Analysis Overview
SHA256
8ebdc838216071b6a38d0ac5b8e2b3bd827aed38d935850e29b2ecd3e242e5bd
Threat Level: Shows suspicious behavior
The file ElSaifyApp.exe was found to be: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Executes dropped EXE
Enumerates connected drives
Drops file in Windows directory
Drops file in Program Files directory
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Uses Volume Shadow Copy service COM API
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Modifies data under HKEY_USERS
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-26 15:29
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-26 15:28
Reported
2024-08-26 15:30
Platform
win11-20240802-en
Max time kernel
55s
Max time network
58s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\ElSefy.exe | N/A |
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates connected drives
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\runtimes\win-arm64\native\WebView2Loader.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.UI.WinForms.BunifuProgressBar.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\ElSefy.exe.config | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Microsoft.Web.WebView2.WinForms.xml | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.UI.WinForms.BunifuSlider.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\EntityFramework.xml | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\System.Data.SQLite.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\System.Data.SQLite.Linq.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\runtimes\win-x64\native\WebView2Loader.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.UI.WinForms.BunifuCircleProgress.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.UI.WinForms.BunifuGauge.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.UI.WinForms.BunifuGradientPanel.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Microsoft.Web.WebView2.Wpf.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\System.Data.SQLite.EF6.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.UI.WinForms.BunifuColorTransition.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.UI.WinForms.BunifuDropdown.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\EntityFramework.SqlServer.xml | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Microsoft.Web.WebView2.Wpf.xml | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\x64\SQLite.Interop.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Flurl.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\image.png | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Microsoft.Web.WebView2.WinForms.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\runtimes\win-x86\native\WebView2Loader.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\ElSefy.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.UI.WinForms.BunifuScrollBar.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.UI.WinForms.Deprecated.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Newtonsoft.Json.xml | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\ElSefy.pdb | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Microsoft.Web.WebView2.Core.xml | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\README.md | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.UI.WinForms.BunifuDatePicker.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.UI.WinForms.BunifuShadowPanel.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\cources.ico | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.Licensing.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.UI.WinForms.BunifuDataGridView.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.UI.WinForms.BunifuSeparator.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.UI.WinForms.BunifuPages.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.UI.WinForms.BunifuShapes.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Microsoft.Web.WebView2.Core.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.UI.WinForms.BunifuCheckBox.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.UI.WinForms.BunifuFormDock.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.UI.WinForms.BunifuLabel.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Flurl.Http.xml | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Flurl.xml | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.UI.WinForms.BunifuPanel.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.UI.WinForms.BunifuUserControl.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\EntityFramework.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.UI.WinForms.BunifuPictureBox.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.UI.WinForms.BunifuTransition.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\System.Data.SQLite.dll.config | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Flurl.Http.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\System.Data.SQLite.xml | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.UI.WinForms.1.5.3.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.UI.WinForms.BunifuImageButton.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.UI.WinForms.BunifuRadioButton.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Newtonsoft.Json.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\sqliteDB\users.db | C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\ElSefy.exe | N/A |
| File created | C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.UI.WinForms.BunifuToolTip.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\EntityFramework.SqlServer.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.UI.WinForms.BunifuGroupBox.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.UI.WinForms.BunifuRating.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.UI.WinForms.BunifuTextbox.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.UI.WinForms.BunifuButton.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.UI.WinForms.BunifuSnackbar.dll | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Installer\e57cc39.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SystemTemp\~DF8E10C390BE167CFA.TMP | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SystemTemp\~DF8D9DDBC7F5FFB91F.TMP | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSICD15.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSICD74.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\SourceHash{0ED38AAC-0491-40C9-9899-6178AE5E522D} | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SystemTemp\~DFA2CFE0B4C913EF34.TMP | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSICCA6.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSID024.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSID130.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\{0ED38AAC-0491-40C9-9899-6178AE5E522D}\ElSefy.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SystemTemp\~DF0160A9B04634352F.TMP | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\e57cc39.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSID0D1.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\{0ED38AAC-0491-40C9-9899-6178AE5E522D}\ElSefy.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e57cc3b.msi | C:\Windows\system32\msiexec.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ElSaifyApp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\ElSefy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ElSaifyApp.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 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 | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\vssvc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 | C:\Windows\system32\msiexec.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CAA83DE019409C0489991687EAE525D2\AuthorizedLUAApp = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CAA83DE019409C0489991687EAE525D2\SourceList\PackageName = "ElSaifyApp.msi" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CAA83DE019409C0489991687EAE525D2\SourceList\Net | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CAA83DE019409C0489991687EAE525D2\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\A Plus Code\\ElSaifyApp2025 9.2.3\\install\\" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CAA83DE019409C0489991687EAE525D2\SourceList\Media | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CAA83DE019409C0489991687EAE525D2\Language = "1033" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CAA83DE019409C0489991687EAE525D2\Assignment = "1" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CAA83DE019409C0489991687EAE525D2\ProductIcon = "C:\\Windows\\Installer\\{0ED38AAC-0491-40C9-9899-6178AE5E522D}\\ElSefy.exe" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\39737A412D2B38C4781CAE644A6CCA71\CAA83DE019409C0489991687EAE525D2 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\CAA83DE019409C0489991687EAE525D2 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CAA83DE019409C0489991687EAE525D2\Version = "151126019" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CAA83DE019409C0489991687EAE525D2\InstanceType = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CAA83DE019409C0489991687EAE525D2\PackageCode = "E306300FCF528AA4EB2AABB17D9C83E4" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CAA83DE019409C0489991687EAE525D2\DeploymentFlags = "3" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CAA83DE019409C0489991687EAE525D2\Clients = 3a0000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\CAA83DE019409C0489991687EAE525D2\MainFeature | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CAA83DE019409C0489991687EAE525D2 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CAA83DE019409C0489991687EAE525D2\ProductName = "ElSaifyApp2025" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CAA83DE019409C0489991687EAE525D2\SourceList\Media\DiskPrompt = "[1]" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CAA83DE019409C0489991687EAE525D2\SourceList\Media\1 = "Disk1;Disk1" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CAA83DE019409C0489991687EAE525D2\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Roaming\\A Plus Code\\ElSaifyApp2025 9.2.3\\install\\" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CAA83DE019409C0489991687EAE525D2\AdvertiseFlags = "388" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\39737A412D2B38C4781CAE644A6CCA71 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CAA83DE019409C0489991687EAE525D2\SourceList | C:\Windows\system32\msiexec.exe | N/A |
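Two values in the table above can be cross-checked offline. The Products key name CAA83DE019409C0489991687EAE525D2 is the packed form of the ProductCode GUID {0ED38AAC-0491-40C9-9899-6178AE5E522D} that also names the cached C:\Windows\Installer\{...}\ElSefy.exe and the SourceHash entry, and the Version DWORD 151126019 encodes 9.2.3, the same version as the "ElSaifyApp2025 9.2.3" install folder in SourceList\Net\1. The Python below is an added example written for this page, not code from the report or from the sample; it also reads the 8-byte ASCII tag of the SnapshotDataCache blob that vssvc.exe wrote under the SCSI Enum key in the "Checks SCSI registry key(s)" table (the rest of that structure is not decoded here). Those vssvc.exe writes, together with srtasks.exe ExecuteScopeRestorePoint in the process list, are consistent with the restore point Windows Installer creates during an install rather than with code in the sample. The helper names are this example's own.

```python
"""Decode Windows Installer registry artifacts from the report.

Added example for this page; not code from the sandbox report or the sample.
The inputs below are copied from the report's tables (constructed test data).
"""
import re

# Values from the "Modifies registry class" table.
PACKED_PRODUCT_KEY = "CAA83DE019409C0489991687EAE525D2"
PACKED_UPGRADE_KEY = "39737A412D2B38C4781CAE644A6CCA71"
VERSION_DWORD = 151126019
# Unpacked GUID used by C:\Windows\Installer\{...}\ElSefy.exe and SourceHash{...}.
PRODUCT_CODE = "{0ED38AAC-0491-40C9-9899-6178AE5E522D}"
# Leading bytes of the SnapshotDataCache value written by vssvc.exe.
SNAPSHOT_DATA_CACHE_HEX = "534e41505041525401000000700000008ec7416a"

_GUID_RE = re.compile(r"[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}")


def _swap_pairs(s: str) -> str:
    """Reverse each pair of hex digits (byte-wise reversal of a group)."""
    return "".join(s[i + 1] + s[i] for i in range(0, len(s), 2))


def pack_guid(guid: str) -> str:
    """{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE} -> 32-char key name used under
    HKLM\\SOFTWARE\\Classes\\Installer\\{Products,Features,UpgradeCodes}.
    Groups 1-3 are reversed as strings; groups 4-5 are reversed byte-wise."""
    g = guid.strip("{}").upper()
    if not _GUID_RE.fullmatch(g):
        raise ValueError(f"not a GUID: {guid!r}")
    a, b, c, d, e = g.split("-")
    return a[::-1] + b[::-1] + c[::-1] + _swap_pairs(d) + _swap_pairs(e)


def unpack_guid(packed: str) -> str:
    """Inverse of pack_guid (each per-group transform is its own inverse)."""
    p = packed.upper()
    if not re.fullmatch(r"[0-9A-F]{32}", p):
        raise ValueError(f"not a packed GUID: {packed!r}")
    a, b, c, d, e = p[:8], p[8:12], p[12:16], p[16:20], p[20:]
    return "{%s-%s-%s-%s-%s}" % (a[::-1], b[::-1], c[::-1], _swap_pairs(d), _swap_pairs(e))


def decode_msi_version(dword: int) -> str:
    """Products\\...\\Version packs major<<24 | minor<<16 | build (16 bits)."""
    return f"{(dword >> 24) & 0xFF}.{(dword >> 16) & 0xFF}.{dword & 0xFFFF}"


def blob_magic(hexdata: str, length: int = 8) -> str:
    """Return the leading ASCII tag of a REG_BINARY value given as hex."""
    return bytes.fromhex(hexdata[: 2 * length]).decode("ascii")


def cross_check() -> dict:
    """Tie the registry rows back to the other artifacts in the report."""
    return {
        "products_key_is_product_code": unpack_guid(PACKED_PRODUCT_KEY) == PRODUCT_CODE,
        "upgrade_code": unpack_guid(PACKED_UPGRADE_KEY),
        "version": decode_msi_version(VERSION_DWORD),                # 9.2.3
        "snapshot_cache_magic": blob_magic(SNAPSHOT_DATA_CACHE_HEX),  # SNAPPART
    }


if __name__ == "__main__":
    for key, value in cross_check().items():
        print(f"{key}: {value}")
```

The packing is its own inverse on every group, so unpack_guid(pack_guid(g)) == g; the same transform applies to the UpgradeCodes key 39737A412D2B38C4781CAE644A6CCA71, and is what you need when pivoting from an Installer\Products key found in a registry hive back to the GUID-named files under C:\Windows\Installer.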
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ElSaifyApp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ElSaifyApp.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\ElSaifyApp.exe
"C:\Users\Admin\AppData\Local\Temp\ElSaifyApp.exe"
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 64E883095DA6702847056B2EFD96E65E C
C:\Users\Admin\AppData\Local\Temp\ElSaifyApp.exe
"C:\Users\Admin\AppData\Local\Temp\ElSaifyApp.exe" /i "C:\Users\Admin\AppData\Roaming\A Plus Code\ElSaifyApp2025 9.2.3\install\ElSaifyApp.msi" AI_EUIMSI=1 APPDIR="C:\Program Files (x86)\A Plus Code\ElSaifyApp2025" SECONDSEQUENCE="1" CLIENTPROCESSID="2832" CHAINERUIPROCESSID="2832Chainer" ACTION="INSTALL" EXECUTEACTION="INSTALL" CLIENTUILEVEL="0" ADDLOCAL="MainFeature" PRIMARYFOLDER="APPDIR" ROOTDRIVE="C:\" AI_SETUPEXEPATH="C:\Users\Admin\AppData\Local\Temp\ElSaifyApp.exe" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1724445527 " TARGETDIR="C:\" AI_SETUPEXEPATH_ORIGINAL="C:\Users\Admin\AppData\Local\Temp\ElSaifyApp.exe" AI_INSTALL="1"
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 8B6117719EDA05DC2D13F5606EF632A3
C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\ElSefy.exe
"C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\ElSefy.exe"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
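The second ElSaifyApp.exe entry is the setup.exe wrapper re-launching itself with the MSI it extracted to %AppData% and a set of Windows Installer public properties (the AI_* ones are set by an Advanced Installer wrapper). Reading those properties is how the stages of the chain are tied together: CLIENTPROCESSID=2832 is the PID that also appears in the memory/2832-... dump and the AI_EXTUI_BIN_2832 artifacts, and APPDIR is the directory every row of "Drops file in Program Files directory" lands in. The Python below is an added example, not code from the report or the sample; the command line and artifact names are copied from the report as constructed input, and parse_msi_properties and the other helpers are names chosen here.

```python
"""Parse the bootstrapper relaunch command line from the report's Processes list.

Added example for this page, not code from the report or from the sample.
The command line and artifact names are copied from the report as constructed
input; parse_msi_properties and the other helpers are names chosen here.
"""
import re
from typing import Dict, List

# Second ElSaifyApp.exe instance: the wrapper re-launching itself with the
# extracted MSI plus Windows Installer public properties.
RELAUNCH_CMDLINE = (
    r'"C:\Users\Admin\AppData\Local\Temp\ElSaifyApp.exe" /i '
    r'"C:\Users\Admin\AppData\Roaming\A Plus Code\ElSaifyApp2025 9.2.3\install\ElSaifyApp.msi" '
    r'AI_EUIMSI=1 APPDIR="C:\Program Files (x86)\A Plus Code\ElSaifyApp2025" '
    r'SECONDSEQUENCE="1" CLIENTPROCESSID="2832" CHAINERUIPROCESSID="2832Chainer" '
    r'ACTION="INSTALL" EXECUTEACTION="INSTALL" CLIENTUILEVEL="0" ADDLOCAL="MainFeature" '
    r'PRIMARYFOLDER="APPDIR" ROOTDRIVE="C:\" '
    r'AI_SETUPEXEPATH="C:\Users\Admin\AppData\Local\Temp\ElSaifyApp.exe" '
    r'SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\" '
    r'EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1724445527 " TARGETDIR="C:\" '
    r'AI_SETUPEXEPATH_ORIGINAL="C:\Users\Admin\AppData\Local\Temp\ElSaifyApp.exe" AI_INSTALL="1"'
)

# A few artifact names from the report's Files section, for the PID cross-reference.
REPORT_ARTIFACTS = [
    "memory/2832-0-0x0000000003150000-0x0000000003151000-memory.dmp",
    r"C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2832\dialog",
    r"C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2832\banner",
    "memory/588-227-0x00000000004F0000-0x0000000000E2E000-memory.dmp",
]

# NAME=value or NAME="value with spaces". shlex is deliberately avoided: in POSIX
# mode it reads the \" in ROOTDRIVE="C:\" as an escaped quote and swallows the
# rest of the line, so a plain regex over the quoted form is more robust here.
_PROP_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
_PACKAGE_RE = re.compile(r'/i\s+"([^"]*)"')


def parse_msi_properties(cmdline: str) -> Dict[str, str]:
    """Return the public properties passed on an msiexec-style command line."""
    props: Dict[str, str] = {}
    for m in _PROP_RE.finditer(cmdline):
        name, quoted, bare = m.groups()
        props[name] = quoted if quoted is not None else bare
    return props


def msi_package_path(cmdline: str) -> str:
    """Path given to /i, i.e. the MSI the wrapper dropped and is now installing."""
    m = _PACKAGE_RE.search(cmdline)
    if m is None:
        raise ValueError("no /i <package> on command line")
    return m.group(1)


def artifacts_for_pid(pid: str, artifacts: List[str]) -> List[str]:
    """Artifacts whose name embeds the PID as a whole number (memory dumps, AI_EXTUI_BIN_<pid>)."""
    pat = re.compile(rf"(?<!\d){re.escape(pid)}(?!\d)")
    return [a for a in artifacts if pat.search(a)]


def chain_summary(cmdline: str = RELAUNCH_CMDLINE) -> dict:
    """Pull out what links this process to the rest of the report."""
    props = parse_msi_properties(cmdline)
    pid = props["CLIENTPROCESSID"]
    return {
        "package": msi_package_path(cmdline),
        "install_dir": props["APPDIR"],
        "wrapper_exe": props["AI_SETUPEXEPATH"],
        "wrapper_switches": props["EXE_CMD_LINE"].split(),
        "client_pid": pid,
        "pid_artifacts": artifacts_for_pid(pid, REPORT_ARTIFACTS),
    }


if __name__ == "__main__":
    for key, value in chain_summary().items():
        print(f"{key}: {value}")
```

Run the file to print the package path, install directory, wrapper switches and the PID-linked artifacts; the same parser works on the msiexec command lines Sysmon or EDR telemetry records for any MSI-based installer.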
Network
| Country | Destination | Domain | Proto |
| GB | 2.18.66.75:443 | | tcp |
| GB | 92.123.142.121:443 | r.bing.com | tcp |
| GB | 92.123.142.121:443 | r.bing.com | tcp |
| GB | 92.123.142.121:443 | r.bing.com | tcp |
| GB | 92.123.142.121:443 | r.bing.com | tcp |
| GB | 92.123.142.121:443 | r.bing.com | tcp |
| GB | 92.123.142.121:443 | r.bing.com | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
memory/2832-0-0x0000000003150000-0x0000000003151000-memory.dmp
C:\Users\Admin\AppData\Roaming\A Plus Code\ElSaifyApp2025 9.2.3\install\ElSaifyApp.msi
| MD5 | 7648ba5172b00d7de2b87b64a5163a15 |
| SHA1 | e0cab2745cfe2ffca70065dfa959b2d080dec360 |
| SHA256 | d27e6f91a291ef7c03be224789ca1e71b98e837329ab361b527e4444a7d8b870 |
| SHA512 | 3a3cefc93a413f65dde3a014c8e4e0912f2e9d39a8b2e2677ba4e86ed99c129ac4621abdec543c4d8e6863e60ed17089e8b68dbe336bbf3c0081ba1556e3eb27 |
C:\Users\Admin\AppData\Local\Temp\MSIA00A.tmp
| MD5 | 891de63dad09d3f100263727297e9205 |
| SHA1 | aeb1c23ab5014dca9d5208afe96585b40ac2a27e |
| SHA256 | 96513f32d35ccdc3fe50eee2ee7b30836d1e5f09f73c13f151f13091464e0b50 |
| SHA512 | f517dfecf4d89ed140a9e31ab6e02da64d32070660494f18ea3d8a62228c30d89822e24a86ff0112d42a8b5cb90bb5e4d3e34e83697cf4cca7224a24fe2c45e6 |
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2832\dialog
| MD5 | 36d060121ed7e2230f3ea56befe364ce |
| SHA1 | 38a617cd50f0d3f94ab6e57a7acaef3e8561e28a |
| SHA256 | 193f1e6a191859da26f10d12e5dba79eadb2ade6f12bce95f1776c43263b6f8e |
| SHA512 | ec31bddadc5a3a0d98caccd1da2bc4c42db8d3a35c2a646034b69a5c83a03a6df088065cf88c763d42c0c3fa60f9b34520be6cba733fb88ca34cfc36af064b03 |
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2832\banner
| MD5 | f67f81ec032b7f620c7de63e628e99a7 |
| SHA1 | 376df52be2f525998fbff29c9dd4ff5e2ba8a2c6 |
| SHA256 | 2a281497ceb43c0484ad8344012bcdcbcb2060cd4a186a280848d7ff917aa900 |
| SHA512 | 345c4730d1fd3eb37c82f1a5fe13b7474d98192ac81812b190809e64ad23a53ba43a9d06945c0b363cfc1fc306cc24d5d4264a9109592bd47a5a6bdfb44e103c |
C:\Users\Admin\AppData\Local\Temp\shiB035.tmp
| MD5 | b40e4304f279119d9345be970babce41 |
| SHA1 | f76f5b30e7c333efcba1d4e19215ef1fd21d6943 |
| SHA256 | 06285446d57089fe85b3b6127bbc92508773af458ad5cf20abf4570d41c0fee7 |
| SHA512 | ad7e6b30b3ba32d641737f499874f23ccda7c4539def0465d1723d579c79c5e3e981df8526d31f2eb79dc0fe572eb4b71a780eb63df11170d4b6a0786f588299 |
memory/2832-82-0x0000000003150000-0x0000000003151000-memory.dmp
C:\Windows\Installer\MSICD74.tmp
| MD5 | fa7b536cc7e5367d3be3311680bbd94e |
| SHA1 | 1201a2ab797507bf8e9b4e6c09ea0c6d4d62f271 |
| SHA256 | f09c8e1a8bc1430a374d1fcd863934f2e2414cf41d6b08b40ec20b7171ed0282 |
| SHA512 | e7ab0b2b19d393e503bdcf77135298086b569a1dc746b47a70bb79f6aac9a3460e25d8b47f8943d947fe25acfab35c3557430c431d964d16ada19700c8012542 |
C:\Users\Admin\AppData\Roaming\A Plus Code\ElSaifyApp2025 9.2.3\install\ElSaifyApp1.cab
| MD5 | 98f0e1797cae0537d4518f11fbaa2266 |
| SHA1 | 4a37fd10ae2bb8893ad87d30edd6236e4162180f |
| SHA256 | 1a5c46f7024d87b107100e3ef734a528a4376d312baed2b937e674dc8b26efd2 |
| SHA512 | 22ce57739d04080cc6170c8106a0ad4cd94ac4d43d16b5dd5d1bb00b6844aceb8570192105aeaa466a489d5b10bd7615dc0c419544690cc73767f7cc1658f788 |
C:\Windows\Installer\MSID0D1.tmp
| MD5 | d39571bcace5ab6cfc0748d132ca9f20 |
| SHA1 | c6a7872af059d0481eb2ebf9459cbe4c664d5a58 |
| SHA256 | dfe14b4dd85981b93d96a3222b9821b0ab4a6fb17812d5a769974adc0b681962 |
| SHA512 | 9385f9ceccd29673896525e1c84e9d58e369f17627c22411dfceca162a17ee9ef6e6e8c373242ac5a392f0488357e733a4240eb7793907a6c26fc7b6b34f488d |
C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\ElSefy.exe
| MD5 | d78c888d2ae32a966e5ff9c7f408bbaf |
| SHA1 | 1dbbcda10e80ae25124f82a712ef2c266ec281e2 |
| SHA256 | 583b2a6119bedcce2e3748d19ab4422c34dcb7a4d5568c7b78f47f6d31acbad1 |
| SHA512 | 009b617b787a0370c327ab89975765b46ee6ceaec8011227881f0b135ddb503c63ba5b111057cd5a597111fe8b5019c3eae024157f02022ba2889a1d94193ffb |
C:\Config.Msi\e57cc3a.rbs
| MD5 | b4797575f56d29f2adb340449c8efa60 |
| SHA1 | 814255fdf6d6b5513b03d9d331128f274634789e |
| SHA256 | 84d2a2893f2112bb6c3d343e6a246abfafdfe4c0c4a8a0027e51cbb5c84ccc02 |
| SHA512 | 76a005c351f0846f85fb0f78bc9661e5736a710ed0bcf469fdfa27b128db98490f0f45a82027ed05ce5420cf7a433ac1de8a324b497c3a8632b385eaab38b4ce |
C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\ElSefy.exe.config
| MD5 | 9c81594a90ca38fa6641b37540507742 |
| SHA1 | 4ff8f1db248f4e9c5650d8b0e1bc1c8a246ddb8a |
| SHA256 | 6ff32eac0c0b7d4dc5290329131dd71401e04294a3ab2d46166f8bf9275a8201 |
| SHA512 | 446106b503452fb7b5435a2d56d146e9f379ff0fdd29e9ac549848cb2be62ce9d4bb1add06c187e8a9531e4db86ff597b5ffe57e1e49cc727b1adbc56155e3f9 |
memory/588-227-0x00000000004F0000-0x0000000000E2E000-memory.dmp
memory/588-228-0x0000000006020000-0x00000000065C6000-memory.dmp
memory/588-229-0x0000000005C90000-0x0000000005D22000-memory.dmp
memory/588-230-0x0000000009830000-0x000000000A220000-memory.dmp
memory/588-231-0x000000000A220000-0x000000000A577000-memory.dmp
C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.UI.WinForms.BunifuCircleProgress.dll
| MD5 | d4de383101856da415aa02cc8aa38398 |
| SHA1 | ec677a157eaa1effac7874236f77f03ba2168e0c |
| SHA256 | 9e9ad1889cec632c28fb8e25d052bf727c1945396c6f699815e282835f1af5c9 |
| SHA512 | 39589c92ff4040c7b001e04ae5c66c156e1baa87cadc7d977ebd13e290c423a9acdc9d65450f0e6b76a8b35fef81018bcf72e7c07d560e5fe3722c9e4eec0bac |
memory/588-236-0x0000000005F80000-0x0000000005F98000-memory.dmp
memory/588-240-0x000000000AB40000-0x000000000AC82000-memory.dmp
C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.Licensing.dll
| MD5 | 1a45c5f35d5a5b3bf94f01caae45a641 |
| SHA1 | 678428c593a7b168803766264e4fe44fab253700 |
| SHA256 | 3410caef0cb538e883b3e4a2ef8bc26c1aeb7d07206021cf31f3382d5cdecba1 |
| SHA512 | 3f8b7179cc68fdcb33b474b0c9295ffa13454d4eafd4a769332be21fac4fcbf30e69f1b76bc2fa0a818d972c90001fa4bf9272ef7e333205cdfa5008e035a579 |
memory/588-232-0x0000000005F40000-0x0000000005F4A000-memory.dmp
C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Newtonsoft.Json.dll
| MD5 | 6815034209687816d8cf401877ec8133 |
| SHA1 | 1248142eb45eed3beb0d9a2d3b8bed5fe2569b10 |
| SHA256 | 7f912b28a07c226e0be3acfb2f57f050538aba0100fa1f0bf2c39f1a1f1da814 |
| SHA512 | 3398094ce429ab5dcdecf2ad04803230669bb4accaef7083992e9b87afac55841ba8def2a5168358bd17e60799e55d076b0e5ca44c86b9e6c91150d3dc37c721 |
memory/588-244-0x000000000C610000-0x000000000C6C0000-memory.dmp
memory/588-245-0x000000000C6C0000-0x000000000C726000-memory.dmp
C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\System.Data.SQLite.dll
| MD5 | 17bb52713d75f8b334a311bd27cf5f23 |
| SHA1 | 24446d9f4e639454f36b6edcc187834a059b6082 |
| SHA256 | 6c156f7cf30a6c1e2538e8ee8744f641a9270e9b3a1d5b13c8486ea8b8cd5b03 |
| SHA512 | 33934dd07f98c87b4c86d0c60c64bfe5fa5bcd74f314af9069a0fcaa9a3bfefe331ab751652ced5fa100a490088f063421f0be14a7c6e995665c0ef5d01c168c |
memory/588-249-0x000000000CA30000-0x000000000CA90000-memory.dmp
memory/588-250-0x000000000C990000-0x000000000C9DC000-memory.dmp
C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\System.Data.SQLite.dll.config
| MD5 | 8ab01db32f56322275cbd0864feb5d55 |
| SHA1 | cbdb70f5fc04485af0d09ef7484faa7f8b3047bb |
| SHA256 | cde00e0a0f52ed121d52c17338da42ffd9656d4f81a76df2dceda05c88f783ef |
| SHA512 | e52a5e341309bae40a4f69d67226a92dfc42b08d4e815da3a7df7295d68da6dcad8973d32af84f269692bd98634c4657e1394366574f5ec299eb50fa3d1db468 |
C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\x86\SQLite.Interop.dll
| MD5 | 8ee703ae220be11a81d3eaf4eb9106e7 |
| SHA1 | db7dc6a2f8887475bea01e7b3612c8d79c3500c1 |
| SHA256 | 1272e3a910e0c5c6930bfb80e738b5842e447ad42496e3e10abc1380377e45f7 |
| SHA512 | 4b13b270d175062ac6f69e905a81303089dd0225f4bf7cf149bfc6c54a3ee0ba938729eba00f0ca0bb56790cc8af0c86cac3bc3497791cd7518bbf65db4d6779 |
C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\sqliteDB\users.db
| MD5 | 078ce59c554657f99d13b15e1a6705ae |
| SHA1 | deb9598bfffb8780e1a098de84d0e13a391287df |
| SHA256 | 13e537680c5a8674e48d057bb96e9c53152a0ddacfbfd4b37471d16198f8ac0f |
| SHA512 | 8a11a01f43b4cc1aee3e62ee351ad32e0d9f4322660fa28dd6306d76f9df1da8a5dc064a4bb94f27d9f2e1ab6d7e2760228c55a828cfc938f396a77518900319 |
C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.UI.WinForms.BunifuPictureBox.dll
| MD5 | fd6e28c44ab0bb05721034aa10e5e5c7 |
| SHA1 | 2c52c3925b7b3f9bb17fcf32ee7daadd275fdf81 |
| SHA256 | df1d1a4399138a002883caeb326cb23fa95b5ec4a18a1abbc725166155a299d0 |
| SHA512 | bf8bb42cce6713bdae6a70f30ba3e889f6d63ab1e92336fddc890cedf33c3cf17f06114c301eeb0b552384af3a2ca0b64ad8920f7a266bed0b6b690b710b74e9 |
memory/588-258-0x0000000007260000-0x000000000726E000-memory.dmp
C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.UI.WinForms.BunifuButton.dll
| MD5 | 3e60d71b66fb974045fb8dae1baef617 |
| SHA1 | 7078e2779f8c8d0a594c985ff7ca2e65cabaed6b |
| SHA256 | ca17918d71b6375a30990979e8f025aaef2764e06a908210be0b665dfbf7f8d0 |
| SHA512 | fc991a823c39ec6fffdea6193dc3f687af907e36768dc09a733d95d3bb575e8d7ead2b434e94be35fff7bb625a71f3de499c186897f15fa489ebd9d8b65f0327 |
memory/588-262-0x0000000007290000-0x00000000072B0000-memory.dmp
memory/588-263-0x0000000007320000-0x000000000735C000-memory.dmp
memory/588-264-0x00000000072E0000-0x0000000007301000-memory.dmp
memory/588-265-0x00000000073C0000-0x00000000073E2000-memory.dmp
C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Guna.UI2.dll
| MD5 | acec68d05e0b9b6c34a24da530dc07b2 |
| SHA1 | 015eb32aad6f5309296c3a88f0c5ab1ba451d41e |
| SHA256 | bf72939922afa2cd17071f5170b4a82d05bceb1fc33ce29cdfbc68dbb97f0277 |
| SHA512 | d68d3ac62319178d3bc27a0f1e1762fc814a4da65156db90ae17284a99e5d9909e9e6348a4ff9ef0b92a46ba2033b838b75313307b46ab72dc0aab9641e4f700 |
memory/588-269-0x00000000075A0000-0x0000000007716000-memory.dmp
memory/588-273-0x0000000007450000-0x000000000745E000-memory.dmp
C:\Program Files (x86)\A Plus Code\ElSaifyApp2025\Bunifu.UI.WinForms.BunifuPanel.dll
| MD5 | c9b870d649ca008152c8a5f70c26f00f |
| SHA1 | aa34ac78f4a8740efce16960e7e35e860e212f49 |
| SHA256 | 2f11a4fafa78fe89a49d6f954a46cb80548d3faaace84ec5faac06ceffbcd191 |
| SHA512 | d5a9061801b4b97c842aeb8d453118e8f7f2dfff499403d44ac667171de4e4652c245ff02ff0a7f9e1012b952e70fdffca546de4d4a03909206789d35972cb76 |
memory/588-274-0x0000000007440000-0x0000000007446000-memory.dmp
memory/588-275-0x0000000007520000-0x0000000007552000-memory.dmp
memory/588-276-0x0000000007AC0000-0x0000000007B5C000-memory.dmp
\??\Volume{de8ebc4f-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{c54cef18-1570-4474-a723-919f69d186af}_OnDiskSnapshotProp
| MD5 | 1b3face35c2b5a4e981632c3600923cc |
| SHA1 | af8dce13e5e89438321fba6d8434eb7bceb7870f |
| SHA256 | b1b998b8fcff77a22b81fdf6f979f94b44a48a87a8fd20f13eae05ab71608276 |
| SHA512 | e46d473513877588c505642915b016aed6d138e9ed6f8c230a1b28e25caf45a05035b33da64b2ff0455f5f2fb8d310f3cf876262b3555da312d68f49c654a672 |
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
| MD5 | 6b184ea0b9adc963c6cb3fb041cc7e49 |
| SHA1 | d54c74fc269bbddceb7b173dd641f943cfa5e6d2 |
| SHA256 | 412652dc6ef5b20ae297f81987faad950eedad8484bde524bcb6c4a730655589 |
| SHA512 | a4919461077064900ceaf99593d0f985656b0aba33c083967e1183b57052b10975ca7ea467838241e325109a6fe28147ba60584088583d84089d41150af4fa01 |