Malware Analysis Report

2024-11-13 16:19

Sample ID 240826-swtvxssdpj
Target ElSaifyApp.exe
SHA256 8ebdc838216071b6a38d0ac5b8e2b3bd827aed38d935850e29b2ecd3e242e5bd
Tags
agilenet discovery
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

8ebdc838216071b6a38d0ac5b8e2b3bd827aed38d935850e29b2ecd3e242e5bd

Threat Level: Shows suspicious behavior

The file ElSaifyApp.exe was found to show suspicious behavior.

Malicious Activity Summary

agilenet discovery

Loads dropped DLL

Obfuscated with Agile.Net obfuscator

Executes dropped EXE

Enumerates connected drives

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Uses Volume Shadow Copy service COM API

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-26 15:29

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-26 15:28

Reported

2024-08-26 15:30

Platform

win11-20240802-en

Max time kernel

55s

Max time network

58s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ElSaifyApp.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\ElSefy.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\ElSefy.exe N/A
N/A N/A C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\ElSefy.exe N/A
N/A N/A C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\ElSefy.exe N/A
N/A N/A C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\ElSefy.exe N/A
N/A N/A C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\ElSefy.exe N/A
N/A N/A C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\ElSefy.exe N/A
N/A N/A C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\ElSefy.exe N/A
N/A N/A C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\ElSefy.exe N/A
N/A N/A C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\ElSefy.exe N/A
N/A N/A C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\ElSefy.exe N/A
N/A N/A C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\ElSefy.exe N/A
N/A N/A C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\ElSefy.exe N/A
N/A N/A C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\ElSefy.exe N/A
N/A N/A C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\ElSefy.exe N/A
N/A N/A C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\ElSefy.exe N/A
N/A N/A C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\ElSefy.exe N/A
N/A N/A C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\ElSefy.exe N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\ElSaifyApp.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\ElSaifyApp.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\ElSaifyApp.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\ElSaifyApp.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\ElSaifyApp.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\ElSaifyApp.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\ElSaifyApp.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\ElSaifyApp.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\ElSaifyApp.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\ElSaifyApp.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\ElSaifyApp.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\ElSaifyApp.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\ElSaifyApp.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\ElSaifyApp.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\ElSaifyApp.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\ElSaifyApp.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\ElSaifyApp.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\ElSaifyApp.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\ElSaifyApp.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\ElSaifyApp.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\ElSaifyApp.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\ElSaifyApp.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\ElSaifyApp.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\ElSaifyApp.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\ElSaifyApp.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\ElSaifyApp.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\ElSaifyApp.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\ElSaifyApp.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\ElSaifyApp.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\ElSaifyApp.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\ElSaifyApp.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\ElSaifyApp.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\ElSaifyApp.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\ElSaifyApp.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\ElSaifyApp.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\ElSaifyApp.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\ElSaifyApp.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\ElSaifyApp.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\ElSaifyApp.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\ElSaifyApp.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\ElSaifyApp.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\ElSaifyApp.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\runtimes\win-arm64\native\WebView2Loader.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.UI.WinForms.BunifuProgressBar.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\ElSefy.exe.config C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Microsoft.Web.WebView2.WinForms.xml C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.UI.WinForms.BunifuSlider.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\EntityFramework.xml C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\System.Data.SQLite.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\System.Data.SQLite.Linq.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\runtimes\win-x64\native\WebView2Loader.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.UI.WinForms.BunifuCircleProgress.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.UI.WinForms.BunifuGauge.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.UI.WinForms.BunifuGradientPanel.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Microsoft.Web.WebView2.Wpf.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\System.Data.SQLite.EF6.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.UI.WinForms.BunifuColorTransition.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.UI.WinForms.BunifuDropdown.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\EntityFramework.SqlServer.xml C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Microsoft.Web.WebView2.Wpf.xml C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\x64\SQLite.Interop.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Flurl.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\image.png C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Microsoft.Web.WebView2.WinForms.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\runtimes\win-x86\native\WebView2Loader.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\ElSefy.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.UI.WinForms.BunifuScrollBar.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.UI.WinForms.Deprecated.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Newtonsoft.Json.xml C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\ElSefy.pdb C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Microsoft.Web.WebView2.Core.xml C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\README.md C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.UI.WinForms.BunifuDatePicker.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.UI.WinForms.BunifuShadowPanel.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\cources.ico C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.Licensing.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.UI.WinForms.BunifuDataGridView.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.UI.WinForms.BunifuSeparator.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.UI.WinForms.BunifuPages.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.UI.WinForms.BunifuShapes.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Microsoft.Web.WebView2.Core.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.UI.WinForms.BunifuCheckBox.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.UI.WinForms.BunifuFormDock.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.UI.WinForms.BunifuLabel.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Flurl.Http.xml C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Flurl.xml C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.UI.WinForms.BunifuPanel.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.UI.WinForms.BunifuUserControl.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\EntityFramework.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.UI.WinForms.BunifuPictureBox.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.UI.WinForms.BunifuTransition.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\System.Data.SQLite.dll.config C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Flurl.Http.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\System.Data.SQLite.xml C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.UI.WinForms.1.5.3.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.UI.WinForms.BunifuImageButton.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.UI.WinForms.BunifuRadioButton.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Newtonsoft.Json.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\sqliteDB\users.db C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\ElSefy.exe N/A
File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.UI.WinForms.BunifuToolTip.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\EntityFramework.SqlServer.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.UI.WinForms.BunifuGroupBox.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.UI.WinForms.BunifuRating.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.UI.WinForms.BunifuTextbox.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.UI.WinForms.BunifuButton.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.UI.WinForms.BunifuSnackbar.dll C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Installer\e57cc39.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DF8E10C390BE167CFA.TMP C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DF8D9DDBC7F5FFB91F.TMP C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSICD15.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSICD74.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{0ED38AAC-0491-40C9-9899-6178AE5E522D} C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DFA2CFE0B4C913EF34.TMP C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSICCA6.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSID024.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSID130.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{0ED38AAC-0491-40C9-9899-6178AE5E522D}\ElSefy.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DF0160A9B04634352F.TMP C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e57cc39.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSID0D1.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{0ED38AAC-0491-40C9-9899-6178AE5E522D}\ElSefy.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e57cc3b.msi C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ElSaifyApp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\ElSefy.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ElSaifyApp.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000004fbc8ede2bb95e8f0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800004fbc8ede0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809004fbc8ede000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d4fbc8ede000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000004fbc8ede00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 C:\Windows\system32\msiexec.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CAA83DE019409C0489991687EAE525D2\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CAA83DE019409C0489991687EAE525D2\SourceList\PackageName = "ElSaifyApp.msi" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CAA83DE019409C0489991687EAE525D2\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CAA83DE019409C0489991687EAE525D2\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\A Plus Code\\ElSaifyApp2025 9.2.3\\install\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CAA83DE019409C0489991687EAE525D2\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CAA83DE019409C0489991687EAE525D2\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CAA83DE019409C0489991687EAE525D2\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CAA83DE019409C0489991687EAE525D2\ProductIcon = "C:\\Windows\\Installer\\{0ED38AAC-0491-40C9-9899-6178AE5E522D}\\ElSefy.exe" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\39737A412D2B38C4781CAE644A6CCA71\CAA83DE019409C0489991687EAE525D2 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\CAA83DE019409C0489991687EAE525D2 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CAA83DE019409C0489991687EAE525D2\Version = "151126019" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CAA83DE019409C0489991687EAE525D2\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CAA83DE019409C0489991687EAE525D2\PackageCode = "E306300FCF528AA4EB2AABB17D9C83E4" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CAA83DE019409C0489991687EAE525D2\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CAA83DE019409C0489991687EAE525D2\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\CAA83DE019409C0489991687EAE525D2\MainFeature C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CAA83DE019409C0489991687EAE525D2 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CAA83DE019409C0489991687EAE525D2\ProductName = "ElSaifyApp2025" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CAA83DE019409C0489991687EAE525D2\SourceList\Media\DiskPrompt = "[1]" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CAA83DE019409C0489991687EAE525D2\SourceList\Media\1 = "Disk1;Disk1" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CAA83DE019409C0489991687EAE525D2\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Roaming\\A Plus Code\\ElSaifyApp2025 9.2.3\\install\\" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CAA83DE019409C0489991687EAE525D2\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\39737A412D2B38C4781CAE644A6CCA71 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CAA83DE019409C0489991687EAE525D2\SourceList C:\Windows\system32\msiexec.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\ElSefy.exe N/A
N/A N/A C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\ElSefy.exe N/A
N/A N/A C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\ElSefy.exe N/A
N/A N/A C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\ElSefy.exe N/A
N/A N/A C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\ElSefy.exe N/A
N/A N/A C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\ElSefy.exe N/A
N/A N/A C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\ElSefy.exe N/A
N/A N/A C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\ElSefy.exe N/A
N/A N/A C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\ElSefy.exe N/A
N/A N/A C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\ElSefy.exe N/A
N/A N/A C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\ElSefy.exe N/A
N/A N/A C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\ElSefy.exe N/A
N/A N/A C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\ElSefy.exe N/A
N/A N/A C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\ElSefy.exe N/A
N/A N/A C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\ElSefy.exe N/A
N/A N/A C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\ElSefy.exe N/A
N/A N/A C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\ElSefy.exe N/A
N/A N/A C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\ElSefy.exe N/A
N/A N/A C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\ElSefy.exe N/A
N/A N/A C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\ElSefy.exe N/A
N/A N/A C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\ElSefy.exe N/A
N/A N/A C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\ElSefy.exe N/A
N/A N/A C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\ElSefy.exe N/A
N/A N/A C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\ElSefy.exe N/A
N/A N/A C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\ElSefy.exe N/A
N/A N/A C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\ElSefy.exe N/A
N/A N/A C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\ElSefy.exe N/A
N/A N/A C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\ElSefy.exe N/A
N/A N/A C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\ElSefy.exe N/A
N/A N/A C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\ElSefy.exe N/A
N/A N/A C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\ElSefy.exe N/A
N/A N/A C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\ElSefy.exe N/A
N/A N/A C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\ElSefy.exe N/A
N/A N/A C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\ElSefy.exe N/A
N/A N/A C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\ElSefy.exe N/A
N/A N/A C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\ElSefy.exe N/A
N/A N/A C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\ElSefy.exe N/A
N/A N/A C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\ElSefy.exe N/A
N/A N/A C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\ElSefy.exe N/A
N/A N/A C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\ElSefy.exe N/A
N/A N/A C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\ElSefy.exe N/A
N/A N/A C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\ElSefy.exe N/A
N/A N/A C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\ElSefy.exe N/A
N/A N/A C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\ElSefy.exe N/A
N/A N/A C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\ElSefy.exe N/A
N/A N/A C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\ElSefy.exe N/A
N/A N/A C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\ElSefy.exe N/A
N/A N/A C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\ElSefy.exe N/A
N/A N/A C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\ElSefy.exe N/A
N/A N/A C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\ElSefy.exe N/A
N/A N/A C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\ElSefy.exe N/A
N/A N/A C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\ElSefy.exe N/A
N/A N/A C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\ElSefy.exe N/A
N/A N/A C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\ElSefy.exe N/A
N/A N/A C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\ElSefy.exe N/A
N/A N/A C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\ElSefy.exe N/A
N/A N/A C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\ElSefy.exe N/A
N/A N/A C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\ElSefy.exe N/A
N/A N/A C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\ElSefy.exe N/A
N/A N/A C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\ElSefy.exe N/A
N/A N/A C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\ElSefy.exe N/A
N/A N/A C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\ElSefy.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ElSaifyApp.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ElSaifyApp.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ElSaifyApp.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ElSaifyApp.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ElSaifyApp.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ElSaifyApp.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ElSaifyApp.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ElSaifyApp.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ElSaifyApp.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ElSaifyApp.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ElSaifyApp.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ElSaifyApp.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ElSaifyApp.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ElSaifyApp.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ElSaifyApp.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ElSaifyApp.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ElSaifyApp.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ElSaifyApp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ElSaifyApp.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ElSaifyApp.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ElSaifyApp.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ElSaifyApp.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ElSaifyApp.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ElSaifyApp.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ElSaifyApp.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ElSaifyApp.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ElSaifyApp.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ElSaifyApp.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ElSaifyApp.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ElSaifyApp.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\ElSaifyApp.exe

"C:\Users\Admin\AppData\Local\Temp\ElSaifyApp.exe"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 64E883095DA6702847056B2EFD96E65E C

C:\Users\Admin\AppData\Local\Temp\ElSaifyApp.exe

"C:\Users\Admin\AppData\Local\Temp\ElSaifyApp.exe" /i "C:\Users\Admin\AppData\Roaming\A Plus Code\ElSaifyApp2025 9.2.3\install\ElSaifyApp.msi" AI_EUIMSI=1 APPDIR="C:\Program Files (x86)\A Plus Code\ElSaifyApp2025" SECONDSEQUENCE="1" CLIENTPROCESSID="2832" CHAINERUIPROCESSID="2832Chainer" ACTION="INSTALL" EXECUTEACTION="INSTALL" CLIENTUILEVEL="0" ADDLOCAL="MainFeature" PRIMARYFOLDER="APPDIR" ROOTDRIVE="C:\" AI_SETUPEXEPATH="C:\Users\Admin\AppData\Local\Temp\ElSaifyApp.exe" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1724445527 " TARGETDIR="C:\" AI_SETUPEXEPATH_ORIGINAL="C:\Users\Admin\AppData\Local\Temp\ElSaifyApp.exe" AI_INSTALL="1"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 8B6117719EDA05DC2D13F5606EF632A3

C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\ElSefy.exe

"C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\ElSefy.exe"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Network

Country Destination Domain Proto
GB 2.18.66.75:443 tcp
GB 92.123.142.121:443 r.bing.com tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

memory/2832-0-0x0000000003150000-0x0000000003151000-memory.dmp

C:\Users\Admin\AppData\Roaming\A Plus Code\ElSaifyApp2025 9.2.3\install\ElSaifyApp.msi

C:\Users\Admin\AppData\Local\Temp\MSIA00A.tmp

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2832\dialog

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2832\banner

C:\Users\Admin\AppData\Local\Temp\shiB035.tmp

memory/2832-82-0x0000000003150000-0x0000000003151000-memory.dmp

C:\Windows\Installer\MSICD74.tmp

C:\Users\Admin\AppData\Roaming\A Plus Code\ElSaifyApp2025 9.2.3\install\ElSaifyApp1.cab

C:\Windows\Installer\MSID0D1.tmp

C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\ElSefy.exe

C:\Config.Msi\e57cc3a.rbs

C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\ElSefy.exe.config

memory/588-227-0x00000000004F0000-0x0000000000E2E000-memory.dmp

memory/588-228-0x0000000006020000-0x00000000065C6000-memory.dmp

memory/588-229-0x0000000005C90000-0x0000000005D22000-memory.dmp

memory/588-230-0x0000000009830000-0x000000000A220000-memory.dmp

memory/588-231-0x000000000A220000-0x000000000A577000-memory.dmp

C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.UI.WinForms.BunifuCircleProgress.dll

memory/588-236-0x0000000005F80000-0x0000000005F98000-memory.dmp

memory/588-240-0x000000000AB40000-0x000000000AC82000-memory.dmp

C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.Licensing.dll

memory/588-232-0x0000000005F40000-0x0000000005F4A000-memory.dmp

C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Newtonsoft.Json.dll

memory/588-244-0x000000000C610000-0x000000000C6C0000-memory.dmp

memory/588-245-0x000000000C6C0000-0x000000000C726000-memory.dmp

C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\System.Data.SQLite.dll

memory/588-249-0x000000000CA30000-0x000000000CA90000-memory.dmp

memory/588-250-0x000000000C990000-0x000000000C9DC000-memory.dmp

C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\System.Data.SQLite.dll.config

C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\x86\SQLite.Interop.dll

C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\sqliteDB\users.db

C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.UI.WinForms.BunifuPictureBox.dll

memory/588-258-0x0000000007260000-0x000000000726E000-memory.dmp

C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.UI.WinForms.BunifuButton.dll

memory/588-262-0x0000000007290000-0x00000000072B0000-memory.dmp

memory/588-263-0x0000000007320000-0x000000000735C000-memory.dmp

memory/588-264-0x00000000072E0000-0x0000000007301000-memory.dmp

memory/588-265-0x00000000073C0000-0x00000000073E2000-memory.dmp

C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Guna.UI2.dll

memory/588-269-0x00000000075A0000-0x0000000007716000-memory.dmp

memory/588-273-0x0000000007450000-0x000000000745E000-memory.dmp

C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.UI.WinForms.BunifuPanel.dll

memory/588-274-0x0000000007440000-0x0000000007446000-memory.dmp

memory/588-275-0x0000000007520000-0x0000000007552000-memory.dmp

memory/588-276-0x0000000007AC0000-0x0000000007B5C000-memory.dmp

\??\Volume{de8ebc4f-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{c54cef18-1570-4474-a723-919f69d186af}_OnDiskSnapshotProp

\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
