Analysis

max time kernel: 150s
max time network: 103s
platform: windows11-21h2_x64
resource: win11-20250619-en
resource tags: arch:x64, arch:x86, image:win11-20250619-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 04/07/2025, 12:05

Static task: static1
Behavioral task: behavioral1
Sample: 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
Resource: win10v2004-20250619-en
General

Target: 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
Size: 5.0MB
MD5: da05404cb8d5af4f7ecc3366ed7f8b9d
SHA1: acad65c14e7027521f82be3ab42c7aceaf5fc86f
SHA256: e657a432aa54bfe93259ebfbd34dc4a3712133e5c134bc722f587db3e5dfa90c
SHA512: bf92dde5fed7ec33ba0ea1e9ee81d6e736c713f80b913cce7749e658bb7356842146eb4e2ac2f64a4db6ae563ca2484457dfd055fe76bc1bcc3c19d138608eb9
SSDEEP:
98304:iLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLY:CjJS

Malware Config

Signatures

Drops startup file (2 IoCs)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | Logo1_.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | Logo1_.exe

Executes dropped EXE (64 IoCs)
pid | Process
1532 | Logo1_.exe
3324 | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
3552 | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
2016 | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
1816 | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
5080 | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
1432 | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
4320 | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
988 | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
5572 | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
5760 | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
4616 | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
2320 | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
5340 | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
4808 | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
4780 | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
2052 | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
2584 | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
3844 | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
4976 | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
5464 | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
800 | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
4360 | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
2308 | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
4292 | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
4392 | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
4080 | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
1172 | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
5004 | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
3644 | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
5404 | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
2976 | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
2888 | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
4848 | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
5048 | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
1040 | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
5688 | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
5328 | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
4736 | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
3380 | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
6004 | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
5264 | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
5248 | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
1304 | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
1392 | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
3092 | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
5452 | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
3548 | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
5024 | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
2204 | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
1468 | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
4284 | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
3728 | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
2332 | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
2660 | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
1816 | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
4408 | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
5296 | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
5144 | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
5088 | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
2828 | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
2340 | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
1568 | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
6092 | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\K: | Logo1_.exe
File opened (read-only) | \??\J: | Logo1_.exe
File opened (read-only) | \??\I: | Logo1_.exe
File opened (read-only) | \??\Z: | Logo1_.exe
File opened (read-only) | \??\U: | Logo1_.exe
File opened (read-only) | \??\R: | Logo1_.exe
File opened (read-only) | \??\G: | Logo1_.exe
File opened (read-only) | \??\N: | Logo1_.exe
File opened (read-only) | \??\X: | Logo1_.exe
File opened (read-only) | \??\S: | Logo1_.exe
File opened (read-only) | \??\Q: | Logo1_.exe
File opened (read-only) | \??\O: | Logo1_.exe
File opened (read-only) | \??\H: | Logo1_.exe
File opened (read-only) | \??\E: | Logo1_.exe
File opened (read-only) | \??\P: | Logo1_.exe
File opened (read-only) | \??\L: | Logo1_.exe
File opened (read-only) | \??\M: | Logo1_.exe
File opened (read-only) | \??\Y: | Logo1_.exe
File opened (read-only) | \??\W: | Logo1_.exe
File opened (read-only) | \??\V: | Logo1_.exe
File opened (read-only) | \??\T: | Logo1_.exe

Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\zh-tw\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ja-jp\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\da-dk\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\da-dk\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Windows NT\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\root\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\en-il\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\fr-fr\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\AFTRNOON\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\ESEN\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\locale\en_GB\LC_MESSAGES\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ro-ro\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\da-dk\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\uk-ua\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Trust Protection Lists\Mu\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\locale\ca@valencia\LC_MESSAGES\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Windows Photo Viewer\it-IT\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\hu-hu\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\cs-cz\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\PdfPreview\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MSIPC\cs\_desktop.ini | Logo1_.exe
File created | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\eu-es\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\en-gb\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\css\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\_desktop.ini | Logo1_.exe
File created | C:\Program Files\dotnet\host\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\Heartbeat\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\bn\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\locale\hu\LC_MESSAGES\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\stream_out\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\fr-fr\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\fr-ma\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ru-ru\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MSIPC\lv\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\tr-tr\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\es-es\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\ru-ru\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ru-ru\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\zh-cn\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ro-ro\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Microsoft Office\root\Integration\Addons\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\locale\ps\LC_MESSAGES\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Windows Media Player\Skins\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\133.0.6943.60\WidevineCdm\_platform_specific\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jre-1.8\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\uz\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\fi-fi\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Google\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\WidevineCdm\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Windows Defender\uk-UA\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example2.Diagnostics\1.0.1\Diagnostics\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\pl-pl\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\_desktop.ini | Logo1_.exe

Drops file in Windows directory (64 IoCs)
description | ioc | Process
File created | C:\Windows\Logo1_.exe | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
File created | C:\Windows\Logo1_.exe | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
File created | C:\Windows\Logo1_.exe | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
File created | C:\Windows\Logo1_.exe | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
File created | C:\Windows\Logo1_.exe | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
File created | C:\Windows\Logo1_.exe | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
File opened for modification | C:\Windows\rundl132.exe | Logo1_.exe
File created | C:\Windows\Logo1_.exe | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
File created | C:\Windows\Logo1_.exe | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
File created | C:\Windows\Logo1_.exe | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
File created | C:\Windows\Logo1_.exe | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
File created | C:\Windows\Logo1_.exe | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
File created | C:\Windows\Logo1_.exe | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
File created | C:\Windows\Logo1_.exe | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
File created | C:\Windows\Logo1_.exe | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
File created | C:\Windows\Logo1_.exe | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
File created | C:\Windows\Logo1_.exe | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
File created | C:\Windows\Logo1_.exe | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
File created | C:\Windows\Logo1_.exe | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
File created | C:\Windows\Logo1_.exe | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
File created | C:\Windows\Logo1_.exe | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
File created | C:\Windows\Logo1_.exe | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
File created | C:\Windows\Logo1_.exe | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
File created | C:\Windows\Logo1_.exe | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
File created | C:\Windows\Logo1_.exe | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
File created | C:\Windows\Logo1_.exe | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
File created | C:\Windows\Logo1_.exe | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
File created | C:\Windows\Logo1_.exe | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
File created | C:\Windows\Logo1_.exe | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
File created | C:\Windows\Logo1_.exe | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
File created | C:\Windows\Logo1_.exe | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
File created | C:\Windows\Logo1_.exe | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
File created | C:\Windows\Logo1_.exe | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
File created | C:\Windows\Logo1_.exe | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
File created | C:\Windows\Logo1_.exe | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
File created | C:\Windows\Logo1_.exe | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
File created | C:\Windows\Logo1_.exe | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
File created | C:\Windows\Logo1_.exe | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
File created | C:\Windows\Logo1_.exe | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
File created | C:\Windows\Logo1_.exe | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
File created | C:\Windows\Logo1_.exe | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
File created | C:\Windows\Logo1_.exe | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
File created | C:\Windows\Logo1_.exe | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
File created | C:\Windows\Logo1_.exe | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
File created | C:\Windows\Logo1_.exe | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
File created | C:\Windows\Logo1_.exe | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
File created | C:\Windows\Logo1_.exe | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
File created | C:\Windows\Logo1_.exe | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
File created | C:\Windows\Logo1_.exe | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
File created | C:\Windows\Logo1_.exe | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
File created | C:\Windows\Logo1_.exe | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
File created | C:\Windows\Logo1_.exe | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
File created | C:\Windows\Logo1_.exe | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
File created | C:\Windows\Logo1_.exe | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
File created | C:\Windows\Logo1_.exe | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
File created | C:\Windows\Logo1_.exe | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
File created | C:\Windows\Logo1_.exe | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
File created | C:\Windows\Logo1_.exe | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
File created | C:\Windows\Logo1_.exe | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
File created | C:\Windows\Logo1_.exe | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
File created | C:\Windows\Logo1_.exe | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
File created | C:\Windows\Logo1_.exe | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
File created | C:\Windows\Logo1_.exe | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
File created | C:\Windows\Logo1_.exe | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe

System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses (62 IoCs)
pid | Process
3352 | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
3352 | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
3352 | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
3352 | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
3352 | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
3352 | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
3352 | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
3352 | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
3352 | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
3352 | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
3352 | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
3352 | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
3352 | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
3352 | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
3352 | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
3352 | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
3352 | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
3352 | 2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
1532 | Logo1_.exe
1532 | Logo1_.exe
1532 | Logo1_.exe
1532 | Logo1_.exe
1532 | Logo1_.exe
1532 | Logo1_.exe
1532 | Logo1_.exe
1532 | Logo1_.exe
1532 | Logo1_.exe
1532 | Logo1_.exe
1532 | Logo1_.exe
1532 | Logo1_.exe
1532 | Logo1_.exe
1532 | Logo1_.exe
1532 | Logo1_.exe
1532 | Logo1_.exe
1532 | Logo1_.exe
1532 | Logo1_.exe
1532 | Logo1_.exe
1532 | Logo1_.exe
1532 | Logo1_.exe
1532 | Logo1_.exe
1532 | Logo1_.exe
1532 | Logo1_.exe
1532 | Logo1_.exe
1532 | Logo1_.exe
1532 | Logo1_.exe
1532 | Logo1_.exe
1532 | Logo1_.exe
1532 | Logo1_.exe
1532 | Logo1_.exe
1532 | Logo1_.exe
1532 | Logo1_.exe
1532 | Logo1_.exe
1532 | Logo1_.exe
1532 | Logo1_.exe
1532 | Logo1_.exe
1532 | Logo1_.exe
1532 | Logo1_.exe
1532 | Logo1_.exe
1532 | Logo1_.exe
1532 | Logo1_.exe
1532 | Logo1_.exe
1532 | Logo1_.exe

Suspicious use of WriteProcessMemory 64 IoCs
description                        pid   Process                                                                       procid_target  entries
PID 3352 wrote to memory of 1852   3352  2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe  79             3
PID 3352 wrote to memory of 1532   3352  2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe  80             3
PID 1532 wrote to memory of 924    1532  Logo1_.exe                                                                    82             3
PID 924 wrote to memory of 112     924   net.exe                                                                       84             3
PID 1852 wrote to memory of 3324   1852  cmd.exe                                                                       85             3
PID 3324 wrote to memory of 904    3324  2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe  86             3
PID 904 wrote to memory of 3552    904   cmd.exe                                                                       88             3
PID 3552 wrote to memory of 6004   3552  2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe  89             3
PID 6004 wrote to memory of 2016   6004  cmd.exe                                                                       91             3
PID 2016 wrote to memory of 1368   2016  2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe  92             3
PID 1368 wrote to memory of 1816   1368  cmd.exe                                                                       94             3
PID 1816 wrote to memory of 4896   1816  2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe  95             3
PID 1532 wrote to memory of 3304   1532  Logo1_.exe                                                                    52             2
PID 4896 wrote to memory of 5080   4896  cmd.exe                                                                       97             3
PID 5080 wrote to memory of 896    5080  2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe  98             3
PID 896 wrote to memory of 1432    896   cmd.exe                                                                       100            3
PID 1432 wrote to memory of 1208   1432  2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe  101            3
PID 1208 wrote to memory of 4320   1208  cmd.exe                                                                       103            3
PID 4320 wrote to memory of 780    4320  2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe  104            3
PID 780 wrote to memory of 988     780   cmd.exe                                                                       106            3
PID 988 wrote to memory of 4392    988   2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe  157            3
PID 4392 wrote to memory of 5572   4392  cmd.exe                                                                       109            2
Processes
- 1⤵ C:\Windows\Explorer.EXE (PID:3304)
  command line: C:\Windows\Explorer.EXE
- 2⤵ C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe (PID:3352)
  command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
- 3⤵ C:\Windows\SysWOW64\cmd.exe (PID:1852)
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7E96.bat
  - Suspicious use of WriteProcessMemory
- 4⤵ C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe (PID:3324)
  command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
- 5⤵ C:\Windows\SysWOW64\cmd.exe (PID:904)
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7FFD.bat
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
- 6⤵ C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe (PID:3552)
  command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
- 7⤵ C:\Windows\SysWOW64\cmd.exe (PID:6004)
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8184.bat
  - Suspicious use of WriteProcessMemory
- 8⤵ C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe (PID:2016)
  command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- 9⤵ C:\Windows\SysWOW64\cmd.exe (PID:1368)
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a83A7.bat
  - Suspicious use of WriteProcessMemory
- 10⤵ C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe (PID:1816)
  command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
- 11⤵ C:\Windows\SysWOW64\cmd.exe (PID:4896)
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a850E.bat
  - Suspicious use of WriteProcessMemory
- 12⤵ C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe (PID:5080)
  command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- 13⤵ C:\Windows\SysWOW64\cmd.exe (PID:896)
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8685.bat
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
- 14⤵ C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe (PID:1432)
  command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
- 15⤵ C:\Windows\SysWOW64\cmd.exe (PID:1208)
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8879.bat
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
- 16⤵ C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe (PID:4320)
  command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
- 17⤵ C:\Windows\SysWOW64\cmd.exe (PID:780)
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a89F0.bat
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
- 18⤵ C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe (PID:988)
  command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- 19⤵ C:\Windows\SysWOW64\cmd.exe (PID:4392)
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8BA6.bat
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
- 20⤵ C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe (PID:5572)
  command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
  - Executes dropped EXE
- 21⤵ C:\Windows\SysWOW64\cmd.exe (PID:2800)
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8D4C.bat
- 22⤵ C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe (PID:5760)
  command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
  - Executes dropped EXE
  - Drops file in Windows directory
- 23⤵ C:\Windows\SysWOW64\cmd.exe (PID:2352)
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8F11.bat
- 24⤵ C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe (PID:4616)
  command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
  - Executes dropped EXE
- 25⤵ C:\Windows\SysWOW64\cmd.exe (PID:4028)
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a90B7.bat
- 26⤵ C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe (PID:2320)
  command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
  - Executes dropped EXE
- 27⤵ C:\Windows\SysWOW64\cmd.exe (PID:3344)
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a922E.bat
- 28⤵ C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe (PID:5340)
  command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
  - Executes dropped EXE
- 29⤵ C:\Windows\SysWOW64\cmd.exe (PID:1476)
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a93B4.bat
- 30⤵ C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe (PID:4808)
  command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
- 31⤵ C:\Windows\SysWOW64\cmd.exe (PID:3520)
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9579.bat
- 32⤵ C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe (PID:4780)
  command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
- 33⤵ C:\Windows\SysWOW64\cmd.exe (PID:2040)
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9700.bat
  - System Location Discovery: System Language Discovery
- 34⤵ C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe (PID:2052)
  command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
  - Executes dropped EXE
- 35⤵ C:\Windows\SysWOW64\cmd.exe (PID:2944)
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a98A6.bat
- 36⤵ C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe (PID:2584)
  command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
  - Executes dropped EXE
  - Drops file in Windows directory
- 37⤵ C:\Windows\SysWOW64\cmd.exe (PID:1248)
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9A0D.bat
  - System Location Discovery: System Language Discovery
- 38⤵ C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe (PID:3844)
  command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
  - Executes dropped EXE
  - Drops file in Windows directory
- 39⤵ C:\Windows\SysWOW64\cmd.exe (PID:2340)
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9B84.bat
- 40⤵ C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe (PID:4976)
  command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
  - Executes dropped EXE
  - Drops file in Windows directory
- 41⤵ C:\Windows\SysWOW64\cmd.exe (PID:4964)
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9D69.bat
- 42⤵ C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe (PID:5464)
  command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
  - Executes dropped EXE
- 43⤵ C:\Windows\SysWOW64\cmd.exe (PID:2304)
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9F4D.bat
- 44⤵ C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe (PID:800)
  command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
  - Executes dropped EXE
- 45⤵ C:\Windows\SysWOW64\cmd.exe (PID:3852)
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA0D4.bat
- 46⤵ C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe (PID:4360)
  command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
  - Executes dropped EXE
  - Drops file in Windows directory
- 47⤵ C:\Windows\SysWOW64\cmd.exe (PID:5196)
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA1FD.bat
- 48⤵ C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe (PID:2308)
  command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
  - Executes dropped EXE
  - Drops file in Windows directory
- 49⤵ C:\Windows\SysWOW64\cmd.exe (PID:2296)
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA3A2.bat
- 50⤵ C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe (PID:4292)
  command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
  - Executes dropped EXE
- 51⤵ C:\Windows\SysWOW64\cmd.exe (PID:4064)
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA47D.bat
- 52⤵ C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe (PID:4392)
  command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
  - Executes dropped EXE
- 53⤵ C:\Windows\SysWOW64\cmd.exe (PID:2424)
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA4EB.bat
  - System Location Discovery: System Language Discovery
- 54⤵ C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe (PID:4080)
  command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
  - Executes dropped EXE
- 55⤵ C:\Windows\SysWOW64\cmd.exe (PID:3756)
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA548.bat
- 56⤵ C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe (PID:1172)
  command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
  - Executes dropped EXE
- 57⤵ C:\Windows\SysWOW64\cmd.exe (PID:5708)
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA587.bat
- 58⤵ C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe (PID:5004)
  command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
- 59⤵ C:\Windows\SysWOW64\cmd.exe (PID:4784)
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA5F4.bat
- 60⤵ C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe (PID:3644)
  command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
  - Executes dropped EXE
  - Drops file in Windows directory
- 61⤵ C:\Windows\SysWOW64\cmd.exe (PID:5204)
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA642.bat
- 62⤵ C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe (PID:5404)
  command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
  - Executes dropped EXE
- 63⤵ C:\Windows\SysWOW64\cmd.exe (PID:1112)
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA6A0.bat
  - System Location Discovery: System Language Discovery
- 64⤵ C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe (PID:2976)
  command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
  - Executes dropped EXE
  - Drops file in Windows directory
- 65⤵ C:\Windows\SysWOW64\cmd.exe (PID:3004)
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA6EE.bat
- 66⤵ C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe (PID:2888)
  command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
  - Executes dropped EXE
- 67⤵ C:\Windows\SysWOW64\cmd.exe (PID:4816)
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA73C.bat
- 68⤵ C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe (PID:4848)
  command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
  - Executes dropped EXE
  - Drops file in Windows directory
- 69⤵ C:\Windows\SysWOW64\cmd.exe (PID:1476)
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA79A.bat
- 70⤵ C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe (PID:5048)
  command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
  - Executes dropped EXE
- 71⤵ C:\Windows\SysWOW64\cmd.exe (PID:576)
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA7D9.bat
  - System Location Discovery: System Language Discovery
- 72⤵ C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe (PID:1040)
  command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
  - Executes dropped EXE
  - Drops file in Windows directory
- 73⤵ C:\Windows\SysWOW64\cmd.exe (PID:676)
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA884.bat
- 74⤵ C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe (PID:5688)
  command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
  - Executes dropped EXE
  - Drops file in Windows directory
- 75⤵ C:\Windows\SysWOW64\cmd.exe (PID:660)
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA9BD.bat
- 76⤵ C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe (PID:5328)
  command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
  - Executes dropped EXE
- 77⤵ C:\Windows\SysWOW64\cmd.exe (PID:4328)
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aAD86.bat
- 78⤵ C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe (PID:4736)
  command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
  - Executes dropped EXE
  - Drops file in Windows directory
- 79⤵ C:\Windows\SysWOW64\cmd.exe (PID:2196)
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aAE70.bat
- 80⤵ C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe (PID:3380)
  command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
- 81⤵ C:\Windows\SysWOW64\cmd.exe (PID:6076)
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aAF5A.bat
- 82⤵ C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe (PID:6004)
  command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
  - Executes dropped EXE
- 83⤵ C:\Windows\SysWOW64\cmd.exe (PID:4064)
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB054.bat
  - System Location Discovery: System Language Discovery
- 84⤵ C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe (PID:5264)
  command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
- 85⤵ C:\Windows\SysWOW64\cmd.exe (PID:4856)
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB13F.bat
- 86⤵ C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe (PID:5248)
  command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
  - Executes dropped EXE
- 87⤵ C:\Windows\SysWOW64\cmd.exe (PID:1628)
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB248.bat
- 88⤵ C:\Windows\System32\Conhost.exe (PID:5196)
  command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
- 88⤵ C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe (PID:1304)
  command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
  - Executes dropped EXE
- 89⤵ C:\Windows\SysWOW64\cmd.exe (PID:6100)
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB323.bat
- 90⤵ C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe (PID:1392)
  command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
- 91⤵ C:\Windows\SysWOW64\cmd.exe (PID:4064)
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB3FE.bat
- 92⤵ C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe (PID:3092)
  command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
  - Executes dropped EXE
- 93⤵ C:\Windows\SysWOW64\cmd.exe (PID:4856)
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB4F8.bat
- 94⤵ C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe (PID:5452)
  command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
- 95⤵ C:\Windows\SysWOW64\cmd.exe (PID:1896)
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB602.bat
- 96⤵ C:\Windows\System32\Conhost.exe (PID:4328)
  command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
- 96⤵ C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe (PID:3548)
  command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
  - Executes dropped EXE
- 97⤵ C:\Windows\SysWOW64\cmd.exe (PID:5072)
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB6BD.bat
- 98⤵ C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe (PID:5024)
  command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
  - Executes dropped EXE
  - Drops file in Windows directory
- 99⤵ C:\Windows\SysWOW64\cmd.exe (PID:4976)
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB71B.bat
- 100⤵ C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe (PID:2204)
  command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
  - Executes dropped EXE
- 101⤵ C:\Windows\SysWOW64\cmd.exe (PID:5180)
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB7A7.bat
- 102⤵ C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe (PID:1468)
  command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
  - Executes dropped EXE
  - Drops file in Windows directory
- 103⤵ C:\Windows\SysWOW64\cmd.exe (PID:4804)
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB7F6.bat
  - System Location Discovery: System Language Discovery
- 104⤵ C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe (PID:4284)
  command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
  - Executes dropped EXE
- 105⤵ C:\Windows\SysWOW64\cmd.exe (PID:5420)
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB853.bat
- 106⤵ C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe (PID:3728)
  command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
- 107⤵ C:\Windows\SysWOW64\cmd.exe (PID:3080)
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB8D0.bat
- 108⤵ C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe (PID:2332)
  command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
- 109⤵ C:\Windows\SysWOW64\cmd.exe (PID:2192)
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB91E.bat
- 110⤵ C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe (PID:2660)
  command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
  - Executes dropped EXE
- 111⤵ C:\Windows\SysWOW64\cmd.exe (PID:5104)
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB98C.bat
- 112⤵ C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe (PID:1816)
  command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
  - Executes dropped EXE
- 113⤵ C:\Windows\SysWOW64\cmd.exe (PID:4932)
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB9EA.bat
- 114⤵ C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe (PID:4408)
  command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
- 115⤵ C:\Windows\SysWOW64\cmd.exe (PID:660)
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aBA47.bat
- 116⤵ C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe (PID:5296)
  command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
  - Executes dropped EXE
- 117⤵ C:\Windows\SysWOW64\cmd.exe (PID:5592)
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aBAB5.bat
- 118⤵ C:\Windows\System32\Conhost.exe (PID:3092)
  command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
- 118⤵ C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe (PID:5144)
  command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
  - Executes dropped EXE
  - Drops file in Windows directory
- 119⤵ C:\Windows\SysWOW64\cmd.exe (PID:4856)
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aBCE7.bat
  - System Location Discovery: System Language Discovery
- 120⤵ C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe (PID:5088)
  command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
- 121⤵ C:\Windows\SysWOW64\cmd.exe (PID:5456)
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aBD35.bat
- 122⤵ C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe (PID:2828)
  command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
  - Executes dropped EXE
  - Drops file in Windows directory