File name:	Set_Up.msi
Full analysis:	https://app.any.run/tasks/62cb42ae-beb9-4a99-a0d7-689a4942a011
Verdict:	Malicious activity
Threats:	HijackLoader is a modular malware acting as a vehicle for distributing different types of malicious software on compromised systems. It gained prominence during the summer of 2023 and has since been used in multiple attacks against organizations from various sectors, including hospitality businesses. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat. Rhadamanthys is a C++ information-stealing malware that extracts sensitive data from infiltrated machines. Its layered operational chain and advanced evasion tactics make it a major risk in cybersecurity landscapes. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	October 17, 2025, 13:26:29
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	generated-doc anti-evasion rhadamanthys stealer hijackloader loader lumma
Indicators:
MIME:	application/x-msi
File info:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Bordereau, Author: Priest Hotch, Keywords: Installer, Comments: This installer database contains the logic and data required to install Bordereau., Template: Intel;1033, Revision Number: {85F151B8-5554-40CF-BEF3-AEC37C6D9A1C}, Create Time/Date: Wed Oct 15 14:06:58 2025, Last Saved Time/Date: Wed Oct 15 14:06:58 2025, Number of Pages: 500, Number of Words: 10, Name of Creating Application: WiX Toolset (4.0.0.0), Security: 2
MD5:	5E5C826D94565C082FB4521E77AEDECB
SHA1:	4AB9EE69CB1F69CC87F4B0EA29F8A87BF435FF18
SHA256:	3DB102CE192231AC23289A424FAB78A16DDDAAE471232865F188D270EFE32BA9
SSDEEP:	98304:9VgK9yxQEfxPflkNH+kfy7l5kSLukG6EC9P263hGGtBIN5Uox5XOw1Ov5iLyt1eS:wCEyeTE8Gg3rWoo0q5U0/

CodePage:	Windows Latin 1 (Western European)
Title:	Installation Database
Subject:	Bordereau
Author:	Priest Hotch
Keywords:	Installer
Comments:	This installer database contains the logic and data required to install Bordereau.
Template:	Intel;1033
RevisionNumber:	{85F151B8-5554-40CF-BEF3-AEC37C6D9A1C}
CreateDate:	2025:10:15 14:06:58
ModifyDate:	2025:10:15 14:06:58
Pages:	500
Words:	10
Software:	WiX Toolset (4.0.0.0)
Security:	Read-only recommended


(PID) Process:	(8908) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Operation:	write	Name:	SrCreateRp (Enter)
Value: 48000000000000001CD2ABAE693FDC01CC220000EC220000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(8908) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppGetSnapshots (Enter)
Value: 4800000000000000B234AEAE693FDC01CC220000EC220000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(8908) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppGetSnapshots (Leave)
Value: 4800000000000000AC96B0AE693FDC01CC220000EC220000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(8908) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppEnumGroups (Enter)
Value: 4800000000000000AC96B0AE693FDC01CC220000EC220000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(8908) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppEnumGroups (Leave)
Value: 4800000000000000AC96B0AE693FDC01CC220000EC220000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(8908) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppCreate (Enter)
Value: 48000000000000002FF9B2AE693FDC01CC220000EC220000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(8908) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
Operation:	write	Name:	LastIndex
Value: 14
(PID) Process:	(8908) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppGatherWriterMetadata (Enter)
Value: 48000000000000009E5BB5AE693FDC01CC220000EC220000D30700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(8908) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher
Operation:	write	Name:	IDENTIFY (Enter)
Value: 4800000000000000D3BDB7AE693FDC01CC22000004230000E803000001000000000000000000000032390A262E1A3F44ABA090AD250DCCA900000000000000000000000000000000
(PID) Process:	(8908) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher
Operation:	write	Name:	IDENTIFY (Leave)
Value: 4800000000000000FA3D7BAF693FDC01CC22000004230000E803000000000000000000000000000032390A262E1A3F44ABA090AD250DCCA900000000000000000000000000000000

PID	Process	Filename		Type
8908	msiexec.exe	C:\System Volume Information\SPP\metadata-2		—
		MD5:—	SHA256:—
8908	msiexec.exe	C:\Windows\Installer\172d88.msi		—
		MD5:—	SHA256:—
8908	msiexec.exe	C:\System Volume Information\SPP\OnlineMetadataCache\{260a3932-1a2e-443f-aba0-90ad250dcca9}_OnDiskSnapshotProp		binary
		MD5:93D928B74704878AF4ECF108EFF5B6E0	SHA256:D46AA6DAE56C5A7B3B43013D8934A5662A10A85BD250F47AACC13F25009A8D8A
8908	msiexec.exe	C:\Windows\Installer\MSI2E82.tmp		binary
		MD5:9E023C1AD7748AB65AC59FE875142FD9	SHA256:A82DDC6033743A5A671B79826D9973E2BF9D58C50D3BDD693B598B5C860ABC82
8908	msiexec.exe	C:\Windows\Temp\~DFB3BDA41CBBB4044B.TMP		binary
		MD5:0ECCB5B53F6BA70EDB0D34869810BE8D	SHA256:84AB2583553055CD1A9AED220E069CFE76EC33367075E9339FED0BA843BD694A
8908	msiexec.exe	C:\Windows\Installer\172d8a.msi		—
		MD5:—	SHA256:—
8908	msiexec.exe	C:\Users\admin\AppData\Roaming\Acyclovir\HyperSt.exe		executable
		MD5:83C01B6C23F4FDFB80A99ED3DCD86CC6	SHA256:3F634E3D8C4EFC730E2072A0C1E7E6DEA16E9EC2CCD35DEE77ED5065B4F41A2B
8908	msiexec.exe	C:\Users\admin\AppData\Roaming\Acyclovir\MSVCR110.dll		executable
		MD5:4BA25D2CBE1587A841DCFB8C8C4A6EA6	SHA256:B30160E759115E24425B9BCDF606EF6EBCE4657487525EDE7F1AC40B90FF7E49
8908	msiexec.exe	C:\Users\admin\AppData\Roaming\Acyclovir\MSVCP110.dll		executable
		MD5:3E29914113EC4B968BA5EB1F6D194A0A	SHA256:C8D5572CA8D7624871188F0ACABC3AE60D4C5A4F6782D952B9038DE3BC28B39A
8908	msiexec.exe	C:\Users\admin\AppData\Roaming\Acyclovir\Plirtkeg.lm		binary
		MD5:A82B266C33262742E5CC835D010AD060	SHA256:5D289D668D8B8BEA022D7B3887024CEDCEF311C049FE4224C8C8CBD2B732F9E4

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	POST	200	40.126.32.133:443	https://login.live.com/RST2.srf	unknown	xml	11.2 Kb	unknown
—	—	GET	200	23.36.162.68:443	https://www.bing.com/DSB/search?dsbmr=1&format=dsbjson&client=windowsminiserp&dsbschemaversion=1.1&dsbminiserp=1&q=q&cc=US&setlang=en-us&clientDateTime=10%2F17%2F2025%2C%201%3A26%3A41%20PM	unknown	binary	71.8 Kb	unknown
—	—	POST	200	40.126.32.133:443	https://login.live.com/RST2.srf	unknown	xml	11.1 Kb	unknown
—	—	GET	200	23.36.162.68:443	https://www.bing.com/th?id=ODSWG.3c4e0bf7-b28c-46fc-84c8-b46a8548b525&pid=dsb	unknown	image	34.7 Kb	unknown
—	—	GET	200	23.36.162.71:443	https://www.bing.com/th?id=ODSWG.aecb2ef5-cb96-4bca-b527-b3e2ae8a8a27&pid=dsb	unknown	image	35.4 Kb	unknown
—	—	POST	204	23.36.162.84:443	https://www.bing.com/threshold/xls.aspx?t=5&dl=1&wsbc=1	unknown	—	—	unknown
—	—	POST	200	40.126.32.133:443	https://login.live.com/RST2.srf	unknown	xml	11.0 Kb	unknown
—	—	POST	200	20.190.159.128:443	https://login.live.com/RST2.srf	unknown	xml	11.3 Kb	unknown
—	—	GET	200	20.223.36.55:443	https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=280815&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:AC7699B0-48EA-FD22-C8DC-06A02098A0F0&ctry=US&time=20251017T132641Z&lc=en-US&pl=en-US&idtp=mid&uid=9115d6d1-9f4e-4053-9297-2a8c833b3912&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=2ecfa3646062437280bd2a7fa9a63179&ctmode=MultiSession&arch=x64&betaedgever=0.0.0.0&canedgever=0.0.0.0&cdm=1&cdmver=10.0.19041.3636&currsel=137271744000000000&devedgever=0.0.0.0&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.19045.4046&disphorzres=1360&dispsize=16.3&dispvertres=768&fosver=16299&isu=0&lo=4265605&metered=false&nettype=ethernet&npid=sc-280815&oemName=DELL&oemid=DELL&ossku=Professional&prevosver=15063&smBiosDm=DELL&stabedgever=133.0.3065.92&tl=2&tsu=1656135&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing=&svoffered=2	unknown	binary	3.20 Kb	unknown
—	—	POST	200	40.126.31.0:443	https://login.live.com/RST2.srf	unknown	xml	10.3 Kb	unknown

PID	Process	IP	Domain	ASN	CN	Reputation
6016	MoUsoCoreWorker.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
592	RUXIMICS.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	95.100.158.107:443	www.bing.com	Akamai International B.V.	DE	whitelisted
5224	SearchApp.exe	95.100.158.107:443	www.bing.com	Akamai International B.V.	DE	whitelisted
—	—	20.190.159.2:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
5224	SearchApp.exe	2.16.241.222:443	th.bing.com	Akamai International B.V.	DE	whitelisted
8320	backgroundTaskHost.exe	95.100.158.107:443	www.bing.com	Akamai International B.V.	DE	whitelisted
5932	svchost.exe	20.190.159.2:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146 51.104.136.2	whitelisted
www.bing.com	95.100.158.107 95.100.158.114 95.100.158.121 23.3.89.90 95.100.158.106 23.11.206.112 95.100.158.122 23.3.89.97 23.11.206.107	whitelisted
login.live.com	20.190.159.2 40.126.31.131 40.126.31.130 40.126.31.0 40.126.31.69 40.126.31.67 40.126.31.2 20.190.159.4	whitelisted
google.com	216.58.206.46	whitelisted
th.bing.com	2.16.241.222 2.16.241.225 2.16.241.211 2.16.241.201 2.16.241.216 2.16.241.205 2.16.241.204 2.16.241.207 2.16.241.218	whitelisted
client.wns.windows.com	172.211.123.249	whitelisted
arc.msn.com	20.74.47.205	whitelisted
fd.api.iris.microsoft.com	20.74.47.205	whitelisted
slscr.update.microsoft.com	74.178.240.61	whitelisted
www.microsoft.com	95.101.149.131	whitelisted

General Info

Set_Up.msi

5E5C826D94565C082FB4521E77AEDECB

4AB9EE69CB1F69CC87F4B0EA29F8A87BF435FF18

3DB102CE192231AC23289A424FAB78A16DDDAAE471232865F188D270EFE32BA9

98304:9VgK9yxQEfxPflkNH+kfy7l5kSLukG6EC9P263hGGtBIN5Uox5XOw1Ov5iLyt1eS:wCEyeTE8Gg3rWoo0q5U0/

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Executing a file with an untrusted certificate

Known privilege escalation attack

HIJACKLOADER has been detected (YARA)

LUMMA has been detected (YARA)

SUSPICIOUS

The process drops C-runtime libraries

Process drops legitimate windows executable

Reads the Windows owner or organization settings

Executable content was dropped or overwritten

Starts itself from another location

There is functionality for taking screenshot (YARA)

The process checks if it is being run in the virtual environment

INFO

Reads the computer name

Creates files or folders in the user directory

Creates files in the program directory

The sample compiled with czech language support

Checks supported languages

The sample compiled with english language support

Manages system restore points

Creates a software uninstall entry

Executable content was dropped or overwritten

Reads the machine GUID from the registry

Reads security settings of Internet Explorer

Create files in a temporary directory

Reads the software policy settings

Checks proxy server information

Malware configuration

Static information

TRiD

EXIF

FlashPix

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings