.exe  write  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
  CachePrefix = Visited:
(752) ReflectDLHF.exe  write  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  ProxyEnable = 0
(752) ReflectDLHF.exe  write  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  SavedLegacySettings = 460000005B010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A8016B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(752) ReflectDLHF.exe  write  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  ProxyBypass = 1
(752) ReflectDLHF.exe  write  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  IntranetName = 1
(752) ReflectDLHF.exe  write  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  UNCAsIntranet = 1
(752) ReflectDLHF.exe  write  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  AutoDetect = 0
(752) ReflectDLHF.exe  write  HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
  LanguageList = en-US
(752) ReflectDLHF.exe  write  HKEY_CURRENT_USER\Software\Macrium\ReflectDL
  DownloadFolder = C:\Users\admin\Downloads\Macrium\
Executable files: 10
Suspicious files: 5
Text files: 5
Unknown types: 0

Dropped files

(752) ReflectDLHF.exe  C:\ProgramData\Macrium\ReflectDL\resume\BCE151A2306C2EC6E2192B6B5B01C3ED
  Type: -  MD5: -  SHA256: -
(752) ReflectDLHF.exe  C:\Users\admin\Downloads\Macrium\v8.0.7783_reflect_setup_free_x86.exe
  Type: -  MD5: -  SHA256: -
(1876) v8.0.7783_reflect_setup_free_x86.exe  C:\Windows\Installer\reflect_setupv8.0.7783-x86-00.msi
  Type: -  MD5: -  SHA256: -
(4000) msiexec.exe  C:\Users\admin\AppData\Local\Temp\MSIB530.tmp
  Type: executable  MD5: 62BEF9AAFE81662AF136600A7D759299  SHA256: 58789628D579CF8BF89FBD4D77A19FE3C5D750917C36C2254E9722D5C1322C3F
(752) ReflectDLHF.exe  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\getmsi[1].htm
  Type: text  MD5: 9E386340C4A046AD44E5174AB4D373AD  SHA256: 9D64566C7FD612B93686962F96AFBAF8594BEF016B0105D823A5345EE8267E2F
(4000) msiexec.exe  C:\Users\admin\AppData\Local\Temp\MSIB5CD.tmp
  Type: executable  MD5: 62BEF9AAFE81662AF136600A7D759299  SHA256: 58789628D579CF8BF89FBD4D77A19FE3C5D750917C36C2254E9722D5C1322C3F
(752) ReflectDLHF.exe  C:\ProgramData\Macrium\ReflectDL\ReflectDL.log
  Type: text  MD5: 6806E053A7160C6323F61C596318514B  SHA256: ADFCAC0ED01B76758105137624DFD49354BBE3F9897D405B8F6C9B78F8B5A770
(4000) msiexec.exe  C:\Users\admin\AppData\Local\Temp\MSI97FB.tmp
  Type: executable  MD5: 62BEF9AAFE81662AF136600A7D759299  SHA256: 58789628D579CF8BF89FBD4D77A19FE3C5D750917C36C2254E9722D5C1322C3F
(1876) v8.0.7783_reflect_setup_free_x86.exe  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\get[1].htm
  Type: text  MD5: 063ACE49CADB2D200490633F56BFE7D5  SHA256: D6445D7BD68EE0B191C8AA16180F2708961A532F5AFD6A84594EA02967C9C7CB
(752) ReflectDLHF.exe  C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\P1LXZ1P8.txt
  Type: text  MD5: F3C07A23AEBBB95AB999755E84A878B1  SHA256: 2BD7D96374F8308D2F828184DAD7CF6F57A906DF332E1421A42045ED1ADB361A

The three MSI*.tmp files written by msiexec.exe (PID 4000) carry identical hashes: one executable extracted from the MSI three times. The report records no hashes for the downloaded installer or the MSI itself, so verifying those against the vendor's published values has to be done outside this report.
HTTP(S) requests: 5
TCP/UDP connections: 17
DNS requests: 6
Threats: 0

HTTP requests

Columns: (PID) process, method, HTTP code, remote ip:port, URL, CN, content type, size, reputation. A dash means the report recorded no value.

(752) ReflectDLHF.exe  GET 304  23.32.238.217:80
  URL: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?ef11f46972a5ba2c
  CN: unknown  Type: -  Size: -  Reputation: unknown
  (Windows disallowed-certificate trust list; 304 means the cached copy was still current)
(752) ReflectDLHF.exe  GET 200  172.64.149.23:80
  URL: http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEH1bUSa0droR23QWC7xTDac%3D
  CN: unknown  Type: binary  Size: 2.18 Kb  Reputation: unknown
  (OCSP GET request: the path is a base64-encoded DER OCSPRequest identifying the certificate being checked)
(1080) svchost.exe  GET 200  23.32.238.208:80
  URL: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?89bca2e7018c82c0
  CN: unknown  Type: compressed  Size: 65.2 Kb  Reputation: unknown
  (Windows automatic root update: the trusted-root certificate trust list)
(1080) svchost.exe  GET 304  23.32.238.208:80
  URL: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?1b8fee253118cbef
  CN: unknown  Type: compressed  Size: 65.2 Kb  Reputation: unknown
(4000) msiexec.exe  GET 200  104.18.21.226:80
  URL: http://secure.globalsign.com/cacert/codesigningrootr45.crt
  CN: unknown  Type: binary  Size: 1.37 Kb  Reputation: unknown
  (CA certificate fetch from an AIA URL while building a code-signing chain)

All five requests are certificate-chain and revocation plumbing that Windows performs when it validates a signature; none of them carries the sample's own payload, which arrives over the TLS connections to download.macrium.com listed below.
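An OCSP GET request tells you exactly which certificate the process was validating, and it needs no network access to read. The following Python is an added example for this report and not part of ANY.RUN's tooling: a minimal DER walker (standard library only) that decodes the request URL above into the CertID fields from RFC 6960. The URL is copied from the table; the hash-algorithm OID table is a small hand-picked subset.

```python
"""Decode the CertID inside an OCSP GET request URL using only the standard library."""
import base64
from urllib.parse import unquote, urlsplit

# The OCSP request ReflectDLHF.exe (PID 752) sent, copied from the HTTP requests table above.
OCSP_URL = ("http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6Q"
            "QUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEH1bUSa0droR23QWC7xTDac%3D")

# Hand-picked subset of hash-algorithm OIDs (assumption: extend as needed).
HASH_ALGORITHMS = {"1.3.14.3.2.26": "sha1", "2.16.840.1.101.3.4.2.1": "sha256"}

SEQUENCE, INTEGER, OCTET_STRING, OID = 0x30, 0x02, 0x04, 0x06


def der_read(buf: bytes, pos: int):
    """Read one DER TLV at pos. Returns (tag, contents, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_children(contents: bytes):
    """Split the contents of a constructed value into (tag, contents) pairs."""
    out, pos = [], 0
    while pos < len(contents):
        tag, value, pos = der_read(contents, pos)
        out.append((tag, value))
    return out


def decode_oid(value: bytes) -> str:
    """Dotted form of a DER-encoded OBJECT IDENTIFIER (base-128 arcs, first byte = 40*a+b)."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def parse_ocsp_get(url: str):
    """RFC 6960 GET form: the URL path is base64(DER OCSPRequest), URL-escaped.
    OCSPRequest > tbsRequest > requestList > Request > CertID { hashAlgorithm,
    issuerNameHash, issuerKeyHash, serialNumber }. Returns one dict per CertID."""
    der = base64.b64decode(unquote(urlsplit(url).path.lstrip("/")))
    tag, ocsp_request, _ = der_read(der, 0)
    if tag != SEQUENCE:
        raise ValueError("not an OCSPRequest")
    tbs_request = der_children(ocsp_request)[0][1]
    # version [0] and requestorName [1] are optional context tags; requestList is the first SEQUENCE
    request_list = next(v for t, v in der_children(tbs_request) if t == SEQUENCE)
    cert_ids = []
    for _, request in der_children(request_list):
        cert_id = der_children(request)[0][1]
        (_, alg), (_, name_hash), (_, key_hash), (_, serial) = der_children(cert_id)[:4]
        oid = decode_oid(der_children(alg)[0][1])   # AlgorithmIdentifier = SEQUENCE { OID, params }
        cert_ids.append({
            "hash_algorithm": HASH_ALGORITHMS.get(oid, oid),
            "issuer_name_hash": name_hash.hex(),
            "issuer_key_hash": key_hash.hex(),
            "serial": format(int.from_bytes(serial, "big", signed=True), "x"),
        })
    return cert_ids


if __name__ == "__main__":
    for cid in parse_ocsp_get(OCSP_URL):
        print(cid)
```

The serial number and issuer key hash this yields are what you match against the signer certificate on the dropped installer (or against a CA's published issued-certificate data) to confirm that the OCSP traffic belongs to the expected signing chain rather than to something else the process loaded.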

Connections

Columns: (PID) process -> remote ip:port, domain, ASN, CN (country code), reputation. Fields the report left empty are omitted.

(4) System -> 192.168.100.255:138  reputation: whitelisted
(4) System -> 192.168.100.255:137  reputation: whitelisted
(752) ReflectDLHF.exe -> 52.136.198.85:443  updates.macrium.com  ASN: MICROSOFT-CORP-MSN-AS-BLOCK  CN: NL  reputation: unknown
(1080) svchost.exe -> 224.0.0.252:5355  reputation: unknown
(752) ReflectDLHF.exe -> 23.32.238.217:80  ctldl.windowsupdate.com  ASN: Akamai International B.V.  CN: DE  reputation: unknown
(752) ReflectDLHF.exe -> 172.64.149.23:80  ocsp.usertrust.com  ASN: CLOUDFLARENET  CN: US  reputation: unknown
(752) ReflectDLHF.exe -> 104.18.13.192:443  download.macrium.com  ASN: CLOUDFLARENET  reputation: unknown
(1080) svchost.exe -> 23.32.238.208:80  ctldl.windowsupdate.com  ASN: Akamai International B.V.  CN: DE  reputation: unknown
(1876) v8.0.7783_reflect_setup_free_x86.exe -> 52.136.198.85:443  updates.macrium.com  ASN: MICROSOFT-CORP-MSN-AS-BLOCK  CN: NL  reputation: unknown
(4000) msiexec.exe -> 104.18.21.226:80  secure.globalsign.com  ASN: CLOUDFLARENET  reputation: shared
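Most rows in that table are Windows background traffic (NetBIOS and LLMNR discovery, certificate trust-list updates, OCSP and AIA fetches) and only two hostnames are destinations the sample chose itself. The following Python is an added example for this report, not ANY.RUN code: it classifies the connection rows above, constructed here as a list, into those categories so the sample-specific infrastructure stands out. The allow-list of Windows PKI hosts is an assumption to be tuned per environment; anything it does not match is reported as "sample" and still needs a human look. Note also that the only MALICIOUS-tier signature in this report is the executable drop, which is the stated function of a download agent; deciding whether the dropped installer is the genuine vendor build means checking its signature, which the report does not show.

```python
"""Separate OS/PKI background traffic from sample-specific destinations in sandbox network output."""
import ipaddress

# Connection rows constructed from the "Connections" table of this report:
# (pid, process, remote ip, remote port, domain or "" when the sandbox recorded none).
CONNECTIONS = [
    (4, "System", "192.168.100.255", 138, ""),
    (4, "System", "192.168.100.255", 137, ""),
    (752, "ReflectDLHF.exe", "52.136.198.85", 443, "updates.macrium.com"),
    (1080, "svchost.exe", "224.0.0.252", 5355, ""),
    (752, "ReflectDLHF.exe", "23.32.238.217", 80, "ctldl.windowsupdate.com"),
    (752, "ReflectDLHF.exe", "172.64.149.23", 80, "ocsp.usertrust.com"),
    (752, "ReflectDLHF.exe", "104.18.13.192", 443, "download.macrium.com"),
    (1080, "svchost.exe", "23.32.238.208", 80, "ctldl.windowsupdate.com"),
    (1876, "v8.0.7783_reflect_setup_free_x86.exe", "52.136.198.85", 443, "updates.macrium.com"),
    (4000, "msiexec.exe", "104.18.21.226", 80, "secure.globalsign.com"),
]

# Assumed allow-list of hosts Windows contacts on its own while validating signatures.
# Extend it for your environment; anything not matched is treated as sample infrastructure.
WINDOWS_PKI_HOSTS = {
    "ctldl.windowsupdate.com",   # automatic root / disallowed certificate trust lists
    "secure.globalsign.com",     # CA certificate (AIA) fetch seen in the HTTP table
}
PKI_PREFIXES = ("ocsp.", "crl.", "crt.")   # conventional revocation / chain-building hostnames


def classify(ip: str, port: int, domain: str) -> str:
    """Bucket one connection: llmnr, netbios, windows-pki or sample."""
    addr = ipaddress.ip_address(ip)
    if addr.is_multicast and port == 5355:
        return "llmnr"                      # link-local name resolution, Windows noise
    if addr.is_private and port in (137, 138):
        return "netbios"                    # NetBIOS name / datagram broadcasts
    host = domain.lower()
    if host in WINDOWS_PKI_HOSTS or host.startswith(PKI_PREFIXES):
        return "windows-pki"                # certificate chain and revocation plumbing
    return "sample"                         # unmatched: the sample's own infrastructure


def sample_destinations(conns):
    """Return {(domain, pid)} for the connections the sample itself chose to make."""
    return {(dom, pid) for pid, _proc, ip, port, dom in conns
            if classify(ip, port, dom) == "sample"}


def triage(conns):
    """Group every connection by category so the analyst can eyeball what is left."""
    groups = {}
    for pid, proc, ip, port, dom in conns:
        groups.setdefault(classify(ip, port, dom), []).append(
            f"{proc}({pid}) -> {dom or ip}:{port}")
    return groups


if __name__ == "__main__":
    for category, rows in triage(CONNECTIONS).items():
        print(category)
        for row in rows:
            print("   ", row)
    print("sample destinations:", sorted(sample_destinations(CONNECTIONS)))
```

For this report the "sample" bucket is updates.macrium.com (PIDs 752 and 1876) and download.macrium.com (PID 752), which are the domains to check against the vendor's published download hosts and against the DNS answers below.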

DNS requests

Domain
IP
Reputation
updates.macrium.com
  • 52.136.198.85
unknown
ctldl.windowsupdate.com
  • 23.32.238.217
  • 23.32.238.169
  • 23.32.238.232
  • 23.32.238.240
  • 23.32.238.179
  • 23.32.238.219
  • 23.32.238.208
  • 23.32.238.201
  • 23.32.238.171
  • 23.32.238.241
whitelisted
ocsp.usertrust.com
  • 172.64.149.23
  • 104.18.38.233
whitelisted
download.macrium.com
  • 104.18.13.192
  • 104.18.12.192
unknown
secure.globalsign.com
  • 104.18.21.226
  • 104.18.20.226
whitelisted

Threats

No threats detected
No debug info