Analysis
max time kernel: 55s
max time network: 58s
platform: windows11-21h2_x64
resource: win11-20240802-en
resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 26-08-2024 15:28
Static task
static1
General
Target: ElSaifyApp.exe
Size: 21.3MB
MD5: 4b8032177a2ab575523c123abbeebaf4
SHA1: 95dc70c0ca6707fc307357f5e94b320b6e709d4a
SHA256: 8ebdc838216071b6a38d0ac5b8e2b3bd827aed38d935850e29b2ecd3e242e5bd
SHA512: 84769a2f577ed5659b1a54e8a631713842dfbfeb8a4e0d6d1917d9c3b592abfae3a92c4c2c5536389cffe9fa4c29d1dd94914db75566ada1a0e6729ffdec2f25
SSDEEP: 393216:BNVxIfuPmfJ31Xx5qhDhevwnt1wiekhg7H/B+B17lSTU2ykfK:BJcuPW1Be1eICbkO7fAB1RSTUYC
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
ElSefy.exe
pid process
588 ElSefy.exe
-
Loads dropped DLL 29 IoCs
Processes:
MsiExec.exeMsiExec.exeElSefy.exepid process 3476 MsiExec.exe 3476 MsiExec.exe 3476 MsiExec.exe 3476 MsiExec.exe 3476 MsiExec.exe 3476 MsiExec.exe 3476 MsiExec.exe 3604 MsiExec.exe 3604 MsiExec.exe 3604 MsiExec.exe 3604 MsiExec.exe 3604 MsiExec.exe 588 ElSefy.exe 588 ElSefy.exe 588 ElSefy.exe 588 ElSefy.exe 588 ElSefy.exe 588 ElSefy.exe 588 ElSefy.exe 588 ElSefy.exe 588 ElSefy.exe 588 ElSefy.exe 588 ElSefy.exe 588 ElSefy.exe 588 ElSefy.exe 588 ElSefy.exe 588 ElSefy.exe 588 ElSefy.exe 588 ElSefy.exe -
Obfuscated with Agile.Net obfuscator 10 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
resource yara_rule C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.UI.WinForms.BunifuCircleProgress.dll agile_net behavioral1/memory/588-236-0x0000000005F80000-0x0000000005F98000-memory.dmp agile_net behavioral1/memory/588-240-0x000000000AB40000-0x000000000AC82000-memory.dmp agile_net C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.Licensing.dll agile_net C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.UI.WinForms.BunifuPictureBox.dll agile_net behavioral1/memory/588-258-0x0000000007260000-0x000000000726E000-memory.dmp agile_net C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.UI.WinForms.BunifuButton.dll agile_net behavioral1/memory/588-262-0x0000000007290000-0x00000000072B0000-memory.dmp agile_net behavioral1/memory/588-273-0x0000000007450000-0x000000000745E000-memory.dmp agile_net C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.UI.WinForms.BunifuPanel.dll agile_net -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
ElSaifyApp.exemsiexec.exeElSaifyApp.exedescription ioc process File opened (read-only) \??\R: ElSaifyApp.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\I: ElSaifyApp.exe File opened (read-only) \??\O: ElSaifyApp.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\H: ElSaifyApp.exe File opened (read-only) \??\K: ElSaifyApp.exe File opened (read-only) \??\E: ElSaifyApp.exe File opened (read-only) \??\T: ElSaifyApp.exe File opened (read-only) \??\W: ElSaifyApp.exe File opened (read-only) \??\Z: ElSaifyApp.exe File opened (read-only) \??\B: ElSaifyApp.exe File opened (read-only) \??\Q: ElSaifyApp.exe File opened (read-only) \??\W: ElSaifyApp.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\L: ElSaifyApp.exe File opened (read-only) \??\N: ElSaifyApp.exe File opened (read-only) \??\T: ElSaifyApp.exe File opened (read-only) \??\X: ElSaifyApp.exe File opened (read-only) \??\X: ElSaifyApp.exe File opened (read-only) \??\Z: ElSaifyApp.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\G: ElSaifyApp.exe File opened (read-only) \??\I: ElSaifyApp.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\U: ElSaifyApp.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\B: ElSaifyApp.exe File opened (read-only) \??\V: ElSaifyApp.exe File opened (read-only) \??\A: ElSaifyApp.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\Q: ElSaifyApp.exe File opened (read-only) \??\U: ElSaifyApp.exe File opened (read-only) \??\Y: ElSaifyApp.exe File opened (read-only) \??\J: ElSaifyApp.exe 
File opened (read-only) \??\Y: ElSaifyApp.exe File opened (read-only) \??\K: ElSaifyApp.exe File opened (read-only) \??\L: ElSaifyApp.exe File opened (read-only) \??\V: ElSaifyApp.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\M: ElSaifyApp.exe File opened (read-only) \??\G: ElSaifyApp.exe File opened (read-only) \??\H: ElSaifyApp.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\E: ElSaifyApp.exe File opened (read-only) \??\R: ElSaifyApp.exe File opened (read-only) \??\S: ElSaifyApp.exe File opened (read-only) \??\S: ElSaifyApp.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\N: ElSaifyApp.exe File opened (read-only) \??\P: ElSaifyApp.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\A: ElSaifyApp.exe -
Drops file in Program Files directory 64 IoCs
Processes:
msiexec.exeElSefy.exedescription ioc process File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\runtimes\win-arm64\native\WebView2Loader.dll msiexec.exe File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.UI.WinForms.BunifuProgressBar.dll msiexec.exe File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\ElSefy.exe.config msiexec.exe File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Microsoft.Web.WebView2.WinForms.xml msiexec.exe File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.UI.WinForms.BunifuSlider.dll msiexec.exe File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\EntityFramework.xml msiexec.exe File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\System.Data.SQLite.dll msiexec.exe File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\System.Data.SQLite.Linq.dll msiexec.exe File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\runtimes\win-x64\native\WebView2Loader.dll msiexec.exe File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.UI.WinForms.BunifuCircleProgress.dll msiexec.exe File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.UI.WinForms.BunifuGauge.dll msiexec.exe File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.UI.WinForms.BunifuGradientPanel.dll msiexec.exe File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Microsoft.Web.WebView2.Wpf.dll msiexec.exe File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\System.Data.SQLite.EF6.dll msiexec.exe File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.UI.WinForms.BunifuColorTransition.dll msiexec.exe File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.UI.WinForms.BunifuDropdown.dll msiexec.exe File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\EntityFramework.SqlServer.xml msiexec.exe File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Microsoft.Web.WebView2.Wpf.xml 
msiexec.exe File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\x64\SQLite.Interop.dll msiexec.exe File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Flurl.dll msiexec.exe File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\image.png msiexec.exe File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Microsoft.Web.WebView2.WinForms.dll msiexec.exe File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\runtimes\win-x86\native\WebView2Loader.dll msiexec.exe File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\ElSefy.exe msiexec.exe File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.UI.WinForms.BunifuScrollBar.dll msiexec.exe File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.UI.WinForms.Deprecated.dll msiexec.exe File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Newtonsoft.Json.xml msiexec.exe File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\ElSefy.pdb msiexec.exe File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Microsoft.Web.WebView2.Core.xml msiexec.exe File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\README.md msiexec.exe File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.UI.WinForms.BunifuDatePicker.dll msiexec.exe File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.UI.WinForms.BunifuShadowPanel.dll msiexec.exe File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\cources.ico msiexec.exe File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.Licensing.dll msiexec.exe File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.UI.WinForms.BunifuDataGridView.dll msiexec.exe File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.UI.WinForms.BunifuSeparator.dll msiexec.exe File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.UI.WinForms.BunifuPages.dll msiexec.exe File created C:\Program Files (x86)\A Plus 
Code\ElSaifyApp2025\Bunifu.UI.WinForms.BunifuShapes.dll msiexec.exe File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Microsoft.Web.WebView2.Core.dll msiexec.exe File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.UI.WinForms.BunifuCheckBox.dll msiexec.exe File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.UI.WinForms.BunifuFormDock.dll msiexec.exe File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.UI.WinForms.BunifuLabel.dll msiexec.exe File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Flurl.Http.xml msiexec.exe File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Flurl.xml msiexec.exe File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.UI.WinForms.BunifuPanel.dll msiexec.exe File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.UI.WinForms.BunifuUserControl.dll msiexec.exe File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\EntityFramework.dll msiexec.exe File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.UI.WinForms.BunifuPictureBox.dll msiexec.exe File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.UI.WinForms.BunifuTransition.dll msiexec.exe File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\System.Data.SQLite.dll.config msiexec.exe File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Flurl.Http.dll msiexec.exe File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\System.Data.SQLite.xml msiexec.exe File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.UI.WinForms.1.5.3.dll msiexec.exe File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.UI.WinForms.BunifuImageButton.dll msiexec.exe File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.UI.WinForms.BunifuRadioButton.dll msiexec.exe File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Newtonsoft.Json.dll msiexec.exe File opened for modification 
C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\sqliteDB\users.db ElSefy.exe File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.UI.WinForms.BunifuToolTip.dll msiexec.exe File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\EntityFramework.SqlServer.dll msiexec.exe File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.UI.WinForms.BunifuGroupBox.dll msiexec.exe File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.UI.WinForms.BunifuRating.dll msiexec.exe File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.UI.WinForms.BunifuTextbox.dll msiexec.exe File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.UI.WinForms.BunifuButton.dll msiexec.exe File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.UI.WinForms.BunifuSnackbar.dll msiexec.exe -
Drops file in Windows directory 19 IoCs
Processes:
msiexec.exedescription ioc process File created C:\Windows\Installer\e57cc39.msi msiexec.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe File created C:\Windows\SystemTemp\~DF8E10C390BE167CFA.TMP msiexec.exe File created C:\Windows\SystemTemp\~DF8D9DDBC7F5FFB91F.TMP msiexec.exe File opened for modification C:\Windows\Installer\MSICD15.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSICD74.tmp msiexec.exe File created C:\Windows\Installer\SourceHash{0ED38AAC-0491-40C9-9899-6178AE5E522D} msiexec.exe File created C:\Windows\SystemTemp\~DFA2CFE0B4C913EF34.TMP msiexec.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File opened for modification C:\Windows\Installer\MSICCA6.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSID024.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSID130.tmp msiexec.exe File created C:\Windows\Installer\{0ED38AAC-0491-40C9-9899-6178AE5E522D}\ElSefy.exe msiexec.exe File created C:\Windows\SystemTemp\~DF0160A9B04634352F.TMP msiexec.exe File opened for modification C:\Windows\Installer\e57cc39.msi msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File opened for modification C:\Windows\Installer\MSID0D1.tmp msiexec.exe File opened for modification C:\Windows\Installer\{0ED38AAC-0491-40C9-9899-6178AE5E522D}\ElSefy.exe msiexec.exe File created C:\Windows\Installer\e57cc3b.msi msiexec.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
MsiExec.exe ElSaifyApp.exe MsiExec.exe ElSefy.exe ElSaifyApp.exe
description ioc process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ElSaifyApp.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ElSefy.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ElSaifyApp.exe
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
vssvc.exe
description ioc process
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters vssvc.exe
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = vssvc.exe
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters vssvc.exe
-
Modifies data under HKEY_USERS 3 IoCs
Processes:
msiexec.exe
description ioc process
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E msiexec.exe
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 msiexec.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 msiexec.exe
-
Modifies registry class 24 IoCs
Processes:
msiexec.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CAA83DE019409C0489991687EAE525D2\AuthorizedLUAApp = "0" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CAA83DE019409C0489991687EAE525D2\SourceList\PackageName = "ElSaifyApp.msi" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CAA83DE019409C0489991687EAE525D2\SourceList\Net msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CAA83DE019409C0489991687EAE525D2\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\A Plus Code\\ElSaifyApp2025 9.2.3\\install\\" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CAA83DE019409C0489991687EAE525D2\SourceList\Media msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CAA83DE019409C0489991687EAE525D2\Language = "1033" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CAA83DE019409C0489991687EAE525D2\Assignment = "1" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CAA83DE019409C0489991687EAE525D2\ProductIcon = "C:\\Windows\\Installer\\{0ED38AAC-0491-40C9-9899-6178AE5E522D}\\ElSefy.exe" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\39737A412D2B38C4781CAE644A6CCA71\CAA83DE019409C0489991687EAE525D2 msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\CAA83DE019409C0489991687EAE525D2 msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CAA83DE019409C0489991687EAE525D2\Version = "151126019" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CAA83DE019409C0489991687EAE525D2\InstanceType = "0" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CAA83DE019409C0489991687EAE525D2\PackageCode = "E306300FCF528AA4EB2AABB17D9C83E4" msiexec.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CAA83DE019409C0489991687EAE525D2\DeploymentFlags = "3" msiexec.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CAA83DE019409C0489991687EAE525D2\Clients = 3a0000000000 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\CAA83DE019409C0489991687EAE525D2\MainFeature msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CAA83DE019409C0489991687EAE525D2 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CAA83DE019409C0489991687EAE525D2\ProductName = "ElSaifyApp2025" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CAA83DE019409C0489991687EAE525D2\SourceList\Media\DiskPrompt = "[1]" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CAA83DE019409C0489991687EAE525D2\SourceList\Media\1 = "Disk1;Disk1" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CAA83DE019409C0489991687EAE525D2\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Roaming\\A Plus Code\\ElSaifyApp2025 9.2.3\\install\\" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CAA83DE019409C0489991687EAE525D2\AdvertiseFlags = "388" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\39737A412D2B38C4781CAE644A6CCA71 msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CAA83DE019409C0489991687EAE525D2\SourceList msiexec.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
msiexec.exeElSefy.exepid process 4624 msiexec.exe 4624 msiexec.exe 588 ElSefy.exe 588 ElSefy.exe 588 ElSefy.exe 588 ElSefy.exe 588 ElSefy.exe 588 ElSefy.exe 588 ElSefy.exe 588 ElSefy.exe 588 ElSefy.exe 588 ElSefy.exe 588 ElSefy.exe 588 ElSefy.exe 588 ElSefy.exe 588 ElSefy.exe 588 ElSefy.exe 588 ElSefy.exe 588 ElSefy.exe 588 ElSefy.exe 588 ElSefy.exe 588 ElSefy.exe 588 ElSefy.exe 588 ElSefy.exe 588 ElSefy.exe 588 ElSefy.exe 588 ElSefy.exe 588 ElSefy.exe 588 ElSefy.exe 588 ElSefy.exe 588 ElSefy.exe 588 ElSefy.exe 588 ElSefy.exe 588 ElSefy.exe 588 ElSefy.exe 588 ElSefy.exe 588 ElSefy.exe 588 ElSefy.exe 588 ElSefy.exe 588 ElSefy.exe 588 ElSefy.exe 588 ElSefy.exe 588 ElSefy.exe 588 ElSefy.exe 588 ElSefy.exe 588 ElSefy.exe 588 ElSefy.exe 588 ElSefy.exe 588 ElSefy.exe 588 ElSefy.exe 588 ElSefy.exe 588 ElSefy.exe 588 ElSefy.exe 588 ElSefy.exe 588 ElSefy.exe 588 ElSefy.exe 588 ElSefy.exe 588 ElSefy.exe 588 ElSefy.exe 588 ElSefy.exe 588 ElSefy.exe 588 ElSefy.exe 588 ElSefy.exe 588 ElSefy.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
msiexec.exeElSaifyApp.exedescription pid process Token: SeSecurityPrivilege 4624 msiexec.exe Token: SeCreateTokenPrivilege 2832 ElSaifyApp.exe Token: SeAssignPrimaryTokenPrivilege 2832 ElSaifyApp.exe Token: SeLockMemoryPrivilege 2832 ElSaifyApp.exe Token: SeIncreaseQuotaPrivilege 2832 ElSaifyApp.exe Token: SeMachineAccountPrivilege 2832 ElSaifyApp.exe Token: SeTcbPrivilege 2832 ElSaifyApp.exe Token: SeSecurityPrivilege 2832 ElSaifyApp.exe Token: SeTakeOwnershipPrivilege 2832 ElSaifyApp.exe Token: SeLoadDriverPrivilege 2832 ElSaifyApp.exe Token: SeSystemProfilePrivilege 2832 ElSaifyApp.exe Token: SeSystemtimePrivilege 2832 ElSaifyApp.exe Token: SeProfSingleProcessPrivilege 2832 ElSaifyApp.exe Token: SeIncBasePriorityPrivilege 2832 ElSaifyApp.exe Token: SeCreatePagefilePrivilege 2832 ElSaifyApp.exe Token: SeCreatePermanentPrivilege 2832 ElSaifyApp.exe Token: SeBackupPrivilege 2832 ElSaifyApp.exe Token: SeRestorePrivilege 2832 ElSaifyApp.exe Token: SeShutdownPrivilege 2832 ElSaifyApp.exe Token: SeDebugPrivilege 2832 ElSaifyApp.exe Token: SeAuditPrivilege 2832 ElSaifyApp.exe Token: SeSystemEnvironmentPrivilege 2832 ElSaifyApp.exe Token: SeChangeNotifyPrivilege 2832 ElSaifyApp.exe Token: SeRemoteShutdownPrivilege 2832 ElSaifyApp.exe Token: SeUndockPrivilege 2832 ElSaifyApp.exe Token: SeSyncAgentPrivilege 2832 ElSaifyApp.exe Token: SeEnableDelegationPrivilege 2832 ElSaifyApp.exe Token: SeManageVolumePrivilege 2832 ElSaifyApp.exe Token: SeImpersonatePrivilege 2832 ElSaifyApp.exe Token: SeCreateGlobalPrivilege 2832 ElSaifyApp.exe Token: SeCreateTokenPrivilege 2832 ElSaifyApp.exe Token: SeAssignPrimaryTokenPrivilege 2832 ElSaifyApp.exe Token: SeLockMemoryPrivilege 2832 ElSaifyApp.exe Token: SeIncreaseQuotaPrivilege 2832 ElSaifyApp.exe Token: SeMachineAccountPrivilege 2832 ElSaifyApp.exe Token: SeTcbPrivilege 2832 ElSaifyApp.exe Token: SeSecurityPrivilege 2832 ElSaifyApp.exe Token: SeTakeOwnershipPrivilege 2832 ElSaifyApp.exe Token: SeLoadDriverPrivilege 2832 ElSaifyApp.exe 
Token: SeSystemProfilePrivilege 2832 ElSaifyApp.exe Token: SeSystemtimePrivilege 2832 ElSaifyApp.exe Token: SeProfSingleProcessPrivilege 2832 ElSaifyApp.exe Token: SeIncBasePriorityPrivilege 2832 ElSaifyApp.exe Token: SeCreatePagefilePrivilege 2832 ElSaifyApp.exe Token: SeCreatePermanentPrivilege 2832 ElSaifyApp.exe Token: SeBackupPrivilege 2832 ElSaifyApp.exe Token: SeRestorePrivilege 2832 ElSaifyApp.exe Token: SeShutdownPrivilege 2832 ElSaifyApp.exe Token: SeDebugPrivilege 2832 ElSaifyApp.exe Token: SeAuditPrivilege 2832 ElSaifyApp.exe Token: SeSystemEnvironmentPrivilege 2832 ElSaifyApp.exe Token: SeChangeNotifyPrivilege 2832 ElSaifyApp.exe Token: SeRemoteShutdownPrivilege 2832 ElSaifyApp.exe Token: SeUndockPrivilege 2832 ElSaifyApp.exe Token: SeSyncAgentPrivilege 2832 ElSaifyApp.exe Token: SeEnableDelegationPrivilege 2832 ElSaifyApp.exe Token: SeManageVolumePrivilege 2832 ElSaifyApp.exe Token: SeImpersonatePrivilege 2832 ElSaifyApp.exe Token: SeCreateGlobalPrivilege 2832 ElSaifyApp.exe Token: SeCreateTokenPrivilege 2832 ElSaifyApp.exe Token: SeAssignPrimaryTokenPrivilege 2832 ElSaifyApp.exe Token: SeLockMemoryPrivilege 2832 ElSaifyApp.exe Token: SeIncreaseQuotaPrivilege 2832 ElSaifyApp.exe Token: SeMachineAccountPrivilege 2832 ElSaifyApp.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
ElSaifyApp.exe
pid process
2832 ElSaifyApp.exe
2832 ElSaifyApp.exe
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
msiexec.exeElSaifyApp.exedescription pid process target process PID 4624 wrote to memory of 3476 4624 msiexec.exe MsiExec.exe PID 4624 wrote to memory of 3476 4624 msiexec.exe MsiExec.exe PID 4624 wrote to memory of 3476 4624 msiexec.exe MsiExec.exe PID 2832 wrote to memory of 2920 2832 ElSaifyApp.exe ElSaifyApp.exe PID 2832 wrote to memory of 2920 2832 ElSaifyApp.exe ElSaifyApp.exe PID 2832 wrote to memory of 2920 2832 ElSaifyApp.exe ElSaifyApp.exe PID 4624 wrote to memory of 1008 4624 msiexec.exe srtasks.exe PID 4624 wrote to memory of 1008 4624 msiexec.exe srtasks.exe PID 4624 wrote to memory of 3604 4624 msiexec.exe MsiExec.exe PID 4624 wrote to memory of 3604 4624 msiexec.exe MsiExec.exe PID 4624 wrote to memory of 3604 4624 msiexec.exe MsiExec.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\ElSaifyApp.exe"C:\Users\Admin\AppData\Local\Temp\ElSaifyApp.exe"1⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2832 -
C:\Users\Admin\AppData\Local\Temp\ElSaifyApp.exe"C:\Users\Admin\AppData\Local\Temp\ElSaifyApp.exe" /i "C:\Users\Admin\AppData\Roaming\A Plus Code\ElSaifyApp2025 9.2.3\install\ElSaifyApp.msi" AI_EUIMSI=1 APPDIR="C:\Program Files (x86)\A Plus Code\ElSaifyApp2025" SECONDSEQUENCE="1" CLIENTPROCESSID="2832" CHAINERUIPROCESSID="2832Chainer" ACTION="INSTALL" EXECUTEACTION="INSTALL" CLIENTUILEVEL="0" ADDLOCAL="MainFeature" PRIMARYFOLDER="APPDIR" ROOTDRIVE="C:\" AI_SETUPEXEPATH="C:\Users\Admin\AppData\Local\Temp\ElSaifyApp.exe" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1724445527 " TARGETDIR="C:\" AI_SETUPEXEPATH_ORIGINAL="C:\Users\Admin\AppData\Local\Temp\ElSaifyApp.exe" AI_INSTALL="1"2⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
PID:2920
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4624 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 64E883095DA6702847056B2EFD96E65E C2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3476 -
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵PID:1008
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 8B6117719EDA05DC2D13F5606EF632A32⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3604
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
PID:2348
-
C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\ElSefy.exe"C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\ElSefy.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:588
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:1404
Network
MITRE ATT&CK Enterprise v15
Downloads
\??\Volume{de8ebc4f-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{c54cef18-1570-4474-a723-919f69d186af}_OnDiskSnapshotProp
Filesize: 6KB
MD5: 1b3face35c2b5a4e981632c3600923cc
SHA1: af8dce13e5e89438321fba6d8434eb7bceb7870f
SHA256: b1b998b8fcff77a22b81fdf6f979f94b44a48a87a8fd20f13eae05ab71608276
SHA512: e46d473513877588c505642915b016aed6d138e9ed6f8c230a1b28e25caf45a05035b33da64b2ff0455f5f2fb8d310f3cf876262b3555da312d68f49c654a672