Analysis
-
max time kernel
149s -
max time network
136s -
platform
windows10-2004_x64 -
resource
win10v2004-20250619-en -
resource tags
arch:x64arch:x86image:win10v2004-20250619-enlocale:en-usos:windows10-2004-x64system -
submitted
04/07/2025, 12:05
Static task
static1
Behavioral task
behavioral1
Sample
2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
Resource
win10v2004-20250619-en
General
-
Target
2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
-
Size
5.0MB
-
MD5
da05404cb8d5af4f7ecc3366ed7f8b9d
-
SHA1
acad65c14e7027521f82be3ab42c7aceaf5fc86f
-
SHA256
e657a432aa54bfe93259ebfbd34dc4a3712133e5c134bc722f587db3e5dfa90c
-
SHA512
bf92dde5fed7ec33ba0ea1e9ee81d6e736c713f80b913cce7749e658bb7356842146eb4e2ac2f64a4db6ae563ca2484457dfd055fe76bc1bcc3c19d138608eb9
-
SSDEEP
98304:iLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLY:CjJS
Malware Config
Signatures
-
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini Logo1_.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini Logo1_.exe -
Executes dropped EXE 64 IoCs
pid Process 2808 Logo1_.exe 936 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 1364 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 4716 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 1384 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 4380 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 3164 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 1108 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 3344 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 4752 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 1480 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 2040 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 3920 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 1124 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 1916 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 1452 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 2440 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 3576 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 1880 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 1740 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 4024 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 4536 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 3616 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 3052 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 4584 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 1204 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 3552 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 3932 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 5024 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 2244 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 1628 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 3532 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 5112 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 3520 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 4500 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 4564 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 4916 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 2472 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 4964 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 4968 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 4564 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 2684 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 964 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 4804 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 2212 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 2380 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 3616 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 1016 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 1788 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 2968 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 3700 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 5108 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 3616 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 4660 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 1788 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 3296 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 2924 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 4968 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 3512 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 2612 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 3676 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 1108 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 4564 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 1484 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\W: Logo1_.exe File opened (read-only) \??\L: Logo1_.exe File opened (read-only) \??\H: Logo1_.exe File opened (read-only) \??\Y: Logo1_.exe File opened (read-only) \??\U: Logo1_.exe File opened (read-only) \??\P: Logo1_.exe File opened (read-only) \??\G: Logo1_.exe File opened (read-only) \??\Z: Logo1_.exe File opened (read-only) \??\X: Logo1_.exe File opened (read-only) \??\T: Logo1_.exe File opened (read-only) \??\S: Logo1_.exe File opened (read-only) \??\R: Logo1_.exe File opened (read-only) \??\Q: Logo1_.exe File opened (read-only) \??\O: Logo1_.exe File opened (read-only) \??\E: Logo1_.exe File opened (read-only) \??\V: Logo1_.exe File opened (read-only) \??\N: Logo1_.exe File opened (read-only) \??\K: Logo1_.exe File opened (read-only) \??\J: Logo1_.exe File opened (read-only) \??\I: Logo1_.exe File opened (read-only) \??\M: Logo1_.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Examples\Calculator\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\tr-tr\_desktop.ini Logo1_.exe File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Cyrl-RS\_desktop.ini Logo1_.exe File created C:\Program Files\VideoLAN\VLC\locale\si\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\pt-br\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\fi-fi\_desktop.ini Logo1_.exe File created C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\_desktop.ini Logo1_.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Mozilla Firefox\gmp-clearkey\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\bn_IN\LC_MESSAGES\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Diagnostics\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ar-ae\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\de-de\_desktop.ini Logo1_.exe File created C:\Program Files\VideoLAN\VLC\locale\bn_IN\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\cs-cz\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\ru\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\pt-br\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\ka\LC_MESSAGES\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sl-si\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\plugins\rhp\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\ca-es\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ar-ae\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\ResiliencyLinks\VisualElements\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example1.Diagnostics\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\hr-hr\_desktop.ini Logo1_.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\libs\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\he-il\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Microsoft Office\Updates\Download\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\_desktop.ini Logo1_.exe File created C:\Program Files\VideoLAN\VLC\locale\ug\LC_MESSAGES\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\hu-hu\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\da-dk\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\sl-sl\_desktop.ini Logo1_.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\fr\_desktop.ini Logo1_.exe File created C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\sl-sl\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\zh-cn\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ar-ae\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\it-it\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\en-il\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Trust Protection Lists\Sigma\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\VideoLAN\VLC\skins\fonts\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Internet Explorer\ja-JP\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\en-il\_desktop.ini Logo1_.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\zh-Hans\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\de-DE\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fi-fi\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\en-gb\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\nl-nl\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\uk-ua\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\it-it\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\_desktop.ini Logo1_.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\_desktop.ini Logo1_.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\INDUST\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ko-kr\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\fi-fi\_desktop.ini Logo1_.exe -
Drops file in Windows directory 64 IoCs
description ioc Process File created C:\Windows\Logo1_.exe 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe File created C:\Windows\Logo1_.exe 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe File created C:\Windows\Logo1_.exe 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe File created C:\Windows\Logo1_.exe 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe File created C:\Windows\Logo1_.exe 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe File created C:\Windows\Logo1_.exe 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe File created C:\Windows\Logo1_.exe 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe File created C:\Windows\Logo1_.exe 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe File created C:\Windows\Logo1_.exe 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe File created C:\Windows\Logo1_.exe 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe File created C:\Windows\Logo1_.exe 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe File created C:\Windows\Logo1_.exe 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe File created C:\Windows\Logo1_.exe 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe File created C:\Windows\Logo1_.exe 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe File created C:\Windows\Logo1_.exe 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe File created C:\Windows\Logo1_.exe 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe File created C:\Windows\rundl132.exe 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe File created C:\Windows\Logo1_.exe 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe File created C:\Windows\Logo1_.exe 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe File created C:\Windows\Logo1_.exe 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe File created C:\Windows\Logo1_.exe 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe File created C:\Windows\Logo1_.exe 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe File created C:\Windows\Logo1_.exe 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe File created C:\Windows\Logo1_.exe 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe File created C:\Windows\Logo1_.exe 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe File created C:\Windows\Logo1_.exe 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe File created C:\Windows\Logo1_.exe 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe File created C:\Windows\Logo1_.exe 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe File created C:\Windows\Logo1_.exe 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe File created C:\Windows\Logo1_.exe 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe File created C:\Windows\Logo1_.exe 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe File created C:\Windows\Logo1_.exe 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe File created C:\Windows\Logo1_.exe 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe File created C:\Windows\Logo1_.exe 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe File created C:\Windows\Logo1_.exe 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe File created C:\Windows\Logo1_.exe 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe File created C:\Windows\Logo1_.exe 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe File created C:\Windows\Logo1_.exe 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe File created C:\Windows\Logo1_.exe 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe File created C:\Windows\Logo1_.exe 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe File created C:\Windows\Logo1_.exe 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe File created C:\Windows\Logo1_.exe 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe File created C:\Windows\Logo1_.exe 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe File created C:\Windows\Logo1_.exe 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe File created C:\Windows\Logo1_.exe 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe File created C:\Windows\Logo1_.exe 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe File created C:\Windows\Logo1_.exe 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe File created C:\Windows\Logo1_.exe 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe File created C:\Windows\Logo1_.exe 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe File created C:\Windows\Logo1_.exe 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe File created C:\Windows\Logo1_.exe 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe File created C:\Windows\Logo1_.exe 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe File created C:\Windows\Logo1_.exe 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe File created C:\Windows\Logo1_.exe 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe File created C:\Windows\Logo1_.exe 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe File created C:\Windows\Logo1_.exe 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe File created C:\Windows\Logo1_.exe 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe File created C:\Windows\Logo1_.exe 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe File created C:\Windows\Logo1_.exe 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe File created C:\Windows\Logo1_.exe 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe File created C:\Windows\Logo1_.exe 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe File created C:\Windows\Logo1_.exe 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe File created C:\Windows\Logo1_.exe 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe File created C:\Windows\Logo1_.exe 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 62 IoCs
pid Process 2396 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 2396 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 2396 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 2396 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 2396 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 2396 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 2396 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 2396 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 2396 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 2396 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 2396 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 2396 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 2396 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 2396 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 2396 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 2396 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 2396 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 2396 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 2808 Logo1_.exe 2808 Logo1_.exe 2808 Logo1_.exe 2808 Logo1_.exe 2808 Logo1_.exe 2808 Logo1_.exe 2808 Logo1_.exe 2808 Logo1_.exe 2808 Logo1_.exe 2808 Logo1_.exe 2808 Logo1_.exe 2808 Logo1_.exe 2808 Logo1_.exe 2808 Logo1_.exe 2808 Logo1_.exe 2808 Logo1_.exe 2808 Logo1_.exe 2808 Logo1_.exe 2808 Logo1_.exe 2808 Logo1_.exe 2808 Logo1_.exe 2808 Logo1_.exe 2808 Logo1_.exe 2808 Logo1_.exe 2808 Logo1_.exe 2808 Logo1_.exe 2808 Logo1_.exe 2808 Logo1_.exe 2808 Logo1_.exe 2808 Logo1_.exe 2808 Logo1_.exe 2808 Logo1_.exe 2808 Logo1_.exe 2808 Logo1_.exe 2808 Logo1_.exe 2808 Logo1_.exe 2808 Logo1_.exe 2808 Logo1_.exe 2808 Logo1_.exe 2808 Logo1_.exe 2808 Logo1_.exe 2808 Logo1_.exe 2808 Logo1_.exe 2808 Logo1_.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2396 wrote to memory of 2996 2396 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 85 PID 2396 wrote to memory of 2996 2396 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 85 PID 2396 wrote to memory of 2996 2396 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 85 PID 2396 wrote to memory of 2808 2396 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 86 PID 2396 wrote to memory of 2808 2396 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 86 PID 2396 wrote to memory of 2808 2396 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 86 PID 2808 wrote to memory of 4036 2808 Logo1_.exe 88 PID 2808 wrote to memory of 4036 2808 Logo1_.exe 88 PID 2808 wrote to memory of 4036 2808 Logo1_.exe 88 PID 4036 wrote to memory of 1832 4036 net.exe 90 PID 4036 wrote to memory of 1832 4036 net.exe 90 PID 4036 wrote to memory of 1832 4036 net.exe 90 PID 2996 wrote to memory of 936 2996 cmd.exe 91 PID 2996 wrote to memory of 936 2996 cmd.exe 91 PID 2996 wrote to memory of 936 2996 cmd.exe 91 PID 936 wrote to memory of 1248 936 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 92 PID 936 wrote to memory of 1248 936 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 92 PID 936 wrote to memory of 1248 936 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 92 PID 1248 wrote to memory of 1364 1248 cmd.exe 96 PID 1248 wrote to memory of 1364 1248 cmd.exe 96 PID 1248 wrote to memory of 1364 1248 cmd.exe 96 PID 1364 wrote to memory of 4712 1364 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 97 PID 1364 wrote to memory of 4712 1364 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 97 PID 1364 wrote to memory of 4712 1364 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 97 PID 4712 wrote to memory of 4716 4712 cmd.exe 100 PID 4712 wrote to memory of 4716 4712 cmd.exe 100 PID 4712 wrote to memory of 4716 4712 cmd.exe 100 PID 4716 wrote to memory of 3480 4716 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 101 PID 4716 wrote to memory of 3480 4716 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 101 PID 4716 wrote to memory of 3480 4716 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 101 PID 2808 wrote to memory of 3484 2808 Logo1_.exe 56 PID 2808 wrote to memory of 3484 2808 Logo1_.exe 56 PID 3480 wrote to memory of 1384 3480 cmd.exe 103 PID 3480 wrote to memory of 1384 3480 cmd.exe 103 PID 3480 wrote to memory of 1384 3480 cmd.exe 103 PID 1384 wrote to memory of 2212 1384 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 104 PID 1384 wrote to memory of 2212 1384 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 104 PID 1384 wrote to memory of 2212 1384 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 104 PID 2212 wrote to memory of 4380 2212 cmd.exe 106 PID 2212 wrote to memory of 4380 2212 cmd.exe 106 PID 2212 wrote to memory of 4380 2212 cmd.exe 106 PID 4380 wrote to memory of 1484 4380 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 107 PID 4380 wrote to memory of 1484 4380 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 107 PID 4380 wrote to memory of 1484 4380 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 107 PID 1484 wrote to memory of 3164 1484 cmd.exe 109 PID 1484 wrote to memory of 3164 1484 cmd.exe 109 PID 1484 wrote to memory of 3164 1484 cmd.exe 109 PID 3164 wrote to memory of 1712 3164 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 110 PID 3164 wrote to memory of 1712 3164 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 110 PID 3164 wrote to memory of 1712 3164 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 110 PID 1712 wrote to memory of 1108 1712 cmd.exe 114 PID 1712 wrote to memory of 1108 1712 cmd.exe 114 PID 1712 wrote to memory of 1108 1712 cmd.exe 114 PID 1108 wrote to memory of 3308 1108 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 115 PID 1108 wrote to memory of 3308 1108 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 115 PID 1108 wrote to memory of 3308 1108 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 115 PID 3308 wrote to memory of 3344 3308 cmd.exe 117 PID 3308 wrote to memory of 3344 3308 cmd.exe 117 PID 3308 wrote to memory of 3344 3308 cmd.exe 117 PID 3344 wrote to memory of 3284 3344 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 118 PID 3344 wrote to memory of 3284 3344 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 118 PID 3344 wrote to memory of 3284 3344 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe 118 PID 3284 wrote to memory of 4752 3284 cmd.exe 120 PID 3284 wrote to memory of 4752 3284 cmd.exe 120
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3484
-
C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2396 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7196.bat3⤵
- Suspicious use of WriteProcessMemory
PID:2996 -
C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:936 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a733C.bat5⤵
- Suspicious use of WriteProcessMemory
PID:1248 -
C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1364 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a74E2.bat7⤵
- Suspicious use of WriteProcessMemory
PID:4712 -
C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4716 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7724.bat9⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3480 -
C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"10⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1384 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7918.bat11⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2212 -
C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"12⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4380 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7ABE.bat13⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1484 -
C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"14⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3164 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7C44.bat15⤵
- Suspicious use of WriteProcessMemory
PID:1712 -
C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"16⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1108 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7ED5.bat17⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3308 -
C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"18⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3344 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a806B.bat19⤵
- Suspicious use of WriteProcessMemory
PID:3284 -
C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"20⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4752 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a81B3.bat21⤵PID:4844
-
C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"22⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1480 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a833A.bat23⤵PID:4316
-
C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"24⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2040 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a84EF.bat25⤵PID:1832
-
C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"26⤵
- Executes dropped EXE
PID:3920 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8685.bat27⤵PID:1784
-
C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"28⤵
- Executes dropped EXE
PID:1124 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a882B.bat29⤵PID:4248
-
C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"30⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1916 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a89D1.bat31⤵PID:3076
-
C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"32⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1452 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8B58.bat33⤵PID:764
-
C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"34⤵
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8D0D.bat35⤵PID:4068
-
C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3576 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8ED2.bat37⤵PID:3772
-
C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"38⤵
- Executes dropped EXE
PID:1880 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a90E6.bat39⤵PID:1108
-
C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"40⤵
- Executes dropped EXE
PID:1740 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a929B.bat41⤵PID:460
-
C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"42⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4024 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a949F.bat43⤵
- System Location Discovery: System Language Discovery
PID:4692 -
C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"44⤵
- Executes dropped EXE
PID:4536 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9710.bat45⤵PID:5108
-
C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"46⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3616 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a97EA.bat47⤵PID:3844
-
C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"48⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3052 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9913.bat49⤵PID:4804
-
C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"50⤵
- Executes dropped EXE
PID:4584 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a99DE.bat51⤵PID:2280
-
C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"52⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1204 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9BA4.bat53⤵PID:2844
-
C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3552 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9C6F.bat55⤵PID:1496
-
C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"56⤵PID:4036
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9CFB.bat57⤵PID:4316
-
C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"58⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3932 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9D98.bat59⤵
- System Location Discovery: System Language Discovery
PID:2408 -
C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5024 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA066.bat61⤵PID:4304
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV162⤵PID:3932
-
-
C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"62⤵
- Executes dropped EXE
PID:2244 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA131.bat63⤵PID:3028
-
C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"64⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1628 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA20C.bat65⤵PID:3744
-
C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"66⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3532 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA2E7.bat67⤵PID:1248
-
C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"68⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:5112 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA400.bat69⤵
- System Location Discovery: System Language Discovery
PID:4316 -
C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"70⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:3520 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA4DB.bat71⤵PID:3880
-
C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"72⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4500 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA5B6.bat73⤵PID:4216
-
C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"74⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4564 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA6DF.bat75⤵PID:2416
-
C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"76⤵
- Executes dropped EXE
PID:4916 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA7AA.bat77⤵PID:2932
-
C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"78⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2472 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA856.bat79⤵PID:4660
-
C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"80⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4964 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA921.bat81⤵PID:1136
-
C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"82⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4968 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA9EC.bat83⤵PID:4536
-
C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"84⤵
- Executes dropped EXE
PID:4564 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aAC3E.bat85⤵PID:312
-
C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"86⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2684 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aACAB.bat87⤵
- System Location Discovery: System Language Discovery
PID:4024 -
C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"88⤵
- Executes dropped EXE
PID:964 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aAD18.bat89⤵PID:3112
-
C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"90⤵
- Executes dropped EXE
PID:4804 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aAD66.bat91⤵PID:1588
-
C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"92⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2212 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aADD4.bat93⤵
- System Location Discovery: System Language Discovery
PID:2704 -
C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"94⤵
- Executes dropped EXE
PID:2380 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aAE32.bat95⤵PID:2996
-
C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"96⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3616 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aAE8F.bat97⤵
- System Location Discovery: System Language Discovery
PID:4068 -
C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"98⤵
- Executes dropped EXE
PID:1016 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aAF0C.bat99⤵PID:4112
-
C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"100⤵
- Executes dropped EXE
PID:1788 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aAF99.bat101⤵PID:1004
-
C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"102⤵
- Executes dropped EXE
PID:2968 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB16E.bat103⤵PID:3932
-
C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"104⤵
- Executes dropped EXE
PID:3700 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB277.bat105⤵
- System Location Discovery: System Language Discovery
PID:4400 -
C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"106⤵
- Executes dropped EXE
PID:5108 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB2D5.bat107⤵PID:1656
-
C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"108⤵
- Executes dropped EXE
PID:3616 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB333.bat109⤵PID:5104
-
C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"110⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4660 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB391.bat111⤵PID:3032
-
C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"112⤵
- Executes dropped EXE
PID:1788 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB41D.bat113⤵PID:4920
-
C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"114⤵
- Executes dropped EXE
PID:3296 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB4B9.bat115⤵PID:3620
-
C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"116⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2924 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB527.bat117⤵PID:2448
-
C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"118⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4968 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB575.bat119⤵PID:1800
-
C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"120⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3512 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB5D3.bat121⤵PID:2876
-
C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"122⤵
- Executes dropped EXE
PID:2612
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-