| Field | Value |
|---|---|
| File name: | WGLUFXDC.msi |
| Full analysis: | https://app.any.run/tasks/247433cf-11e3-4ccb-b4d5-1f23a8dba3c6 |
| Verdict: | Malicious activity |
| Threats: | HijackLoader is a modular malware acting as a vehicle for distributing different types of malicious software on compromised systems. It gained prominence during the summer of 2023 and has since been used in multiple attacks against organizations from various sectors, including hospitality businesses. |
| Analysis date: | January 13, 2026, 16:48:53 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-msi |
| File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Illuminate, Author: Nummulite Payola, Keywords: Installer, Comments: This installer database contains the logic and data required to install Illuminate., Template: Intel;1033, Revision Number: {A9FF0184-D50F-44F2-986A-EEAE98A0A458}, Create Time/Date: Tue Jan 13 11:20:30 2026, Last Saved Time/Date: Tue Jan 13 11:20:30 2026, Number of Pages: 500, Number of Words: 10, Name of Creating Application: WiX Toolset (4.0.0.0), Security: 2 |
| MD5: | B9A5FB410E5E5865AC10A9B95327CEB1 |
| SHA1: | 30363F84A8BC1CA7930730DDC7FC599283BE789D |
| SHA256: | 32311BBBFF970819FD79D62EC002B102C191005F9BCD1281071194F53A87E38A |
| SSDEEP: | 98304:qJcVFDC10JIFaul7p0kYJDj3GXIMIoSlL+BslURQfeXryPspxE1Px7xv77G/Xool:xdryKT |
| .msi | Microsoft Installer (100) |
|---|---|
| CodePage: | Windows Latin 1 (Western European) |
| Title: | Installation Database |
| Subject: | Illuminate |
| Author: | Nummulite Payola |
| Keywords: | Installer |
| Comments: | This installer database contains the logic and data required to install Illuminate. |
| Template: | Intel;1033 |
| RevisionNumber: | {A9FF0184-D50F-44F2-986A-EEAE98A0A458} |
| CreateDate: | 2026:01:13 11:20:30 |
| ModifyDate: | 2026:01:13 11:20:30 |
| Pages: | 500 |
| Words: | 10 |
| Software: | WiX Toolset (4.0.0.0) |
| Security: | Read-only recommended |
| PID | CMD | Path | Indicators | Parent process | Details |
|---|---|---|---|---|---|
| 1068 | C:\WINDOWS\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:15 | C:\Windows\System32\SrTasks.exe | — | msiexec.exe | User: SYSTEM; Company: Microsoft Corporation; Integrity Level: SYSTEM; Description: Microsoft® Windows System Protection background tasks; Exit code: 0; Version: 10.0.19041.1 (WinBuild.160101.0800) |
| 1600 | C:\Users\admin\AppData\Local\OrbiClient64.exe | C:\Users\admin\AppData\Local\OrbiClient64.exe | | Infra_Transp.exe | User: admin; Company: DTS; Integrity Level: MEDIUM; Description: DTS Audio Service; Version: 1.0.0.0 |
| 2164 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | SrTasks.exe | User: SYSTEM; Company: Microsoft Corporation; Integrity Level: SYSTEM; Description: Console Window Host; Exit code: 0; Version: 10.0.19041.1 (WinBuild.160101.0800) |
| 5320 | C:\Users\admin\AppData\Roaming\MSVC_v4_0_arm64\Crisp.exe | C:\Users\admin\AppData\Roaming\MSVC_v4_0_arm64\Crisp.exe | — | Infra_Transp.exe | User: admin; Company: Crisp IM SAS; Integrity Level: MEDIUM; Description: Crisp; Exit code: 0; Version: 6.0.68 |
| 7036 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | | svchost.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Activation Client; Exit code: 0; Version: 10.0.19041.1 (WinBuild.160101.0800) |
| 7312 | "C:\Users\admin\AppData\Local\Alidade\Infra_Transp.exe" | C:\Users\admin\AppData\Local\Alidade\Infra_Transp.exe | | msiexec.exe | User: admin; Company: COMODO; Integrity Level: MEDIUM; Description: COMODO Internet Security 2025; Exit code: 0; Version: 12, 3, 4, 8162 |
| 7536 | "C:\Windows\System32\msiexec.exe" /i C:\Users\admin\Desktop\WGLUFXDC.msi | C:\Windows\System32\msiexec.exe | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows® installer; Exit code: 0; Version: 5.0.19041.1 (WinBuild.160101.0800) |
| 7696 | C:\WINDOWS\system32\msiexec.exe /V | C:\Windows\System32\msiexec.exe | | services.exe | User: SYSTEM; Company: Microsoft Corporation; Integrity Level: SYSTEM; Description: Windows® installer; Version: 5.0.19041.1 (WinBuild.160101.0800) |
| 7708 | C:\ProgramData\MSVC_v4_0_arm64\Infra_Transp.exe | C:\ProgramData\MSVC_v4_0_arm64\Infra_Transp.exe | | Infra_Transp.exe | User: admin; Company: COMODO; Integrity Level: MEDIUM; Description: COMODO Internet Security 2025; Exit code: 0; Version: 12, 3, 4, 8162 |
| 7808 | C:\WINDOWS\system32\vssvc.exe | C:\Windows\System32\VSSVC.exe | — | services.exe | User: SYSTEM; Company: Microsoft Corporation; Integrity Level: SYSTEM; Description: Microsoft® Volume Shadow Copy Service; Version: 10.0.19041.1 (WinBuild.160101.0800) |
| PID | Process | Operation | Key | Name | Value |
|---|---|---|---|---|---|
| 7696 | msiexec.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore | SrCreateRp (Enter) | 480000000000000024F06387AC84DC01101E0000701E0000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 |
| 7696 | msiexec.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP | SppGetSnapshots (Enter) | 480000000000000024F06387AC84DC01101E0000701E0000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 |
| 7696 | msiexec.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP | SppGetSnapshots (Leave) | 48000000000000006676AB87AC84DC01101E0000701E0000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000 |
| 7696 | msiexec.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP | SppEnumGroups (Enter) | 48000000000000006676AB87AC84DC01101E0000701E0000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 |
| 7696 | msiexec.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP | SppEnumGroups (Leave) | 4800000000000000E6D8AD87AC84DC01101E0000701E0000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000 |
| 7696 | msiexec.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP | SppCreate (Enter) | 4800000000000000A09DB287AC84DC01101E0000701E0000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 |
| 7696 | msiexec.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher | IDENTIFY (Enter) | 48000000000000003DB0C587AC84DC01101E0000201F0000E8030000010000000000000000000000791D9FAAAFB4484881D7FBFE7A10B43700000000000000000000000000000000 |
| 7808 | VSSVC.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | IDENTIFY (Enter) | 480000000000000069FED387AC84DC01801E0000341F0000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000 |
| 7808 | VSSVC.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | IDENTIFY (Enter) | 480000000000000069FED387AC84DC01801E0000441F0000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000 |
| 7808 | VSSVC.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | IDENTIFY (Enter) | 480000000000000069FED387AC84DC01801E0000A41E0000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000 |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 7696 | msiexec.exe | C:\System Volume Information\SPP\metadata-2 | — | — | — |
| 7696 | msiexec.exe | C:\Windows\Installer\101668.msi | — | — | — |
| 7696 | msiexec.exe | C:\Windows\Installer\10166a.msi | — | — | — |
| 7696 | msiexec.exe | C:\System Volume Information\SPP\snapshot-2 | binary | FA9FF93E32A6C476B953AEA4AA66F118 | 88755824F08945822D2116FEC8B3F67BB7343EC28BD054CDF181A52B41C9B64C |
| 7696 | msiexec.exe | C:\Windows\Installer\MSI1733.tmp | binary | 4FD68A5D511F2BE096AAAE420B340948 | 444EB495CAF8DB19AB98CF2C6DFA5BDF86D2908F08818B87201A9774450811B7 |
| 7696 | msiexec.exe | C:\Config.Msi\101669.rbs | binary | 54F2E36134349FD5672E3E25C340BC7C | 1B516461FA7765B5666F0C22744A6EC63C7BB5C344D9153E9246904685964A96 |
| 7696 | msiexec.exe | C:\Users\admin\AppData\Local\Alidade\cmdres.DLL | executable | FF43FD01F2D5C1BA9F83281D0AE51E05 | F2950699D233A0A3D5C970D83584CB06E2ADA5D42389A52D709D7A5DEA92DC71 |
| 7696 | msiexec.exe | C:\Windows\Temp\~DFBAAAB560AEC9E167.TMP | binary | BF619EAC0CDF3F68D496EA9344137E8B | 076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560 |
| 7696 | msiexec.exe | C:\Windows\Temp\~DF91359D91CCCAAD4B.TMP | binary | 22D47F48A8B9BECBD5F5F68E9224910B | 3FE4D258D310482040786E92B790352DC1AC328993734CB887DD43BEC436D4FA |
| 7696 | msiexec.exe | C:\System Volume Information\SPP\OnlineMetadataCache\{aa9f1d79-b4af-4848-81d7-fbfe7a10b437}_OnDiskSnapshotProp | binary | FA9FF93E32A6C476B953AEA4AA66F118 | 88755824F08945822D2116FEC8B3F67BB7343EC28BD054CDF181A52B41C9B64C |
| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 2680 | RUXIMICS.exe | GET | 200 | 23.59.18.102:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | US | binary | 814 b | whitelisted |
| 408 | svchost.exe | GET | 200 | 23.59.18.102:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | US | binary | 814 b | whitelisted |
| 2680 | RUXIMICS.exe | GET | 200 | 2.19.198.194:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 825 b | whitelisted |
| 6768 | MoUsoCoreWorker.exe | GET | 200 | 2.19.198.194:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 825 b | whitelisted |
| 6768 | MoUsoCoreWorker.exe | GET | 200 | 23.59.18.102:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | US | binary | 814 b | whitelisted |
| — | — | POST | 200 | 40.126.31.130:443 | https://login.live.com/RST2.srf | US | xml | 11.1 Kb | unknown |
| — | — | POST | 200 | 40.126.31.128:443 | https://login.live.com/RST2.srf | US | xml | 10.3 Kb | unknown |
| — | — | POST | 200 | 40.126.31.131:443 | https://login.live.com/RST2.srf | US | xml | 10.3 Kb | unknown |
| 5468 | svchost.exe | POST | 200 | 40.126.31.130:443 | https://login.live.com/RST2.srf | US | xml | 11.1 Kb | whitelisted |
| 5468 | svchost.exe | POST | 200 | 40.126.31.130:443 | https://login.live.com/RST2.srf | US | xml | 10.3 Kb | whitelisted |
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 408 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
| 4 | System | 192.168.100.255:137 | — | Not routed | — | whitelisted |
| 6768 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
| 2680 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
| 4 | System | 192.168.100.255:138 | — | Not routed | — | whitelisted |
| — | — | 172.211.123.249:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
| 408 | svchost.exe | 2.19.198.194:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted |
| 2680 | RUXIMICS.exe | 2.19.198.194:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted |
| 6768 | MoUsoCoreWorker.exe | 2.19.198.194:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted |
| 408 | svchost.exe | 23.59.18.102:80 | www.microsoft.com | AKAMAI-AS | US | whitelisted |
| Domain | IP | Reputation |
|---|---|---|
| settings-win.data.microsoft.com | | whitelisted |
| google.com | | whitelisted |
| client.wns.windows.com | | whitelisted |
| crl.microsoft.com | | whitelisted |
| www.microsoft.com | | whitelisted |
| login.live.com | | whitelisted |
| go.microsoft.com | | whitelisted |
| slscr.update.microsoft.com | | whitelisted |
| fe3cr.delivery.mp.microsoft.com | | whitelisted |
| self.events.data.microsoft.com | | whitelisted |
| PID | Process | Class | Message |
|---|---|---|---|
| 1600 | OrbiClient64.exe | Malware Command and Control Activity Detected | MALWARE [ANY.RUN] Win32/HijackLoader CnC Connectivity Check |