Analysis

  • max time kernel
    149s
  • max time network
    136s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250619-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250619-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04/07/2025, 12:05

General

  • Target

    2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe

  • Size

    5.0MB

  • MD5

    da05404cb8d5af4f7ecc3366ed7f8b9d

  • SHA1

    acad65c14e7027521f82be3ab42c7aceaf5fc86f

  • SHA256

    e657a432aa54bfe93259ebfbd34dc4a3712133e5c134bc722f587db3e5dfa90c

  • SHA512

    bf92dde5fed7ec33ba0ea1e9ee81d6e736c713f80b913cce7749e658bb7356842146eb4e2ac2f64a4db6ae563ca2484457dfd055fe76bc1bcc3c19d138608eb9

  • SSDEEP

    98304:iLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLY:CjJS

Malware Config

Signatures

  • Drops startup file (2 IoCs)
  • Executes dropped EXE (64 IoCs)
  • Reads user/profile data of web browsers (3 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives (3 TTPs, 21 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory (64 IoCs)
  • Drops file in Windows directory (64 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses (62 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3484
      • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
        "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2396
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7196.bat
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2996
          • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
            "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of WriteProcessMemory
            PID:936
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a733C.bat
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:1248
              • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious use of WriteProcessMemory
                PID:1364
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a74E2.bat
                  7⤵
                  • Suspicious use of WriteProcessMemory
                  PID:4712
                  • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                    "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                    8⤵
                    • Executes dropped EXE
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of WriteProcessMemory
                    PID:4716
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7724.bat
                      9⤵
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of WriteProcessMemory
                      PID:3480
                      • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                        "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                        10⤵
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of WriteProcessMemory
                        PID:1384
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7918.bat
                          11⤵
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of WriteProcessMemory
                          PID:2212
                          • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                            "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                            12⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            • Suspicious use of WriteProcessMemory
                            PID:4380
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7ABE.bat
                              13⤵
                              • System Location Discovery: System Language Discovery
                              • Suspicious use of WriteProcessMemory
                              PID:1484
                              • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                14⤵
                                • Executes dropped EXE
                                • Drops file in Windows directory
                                • Suspicious use of WriteProcessMemory
                                PID:3164
                                • C:\Windows\SysWOW64\cmd.exe
                                  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7C44.bat
                                  15⤵
                                  • Suspicious use of WriteProcessMemory
                                  PID:1712
                                  • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                    "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                    16⤵
                                    • Executes dropped EXE
                                    • Drops file in Windows directory
                                    • Suspicious use of WriteProcessMemory
                                    PID:1108
                                    • C:\Windows\SysWOW64\cmd.exe
                                      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7ED5.bat
                                      17⤵
                                      • System Location Discovery: System Language Discovery
                                      • Suspicious use of WriteProcessMemory
                                      PID:3308
                                      • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                        "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                        18⤵
                                        • Executes dropped EXE
                                        • Drops file in Windows directory
                                        • Suspicious use of WriteProcessMemory
                                        PID:3344
                                        • C:\Windows\SysWOW64\cmd.exe
                                          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a806B.bat
                                          19⤵
                                          • Suspicious use of WriteProcessMemory
                                          PID:3284
                                          • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                            "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                            20⤵
                                            • Executes dropped EXE
                                            • Drops file in Windows directory
                                            PID:4752
                                            • C:\Windows\SysWOW64\cmd.exe
                                              C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a81B3.bat
                                              21⤵
                                                PID:4844
                                                • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                  "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                  22⤵
                                                  • Executes dropped EXE
                                                  • Drops file in Windows directory
                                                  PID:1480
                                                  • C:\Windows\SysWOW64\cmd.exe
                                                    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a833A.bat
                                                    23⤵
                                                      PID:4316
                                                      • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                        24⤵
                                                        • Executes dropped EXE
                                                        • Drops file in Windows directory
                                                        PID:2040
                                                        • C:\Windows\SysWOW64\cmd.exe
                                                          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a84EF.bat
                                                          25⤵
                                                            PID:1832
                                                            • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                              "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                              26⤵
                                                              • Executes dropped EXE
                                                              PID:3920
                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8685.bat
                                                                27⤵
                                                                  PID:1784
                                                                  • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                    "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                    28⤵
                                                                    • Executes dropped EXE
                                                                    PID:1124
                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a882B.bat
                                                                      29⤵
                                                                        PID:4248
                                                                        • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                          "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                          30⤵
                                                                          • Executes dropped EXE
                                                                          • Drops file in Windows directory
                                                                          PID:1916
                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a89D1.bat
                                                                            31⤵
                                                                              PID:3076
                                                                              • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                32⤵
                                                                                • Executes dropped EXE
                                                                                • Drops file in Windows directory
                                                                                • System Location Discovery: System Language Discovery
                                                                                PID:1452
                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8B58.bat
                                                                                  33⤵
                                                                                    PID:764
                                                                                    • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                      "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                      34⤵
                                                                                      • Executes dropped EXE
                                                                                      PID:2440
                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8D0D.bat
                                                                                        35⤵
                                                                                          PID:4068
                                                                                          • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                            "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                            36⤵
                                                                                            • Executes dropped EXE
                                                                                            • System Location Discovery: System Language Discovery
                                                                                            PID:3576
                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                              C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8ED2.bat
                                                                                              37⤵
                                                                                                PID:3772
                                                                                                • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                  "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                  38⤵
                                                                                                  • Executes dropped EXE
                                                                                                  PID:1880
                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a90E6.bat
                                                                                                    39⤵
                                                                                                      PID:1108
                                                                                                      • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                        "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                        40⤵
                                                                                                        • Executes dropped EXE
                                                                                                        PID:1740
                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a929B.bat
                                                                                                          41⤵
                                                                                                            PID:460
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                              "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                              42⤵
                                                                                                              • Executes dropped EXE
                                                                                                              • Drops file in Windows directory
                                                                                                              PID:4024
                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a949F.bat
                                                                                                                43⤵
                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                PID:4692
                                                                                                                • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                  44⤵
                                                                                                                  • Executes dropped EXE
                                                                                                                  PID:4536
                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9710.bat
                                                                                                                    45⤵
                                                                                                                      PID:5108
                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                        46⤵
                                                                                                                        • Executes dropped EXE
                                                                                                                        • Drops file in Windows directory
                                                                                                                        PID:3616
                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a97EA.bat
                                                                                                                          47⤵
                                                                                                                            PID:3844
                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                              48⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              • Drops file in Windows directory
                                                                                                                              PID:3052
                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9913.bat
                                                                                                                                49⤵
                                                                                                                                  PID:4804
                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                    50⤵
                                                                                                                                    • Executes dropped EXE
                                                                                                                                    PID:4584
                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a99DE.bat
                                                                                                                                      51⤵
                                                                                                                                        PID:2280
                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                          52⤵
                                                                                                                                          • Executes dropped EXE
                                                                                                                                          • Drops file in Windows directory
                                                                                                                                          PID:1204
                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9BA4.bat
                                                                                                                                            53⤵
                                                                                                                                              PID:2844
                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                54⤵
                                                                                                                                                • Executes dropped EXE
                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                PID:3552
                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9C6F.bat
                                                                                                                                                  55⤵
                                                                                                                                                    PID:1496
                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                      56⤵
                                                                                                                                                        PID:4036
                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9CFB.bat
                                                                                                                                                          57⤵
                                                                                                                                                            PID:4316
                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                              58⤵
                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                              • Drops file in Windows directory
                                                                                                                                                              PID:3932
                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9D98.bat
                                                                                                                                                                59⤵
                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                PID:2408
                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                  60⤵
                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                  PID:5024
                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA066.bat
                                                                                                                                                                    61⤵
                                                                                                                                                                      PID:4304
                                                                                                                                                                      • C:\Windows\System32\Conhost.exe
                                                                                                                                                                        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                        62⤵
                                                                                                                                                                          PID:3932
                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                          62⤵
                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                          PID:2244
                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA131.bat
                                                                                                                                                                            63⤵
                                                                                                                                                                              PID:3028
                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                64⤵
                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                • Drops file in Windows directory
                                                                                                                                                                                PID:1628
                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA20C.bat
                                                                                                                                                                                  65⤵
                                                                                                                                                                                    PID:3744
                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                      66⤵
                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                      • Drops file in Windows directory
                                                                                                                                                                                      PID:3532
                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA2E7.bat
                                                                                                                                                                                        67⤵
                                                                                                                                                                                          PID:1248
                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                            68⤵
                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                            • Drops file in Windows directory
                                                                                                                                                                                            PID:5112
                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA400.bat
                                                                                                                                                                                              69⤵
                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                              PID:4316
                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                70⤵
                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                • Drops file in Windows directory
                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                PID:3520
                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA4DB.bat
                                                                                                                                                                                                  71⤵
                                                                                                                                                                                                    PID:3880
                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                      72⤵
                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                      • Drops file in Windows directory
                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                      PID:4500
                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA5B6.bat
                                                                                                                                                                                                        73⤵
                                                                                                                                                                                                          PID:4216
                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                            74⤵
                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                            PID:4564
                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA6DF.bat
                                                                                                                                                                                                              75⤵
                                                                                                                                                                                                                PID:2416
                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                  76⤵
                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                  PID:4916
                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA7AA.bat
                                                                                                                                                                                                                    77⤵
                                                                                                                                                                                                                      PID:2932
                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                        78⤵
                                                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                                                        • Drops file in Windows directory
                                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                        PID:2472
                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA856.bat
                                                                                                                                                                                                                          79⤵
                                                                                                                                                                                                                            PID:4660
                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                              80⤵
                                                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                                                              • Drops file in Windows directory
                                                                                                                                                                                                                              PID:4964
                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA921.bat
                                                                                                                                                                                                                                81⤵
                                                                                                                                                                                                                                  PID:1136
                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                    82⤵
                                                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                    PID:4968
                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA9EC.bat
                                                                                                                                                                                                                                      83⤵
                                                                                                                                                                                                                                        PID:4536
                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                          84⤵
                                                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                                                          PID:4564
                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aAC3E.bat
                                                                                                                                                                                                                                            85⤵
                                                                                                                                                                                                                                              PID:312
                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                86⤵
                                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                                • Drops file in Windows directory
                                                                                                                                                                                                                                                PID:2684
                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aACAB.bat
                                                                                                                                                                                                                                                  87⤵
                                                                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                  PID:4024
                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                    88⤵
                                                                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                                                                    PID:964
                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aAD18.bat
                                                                                                                                                                                                                                                      89⤵
                                                                                                                                                                                                                                                        PID:3112
                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                          90⤵
                                                                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                                                                          PID:4804
                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aAD66.bat
                                                                                                                                                                                                                                                            91⤵
                                                                                                                                                                                                                                                              PID:1588
                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                92⤵
                                                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                                                • Drops file in Windows directory
                                                                                                                                                                                                                                                                PID:2212
                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aADD4.bat
                                                                                                                                                                                                                                                                  93⤵
                                                                                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                  PID:2704
                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                    94⤵
                                                                                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                                                                                    PID:2380
                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aAE32.bat
                                                                                                                                                                                                                                                                      95⤵
                                                                                                                                                                                                                                                                        PID:2996
                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                          96⤵
                                                                                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                                                                                          • Drops file in Windows directory
                                                                                                                                                                                                                                                                          PID:3616
                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aAE8F.bat
                                                                                                                                                                                                                                                                            97⤵
                                                                                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                            PID:4068
                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                              98⤵
                                                                                                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                                                                                                              PID:1016
                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aAF0C.bat
                                                                                                                                                                                                                                                                                99⤵
                                                                                                                                                                                                                                                                                  PID:4112
                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                    100⤵
                                                                                                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                                                                                                    PID:1788
                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aAF99.bat
                                                                                                                                                                                                                                                                                      101⤵
                                                                                                                                                                                                                                                                                        PID:1004
                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                          102⤵
                                                                                                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                                                                                                          PID:2968
                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB16E.bat
                                                                                                                                                                                                                                                                                            103⤵
                                                                                                                                                                                                                                                                                              PID:3932
                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                104⤵
                                                                                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                                                                                PID:3700
                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB277.bat
                                                                                                                                                                                                                                                                                                  105⤵
                                                                                                                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                  PID:4400
                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                    106⤵
                                                                                                                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                                                                                                                    PID:5108
                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB2D5.bat
                                                                                                                                                                                                                                                                                                      107⤵
                                                                                                                                                                                                                                                                                                        PID:1656
                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                          108⤵
                                                                                                                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                                                                                                                          PID:3616
                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB333.bat
                                                                                                                                                                                                                                                                                                            109⤵
                                                                                                                                                                                                                                                                                                              PID:5104
                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                110⤵
                                                                                                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                PID:4660
                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB391.bat
                                                                                                                                                                                                                                                                                                                  111⤵
                                                                                                                                                                                                                                                                                                                    PID:3032
                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                      112⤵
                                                                                                                                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                      PID:1788
                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB41D.bat
                                                                                                                                                                                                                                                                                                                        113⤵
                                                                                                                                                                                                                                                                                                                          PID:4920
                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                            114⤵
                                                                                                                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                            PID:3296
                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB4B9.bat
                                                                                                                                                                                                                                                                                                                              115⤵
                                                                                                                                                                                                                                                                                                                                PID:3620
                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                  116⤵
                                                                                                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                  • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                  PID:2924
                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB527.bat
                                                                                                                                                                                                                                                                                                                                    117⤵
                                                                                                                                                                                                                                                                                                                                      PID:2448
                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                        118⤵
                                                                                                                                                                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                        PID:4968
                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB575.bat
                                                                                                                                                                                                                                                                                                                                          119⤵
                                                                                                                                                                                                                                                                                                                                            PID:1800
                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                              120⤵
                                                                                                                                                                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                              • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                              PID:3512
                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB5D3.bat
                                                                                                                                                                                                                                                                                                                                                121⤵
                                                                                                                                                                                                                                                                                                                                                  PID:2876
                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                    122⤵
                                                                                                                                                                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                    PID:2612
                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB65F.bat
                                                                                                                                                                                                                                                                                                                                                      123⤵
                                                                                                                                                                                                                                                                                                                                                        PID:1636
                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                          124⤵
                                                                                                                                                                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                          PID:3676
                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB69E.bat
                                                                                                                                                                                                                                                                                                                                                            125⤵
                                                                                                                                                                                                                                                                                                                                                              PID:2580
                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                126⤵
                                                                                                                                                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                PID:1108
                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB6FC.bat
                                                                                                                                                                                                                                                                                                                                                                  127⤵
                                                                                                                                                                                                                                                                                                                                                                    PID:448
                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                      128⤵
                                                                                                                                                                                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                      • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                      PID:4564
                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB74A.bat
                                                                                                                                                                                                                                                                                                                                                                        129⤵
                                                                                                                                                                                                                                                                                                                                                                          PID:4952
                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                            130⤵
                                                                                                                                                                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                            PID:1484
                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB7A7.bat
                                                                                                                                                                                                                                                                                                                                                                              131⤵
                                                                                                                                                                                                                                                                                                                                                                                PID:552
                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                  132⤵
                                                                                                                                                                                                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                  PID:1372
                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB815.bat
                                                                                                                                                                                                                                                                                                                                                                                    133⤵
                                                                                                                                                                                                                                                                                                                                                                                      PID:964
                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                        134⤵
                                                                                                                                                                                                                                                                                                                                                                                        • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                        PID:1296
                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB873.bat
                                                                                                                                                                                                                                                                                                                                                                                          135⤵
                                                                                                                                                                                                                                                                                                                                                                                            PID:4300
                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                              136⤵
                                                                                                                                                                                                                                                                                                                                                                                                PID:2212
                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB8C1.bat
                                                                                                                                                                                                                                                                                                                                                                                                  137⤵
                                                                                                                                                                                                                                                                                                                                                                                                    PID:4024
                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                      138⤵
                                                                                                                                                                                                                                                                                                                                                                                                      • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                      PID:3080
                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB91E.bat
                                                                                                                                                                                                                                                                                                                                                                                                        139⤵
                                                                                                                                                                                                                                                                                                                                                                                                          PID:2704
                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                            140⤵
                                                                                                                                                                                                                                                                                                                                                                                                            • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                            PID:1832
                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB97C.bat
                                                                                                                                                                                                                                                                                                                                                                                                              141⤵
                                                                                                                                                                                                                                                                                                                                                                                                                PID:3232
                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                  142⤵
                                                                                                                                                                                                                                                                                                                                                                                                                    PID:1664
                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB9CA.bat
                                                                                                                                                                                                                                                                                                                                                                                                                      143⤵
                                                                                                                                                                                                                                                                                                                                                                                                                        PID:3152
                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                          144⤵
                                                                                                                                                                                                                                                                                                                                                                                                                            PID:4536
                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aBA28.bat
                                                                                                                                                                                                                                                                                                                                                                                                                              145⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                PID:1928
                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                  146⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:3576
                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aBAF3.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                      147⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:5112
                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                        148⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                        • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:904
                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aBBAF.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                          149⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:4716
                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                              150⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:3772
                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aBC5B.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                  151⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:1028
                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                      152⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:3844
                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aBD06.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                          153⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:2280
                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                            154⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:1468
                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aBDC2.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                              155⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:4432
                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  156⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:720
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aBE6E.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    157⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:1928
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        158⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:116
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aBF1A.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          159⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:4276
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              160⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:2968
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aBFD5.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  161⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:3712
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    162⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:2356
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC0CF.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      163⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:1372
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        164⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:3324
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC1AA.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          165⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:3260
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              166⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:648
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC2B4.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  167⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:3600
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    168⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:4032
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC4F6.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      169⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:1992
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          170⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:4400
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC5C1.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            171⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:2968
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                172⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:2588
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC6CA.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  173⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:5104
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      174⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:3172
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC7B5.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        175⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:5068
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            176⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:764
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC880.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                177⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:2408
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    178⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:2624
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC92C.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        179⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:4740
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          180⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:4764
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC98A.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              181⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:552
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                182⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:4060
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC9E7.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  183⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:2448
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    184⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:4348
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aCA55.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      185⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:4840
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          186⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:1496
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aCAC2.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              187⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:4624
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  188⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:4140
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aCB3F.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    189⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:532
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        190⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:228
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aCBBC.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          191⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:4716
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              192⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:4216
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aCC39.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                193⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:4512
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    194⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:2936
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aCC97.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      195⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:2084
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          196⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:2720
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aCCF5.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            197⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:1372
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                198⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:3576
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aCD52.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  199⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:1028
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      200⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:3448
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aCDC0.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          201⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:1464
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              202⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:4676
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aCE1D.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  203⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:220
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      204⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:3288
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aCE6C.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          205⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:936
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              206⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:1636
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aCEE9.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  207⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:3588
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      208⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:1792
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aCF46.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        209⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:2216
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            210⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:4712
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aCFB4.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              211⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:2408
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  212⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:216
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD011.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    213⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:2024
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        214⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:1108
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD07F.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          215⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:2336
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              216⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:3940
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD0DD.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  217⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:2448
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      218⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:4380
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD169.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        219⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:4964
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            220⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:2436
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD1D7.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              221⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:544
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  222⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:2684
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD254.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    223⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:2480
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        224⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:2032
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD2B1.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          225⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:1528
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            226⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:1936
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD31F.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              227⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:3680
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  228⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:4444
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD3AB.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      229⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:3824
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          230⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:4132
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD419.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              231⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:3576
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  232⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:5108
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD486.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    233⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:3448
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      234⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:4384
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD503.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          235⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:116
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              236⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:5104
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD561.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                237⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:448
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    238⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:4104
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD5BF.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        239⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:1636
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            240⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:3232
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD64B.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              241⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:1792
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                242⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:4260
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD699.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    243⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:4712
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      244⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:1664
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD6F7.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        245⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:3112
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            246⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:3424
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD774.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              247⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:3732
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  248⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:3284
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD7C2.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    249⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:2472
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        250⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:2976
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD83F.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            251⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:1960
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                252⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:4584
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD87E.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  253⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:2356
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      254⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:2428
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD8EB.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        255⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:3744
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            256⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:2148
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD968.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                257⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:1628
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    258⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:2292
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD9C6.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        259⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:1296
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            260⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:3708
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aDA33.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                261⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:4036
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  262⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:3532
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aDA91.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    263⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:3712
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        264⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:3280
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aDAEF.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          265⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:4560
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              266⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:3552
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aDB7B.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  267⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:3448
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      268⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:3956
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aDBD9.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          269⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:1712
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              270⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:2176
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aDC56.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  271⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:4104
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    272⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:748
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aDCB4.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      273⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:1992
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        274⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:3240
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aDD40.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          275⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:2212
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              276⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:3328
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aDDBD.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  277⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:4712
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    278⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:3172
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aDE3A.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      279⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:4984
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          280⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:3076
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aDE98.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            281⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:4068
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                282⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:4156
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aDF15.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    283⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:4144
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      284⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:532
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aDF92.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        285⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:1960
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            286⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:376
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aDFF0.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              287⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:1784
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                288⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:3724
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aE06D.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    289⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:2076
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        290⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:2940
                                                                                                                                                                                                                                                                                                          • C:\Windows\Logo1_.exe
                                                                                                                                                                                                                                                                                                            C:\Windows\Logo1_.exe
                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                            • Drops startup file
                                                                                                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                                                                                                            • Enumerates connected drives
                                                                                                                                                                                                                                                                                                            • Drops file in Program Files directory
                                                                                                                                                                                                                                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                                                                                                            • Suspicious use of WriteProcessMemory
                                                                                                                                                                                                                                                                                                            PID:2808
                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\net.exe
                                                                                                                                                                                                                                                                                                              net stop "Kingsoft AntiVirus Service"
                                                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                                              • Suspicious use of WriteProcessMemory
                                                                                                                                                                                                                                                                                                              PID:4036
                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\net1.exe
                                                                                                                                                                                                                                                                                                                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                                                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                                                  PID:1832

                                                                                                                                                                                                                                                                                                              Downloads

                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\$$a7196.bat

                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                776B

                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\$$a733C.bat

                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                776B

                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\$$a74E2.bat

                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                776B

                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\$$a7724.bat

                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                776B

                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\$$a7918.bat

                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                776B

                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\$$a7ABE.bat

                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                776B


                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\$$a7C44.bat

                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                776B


                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\$$a7ED5.bat

                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                776B


                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\$$a806B.bat

                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                776B


                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\$$a81B3.bat

                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                776B


                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\$$a833A.bat

                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                776B


                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\$$a84EF.bat

                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                776B


                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\$$a8685.bat

                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                776B


                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\$$a882B.bat

                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                776B


                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\$$a89D1.bat

                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                776B

                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\$$a8B58.bat

                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                776B

                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\$$a8D0D.bat

                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                776B

                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\$$a8ED2.bat

                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                776B

                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\$$a90E6.bat

                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                776B

                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\$$a929B.bat

                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                776B

                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\$$a949F.bat

                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                776B

                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe.exe

                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                4.7MB

                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe.exe

                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                4.7MB

                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe.exe

                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                4.6MB

                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe.exe

                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                4.6MB

                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe.exe

                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                4.5MB

                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe.exe

                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                4.8MB

                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe.exe

                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                4.7MB

                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe.exe

                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                4.4MB

                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe.exe

                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                4.4MB

                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe.exe

                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                4.4MB

                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe.exe

                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                5.0MB

                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe.exe

                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                4.6MB

                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe.exe

                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                4.9MB

                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe.exe

                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                4.5MB

                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe.exe

                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                5.0MB

                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe.exe

                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                4.8MB

                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe.exe

                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                4.5MB

                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe.exe

                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                4.9MB

                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe.exe

                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                4.9MB

                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe.exe

                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                4.8MB

                                                                                                                                                                                                                                                                                                              • C:\Windows\Logo1_.exe

                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                32KB

                                                                                                                                                                                                                                                                                                              • F:\$RECYCLE.BIN\S-1-5-21-3008489981-1977616533-741913813-1000\_desktop.ini

                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                8B


                                                                                                                                                                                                                                                                                                              • memory/1452-138-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                276KB

                                                                                                                                                                                                                                                                                                              • memory/1468-7359-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                276KB

                                                                                                                                                                                                                                                                                                              • memory/1480-99-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                276KB

                                                                                                                                                                                                                                                                                                              • memory/1484-6297-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                276KB

                                                                                                                                                                                                                                                                                                              • memory/1496-10217-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                276KB

                                                                                                                                                                                                                                                                                                              • memory/1628-3116-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                276KB

                                                                                                                                                                                                                                                                                                              • memory/1636-10267-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                276KB

                                                                                                                                                                                                                                                                                                              • memory/1664-6327-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                276KB

                                                                                                                                                                                                                                                                                                              • memory/1664-10362-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                276KB

                                                                                                                                                                                                                                                                                                              • memory/1740-610-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                276KB

                                                                                                                                                                                                                                                                                                              • memory/1788-5731-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                276KB

                                                                                                                                                                                                                                                                                                              • memory/1788-6256-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                276KB

                                                                                                                                                                                                                                                                                                              • memory/1792-10272-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                276KB

                                                                                                                                                                                                                                                                                                              • memory/1832-6322-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                276KB

                                                                                                                                                                                                                                                                                                              • memory/1880-485-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                276KB

                                                                                                                                                                                                                                                                                                              • memory/1916-131-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                276KB

                                                                                                                                                                                                                                                                                                              • memory/1936-10317-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                276KB

                                                                                                                                                                                                                                                                                                              • memory/2032-10312-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                276KB

                                                                                                                                                                                                                                                                                                              • memory/2040-106-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                276KB

                                                                                                                                                                                                                                                                                                              • memory/2148-10392-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                276KB

                                                                                                                                                                                                                                                                                                              • memory/2176-10424-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                276KB

                                                                                                                                                                                                                                                                                                              • memory/2212-6312-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                276KB

                                                                                                                                                                                                                                                                                                              • memory/2212-5715-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                276KB

                                                                                                                                                                                                                                                                                                              • memory/2244-2920-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                276KB

                                                                                                                                                                                                                                                                                                              • memory/2292-10397-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                276KB

                                                                                                                                                                                                                                                                                                              • memory/2356-8242-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                276KB

                                                                                                                                                                                                                                                                                                              • memory/2380-5719-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                276KB

                                                                                                                                                                                                                                                                                                              • memory/2396-0-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                Filesize


                                                                                                                                                                                                                                                                                                                276KB

                                                                                                                                                                                                                                                                                                              • memory/3520-3803-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                276KB

                                                                                                                                                                                                                                                                                                              • memory/3532-10407-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                276KB

                                                                                                                                                                                                                                                                                                              • memory/3532-3292-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                276KB

                                                                                                                                                                                                                                                                                                              • memory/3552-10414-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                276KB

                                                                                                                                                                                                                                                                                                              • memory/3552-1936-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                276KB

                                                                                                                                                                                                                                                                                                              • memory/3576-264-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                276KB

                                                                                                                                                                                                                                                                                                              • memory/3576-10247-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                276KB

                                                                                                                                                                                                                                                                                                              • memory/3576-6549-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                276KB

                                                                                                                                                                                                                                                                                                              • memory/3616-1426-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                276KB

                                                                                                                                                                                                                                                                                                              • memory/3616-5723-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                276KB

                                                                                                                                                                                                                                                                                                              • memory/3616-6248-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                276KB

                                                                                                                                                                                                                                                                                                              • memory/3676-6284-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                276KB

                                                                                                                                                                                                                                                                                                              • memory/3700-6240-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                276KB

                                                                                                                                                                                                                                                                                                              • memory/3708-10402-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                276KB

                                                                                                                                                                                                                                                                                                              • memory/3724-10465-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                276KB

                                                                                                                                                                                                                                                                                                              • memory/3724-10470-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                276KB

                                                                                                                                                                                                                                                                                                              • memory/3772-6910-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                276KB

                                                                                                                                                                                                                                                                                                              • memory/3844-7122-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                276KB

                                                                                                                                                                                                                                                                                                              • memory/3920-115-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                276KB

                                                                                                                                                                                                                                                                                                              • memory/3932-1944-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                276KB

                                                                                                                                                                                                                                                                                                              • memory/3940-10292-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                276KB

                                                                                                                                                                                                                                                                                                              • memory/3956-10419-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                276KB

                                                                                                                                                                                                                                                                                                              • memory/4024-771-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                276KB

                                                                                                                                                                                                                                                                                                              • memory/4032-9073-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                276KB

                                                                                                                                                                                                                                                                                                              • memory/4036-1940-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                276KB

                                                                                                                                                                                                                                                                                                              • memory/4060-10207-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                276KB

                                                                                                                                                                                                                                                                                                              • memory/4104-10347-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                276KB

                                                                                                                                                                                                                                                                                                              • memory/4132-10327-0x0000000000400000-0x0000000000445000-memory.dmp
